
Safetica NXT Data security - Detection rules

Optimize the detection of risky events in Safetica NXT

Safetica NXT audits outgoing file transfers from endpoints where it is installed. This may generate many false positives: events flagged as risky that are actually safe (such as transferring files to a secure company intranet or copying unimportant photos to a USB drive). No admin wants to sift through hundreds of logs every day only to find a few problematic operations.

To minimize such false positives and make the detection of risky events more effective, Safetica allows you to create your own rules. With their help, you can explicitly state whether you consider an event dangerous or not, and thus tailor the detection rules to your own company environment.

For example, a construction company will want to protect their plans and a marketing company their photos and videos. On the other hand, a company that uses SharePoint regularly might want to classify all transfers to SharePoint as safe.


In Data security > Detection rules, you can:

see a list of our default detection rules and your own previously created rules. Default rules are marked by the [Built-in] prefix.

edit or delete detection rules by clicking the corresponding icon in the Actions column.

use the toggle to disable a rule without deleting it. Use the same toggle to enable a previously deactivated rule.

see the number of events that have matched a particular rule since it was last updated. Click the number to see matching events for the selected date range in Data security > Overview.


Detection rules in Safetica NXT are prioritized and evaluated from the top to the bottom of the list.

During evaluation, the first match always applies.

Best practice: We recommend placing general detection rules into the lower part of the list. More specific detection rules and exceptions should be placed into the upper part.

change the order of rules by dragging them by the row handle on the left. By arranging detection rules in the desired order, you change their priority and even create exceptions to high-priority rules.


add your own custom detection rules, so that detected risky events better reflect your environment.

Detection rules are diacritic-sensitive. For example, a detection rule with file name or path containing the word “čísla” will not match a file or directory with a name containing “cisla”.

Detection rules are not case-sensitive.
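The following added example is not Safetica code. It is a simplified Python model of the behavior described above (top-to-bottom evaluation, first match applies, matching that ignores case but not diacritics), with a check that flags rules that can never match because a broader rule sits above them. The rule fields (`path_contains`, `destination`, `risky`) and the sample rules are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:                       # hypothetical fields, not Safetica's schema
    name: str
    risky: bool
    path_contains: Optional[str] = None   # None matches any path
    destination: Optional[str] = None     # None matches any destination

def norm(s):
    # Not case-sensitive, but diacritic-sensitive: fold case, keep accents.
    return s.casefold()

def matches(rule, path, dest):
    if rule.path_contains is not None and norm(rule.path_contains) not in norm(path):
        return False
    return rule.destination is None or norm(rule.destination) == norm(dest)

def evaluate(rules, path, dest):
    # Walk the list top to bottom; the first matching rule decides.
    return next((r for r in rules if matches(r, path, dest)), None)

def covers(a, b):
    # True when every event that matches rule b also matches rule a.
    if a.path_contains is not None and (
            b.path_contains is None
            or norm(a.path_contains) not in norm(b.path_contains)):
        return False
    return a.destination is None or (
        b.destination is not None and norm(a.destination) == norm(b.destination))

def shadowed(rules):
    # (rule, blocker) pairs: rule can never fire because blocker sits above it.
    found = []
    for i, r in enumerate(rules):
        blocker = next((e for e in rules[:i] if covers(e, r)), None)
        if blocker is not None:
            found.append((r.name, blocker.name))
    return found

# Constructed sample rules, echoing the SharePoint and plans cases on this page.
GENERAL = Rule("SharePoint is safe", risky=False, destination="SharePoint")
SPECIFIC = Rule("Plans are risky", risky=True, path_contains="plans",
                destination="sharepoint")
ACCENT = Rule("Numbers sheet", risky=True, path_contains="čísla")

if __name__ == "__main__":
    event = (r"C:\Projects\PLANS\site.dwg", "sharepoint")
    print(evaluate([GENERAL, SPECIFIC], *event).name)   # general rule wins
    print(evaluate([SPECIFIC, GENERAL], *event).name)   # exception wins
    print(shadowed([GENERAL, SPECIFIC]))
```

With the general rule on top, the transfer of a plans file is classified as safe and the exception never fires; moving the specific rule above it restores the intended result.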

Want to learn more? Read next:

How to create a new detection rule

How to create a new detection rule from the Event overview table

How to set up alerts