Suspicious user activity

  • Data Sent During Unusual Hours

    Detects data that is sent at an unusual time. You define what is considered an unusual time in the script classifier, Unusual Hours. Each rule in this policy targets a different type of data, such as Office or archive files.

    Example: If you define working days in the classifier as Monday-Friday and unusual hours as 9 p.m.-5 a.m., then data sent on Saturday, Sunday, or during the working week between 9 p.m. and 5 a.m. triggers this policy.

    • Confidential in Header/Footer Sent During Unusual Hours
    • Office Files Sent Over Time During Unusual Hours
    • Archive Files Sent Over Time During Unusual Hours
    • Python Source Code Sent During Unusual Hours
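
    The following Python is an added example and not part of the product documentation: it implements the decision the Unusual Hours classifier makes with the configuration from the example above. The working-day set, the window boundaries and the transaction list are constructed for illustration; the detail worth getting right is that a window such as 9 p.m. to 5 a.m. wraps past midnight, so it cannot be tested with a single start <= t < end comparison, and that timestamps must already be in the organization's local time zone.

```python
from datetime import datetime, time

# Constructed configuration mirroring the example in the text:
# working days are Monday-Friday, unusual hours run from 21:00 to 05:00.
WORKING_DAYS = {0, 1, 2, 3, 4}      # datetime.weekday(): Monday == 0 ... Sunday == 6
UNUSUAL_START = time(21, 0)
UNUSUAL_END = time(5, 0)


def in_window(t, start, end):
    """True if clock time t lies in [start, end).

    A window whose end precedes its start (21:00 -> 05:00) wraps past
    midnight, so it is the union of [start, 24:00) and [00:00, end).
    """
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def is_unusual_time(sent_at, working_days=WORKING_DAYS,
                    start=UNUSUAL_START, end=UNUSUAL_END):
    """Classifier decision for one transaction.

    Any time on a non-working day is unusual; on a working day only the
    configured clock window is. sent_at is a datetime or an ISO 8601 string
    and is assumed to be in the organization's local time zone: feeding UTC
    timestamps to a window defined in local hours shifts the window.
    """
    if isinstance(sent_at, str):
        sent_at = datetime.fromisoformat(sent_at)
    if sent_at.weekday() not in working_days:
        return True
    return in_window(sent_at.time(), start, end)


def flag_unusual(transactions):
    """Apply the classifier to (user, sent_at, filename) tuples and return the
    ones that would feed the "Sent During Unusual Hours" rules."""
    return [t for t in transactions if is_unusual_time(t[1])]


# Constructed transactions; 2024-03-04 is a Monday, 2024-03-09 a Saturday.
SAMPLE = [
    ("alice", datetime(2024, 3, 4, 20, 59), "q1-forecast.xlsx"),  # Monday, just before the window
    ("alice", datetime(2024, 3, 4, 21, 0), "q1-forecast.xlsx"),   # Monday 21:00: unusual
    ("bob", datetime(2024, 3, 5, 4, 59), "backup.zip"),           # Tuesday 04:59: unusual
    ("bob", datetime(2024, 3, 5, 5, 0), "backup.zip"),            # Tuesday 05:00: window closed
    ("carol", datetime(2024, 3, 9, 12, 0), "model.py"),           # Saturday noon: unusual
]

if __name__ == "__main__":
    for user, when, name in flag_unusual(SAMPLE):
        print(f"{when:%a %H:%M} {user} {name}")
```

    The per-file-type rules listed above would each combine this time check with their own content classifier (Office file, archive, Python source), so the time decision is kept separate from the content decision.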
  • Deep Web URLs

    Policy for detecting deep web URLs that appear in analyzed content, such as textual documents or email messages, and end with the pseudo-top-level domains .onion and .i2p. The deep web is the portion of World Wide Web content that is not indexed by standard search engines and is intentionally hidden from the regular Internet, reachable only with special software: Tor for .onion addresses and I2P for .i2p addresses. Such URLs are used for anonymous defamation, unauthorized leaks of sensitive information and copyright infringement, distribution of illegal sexual content, selling controlled substances, money laundering, bank fraud, credit card fraud and identity theft, among other things. The rules for this policy are:

    • Deep Web URLs: .i2p (Wide)
    • Deep Web URLs: .i2p (Default)
    • Deep Web URLs: .onion
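
    As an added example (not the product's own classifier), the following Python extracts .onion and .i2p hosts from text and, for .onion, verifies the structure of a version-3 address, which removes most of the false positives a bare suffix match produces (the word "onion" in a domain, or a made-up host in a comment). The regex, the sample text and the dummy key used to build a valid-looking v3 address are constructed here; the checksum rule itself follows the Tor rendezvous v3 specification.

```python
import base64
import binascii
import hashlib
import re

# A hostname under the pseudo-TLD .onion or .i2p, optionally preceded by a
# URL scheme. The negative lookahead stops "x.onion.example.com" from
# matching while still allowing a sentence-ending full stop after the host.
DEEP_WEB_HOST = re.compile(
    r"(?i)(?:[a-z][a-z0-9+.-]*://)?"
    r"((?:[a-z0-9-]+\.)+(?:onion|i2p))"
    r"(?![a-z0-9-]|\.[a-z0-9])"
)


def onion_v3_valid(label):
    """Verify a version-3 onion service label: 56 base32 characters encoding
    PUBKEY || CHECKSUM || VERSION, where CHECKSUM is the first two bytes of
    SHA3-256(".onion checksum" || PUBKEY || VERSION) and VERSION is 0x03."""
    if len(label) != 56:
        return False
    try:
        raw = base64.b32decode(label.upper())
    except (binascii.Error, ValueError):
        return False
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != b"\x03":
        return False
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return checksum == expected


def make_onion_v3(pubkey):
    """Build a structurally valid v3 address from a 32-byte key. Used here only
    to construct sample data; the key is not a real service key."""
    version = b"\x03"
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return base64.b32encode(pubkey + checksum + version).decode().lower() + ".onion"


def find_deep_web_urls(text):
    """Return (host, kind) for every deep web host in the text. Onion hosts are
    kept only when the label has the v3 structure with a valid checksum or the
    16-character base32 shape of a legacy v2 address; anything else that merely
    ends in .onion is dropped as a false positive."""
    hits = []
    for m in DEEP_WEB_HOST.finditer(text):
        host = m.group(1).lower()
        labels = host.split(".")
        if labels[-1] == "i2p":
            hits.append((host, "i2p"))
            continue
        name = labels[-2]   # the label directly before .onion; subdomains may precede it
        if onion_v3_valid(name):
            hits.append((host, "onion-v3"))
        elif re.fullmatch(r"[a-z2-7]{16}", name):
            hits.append((host, "onion-v2"))
    return hits


# Constructed sample: the v3 address derives from a dummy key, the v2 address
# is a placeholder of the right shape, and the 56 x "a" host decodes with the
# wrong version byte, so it fails verification and is not reported.
V3_HOST = make_onion_v3(bytes(range(32)))
SAMPLE = f"""Drop is at http://{V3_HOST}/upload and mirrored on example.i2p.
The onion soup recipe lives at recipes.example.com/onion.
Bogus: {'a' * 56}.onion/
Legacy: abcdefghijklmnop.onion."""

if __name__ == "__main__":
    for host, kind in find_deep_web_urls(SAMPLE):
        print(f"{kind:9} {host}")
```

    The "(Wide)" and "(Default)" variants of the .i2p rule are not specified on this page; in this example the .i2p branch corresponds to the wide behaviour, since I2P names carry no checksum that could be verified.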
  • Email to Competitors

    Policy for detecting email messages sent to competitors, including messages that carry contact information or an encrypted attachment. The rules for this policy are:

    • Email to Competitors
    • Contact Information to Competitors
    • Encrypted Attachment to Competitors
  • Malicious Concealment

    Policy for detecting content suspected of having been manipulated to avoid detection. This may cause false positives. The rules for this policy are:

    • Manipulated Content - L33T
    • Manipulated Content - Reversed Text
    • Manipulated Content - ROT13
    • Manipulated Content - Upside Down Text
    • Manipulated Content (Default)
    • Manipulated Content (Narrow)
    • Manipulated Content (Wide)
  • Password Dissemination

    Detects content suspected to be a password in clear text. The rules for this policy are:

    • Password Dissemination: Email Address and Password (Wide)
    • Password Dissemination: Email Address and Password (Default)
    • Password Dissemination for HTTP Traffic (Wide)
    • Password Dissemination for HTTP Traffic (Default)
    • Password Dissemination for HTTP Traffic (Narrow)
    • Password Dissemination for non-HTTP/S Traffic (Wide)
    • Password Dissemination for non-HTTP/S Traffic (Default)
    • Password Dissemination for non-HTTP/S Traffic (Narrow)
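
    As an added example, not the product's own rules, the following Python implements the two rule families above: a content match for an e-mail address and a password value on the same line (which applies to mail bodies, files and non-HTTP/S traffic alike), and a check of form-encoded HTTP request bodies. The Wide/Default/Narrow split is this example's assumption about how such tiers are built, with each tier demanding more evidence; the field-name lists, placeholder list and captured bodies are constructed.

```python
import re
from urllib.parse import parse_qs

EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")
# A password keyword, a separator, and a non-blank value on the same line.
PASSWORD_KV = re.compile(r"(?i)\b(?:password|passwd|passcode|pwd|pass)\b\s*[:=]\s*(\S+)")

# Form field names for the HTTP rule family (assumed lists).
PASSWORD_FIELDS = {"password", "passwd", "pwd", "pass", "user_password", "login_password"}
USER_FIELDS = {"username", "user", "login", "email", "uid", "userid"}
# Values that reveal nothing and should not count as a real password.
PLACEHOLDERS = {"", "password", "********", "xxxxxxxx", "changeme"}


def email_and_password(text):
    """Rule "Email Address and Password": (email, password) for every line
    that carries both an e-mail address and a password value."""
    pairs = []
    for line in text.splitlines():
        emails = EMAIL.findall(line)
        kv = PASSWORD_KV.search(line)
        if emails and kv:
            pairs.append((emails[0], kv.group(1)))
    return pairs


def http_password_tier(body):
    """Rule family "Password Dissemination for HTTP Traffic" on a form-encoded
    request body. Tiers (this example's assumption):
      Wide    - a password-named field is present at all
      Default - ...and it carries a real (non-placeholder) value
      Narrow  - ...and a user-identifying field travels with it
    Returns the narrowest tier satisfied, or None."""
    fields = {k.lower(): v for k, v in parse_qs(body, keep_blank_values=True).items()}
    pw_fields = [k for k in fields if k in PASSWORD_FIELDS]
    if not pw_fields:
        return None
    values = [v for k in pw_fields for v in fields[k]]
    if all(v.strip().lower() in PLACEHOLDERS for v in values):
        return "Wide"
    if not any(k in USER_FIELDS for k in fields):
        return "Default"
    return "Narrow"


# Constructed samples: an e-mail body and four captured POST bodies.
MAIL_BODY = """Hi, the shared account is below.
login: alice@example.com password: Tr0ub4dor&3
Please do not forward this."""

POST_BODIES = [
    "username=alice%40example.com&password=hunter2&remember=1",  # Narrow
    "password=hunter2&remember=1",                                # Default
    "username=alice&password=",                                   # Wide
    "q=reset+password",                                           # no credential field
]

if __name__ == "__main__":
    print(email_and_password(MAIL_BODY))
    for body in POST_BODIES:
        print(http_password_tier(body), body)
```

    Only form-encoded bodies are handled here; a JSON login body needs its own parser before the same field-name logic applies, and a TLS-terminated HTTPS stream is a prerequisite for seeing the body at all.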
  • Problem Gambling

    Detects expressions that are indicative of problem gambling; for example, “I am addicted to gambling”, “My gambling is out of control”. The rule for this policy is:

    • Problem Gambling
  • Suspected Mail to Self

    Policy for detecting email messages that are being sent from one’s corporate email address to his or her personal email address. The rules for this policy are:

    • Self CV/Resume Distribution: English (Wide)
    • Self CV/Resume Distribution: English (Default)
    • Archive Files Sent Over Time in Suspected Mail to Self
    • Confidential in Header/Footer in Suspected Mail to Self
    • Database Files in Suspected Mail to Self
    • Encrypted Files of Known Format in Suspected Mail to Self
    • Encrypted Files of Unknown Format in Suspected Mail to Self
    • Office Files Sent Over Time in Suspected Mail to Self
    • Source Code in Suspected Mail to Self
    • Python Source Code in Suspected Mail to Self
    • Suspected Mail to Self
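
    The following Python is an added example (not the product's own implementation) of the core decision in this policy: whether a recipient at a consumer webmail provider is plausibly the sender's own personal mailbox. It compares a normalized form of the recipient's local part against the sender's local part and against aliases derived from the sender's directory name. The corporate domain, webmail list and directory are constructed stand-ins.

```python
import re

# Constructed data standing in for the organization's mail domain, a list of
# consumer webmail providers, and a directory of corporate address -> name.
CORPORATE_DOMAINS = {"corp.example"}
WEBMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}
DIRECTORY = {
    "j.doe@corp.example": ("John", "Doe"),
    "asmith@corp.example": ("Alice", "Smith"),
}


def split_address(addr):
    local, _, domain = addr.lower().rpartition("@")
    return local, domain


def normalize_local(local):
    """Collapse "John.Doe+news1984" to "johndoe": drop a plus-tag, separators
    and trailing digits, the usual ways a personal address is derived from
    a name."""
    local = local.lower().split("+", 1)[0]
    local = re.sub(r"[._-]", "", local)
    return re.sub(r"\d+$", "", local)


def self_aliases(first, last):
    """Name-based forms a person is likely to use for a personal mailbox."""
    first, last = first.lower(), last.lower()
    return {first + last, last + first, first[0] + last, last + first[0]}


def suspected_mail_to_self(sender, recipients, directory=DIRECTORY):
    """Return the recipients that look like the sender's own personal mailbox.
    Only corporate senders are considered, and only webmail recipients can
    match, so internal mail and mail to other people's webmail stay quiet."""
    sender_local, sender_domain = split_address(sender)
    if sender_domain not in CORPORATE_DOMAINS:
        return []
    aliases = {normalize_local(sender_local)}
    if sender.lower() in directory:
        aliases |= self_aliases(*directory[sender.lower()])
    flagged = []
    for rcpt in recipients:
        local, domain = split_address(rcpt)
        if domain in WEBMAIL_DOMAINS and normalize_local(local) in aliases:
            flagged.append(rcpt)
    return flagged


if __name__ == "__main__":
    print(suspected_mail_to_self("j.doe@corp.example",
                                 ["johndoe1984@gmail.com", "team@corp.example"]))
```

    The rules listed above then pair this recipient check with a content classifier (CV, confidential header, database file, source code, and so on), which is why the same "in Suspected Mail to Self" suffix recurs across unrelated content types.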
  • Unknown File Formats Over Time

    Detects when unencrypted binary files of unknown formats are being sent repeatedly over a period of time. For example, if 50 unencrypted files of an unknown format are sent during 1 hour, this policy is triggered. The rules for this policy are:

    • Unknown file formats over time (Wide)
    • Unknown file formats over time (Default)
    • Unknown file formats over time (Narrow)
    • Unknown file formats over time to uncategorized sites
  • User Traffic Over Time

    Policy for detecting suspicious user behavior by measuring the rate and type of transactions over time. This may cause false positives. The rules for this policy are:

    • User Traffic Over Time: CV and Resume
    • User Traffic Over Time: Source Code
    • User Traffic Over Time: Specific Attachment
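
    The following Python is an added example, not the product's own engine, serving both the Unknown File Formats Over Time policy and the User Traffic Over Time policy above. Both are the same mechanism: a per-user sliding-window counter that fires when enough qualifying transactions land inside the window (50 in 1 hour for the unknown-format rule, as in the text), with a predicate that differs per rule. The unknown-format predicate shown here uses a deliberately partial magic-number table, a text check so that plain text is not counted as "binary", and a byte-entropy check to skip encrypted payloads; the source-code predicate keys on the extension. The magic table, extension list, thresholds and all sample payloads are constructed.

```python
import math
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Leading bytes of formats the scanner recognises (assumed, deliberately partial).
KNOWN_MAGIC = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip/ooxml",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"\x7fELF": "elf",
    b"MZ": "pe",
}
SOURCE_EXTENSIONS = {"py", "java", "c", "cpp", "go", "js", "cs"}   # assumed list


def identify(data):
    """Format name for a recognised magic number, else None."""
    for magic, name in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def looks_like_text(data):
    """Valid UTF-8 with no control characters other than tab/newline: text, not binary."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return all(ch.isprintable() or ch in "\t\n\r" for ch in text)


def shannon_entropy(data):
    """Bits per byte: uniform random data scores 8.0, English text about 4.5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(data, threshold=7.5):
    """Ciphertext (and well-compressed data) sits close to 8 bits per byte; the
    rule counts only unencrypted files, so such payloads are left to the
    "Encrypted Files of Unknown Format" rules."""
    return shannon_entropy(data) >= threshold


def is_unknown_unencrypted(name, data):
    return identify(data) is None and not looks_like_text(data) and not looks_encrypted(data)


def is_source_code(name, data):
    return name.rsplit(".", 1)[-1].lower() in SOURCE_EXTENSIONS


class OverTimeRule:
    """Per-key sliding-window counter. Transactions must arrive in time order,
    because eviction only inspects the oldest entry. After firing, the key's
    window is reset so one burst yields one incident rather than a flood."""

    def __init__(self, threshold, window):
        self.threshold, self.window = threshold, window
        self._seen = defaultdict(deque)

    def record(self, key, when):
        q = self._seen[key]
        q.append(when)
        while when - q[0] > self.window:
            q.popleft()
        if len(q) >= self.threshold:
            q.clear()
            return True
        return False


def over_time(transactions, qualifies, threshold, window):
    """transactions: (user, sent_at, filename, payload). Returns [(user, sent_at)]
    at which the rule fired."""
    rule = OverTimeRule(threshold, window)
    alerts = []
    for user, when, name, payload in sorted(transactions, key=lambda t: t[1]):
        if qualifies(name, payload) and rule.record(user, when):
            alerts.append((user, when))
    return alerts


def unknown_formats_over_time(tx):
    return over_time(tx, is_unknown_unencrypted, threshold=50, window=timedelta(hours=1))


def source_code_over_time(tx):
    return over_time(tx, is_source_code, threshold=10, window=timedelta(hours=1))


# Constructed payloads: a low-entropy unknown binary, a PDF header, plain
# source text, and a stand-in for ciphertext (every byte value equally often).
UNKNOWN = b"\x00\x01\x02" + b"RECORD" * 40
PDF = b"%PDF-1.7\n%constructed\n"
SOURCE = b"def main():\n    print('hello')\n"
CIPHERTEXT = bytes(range(256)) * 16


def build_sample():
    base = datetime(2024, 3, 4, 9, 0)
    tx = [("alice", base + timedelta(minutes=i), f"blob{i}.dat", UNKNOWN) for i in range(50)]
    tx += [("alice", base + timedelta(minutes=10), "report.pdf", PDF),
           ("alice", base + timedelta(minutes=20), "archive.enc", CIPHERTEXT)]
    # bob: 60 unknown files, but 30 at 09:00-09:29 and 30 at 11:00-11:29, never 50 in one hour
    tx += [("bob", base + timedelta(minutes=i), f"blob{i}.dat", UNKNOWN) for i in range(30)]
    tx += [("bob", base + timedelta(hours=2, minutes=i), f"blob{i}.dat", UNKNOWN) for i in range(30)]
    tx += [("carol", base + timedelta(minutes=i), f"module{i}.py", SOURCE) for i in range(12)]
    return tx


if __name__ == "__main__":
    tx = build_sample()
    print("unknown formats:", unknown_formats_over_time(tx))
    print("source code:", source_code_over_time(tx))
```

    With this data only alice trips the unknown-format rule (on her 50th file, 49 minutes in) and only carol trips the source-code rule; bob's 60 files never share a one-hour window. The "to uncategorized sites" variant would add a destination predicate on top of the same counter.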
  • Files Containing Macros

    Policy for detecting files that contain macros. The rules for this policy are:

    • Macro-Enabled Microsoft Office Excel Files
    • Macro-Enabled Microsoft Office PowerPoint Files
    • Macro-Enabled Microsoft Office Visio Files
    • Macro-Enabled Microsoft Office Word Files
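
    As an added example (not the product's own classifier), the following Python shows the check behind these four rules for the OOXML package formats: open the ZIP container, read [Content_Types].xml, and look for the vbaProject.bin part that holds the VBA project. Keying on the part rather than the file extension matters, because a .docm renamed to .docx still carries word/vbaProject.bin. The content-type strings follow the OOXML packaging conventions; the package builder and the stub VBA part are constructed test data, and legacy binary .doc/.xls files (OLE2 containers) are out of scope here since they need an OLE parser.

```python
import io
import re
import zipfile

# The part that holds compiled VBA in every macro-enabled OOXML package
# (under word/, xl/, ppt/ or visio/ depending on the application).
VBA_PART = re.compile(r"(?i)(?:^|/)vbaProject\.bin$")

# Main-part content types that declare a macro-enabled document, mapped to
# the application name used in the rule titles (assumed list of four).
MACRO_MAIN_TYPES = {
    "application/vnd.ms-word.document.macroEnabled.main+xml": "Word",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml": "Excel",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml": "PowerPoint",
    "application/vnd.ms-visio.drawing.macroEnabled.main+xml": "Visio",
}
APP_BY_DIR = {"word": "Word", "xl": "Excel", "ppt": "PowerPoint", "visio": "Visio"}


def inspect_package(data):
    """Report which application an OOXML package belongs to, whether its main
    part is declared macro-enabled, and which VBA parts it actually carries.
    Returns None for anything that is not a ZIP container."""
    if not data.startswith(b"PK\x03\x04"):
        return None
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
        names = zf.namelist()
        types_xml = ""
        if "[Content_Types].xml" in names:
            types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return None
    dirs = [n.split("/", 1)[0] for n in names]
    app = next((APP_BY_DIR[d] for d in dirs if d in APP_BY_DIR), None)
    declared = [a for ct, a in MACRO_MAIN_TYPES.items() if ct in types_xml]
    return {
        "application": app or (declared[0] if declared else "Unknown"),
        "declared_macro_enabled": bool(declared),
        "vba_parts": [n for n in names if VBA_PART.search(n)],
    }


def macro_rule(data):
    """Name of the rule that fires, or None. A VBA part is conclusive; a
    declared macro-enabled type with no VBA part is still reported, since the
    claim alone warrants a look."""
    info = inspect_package(data)
    if info is None or not (info["vba_parts"] or info["declared_macro_enabled"]):
        return None
    return f"Macro-Enabled Microsoft Office {info['application']} Files"


# Content types used to construct samples.
DOCM = "application/vnd.ms-word.document.macroEnabled.main+xml"
DOCX = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
XLSM = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
XLSX = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"


def build_package(app_dir, main_part, content_type, with_vba):
    """Construct a minimal stand-in for an Office package: the content types
    part, one main part and, optionally, a dummy vbaProject.bin."""
    parts = [
        '<?xml version="1.0" encoding="UTF-8"?>',
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
        '<Default Extension="xml" ContentType="application/xml"/>',
    ]
    if with_vba:
        parts.append('<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>')
    parts.append(f'<Override PartName="/{app_dir}/{main_part}" ContentType="{content_type}"/>')
    parts.append("</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "".join(parts))
        zf.writestr(f"{app_dir}/{main_part}", "<placeholder/>")
        if with_vba:
            zf.writestr(f"{app_dir}/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed stub, not real VBA")
    return buf.getvalue()


if __name__ == "__main__":
    for label, pkg in [("docm", build_package("word", "document.xml", DOCM, True)),
                       ("xlsx", build_package("xl", "workbook.xml", XLSX, False)),
                       ("renamed docm", build_package("word", "document.xml", DOCX, True))]:
        print(label, "->", macro_rule(pkg))
```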