How to create a new detection rule

Learn how to customize default detection rules, so that identified risky events better reflect your company environment

Safetica NXT audits outgoing file transfers from endpoints where it is installed. To minimize false positives and make the detection of risky events more effective, Safetica NXT allows you to create your own detection rules. With their help, you can explicitly state whether you consider an event high-risk or safe, and thus tailor the detection process to your own company environment.

Creating a new detection rule

To create a new detection rule:

1.  Go to Data security > Detection rules.

2.  Click the button.

3.  Specify the new rule by selecting the desired criteria.

To see more than the basic criteria File category, Channel, and Destination, click the Advanced settings drop-down. Detailed info about the criteria can be found in the table below.

4.  After creation, the rule is displayed in the Detection rules overview table.

5.  Since detection rules are prioritized and evaluated from the top to the bottom of the list, drag and drop the rule to the correct position.

After a rule is created, changed, or moved to a different position in the list, the threat level is recalculated for all past events. Applying these changes might take a few minutes.

Rule creation

Detection rule criteria

Criterion          Description
File category      The type of files the detection rule should be applied to
Channel            The way via which the file left the endpoint
Destination        Specific address or path to which the file was transferred
File               File name or a part of it
Source type        The type of location from which the file was transferred
Source             Specific address or path from which the file was transferred
Minimum file size  The rule will not apply to files smaller than this value

The File, Source, and Destination criteria always treat the entered expression as a partial match. This means that the detection rule is applied to every event whose value contains the entered expression among other words. To require an exact match, enclose the entered expression in double quotes. Please note that an exact match for a file name must also include its extension.
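As an added illustration (not Safetica's own code), the following Python model shows how top-to-bottom rule priority, the partial versus double-quoted exact matching of the File, Source and Destination criteria, and the Minimum file size threshold interact when an event is classified; the rule names, the sample events, the "default" result for unmatched events and the case-insensitive comparison are assumptions.

```python
from dataclasses import dataclass
from typing import Optional
# Illustrative model only (not Safetica's code). Assumed: case-insensitive
# matching, first matching rule wins, unmatched events fall to default rules.

def text_matches(criterion: Optional[str], value: str) -> bool:
    """No criterion matches anything. A double-quoted criterion is an exact match
    (so a file name must include its extension); otherwise it is a partial match."""
    if not criterion:
        return True
    if len(criterion) >= 2 and criterion[0] == criterion[-1] == '"':
        return value.lower() == criterion[1:-1].lower()
    return criterion.lower() in value.lower()

@dataclass
class Rule:
    name: str
    threat: str                          # "high-risk" or "safe"
    file_category: Optional[str] = None  # pick-list criteria: exact value
    channel: Optional[str] = None
    source_type: Optional[str] = None
    destination: Optional[str] = None    # free-text criteria: partial or "exact"
    file: Optional[str] = None
    source: Optional[str] = None
    min_size: int = 0                    # bytes; smaller files never match

def rule_matches(rule: Rule, event: dict) -> bool:
    """event keys: file_category, channel, source_type, destination, file, source, size."""
    if event["size"] < rule.min_size:
        return False
    if any(getattr(rule, k) not in (None, event[k]) for k in ("file_category", "channel", "source_type")):
        return False
    return all(text_matches(getattr(rule, k), event[k]) for k in ("destination", "file", "source"))

def evaluate(rules: list, event: dict) -> str:
    """Rules are evaluated top to bottom; the first match decides the threat level."""
    for rule in rules:
        if rule_matches(rule, event):
            return rule.threat
    return "default"  # no custom rule matched; the default detection rules would apply

# Constructed sample rules: the "safe" rule is deliberately placed above the "high-risk" one.
RULES = [
    Rule("Company SharePoint", "safe", destination='"sharepoint.example.com"'),
    Rule("Contracts leaving", "high-risk", file="contract", min_size=1024),
]
def sample_event(destination: str, file: str, size: int) -> dict:
    return {"file_category": "Document", "channel": "Web upload", "source_type": "Local disk",
            "destination": destination, "file": file, "source": "C:\\Users\\alice", "size": size}
```

Reversing the order of RULES classifies the same SharePoint upload as high-risk, which is why the position of a rule in the list matters as much as its criteria.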

Want to learn more? Read next:

Safetica NXT Data security - Detection rules

Safetica NXT Data security - Overview

How to create a new detection rule from the Event overview table

How to filter high-risk events in Safetica NXT

How to use custom filters in Safetica NXT