Unauthorized Machine Access

Unauthorized Machine Access (Windows/Mac)

The following out-of-the-box alert rules are assigned to the (Windows/Mac) Category: UNAUTHORIZED MACHINE ACCESS.

ALERT RULE

Description

Connecting to a new FTP or SFTP server using FTP application

An alert is triggered when an FTP client is used to connect to a remote FTP or SFTP server that has not been connected to before.

Connecting to a sensitive Mac machine using Screen Sharing

An alert is triggered when a user attempts to connect to a sensitive remote Mac using the built-in macOS Screen Sharing feature.

Connecting to a sensitive server using Finder on Mac

An alert is triggered when a user attempts to connect, using Finder on Mac (the Mac equivalent of Windows Explorer), to a remote server that is part of the Sensitive Remote Servers list.

Connecting to a sensitive server using FTP applications

An alert is triggered upon using an FTP client on Windows or Mac and connecting to a remote server that is part of the Sensitive Remote Servers list.

Connecting to a sensitive VMware vSphere client

An alert is triggered when the name or IP address of a sensitive machine is typed into the VMware vSphere Client in order to connect to it.

Connecting to a sensitive Windows server from Mac

An alert is triggered when a user on a Mac attempts to connect, using the Microsoft Remote Desktop application, to a Windows server that is part of the Sensitive Remote Servers list.

Interacting with remote machines using PowerShell commands

An alert is triggered when PowerShell is opened and commands used to interact with remote machines are invoked.

Logging in locally to sensitive Windows Desktop by unauthorized user

An alert is triggered upon local login (accessing the machine physically) to a predefined sensitive Windows desktop, by a user not included in the authorized users list for these sensitive machines.

Logging in locally to sensitive Windows Server by unauthorized user

ACTION REQUIRED: Add the user blacklist/whitelist (unauthorized/authorized users) to the WHO statement of the rule.

An alert is triggered upon local login (accessing the machine physically) to a predefined sensitive Windows server, by an unauthorized user.

Logging in remotely (RDP) to sensitive Windows Server from unauthorized client

An alert is triggered upon remote login (via RDP session) to a predefined sensitive Windows server from a client not included in the list of authorized client IPs or client names for these sensitive machines.

Logging in remotely (RDP) to sensitive Windows Desktop by unauthorized user

ACTION REQUIRED: Add the user blacklist/whitelist (unauthorized/authorized users) to the WHO statement of the rule.

An alert is triggered upon remote login (via RDP session) to a predefined sensitive Windows desktop by a user not included in the authorized users list for these sensitive machines.

Logging in remotely (RDP) to sensitive Windows Desktop from unauthorized client

An alert is triggered upon remote login (via RDP session) to a predefined sensitive Windows desktop from a client not included in the list of authorized client IPs or client names for these sensitive machines.

Logging in remotely (RDP) to sensitive Windows Server by unauthorized user

ACTION REQUIRED: Add the user blacklist/whitelist (unauthorized/authorized users) to the WHO statement of the rule.

An alert is triggered upon remote login (via RDP session) to a predefined sensitive Windows server by an unauthorized user.

Logging in remotely (RDP) to sensitive Windows Server during irregular hours

An alert is triggered upon remote login (via RDP session) to a predefined sensitive Windows server during irregular hours (before the beginning or after the end of a working weekday, or during weekend).

Logging in to any machine by disabled users (ex-employees)

An alert is triggered upon login to any type of machine (Windows, Mac, Unix, Linux) by a user who is part of the Disabled Users list (ex-employees whose Active Directory accounts should have been disabled).

Logging in to sensitive machine using a shared account

An alert is triggered when secondary authentication was used during a session on a sensitive machine, indicating that the primary login name was probably a shared account (e.g., Administrator).

Logging in with the default built-in privileged account to sensitive servers

An alert is triggered upon logging in to sensitive remote servers with the default privileged accounts of Administrator or root.

Running a remote PC access tool to access a remote machine

An alert is triggered upon running a remote login utility to take control of a remote machine, or to open a Telnet/SSH session on a remote machine.

Taking control of a remote machine from Mac

Note: This rule applies specifically to Mac systems.

An alert is triggered upon opening the Terminal application on Mac and running SSH to take control of a remote machine.
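The Windows login rules above all reduce to the same few checks on a logon event: which host, which account, where from, and when. As an added example (not the product's rule engine or configuration), the Python below runs those checks over constructed Windows Security log records. Field names follow event ID 4624 (TargetUserName, LogonType, IpAddress, WorkstationName), where LogonType 2 is a local console logon and 10 is an RDP (RemoteInteractive) logon; the host names, account names, IP addresses, sensitive-server list and working-hours window are hypothetical placeholders for the lists the rules ask you to configure. The sensitive-desktop variants of the rules are the same checks with a different host list.

```python
"""Added example: evaluate Windows logon events against the sensitive-server,
unauthorized-user/client, irregular-hours, disabled-user and built-in-account
rules listed above. Not the product's rule engine; every list below is a
hypothetical placeholder for the WHO/WHERE lists you configure."""
from __future__ import annotations
from datetime import datetime, time

# Hypothetical policy: the lists the rules tell you to fill in
SENSITIVE_SERVERS = {"FIN-SRV01"}
AUTHORIZED_USERS = {"FIN-SRV01": {"alice", "svc_backup"}}
AUTHORIZED_CLIENTS = {"FIN-SRV01": {"10.10.1.20", "ADMIN-WS7"}}   # client IPs or client names
DISABLED_USERS = {"bob"}                                          # ex-employees
BUILTIN_PRIVILEGED = {"administrator", "root"}
WORK_START, WORK_END = time(8, 0), time(18, 0)                    # working weekday window

# Security event 4624 LogonType values (real event values, not product identifiers)
LOGON_INTERACTIVE = "2"    # local console logon
LOGON_RDP = "10"           # RemoteInteractive (RDP) logon


def irregular_hours(ts: datetime) -> bool:
    """Weekend, or a weekday outside the working window."""
    return ts.weekday() >= 5 or not (WORK_START <= ts.time() < WORK_END)


def evaluate(event: dict) -> list[str]:
    """Return the rule names the event triggers (empty list if none)."""
    alerts: list[str] = []
    host = event["Computer"].split(".")[0].upper()
    user = event["TargetUserName"].lower()
    ltype = event["LogonType"]
    ts = datetime.fromisoformat(event["TimeCreated"])
    # either the client IP or the client name may appear on the allow list
    client_ids = {event.get("IpAddress"), event.get("WorkstationName")} - {None, "", "-"}

    if user in DISABLED_USERS:
        alerts.append("Logging in to any machine by disabled users")
    if ltype not in (LOGON_INTERACTIVE, LOGON_RDP) or host not in SENSITIVE_SERVERS:
        return alerts   # service/network logons and non-sensitive hosts: nothing more to check
    how = "remotely (RDP)" if ltype == LOGON_RDP else "locally"
    if user in BUILTIN_PRIVILEGED:
        alerts.append("Logging in with the default built-in privileged account to sensitive servers")
    if user not in AUTHORIZED_USERS.get(host, set()):
        alerts.append(f"Logging in {how} to sensitive Windows Server by unauthorized user")
    if ltype == LOGON_RDP:
        if not client_ids & AUTHORIZED_CLIENTS.get(host, set()):
            alerts.append("Logging in remotely (RDP) to sensitive Windows Server from unauthorized client")
        if irregular_hours(ts):
            alerts.append("Logging in remotely (RDP) to sensitive Windows Server during irregular hours")
    return alerts


# Constructed 4624-style records (hosts, users and IPs invented for the example)
SAMPLE_EVENTS = [
    {"TimeCreated": "2024-03-12T10:15:00", "Computer": "FIN-SRV01.corp.example",   # Tue, working hours
     "TargetUserName": "alice", "LogonType": "10", "IpAddress": "10.10.1.20", "WorkstationName": "ADMIN-WS7"},
    {"TimeCreated": "2024-03-16T02:30:00", "Computer": "FIN-SRV01.corp.example",   # Sat 02:30, unknown client
     "TargetUserName": "alice", "LogonType": "10", "IpAddress": "192.168.50.9", "WorkstationName": "LAPTOP-X"},
    {"TimeCreated": "2024-03-13T09:00:00", "Computer": "WS-0042.corp.example",     # ex-employee at a console
     "TargetUserName": "bob", "LogonType": "2", "IpAddress": "-", "WorkstationName": "WS-0042"},
    {"TimeCreated": "2024-03-13T11:00:00", "Computer": "FIN-SRV01.corp.example",   # built-in Administrator via RDP
     "TargetUserName": "Administrator", "LogonType": "10", "IpAddress": "10.10.1.20", "WorkstationName": "ADMIN-WS7"},
]


def run(events: list[dict] = SAMPLE_EVENTS) -> dict[int, list[str]]:
    """Index of each alerting event -> the rules it triggered."""
    return {i: evaluate(e) for i, e in enumerate(events) if evaluate(e)}


if __name__ == "__main__":
    for i, names in run().items():
        print(i, SAMPLE_EVENTS[i]["TargetUserName"], names)
```

Two things the rules leave to you and the example makes explicit: the client check accepts either the source IP or the workstation name, so a client list can mix both, and the irregular-hours check is evaluated in the timestamp's own timezone, so events must be normalised to one zone before the working-window comparison means anything.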

Unauthorized Machine Access (Unix/Linux)

The following out-of-the-box alert rules are assigned to the (Unix/Linux) Category: UNAUTHORIZED MACHINE ACCESS.

ALERT RULE

Description

Leapfrogging with identity change 1

An alert is triggered when a new SSH session is opened under a different identity from the one that originally logged in, which could indicate account misuse.

Note: This is rule 1 out of 2 rules for this scenario.

Leapfrogging with identity change 2

An alert is triggered when a new SSH session is opened under a different identity from the one that originally logged in, which could indicate account misuse.

Note: This is rule 2 out of 2 rules for this scenario.

Logging in remotely to sensitive Unix or Linux machine from unauthorized client

An alert is triggered upon detecting a new login to a sensitive machine from an unauthorized remote client IP. The rule applies when the agent is installed on the machine being accessed (i.e., not on the controlling machine).
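As an added example for the Unix/Linux rules (not code from the product), the Python below replays constructed auth.log lines in the Debian/Ubuntu sshd and sudo format through two checks: an accepted SSH login to a sensitive host from a client IP outside its allow list, and a login chain whose identity changes between hops, seen either as a sudo to another user that immediately runs ssh on the source host, or as an accepted login on a second host whose source IP is a monitored host where no active session belongs to that user name. Which of these conditions the product's rule 1 and rule 2 each cover is not stated on this page, so that split is the example's own; the host names, IPs and inventory map are hypothetical.

```python
"""Added example: replay auth.log lines through the two Unix/Linux checks
described above. Not the product's rule engine; the inventory, host names
and IPs are hypothetical and the log lines are constructed."""
from __future__ import annotations
import re
from collections import defaultdict

# Hypothetical inventory of monitored hosts (name -> its address), the
# sensitive hosts, and the client IPs allowed to reach each sensitive host
HOST_IP = {"bastion01": "10.10.1.5", "db01": "10.10.2.11"}
SENSITIVE_HOSTS = {"db01"}
AUTHORIZED_CLIENTS = {"db01": {"10.10.1.20"}}

# Constructed auth.log lines in the Debian/Ubuntu sshd and sudo format
AUTH_LOG = """\
Mar 12 10:15:01 bastion01 sshd[2101]: Accepted publickey for alice from 10.10.1.20 port 51234 ssh2: ED25519 SHA256:aaaa
Mar 12 10:16:40 bastion01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=deploy ; COMMAND=/usr/bin/ssh db01
Mar 12 10:16:42 db01 sshd[880]: Accepted publickey for deploy from 10.10.1.5 port 40022 ssh2: ED25519 SHA256:bbbb
Mar 12 11:02:10 db01 sshd[901]: Accepted password for carol from 10.10.1.20 port 40100 ssh2
Mar 12 11:30:00 db01 sshd[915]: Accepted publickey for carol from 172.16.9.9 port 40101 ssh2: ED25519 SHA256:cccc
"""

TS = r"(?P<ts>\w{3}\s+\d+ [\d:]+)"
ACCEPTED = re.compile(TS + r" (?P<host>\S+) sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port")
SUDO = re.compile(TS + r" (?P<host>\S+) sudo:\s+(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")

LEAPFROG = "Leapfrogging with identity change"
UNAUTH_CLIENT = "Logging in remotely to sensitive Unix or Linux machine from unauthorized client"


def analyse(log: str) -> list[tuple[str, str]]:
    """Return (rule, detail) pairs in log order."""
    alerts: list[tuple[str, str]] = []
    active: dict[str, set[str]] = defaultdict(set)   # host -> users with an accepted SSH session
    ip_to_host = {ip: h for h, ip in HOST_IP.items()}

    for line in log.splitlines():
        m = ACCEPTED.match(line)
        if m:
            host, user, ip, ts = m["host"], m["user"], m["ip"], m["ts"]
            src = ip_to_host.get(ip)
            # hop in from a monitored host where nobody is logged in under this name
            if src and active[src] and user not in active[src]:
                alerts.append((LEAPFROG, f"{ts} {'/'.join(sorted(active[src]))}@{src} -> {user}@{host}"))
            if host in SENSITIVE_HOSTS and ip not in AUTHORIZED_CLIENTS.get(host, set()):
                alerts.append((UNAUTH_CLIENT, f"{ts} {user}@{host} from {ip}"))
            active[host].add(user)
            continue
        m = SUDO.match(line)
        # identity change on the source host that immediately opens an outbound ssh
        if m and m["target"] != m["user"] and m["cmd"].split()[0].endswith("ssh"):
            alerts.append((LEAPFROG, f"{m['ts']} {m['user']} as {m['target']} on {m['host']} ran {m['cmd']}"))
    return alerts


if __name__ == "__main__":
    for rule, detail in analyse(AUTH_LOG):
        print(f"{rule}: {detail}")
```

One hop produces two leapfrogging alerts here because the source host's sudo log and the destination host's sshd log each see half of it; as the page notes for the client-IP rule, which half you actually have depends on where the agent is installed. The session table never expires entries, so a real detector would also consume the sshd "Disconnected" and "session closed" lines, and a login to a host that is not in the inventory map can only be judged by the client-IP rule.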