Overview
The list of Recommended rules at the top of the Manage Rules screen contains a number of pre-configured templates. Customize the default settings in these templates to quickly create alert rules that notify you when activity occurs that your organization finds risky.
Recommended rules
To view recommended rule templates, select Alerts > Manage Rules. To create a rule from one of the templates, select one of the rules shown at the top of the page, or, for more options, click View all recommendations and then select a rule.
When the Step 1 of 3 panel opens for that template, use it to customize the rule for your unique needs and environment. Each recommended rule template uses alert rule settings to identify the specific file activity to alert on. The descriptions below identify the alert rule setting that each recommended rule uses; log into the Incydr console to view or change the options specific to that rule.
Filenames
Password exfiltration
Some password management systems install a client application on employee devices for local password database storage. For example, KeePass stores passwords in encrypted .KDBX files, while LastPass stores passwords in encrypted .PASS files. Although these files are encrypted and can only be accessed with a master password, they can be viewed by anyone with that master password and an installed version of the password management software. The Password exfiltration recommended rule uses the Filename or extension setting to track the movement of such password files to identify possible exfiltration.
This same rule also tracks the movement of files that may contain login credentials and passwords based on filenames containing common and obvious words, such as "credentials," "login," or "usernames." This criterion uses the * wildcard together with those words or abbreviations so that it detects activity across a variety of naming conventions and file types.
Tips to customize this rule: Add the Destination setting and select common exfiltration vectors to watch these locations.
- External devices: Select Removable media
- Cloud storage uploads: Select common cloud storage destinations, such as Box, Dropbox, and Google Drive
- Email uploads: Select common email providers, such as Gmail, iCloud, Outlook, and Yahoo
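As an added illustration (not Code42's own code), the following approximates how the Password exfiltration template's filename criteria and an optional Destination filter would be applied to file events. The pattern list, destination groupings and the sample events are constructed for this example.

```python
"""Added example (not Code42's own code): approximates the Password
exfiltration template's filename criteria plus an optional Destination
filter, run over constructed file events."""
from fnmatch import fnmatch

# Filename-or-extension criteria as the page describes them: password
# database extensions plus wildcard patterns around obvious words.
PASSWORD_FILE_PATTERNS = ["*.kdbx", "*.pass", "*credentials*", "*login*", "*usernames*"]

# Destination groupings a customized rule might watch (assumed grouping,
# mirroring the three customization tips above).
EXFIL_DESTINATIONS = {
    "Removable media": {"removable_media"},
    "Cloud storage": {"box", "dropbox", "google_drive"},
    "Email": {"gmail", "icloud", "outlook", "yahoo"},
}

def filename_matches(filename, patterns=PASSWORD_FILE_PATTERNS):
    """Case-insensitive wildcard match, as the * criteria imply."""
    name = filename.lower()
    return any(fnmatch(name, p.lower()) for p in patterns)

def evaluate(events, watched_destinations=None):
    """Return the events the rule would alert on.
    watched_destinations=None means no Destination filter (any move alerts)."""
    allowed = None
    if watched_destinations is not None:
        allowed = set().union(*(EXFIL_DESTINATIONS[d] for d in watched_destinations))
    hits = []
    for ev in events:
        if not filename_matches(ev["filename"]):
            continue
        if allowed is not None and ev["destination"] not in allowed:
            continue
        hits.append(ev)
    return hits

# Constructed sample events.
SAMPLE_EVENTS = [
    {"user": "alice", "filename": "Vault.kdbx", "destination": "removable_media"},
    {"user": "bob", "filename": "prod-Credentials.xlsx", "destination": "gmail"},
    {"user": "carol", "filename": "login_notes.txt", "destination": "corp_sharepoint"},
    {"user": "dave", "filename": "quarterly-report.docx", "destination": "dropbox"},
]

if __name__ == "__main__":
    for ev in evaluate(SAMPLE_EVENTS, ["Removable media", "Email"]):
        print(f"ALERT: {ev['user']} moved {ev['filename']} to {ev['destination']}")
```

Without a Destination filter, carol's move to the corporate share also alerts; adding the filter is what removes that expected activity.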
File categories
Source code email exfiltration
This recommended rule monitors the possible exfiltration of your important software intellectual property. This rule uses the Destination and the File categories rule settings to monitor file classifications normally associated with common programming languages uploaded as attachments to personal email services.
Tips to customize this rule: As with the Source code exfiltration recommended rule, add individual users or destinations as filters so that the rule is not triggered by expected activity.
Zip file exfiltration
Zip or archive files are a useful way to compress large or multiple files into more manageable packages for collaboration, but can also be used to conceal the business content that is being exfiltrated. The Zip file exfiltration recommended rule uses the File categories setting to notify you when such archive files are involved in file activity so that you can determine whether additional investigation is warranted.
Tips to customize this rule:
- Add the File volume setting to specify either a total file count or cumulative file size threshold (or both) after which the alert should be triggered. If your users generally exchange a small number of archive files for feedback and collaboration, this setting filters out that expected activity.
- Add the Destination setting and select applicable destinations other than Email uploads. Generally, most email services inherently prevent archive files from being attached to messages.
Source code exfiltration
The scripts and code created by software developers are essential intellectual property for many businesses. The Source code exfiltration recommended rule monitors the possible exfiltration of those files by using the File categories setting to monitor file classifications normally associated with common programming languages.
Tips to customize this rule:
- Add the Individual users setting and exclude the usernames of, for example, the members of your QA team. This filters out that expected activity so that you are not alerted as members of your QA team upload and exchange files as part of their testing.
- Add the Destination setting and make sure that the options for the source code repositories you use are not checked. This prevents you from being alerted about everyday uploads to your corporate source code repository by software developers.
User behaviors
Cloud share permission changes
Like the recommended rules above, this template uses the Destination rule settings to alert you when a user makes a file in your organization's cloud service environment publicly available via a direct link or shares it with external users.
Tips to customize this rule: Add the Individual users setting to exclude certain users from being monitored by this rule. For example, members of your legal team are working on a case with external counsel and need to share files with that firm. You can exclude these legal team members from the rule so that this expected activity is filtered out and you are not notified about their sharing activity.
File extension mismatch exfiltration
This recommended rule uses the File extension mismatch rule setting to alert you when exfiltration activity is detected for any file with an extension that doesn't match its contents. This setting doesn't have any criteria to select or enter: adding it to a rule automatically monitors for files with a mismatch between their extension and contents.
Tips to customize this rule: Add the Individual users setting to alert you when a mismatch is detected in file activity generated by specific users. For example, the Risk Exposure dashboard indicates that Filip has moved a large number of files, and further investigation in Forensic Search shows that many of these carry the File Mismatch risk indicator. You add Filip as a user monitored by this rule to better understand why his files show mismatches.
Destinations
Data sent to AI tools
This recommended rule uses the Destination and File categories rule settings to alert you when filenames that imply corporate data are uploaded to unapproved AI tools. The rule is also configured to automatically send an Instructor lesson to the user.
Corporate data moving to likely personal domains
This recommended rule uses the Destination rule setting to alert you when files acquired from locations with a source risk indicator are uploaded to personal email domains.
Specifically, this rule applies to events that meet all of these criteria:
- Includes the Email domains destination risk indicator
- Contains any source risk indicator except HR sources
- Has a risk severity of Critical or High
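The three criteria above, encoded as a predicate and checked against constructed events (an added example, not Code42's own rule logic). It assumes that "any source risk indicator except HR sources" means at least one non-HR source indicator is present, and that a Moderate severity exists below High; indicator names other than those on the page are illustrative.

```python
"""Added example (not Code42's own code): encodes the three criteria the
page lists for the Corporate data moving to likely personal domains rule
and evaluates constructed events against them."""

EMAIL_DOMAINS = "Email domains"          # destination risk indicator named on the page
HR_SOURCES = "HR sources"                # the one source indicator the rule excludes
ALERT_SEVERITIES = {"Critical", "High"}  # severities the rule requires

def matches_personal_domain_rule(event):
    """True only when all three criteria hold."""
    dest_ok = EMAIL_DOMAINS in event["destination_indicators"]
    # Assumed reading: at least one source indicator that is not HR sources.
    src_ok = any(s != HR_SOURCES for s in event["source_indicators"])
    sev_ok = event["severity"] in ALERT_SEVERITIES
    return dest_ok and src_ok and sev_ok

def explain(event):
    """Name the failing criteria; useful when tuning why an event did not alert."""
    reasons = []
    if EMAIL_DOMAINS not in event["destination_indicators"]:
        reasons.append("no Email domains destination indicator")
    if not any(s != HR_SOURCES for s in event["source_indicators"]):
        reasons.append("no non-HR source indicator")
    if event["severity"] not in ALERT_SEVERITIES:
        reasons.append("severity below High")
    return reasons

def alerting_ids(events):
    """Ids of the events the rule would alert on."""
    return [e["id"] for e in events if matches_personal_domain_rule(e)]

# Constructed sample events. "Acquired from Salesforce" and "Removable media"
# are indicators named on the page; "Moderate" severity is assumed.
SAMPLE_EVENTS = [
    {"id": 1, "destination_indicators": ["Email domains"], "source_indicators": ["Acquired from Salesforce"], "severity": "Critical"},
    {"id": 2, "destination_indicators": ["Email domains"], "source_indicators": ["HR sources"], "severity": "High"},
    {"id": 3, "destination_indicators": ["Email domains"], "source_indicators": ["HR sources", "Acquired from Salesforce"], "severity": "High"},
    {"id": 4, "destination_indicators": ["Removable media"], "source_indicators": ["Acquired from Salesforce"], "severity": "Critical"},
    {"id": 5, "destination_indicators": ["Email domains"], "source_indicators": ["Acquired from Salesforce"], "severity": "Moderate"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["id"], "ALERT" if matches_personal_domain_rule(ev) else explain(ev))
```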
Cloud sync folder exfiltration
This recommended rule uses the Destination rule setting to alert you about files that are moved to personal cloud storage services, such as Apple iCloud or Box. This rule monitors activity in both endpoint folders and users' web browsers to notify you when:
- Any file is moved to a folder on the endpoint that is commonly used to sync files with personal cloud storage services
- Any file is uploaded to a personal cloud storage service using tools within a browser window
Tips to customize this rule:
- Use the File categories setting to limit the file activity detected by this rule to only specific groupings of files. For example, your training department commonly uploads video files to various cloud storage providers to post training on external websites or make promotional materials available to advertising partners. Add the File categories setting to the rule but do not select the Video option to prevent Incydr from notifying you about this expected activity.
- Remove any company-approved personal cloud storage providers from the rule. For example, your company has a "work from anywhere" culture and encourages employees to use Google Drive to collaborate with colleagues and access files anywhere. To filter this approved activity out of alerts generated by this rule, clear the Google Drive option in the Destination settings.
Removable media exfiltration
The Removable media exfiltration recommended rule uses the Destination rule settings to alert you when any file is moved to removable media (such as an external memory card or USB drive).
Tips to customize this rule:
- Add the Filename or extension setting to alert you only when files with filenames or extensions that match the criteria you enter are moved to removable media. For example, your Accounting department uses "earnings" in the naming convention for financial reports. You can add this filename criterion to the rule to notify you when a user moves one of these reports to removable media.
- Add the File volume setting to reduce the noise generated by this rule so that it alerts you only when users move files to removable media in total count or size that exceed the thresholds you enter. For example, you could specify that the rule is triggered only when users move 5 or more files or only when users move more than a cumulative total of 100 MB to removable media.
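An added example (not Code42's own code) that models both customization tips above: removable-media moves are aggregated per user and alert when they cross the File volume thresholds given in the text (5 or more files, or more than 100 MB cumulative), optionally restricted to an "earnings" filename criterion. Per-user grouping and the sample events are assumptions; the page does not say how Incydr windows its totals.

```python
"""Added example (not Code42's own code): models the Removable media rule
with the File volume thresholds from the page and the optional "earnings"
filename criterion."""
from collections import defaultdict
from fnmatch import fnmatch

MB = 1024 * 1024
FILE_COUNT_THRESHOLD = 5          # "5 or more files"
SIZE_THRESHOLD_BYTES = 100 * MB   # "more than a cumulative total of 100 MB"

def removable_media_alerts(events, filename_pattern=None):
    """Aggregate removable-media moves per user (assumed grouping) and return
    the users whose totals cross either threshold, with their totals."""
    totals = defaultdict(lambda: {"count": 0, "bytes": 0})
    for ev in events:
        if ev["destination"] != "removable_media":
            continue
        if filename_pattern and not fnmatch(ev["filename"].lower(), filename_pattern.lower()):
            continue
        t = totals[ev["user"]]
        t["count"] += 1
        t["bytes"] += ev["size_bytes"]
    return {
        user: t for user, t in totals.items()
        if t["count"] >= FILE_COUNT_THRESHOLD or t["bytes"] > SIZE_THRESHOLD_BYTES
    }

# Constructed sample events: many small files, one large report, one small
# report, and a large upload that is not to removable media.
SAMPLE_EVENTS = (
    [{"user": "alice", "filename": f"photo{i}.jpg", "destination": "removable_media", "size_bytes": 2 * MB} for i in range(6)]
    + [{"user": "bob", "filename": "Q3-earnings.xlsx", "destination": "removable_media", "size_bytes": 150 * MB}]
    + [{"user": "carol", "filename": "earnings-draft.docx", "destination": "removable_media", "size_bytes": 1 * MB}]
    + [{"user": "dave", "filename": "backup.zip", "destination": "dropbox", "size_bytes": 900 * MB}]
)

if __name__ == "__main__":
    print("volume only:", removable_media_alerts(SAMPLE_EVENTS))
    print("earnings files:", removable_media_alerts(SAMPLE_EVENTS, "*earnings*"))
```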
Sources
Salesforce report exfiltration
Salesforce users can generate a number of reports that contain valuable sales, finance, and contact data. To detect the unauthorized release or access of this important business information, use the Salesforce report exfiltration recommended rule to identify exported or downloaded file events associated with such reports. This rule uses the Acquired from Salesforce risk indicator to detect files downloaded from Salesforce that are later moved to an untrusted destination.
Ensure that your Incydr administrator has added the domains your organization uses for its Salesforce and corporate cloud service environments to the trusted domains list. Doing so prevents the rule from being triggered by expected file activity generated by your sales team as they collaborate on leads and opportunities.