List of Active Alert Rules

Alert Rule Name	Required Tuning (Mandatoryand Optional)
DATA EXFILTRATION
Performing large file or folder copy during irregular hours	Optional: Irregular Hours/Days within the Alert Rule
Exporting data from enterprise web application by file downloading	Optional: List - Enterprise web applications to detect download from Optional: List - File extensions to detect their exporting from enterprise apps
Accessing upload and sharing cloud services	-
Exfiltrating tracked file to the web by uploading	Mandatory: List - Keywords in file names to trigger alert on uploading Optional: List - Excluded file names from alerts on exfiltration
Performing large file or folder copy	-
Exfiltrating a file to an unlisted USB device	Optional: List – Allowed listed USB devices Optional: List - Excluded file names from alerts on exfiltration
Connecting unlisted USB device	Optional: List – Allowed listed USB devices Optional: List - Excluded vendors/models from alert on detecting connected USB
Exfiltrating a file to the web by uploading	Mandatory: List - Keywords in file names to trigger alert on uploading Optional: List - Excluded file names from alerts on exfiltration
Exfiltrating a file that was tagged with a sensitive MIP label	Mandatory: List - Sensitive MIP labels
Exfiltrating tracked file to a cloud sync folder	Optional: List - Excluded file names from alerts on exfiltration
Printing sensitive documents	Mandatory: List – Sensitive files
Printing large number of pages during irregular hours	Optional: Irregular Hours/Days within the Alert Rule
Sending email with sensitive keywords in Subject to untrusted domain	Mandatory: List - Sensitive keywords to be detected in Subject of outgoing emails
Sending email with large file attachment to untrusted domain	Optional: File size threshold (5000 KB by default)
Sending email with sensitive file attachment to untrusted domain	Mandatory: List – Sensitive files
Saving email file attachment to a local sync folder	-
Saving email file attachment to a USB storage device	-
Pasting files copied from sensitive folders	Mandatory: List - Sensitive folders
Pasting text that contains predefined sensitive keywords	Mandatory: List - Keywords to be monitored upon copying them to clipboard
DATA INFILTRATION
Browsing harmful, risky or contaminating sites	-
Downloading file from a site dedicated to downloads	-
Downloading file from a cloud storage service site	Optional: List - Excluded site names from alert on download from cloud services
Downloading file with potentially malicious extension	Optional: List - File extensions to detect malicious file download
Downloading file from infected or malicious site	-
CARELESS BEHAVIOR
Running software to enable sharing and access from remote machine	-
Opening a clear text file that potentially stores passwords	-
BYPASSING SECURITY CONTROLS
Running TOR browser	-
Downloading the MIMIKATZ utility	-
Browsing to website related to MIMIKATZ utility	-
Running VPN, Proxy or Tunneling tools	-
HIDING INFORMATION AND COVERING TRACKS
Clearing browsing history in Google Chrome	-
Clearing browsing history in IE or Firefox	-
Running steganography tools	-
RUNNING MALICIOUS SOFTWARE
Running password and license cracking tools	-
Running hacking or spoofing tools	-
Running command-line-based hacking tool	-
Running port scanning tools	-
UNACCEPTABLE USE
Running computer anti-sleep software	-
Browsing Illegal activities, violence or hate sites	-
Browsing unauthorized predefined sites	Mandatory: List - Unauthorized black-listed websites
Browsing Adult sites	-
Browsing Gambling sites	-
Browsing Illegal drugs sites	-
UNAUTHORIZED DATA ACCESS
Accessing sensitive folder	Mandatory: List - Sensitive folders
UNAUTHORIZED MACHINE ACCESS
Logging in remotely (RDP) to sensitive Windows Server from unauthorized client	Mandatory: List - Sensitive Windows servers Optional: List - Authorized addresses for login from
Logging in to any machine by disabled users (ex-employees)	-
Logging in Remotely (RDP) to sensitive Windows Desktop by unauthorized user	Mandatory: List - Sensitive Windows desktops
SEARCHING FOR INFORMATION
Searching data on password cracking	-
Searching data on steganography	-
Searching data on monitoring or sniffing	Optional: List - Monitoring/sniffing keywords
Searching data on Remote Access and Desktop Sharing	Optional: List - Remote access and desktop sharing keywords
Running advanced monitoring or sniffing	Optional: List - Monitoring/sniffing keywords
Searching data on hacking or spoofing	Optional: List - Hacking/Spoofing keywords
Searching data on file transfer (FTP or SFTP)	Optional: List - FTP keywords
Searching data on Dynamic-DNS	Optional: List - Dynamic-DNS keywords
Searching data on Darknet TOR (The Onion Router)	Optional: List - TOR (Darkweb) keywords
Searching data on VPN, Proxy or Tunneling	Optional: List - VPN/Proxy/Tunneling keywords
PERFORMING UNAUTHORIZED ADMIN TASKS
Running PowerShell-specific dangerous command	Optional: List - PowerShell dangerous commands
MESSING WITH ITM ON-PREM (OBSERVEIT) COMPONENTS
Trying to kill ObserveIT processes on Windows	Optional: List - Command line tools Optional: List - ITM On-Prem (ObserveIT) services on Windows Optional: List - Kill commands on Windows
Trying to Kill ObserveIT processes on Mac	Optional: List - Command line tools Optional: List - ITM On-Prem (ObserveIT) services on MAC Optional: List - Kill commands on Mac and Unix/Linux
Opening ObserveIT Agent folder	-
INSTALLING/UNINSTALLING QUESTIONABLE SOFTWARE
Installing hacking or spoofing tools	Optional: List - Hacking/Spoofing keywords Optional: List - Reserved keyword used in Window Title of OIT virtual screenshots
COPYRIGHT INFRINGEMENT
Downloading file from copyright-violating or P2P site	-
Browsing copyright-violating sites	-
CREATING BACKDOOR
Adding a local Windows User	-