List of Active Alert Rules
|
Alert Rule Name |
Required Tuning (Mandatoryand Optional) |
|---|---|
|
DATA EXFILTRATION |
|
|
Performing large file or folder copy during irregular hours |
|
|
Exporting data from enterprise web application by file downloading |
|
|
Accessing upload and sharing cloud services |
- |
|
Exfiltrating tracked file to the web by uploading |
|
|
Performing large file or folder copy |
- |
|
Exfiltrating a file to an unlisted USB device |
|
|
Connecting unlisted USB device |
|
|
Exfiltrating a file to the web by uploading |
|
| Exfiltrating a file that was tagged with a sensitive MIP label |
|
|
Exfiltrating tracked file to a cloud sync folder |
|
|
Printing sensitive documents |
|
|
Printing large number of pages during irregular hours |
|
|
Sending email with sensitive keywords in Subject to untrusted domain |
|
|
Sending email with large file attachment to untrusted domain |
|
|
Sending email with sensitive file attachment to untrusted domain |
|
|
Saving email file attachment to a local sync folder |
- |
|
Saving email file attachment to a USB storage device |
- |
|
Pasting files copied from sensitive folders |
|
|
Pasting text that contains predefined sensitive keywords |
|
|
DATA INFILTRATION |
|
|
Browsing harmful, risky or contaminating sites |
- |
|
Downloading file from a site dedicated to downloads |
- |
|
Downloading file from a cloud storage service site |
|
|
Downloading file with potentially malicious extension |
|
|
Downloading file from infected or malicious site |
- |
|
CARELESS BEHAVIOR |
|
|
Running software to enable sharing and access from remote machine |
- |
|
Opening a clear text file that potentially stores passwords |
- |
|
BYPASSING SECURITY CONTROLS |
|
|
Running TOR browser |
- |
|
Downloading the MIMIKATZ utility |
- |
|
Browsing to website related to MIMIKATZ utility |
- |
|
Running VPN, Proxy or Tunneling tools |
- |
|
HIDING INFORMATION AND COVERING TRACKS |
|
|
Clearing browsing history in Google Chrome |
- |
|
Clearing browsing history in IE or Firefox |
- |
|
Running steganography tools |
- |
|
RUNNING MALICIOUS SOFTWARE |
|
|
Running password and license cracking tools |
- |
|
Running hacking or spoofing tools |
- |
|
Running command-line-based hacking tool |
- |
|
Running port scanning tools |
- |
|
UNACCEPTABLE USE |
|
|
Running computer anti-sleep software |
- |
|
Browsing Illegal activities, violence or hate sites |
- |
|
Browsing unauthorized predefined sites |
|
|
Browsing Adult sites |
- |
|
Browsing Gambling sites |
- |
|
Browsing Illegal drugs sites |
- |
|
UNAUTHORIZED DATA ACCESS |
|
|
Accessing sensitive folder |
|
|
UNAUTHORIZED MACHINE ACCESS |
|
|
Logging in remotely (RDP) to sensitive Windows Server from unauthorized client |
|
|
Logging in to any machine by disabled users (ex-employees) |
- |
|
Logging in Remotely (RDP) to sensitive Windows Desktop by unauthorized user |
|
|
SEARCHING FOR INFORMATION |
|
|
Searching data on password cracking |
- |
|
Searching data on steganography |
- |
|
Searching data on monitoring or sniffing |
|
|
Searching data on Remote Access and Desktop Sharing |
|
|
Running advanced monitoring or sniffing |
|
|
Searching data on hacking or spoofing |
|
|
Searching data on file transfer (FTP or SFTP) |
|
|
Searching data on Dynamic-DNS |
|
|
Searching data on Darknet TOR (The Onion Router) |
|
|
Searching data on VPN, Proxy or Tunneling |
|
|
PERFORMING UNAUTHORIZED ADMIN TASKS |
|
|
Running PowerShell-specific dangerous command |
|
|
MESSING WITH OBSERVEIT COMPONENTS |
|
|
Trying to kill ObserveIT processes on Windows |
|
|
Trying to Kill ObserveIT processes on Mac |
|
|
Opening ObserveIT Agent folder |
- |
|
INSTALLING/UNINSTALLING QUESTIONABLE SOFTWARE |
|
|
Installing hacking or spoofing tools |
|
|
COPYRIGHT INFRINGEMENT |
|
|
Downloading file from copyright-violating or P2P site |
- |
|
Browsing copyright-violating sites |
- |
|
CREATING BACKDOOR |
|
|
Adding a local Windows User |
- |