Learn how to customize the default detection rules so that the risky events Safetica NXT identifies better reflect your company environment.
Safetica NXT audits outgoing file transfers from endpoints where it is installed. To minimize false positives and make the detection of risky events more effective, Safetica NXT allows you to create your own detection rules. With their help, you can explicitly state whether you consider an event high-risk or safe, and thus tailor the detection process to your own company environment.
Creating a new detection rule
To create a new detection rule:
1. Go to Data security > Detection rules.
2. Click the button.
3. Specify the new rule by selecting the desired criteria.
To see more than the basic criteria File category, Channel, and Destination, click the Advanced settings drop-down. Detailed info about the criteria can be found in the table below.
4. After creation, the rule is displayed in the Detection rules overview table.
5. Detection rules are prioritized and evaluated from the top of the list to the bottom, and the first rule that matches an event decides its threat level. Drag and drop the new rule to the position where it should be evaluated.
After a rule is created, changed, or moved to a different position in the list, the threat level is recalculated for all past events. Applying these changes might take a few minutes.
Detection rule criteria
| Criterion | Description |
|---|---|
| File category | The type of files the detection rule should be applied to |
| Channel | The way via which the file left the endpoint |
| Destination | Specific address or path to which the file was transferred |
| File | File name or a part of it |
| Source type | The type of location from which the file was transferred |
| Source | Specific address or path from which the file was transferred |
| Minimum file size | The rule will not apply to files smaller than this value |
The File, Source, and Destination criteria always treat the entered expression as a partial match: the rule applies to every event whose file name, source, or destination contains the expression anywhere within it. To require an exact match instead, enclose the expression in double quotes. Note that an exact match on a file name must include the file extension, so "report" will not match report.docx, while "report.docx" will.
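To make the matching and priority semantics concrete, here is an added Python model of how rules like these are evaluated against outgoing transfer events. It is example code written for this page, not Safetica NXT's implementation: the rule and event field names, the case-insensitive comparison, the "unclassified" label for events no rule covers, and the sample rules and events are all assumptions. It shows the partial versus quoted exact match, the minimum file size cut-off, top-to-bottom priority, and how moving a rule changes the verdict for past events.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class TransferEvent:
    """One audited outgoing file transfer (field names are assumptions)."""
    file_name: str
    file_category: str
    channel: str
    destination: str
    source_type: str
    source: str
    size_bytes: int


@dataclass
class DetectionRule:
    """A rule; every criterion left as None is a wildcard (field names are assumptions)."""
    name: str
    threat_level: str                     # e.g. "high-risk" or "safe"
    file_category: Optional[str] = None
    channel: Optional[str] = None
    destination: Optional[str] = None
    file: Optional[str] = None
    source_type: Optional[str] = None
    source: Optional[str] = None
    min_file_size: int = 0                # bytes; the rule does not apply to smaller files


def text_matches(pattern: Optional[str], value: str) -> bool:
    """File, Source and Destination semantics: a plain pattern is a partial
    (substring) match; a pattern enclosed in double quotes is an exact match,
    so for a file name it must include the extension.
    Case-insensitive comparison is an assumption, not something the page states."""
    if pattern is None:
        return True
    if len(pattern) >= 2 and pattern.startswith('"') and pattern.endswith('"'):
        return value.lower() == pattern[1:-1].lower()
    return pattern.lower() in value.lower()


def rule_matches(rule: DetectionRule, ev: TransferEvent) -> bool:
    """All criteria specified on the rule must hold for it to apply."""
    if rule.file_category is not None and rule.file_category != ev.file_category:
        return False
    if rule.channel is not None and rule.channel != ev.channel:
        return False
    if rule.source_type is not None and rule.source_type != ev.source_type:
        return False
    if ev.size_bytes < rule.min_file_size:      # minimum file size cut-off
        return False
    return (text_matches(rule.file, ev.file_name)
            and text_matches(rule.destination, ev.destination)
            and text_matches(rule.source, ev.source))


def classify(rules: List[DetectionRule], ev: TransferEvent) -> Tuple[Optional[str], str]:
    """Rules are evaluated top to bottom; the first match decides.
    "unclassified" is a label chosen for this example."""
    for rule in rules:
        if rule_matches(rule, ev):
            return rule.name, rule.threat_level
    return None, "unclassified"


def move_rule(rules: List[DetectionRule], name: str, position: int) -> List[DetectionRule]:
    """Return a new list with the named rule dropped at `position` (drag and drop)."""
    rule = next(r for r in rules if r.name == name)
    rest = [r for r in rules if r.name != name]
    return rest[:position] + [rule] + rest[position:]


def reclassify_all(rules: List[DetectionRule], events: List[TransferEvent]) -> List[str]:
    """Threat levels are recalculated for all past events after any rule change."""
    return [classify(rules, ev)[1] for ev in events]


# Constructed sample rules, in priority (list) order.
RULES = [
    DetectionRule("Exact report", "high-risk", file='"report.docx"'),
    DetectionRule("Partner domain", "safe", destination="example.com"),
    DetectionRule("Large cloud upload", "high-risk", channel="Cloud upload", min_file_size=1024),
]

# Constructed sample events.
EVENTS = [
    TransferEvent("report.docx", "Office documents", "Email", "partner@example.com",
                  "Local disk", "C:\\Users\\alice\\Documents", 200_000),
    TransferEvent("report_final.docx", "Office documents", "Email", "partner@example.com",
                  "Local disk", "C:\\Users\\alice\\Documents", 150_000),
    TransferEvent("payroll.xlsx", "Office documents", "Cloud upload", "dropbox.com",
                  "Network share", "\\\\fileserver\\hr", 50),
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev.file_name, "->", classify(RULES, ev))
    # Moving "Partner domain" to the top changes the verdict for report.docx.
    print(reclassify_all(move_rule(RULES, "Partner domain", 0), EVENTS))
```

With the rules in the order listed, report.docx hits the quoted exact-match rule and is high-risk, report_final.docx only partially matches and falls through to the safe partner-domain rule, and the 50-byte payroll upload is below the minimum file size and stays unclassified. Dragging "Partner domain" above "Exact report" flips report.docx to safe, which is why the position of a rule matters as much as its criteria.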