Optimize the detection of risky events in Safetica NXT
Safetica NXT audits outgoing file transfers from endpoints where it is installed. This may generate many false positives amongst risky events, such as transferring files to a secure company intranet or copying unimportant photos to a USB drive. No admin wants to sift through hundreds of logs every day to only find a few problematic operations.
To minimize such false positives and make the detection of risky events more effective, Safetica allows you to create your own rules. With their help, you can explicitly state whether you consider an event dangerous or not, and thus tailor the detection rules to your own company environment.
For example, a construction company will want to protect their plans and a marketing company their photos and videos. On the other hand, a company that uses SharePoint regularly might want to classify all transfers to SharePoint as safe.
In the Detection rules section of Data security, you can:
see a list of our default detection rules and your own previously created rules. Default rules are marked by the [Built-in] prefix.
edit or delete detection rules using the icons in the Actions column.
use the toggle to disable a rule without deleting it. Use the same toggle to enable a previously deactivated rule.
In the Detections column, you can see how many events were found that match that particular rule. Click the number to see the details of the events in Data security > Overview.
Detection rules in Safetica NXT are prioritized and evaluated from the top to the bottom of the list.
During evaluation, the first matching rule always applies; rules further down the list are not consulted for that event.
Best practice: We recommend placing general detection rules into the lower part of the list. More specific detection rules and exceptions should be placed into the upper part.
You can change the order of the rules by dragging them by the row handle on the left. By arranging detection rules in the desired order, you change their priority and even create exceptions to high-priority rules.
Add your own custom detection rules, so that detected risky events better reflect your environment.
Detection rules are diacritic-sensitive. For example, a detection rule with file name or path containing the word “čísla” will not match a file or directory with a name containing “cisla”.
Detection rules are not case-sensitive.
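To make the ordering, first-match, case-insensitivity and diacritic-sensitivity behaviour described above concrete, here is a small Python model of that evaluation. It is an added illustration and not Safetica's code: the rule fields (a path glob, an optional destination label and a risky flag), the destination names "sharepoint" and "usb", and the sample transfer events are all assumptions constructed for this example.

```python
"""Model of top-to-bottom, first-match detection rule evaluation.

Illustration only (not Safetica code): the rule structure, destination
labels and sample events below are assumptions made for the example.
"""
import fnmatch
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    path_glob: str               # glob matched against the transferred file's path
    destination: Optional[str]   # hypothetical destination label; None means any destination
    risky: bool                  # verdict if this rule is the first one that matches


def rule_matches(rule: Rule, path: str, destination: str) -> bool:
    """Case-insensitive: both sides are lower-cased before comparison.
    Diacritic-sensitive: no Unicode folding is applied, so "č" never equals "c"."""
    if rule.destination is not None and rule.destination.lower() != destination.lower():
        return False
    # fnmatchcase (not fnmatch) so behaviour does not depend on the host OS;
    # lower-casing both operands provides the case-insensitivity explicitly.
    return fnmatch.fnmatchcase(path.lower(), rule.path_glob.lower())


def classify(rules: List[Rule], path: str, destination: str) -> Tuple[Optional[str], Optional[bool]]:
    """Evaluate rules from the top of the list down; the first match decides.
    Returns (rule name, risky) or (None, None) when no rule matches."""
    for rule in rules:
        if rule_matches(rule, path, destination):
            return rule.name, rule.risky
    return None, None


# Recommended layout: specific rules and exceptions on top, general rules at the bottom.
RULES = [
    Rule("Plans shared to SharePoint", "*/plans/*", "sharepoint", risky=False),  # exception
    Rule("Construction plans leaving the company", "*/plans/*", None, risky=True),
    Rule("Any transfer to SharePoint", "*", "sharepoint", risky=False),          # general
    Rule("Any transfer to USB", "*", "usb", risky=True),                          # general
]

# Same rules, but the exception has been dragged below the rule it should override.
EXCEPTION_BELOW_GENERAL = [RULES[1], RULES[0], RULES[2], RULES[3]]

# A rule containing diacritics, to show that "čísla" does not match "cisla".
DIACRITIC_RULES = [Rule("Czech 'numbers' files", "*čísla*", None, risky=True)]


def demo() -> dict:
    """Constructed sample transfers run through the rule lists above."""
    return {
        "plans_to_usb": classify(RULES, "/projects/plans/site.dwg", "usb"),
        "plans_to_sharepoint": classify(RULES, "/projects/plans/site.dwg", "sharepoint"),
        "mixed_case_plans_to_usb": classify(RULES, "/Projects/PLANS/Site.DWG", "USB"),
        "photo_to_sharepoint": classify(RULES, "/photos/holiday.jpg", "sharepoint"),
        "photo_to_unknown_destination": classify(RULES, "/photos/holiday.jpg", "intranet"),
        "exception_ordered_too_low": classify(EXCEPTION_BELOW_GENERAL, "/projects/plans/site.dwg", "sharepoint"),
        "diacritics_match": classify(DIACRITIC_RULES, "/finance/čísla.xlsx", "usb"),
        "diacritics_uppercase_match": classify(DIACRITIC_RULES, "/finance/ČÍSLA.xlsx", "usb"),
        "diacritics_stripped_no_match": classify(DIACRITIC_RULES, "/finance/cisla.xlsx", "usb"),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:32} -> {verdict}")
```

The `exception_ordered_too_low` case is the one to watch: once the exception sits below the general "plans" rule, the same SharePoint upload is reported as risky, because evaluation stops at the first match and never reaches the exception. That is the practical reason behind the best-practice advice to keep specific rules and exceptions above the general ones.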