Data Exfiltration

Data Exfiltration (Windows/Mac)

The following out-of-the-box alert rules are assigned to the (Windows/Mac) Category: DATA EXFILTRATION.

ALERT RULE

Description

Accessing upload and sharing cloud services

An alert is triggered upon browsing to websites that offer cloud transfer or storage services, where a file could be uploaded and shared with another person. This action can indicate an intent to remove sensitive information from the organization.

Browsing for files to be inserted as an attachment in Outlook

An alert is triggered when any user browses for a file to be inserted as an attachment to an Outlook email message.

Connecting unlisted USB device

An alert is triggered upon insertion of a USB device, or upon detection of an already connected USB device, that is not on the white list of USB devices. Note that this alert is relevant only for agents from version 7.7 onward.

Connecting USB Storage Device (before 7.7)

An alert is triggered upon connecting a USB storage device to a computer whose agent is older than version 7.7. This operation can indicate an early intent either to take sensitive information out of the organization or to copy files/folders onto the organization's assets.

Connecting white listed or ignored USB device

An alert is triggered upon insertion of a USB device, or upon detection of an already connected USB device, that is either white listed or present in the ignored list.

Copying any text from a sensitive file

An alert is triggered when any user copies text from a file in the list named “Sensitive files”.

Copying any text from sensitive desktop application

An alert is triggered upon copying to the clipboard any text from a predefined sensitive desktop application.

Copying any text from sensitive web application

An alert is triggered upon copying to the clipboard any text from a predefined sensitive web application.

Copying credit card number to the clipboard

An alert is triggered when a credit card number is copied to the clipboard.

Copying predefined keyword from sensitive web application

An alert is triggered upon copying to the clipboard a predefined keyword from a predefined sensitive web application.

Copying predefined keyword from sensitive desktop application

An alert is triggered upon copying to the clipboard a predefined keyword from a predefined sensitive desktop application.

Copying sensitive file

An alert is triggered upon copying to the clipboard files that are predefined as sensitive. This operation could indicate an intent to steal sensitive information from the organization.

Copying sensitive folder

An alert is triggered upon copying to the clipboard folders that are predefined as sensitive. This operation could indicate an intent to steal sensitive information from the organization.

Exfiltrating a file that was tagged with a sensitive MIP label

An alert is triggered upon exfiltrating any file (tracked or non-tracked) whose MIP label, either the original label (when tracking began) or the final label (at the time of exfiltration), is in the list of sensitive labels.

Exfiltrating a file to an unlisted USB device

An alert is triggered upon exfiltrating a file (tracked or non-tracked) to an unlisted USB device. Note that this rule is not triggered for files named in the exclusion list "Excluded file names for alerts on exfiltration".

Exfiltrating a file to the web by uploading

An alert is triggered when any user uploads any file from any origin to any website or web-application.

Exfiltrating tracked file to a cloud sync folder or any web file

An alert is triggered when any user moves or copies a tracked file (downloaded or exported from the web) to a cloud storage sync folder.

Exfiltrating tracked file to the web by uploading

An alert is triggered when any user uploads a tracked (downloaded or exported from the web) file to any website or web-application.

Exfiltrating sensitive data via SFTP, SCP or RSYNC to Amazon

An alert is triggered when any user attempts to exfiltrate sensitive data via SFTP, SCP or RSYNC to Amazon.

Exporting data from enterprise web application by file downloading

An alert is triggered upon downloading a file from a list of sensitive enterprise web applications.

Opening AirDrop sharing folder on Mac

Note: This rule applies specifically on Mac systems.

An alert is triggered upon opening a local folder that allows sharing with a remote device. This operation can indicate an early intent to copy sensitive information to other devices to exfiltrate it from the organization.

Opening cloud storage sync folder

An alert is triggered upon opening a local folder whose content is always synchronized with a remote cloud storage service. This operation could indicate an intent to copy sensitive information to this folder in order to steal it from the organization.

Opening cloud storage sync folder on Mac

Note: This rule applies specifically on Mac systems.

An alert is triggered upon opening a local folder in which content is always synchronized with a remote cloud storage service. This operation can indicate an early intent to copy sensitive information to this folder to exfiltrate it from the organization.

Pasting files copied from sensitive folders

An alert is triggered upon pasting files or folders that were originally copied from a folder that appears in the list of sensitive folders.

Pasting screenshot or image into sensitive desktop application

An alert is triggered upon pasting a screenshot or image into a desktop application (by Process Name) that is in the list of sensitive desktop applications for pasting text or images into them.

Pasting screenshot or image into sensitive web application

An alert is triggered upon pasting a screenshot or image into a web application (by site name) that is in the list of sensitive web applications for pasting text or images into them.

Pasting text into sensitive desktop application

An alert is triggered upon pasting text into a desktop application (by Process Name) that is in the list of sensitive desktop applications for pasting text into them.

Pasting text into sensitive web application

An alert is triggered upon pasting text into a web application (by site name) that is in the list of sensitive web applications for pasting text into them.

Pasting text that contains predefined sensitive keywords

An alert is triggered upon pasting text that contains keywords from the list of sensitive keywords monitored for copy and paste.

Pasting sensitive files or folders

An alert is triggered upon pasting files or folders that are part of the list of sensitive files or the list of sensitive folders.

Performing large file or folder copy

An alert is triggered upon copying to the clipboard either a large number of files/folders or files/folders whose total size exceeds the thresholds defined in the Server Policy. This action could indicate an intent to steal information from the organization.

Performing large file or folder copy during irregular hours

An alert is triggered upon copying to the clipboard, during irregular working hours, either a large number of files/folders or files/folders whose total size exceeds the thresholds defined in the Server Policy. This could indicate an intent to steal information.

Printing large number of pages during irregular hours

An alert is triggered upon sending a large number of pages to a printer during irregular working hours. This action could indicate that the user is stealing information from the organization.

Printing sensitive documents

An alert is triggered upon sending one of the predefined sensitive documents to a printer. This action could indicate that the user is stealing sensitive information from the organization.

Running a cloud backup application

An alert is triggered upon running cloud backup software that can copy files/folders to a remote location. This action could indicate an intent to steal sensitive information from the organization.

Running Android File Transfer on Mac

Note: This rule applies specifically on Mac systems.

An alert is triggered upon using the Android File Transfer application on Mac. This operation can indicate an early intent to copy sensitive information to a private phone to exfiltrate it from the organization.

Running CD or DVD burning tools

An alert is triggered upon running CD/DVD burning software. This operation could indicate an intent to steal sensitive information from the organization.

Saving email file attachment to a local sync folder

This alert is triggered upon saving a file attachment from an email client directly to one of the supported local sync folders.

Saving email file attachment to a USB storage device

This alert is triggered upon saving a file attachment from an email client directly to a USB storage device.

Sending email with large file attachment to untrusted domain

This alert is triggered upon sending an email to at least one untrusted domain with a file attachment larger than the predefined value (5 MB by default).

Sending email with sensitive file attachment to untrusted domain

This alert is triggered upon sending an email with a file attachment whose name is in the predefined list of sensitive files, where at least one of the recipients is in an untrusted domain.

Sending email with sensitive keywords in Subject to untrusted domain

This alert is triggered upon sending an email whose Subject contains a sensitive keyword (one that appears in a dedicated list), where the list of recipients includes at least one recipient in an untrusted domain.

Synchronizing MS-Office document with another Microsoft account

An alert is triggered upon opening the Switch Account window in Microsoft Office applications. This action could indicate an intent to send the currently opened document out of the organization to a private account.

Taking screenshot using keyboard shortcut

An alert is triggered upon taking screenshots on Windows or Mac via the relevant keyboard shortcuts in each operating system.

Typing sensitive intellectual property related words in web mail, Chat, IM, Social Media sites

An alert is triggered upon browsing to web mail, Chat, IM or Social Media sites and typing words that are confidential from an intellectual property standpoint.

Uploading files to a web site using curl on Mac

An alert is triggered when any user on a Mac endpoint attempts to use curl to upload a file to any website.

Uploading or sharing files via cloud storage services

An alert is triggered upon browsing to websites that offer cloud transfer or storage services, where a file could be uploaded and shared with another person. This action could indicate an intent to steal sensitive information from the organization.

Data Exfiltration (Unix/Linux)

The following out-of-the-box alert rules are assigned to the (Unix/Linux) Category: DATA EXFILTRATION.

ALERT RULE

Description

Exfiltrating data from the server via Unix email tools

An alert is triggered upon running Unix email tools (such as MAILX, SSMTP, MAIL, SENDMAIL, MUTT) to transfer data out of the server.

Exfiltrating data via email using TELNET

An alert is triggered upon running TELNET to send out an email from the server.

Exfiltrating sensitive system files via SFTP, SCP or RSYNC

An alert is triggered upon running an SFTP, SCP or RSYNC command to exfiltrate a file from a sensitive directory.

Exfiltrating SSL certificates and associated private keys via SFTP, SCP or RSYNC

An alert is triggered when a user attempts to exfiltrate an SSL certificate using SFTP, SCP or RSYNC.

Potential backdoor data exfiltration using ICMP

An alert is triggered when a user attempts to exfiltrate system information using PING.

Prevent exfiltration of Passwd, Group, Shadow, Profile files via SFTP

An alert is triggered when Passwd, Group, Shadow or Profile files are exfiltrated via SFTP.

Prevent exfiltration of SSH or SSHD configuration files or keys via SFTP

An alert is triggered when SSH or SSHD configuration files or keys are exfiltrated via SFTP.

Retrieving the Passwd, Group, Shadow or Profile files via SFTP, SCP or RSYNC

An alert is triggered upon running the GET command via SFTP, SCP or RSYNC to retrieve sensitive files (Passwd, Group, Shadow or Profile) from a remote configuration directory.

Running SFTP, SCP or RSYNC on SSH or SSHD configuration files

An alert is triggered upon running an SFTP, SCP or RSYNC command to exfiltrate an SSH or SSHD configuration file from a server.

Uploading files to a web site using curl on Unix or Linux

An alert is triggered when any user on a Unix or Linux endpoint attempts to use curl to upload a file to any website.