The list of Recommended rules at the top of the Manage Rules screen contains a number of pre-configured templates. Customize the default settings in these templates to quickly create alert rules that notify you when activity occurs that your organization finds risky.
To view recommended rule templates, select Alerts > Manage Rules. A number of the recommended rules appear at the top of the screen, but more are available. To create a rule from one of the templates:
- If the recommended rule you want to use is already listed, click its name.
- Otherwise, click View all recommendations to view all recommended rules, and then click the rule name.
When the Step 1 of 3 panel opens for that template, use it to customize the rule for your unique needs and environment. Each recommended rule template uses alert rule settings to identify the specific file activity to alert on. The descriptions below identify the alert rule setting that each recommended rule uses; log into the Code42 console to view or change the options specific to that rule.
Earnings report exfiltration
Earnings reports contain a wealth of information about your organization's financial health and outlook. The Earnings report exfiltration recommended rule can notify you about potential exfiltration of this valuable business data prior to its official release. This recommended rule uses the Filename or extension setting to monitor the movement of files that contain references to "earnings" or "financial" (and variations thereof) in their filenames. This criteria uses the * wildcard along with similar words or abbreviations to detect activity for a variety of naming conventions and file types.
Tips to customize this rule: Add the Individual users setting and exclude the usernames of members of your Finance team. This prevents the rule from being triggered by expected activity as these team members collaborate on and exchange financial reports.
Microsoft Outlook exfiltration
Employee inboxes contain a wealth of important business information in the form of emails exchanged about projects and opportunities. Secure these communications by using the Microsoft Outlook exfiltration recommended rule to monitor the movement of inbox archive files. This recommended rule uses the Filename or extension setting to monitor file extensions associated with Microsoft Outlook messages, calendar, and contact data. This criteria uses the * wildcard along with those extensions to detect activity for a variety of naming conventions and file types.
Tips to customize this rule: Add the Destination setting and select the External devices and Cloud storage options to monitor when such files are moved to these destinations for external access. (These files can be large, so exfiltration via personal email is not likely.)
Some password management systems install a client application on employee devices for local password database storage. For example, KeePass stores passwords in encrypted .KDBX files, while LastPass stores passwords in encrypted .PASS files. Although these files are encrypted and can only be accessed with a master password, they can be viewed by anyone with that master password and an installed version of the password management software. The Password exfiltration recommended rule uses the Filename or extension setting to track the movement of such password files to identify possible exfiltration.
This same rule also tracks the movement of files that may contain login credentials and passwords based on filenames containing common and obvious words, such as "credentials," "login," or "usernames." This criteria uses the * wildcard along with those words or abbreviations to detect activity for a variety of naming conventions and file types.
Tips to customize this rule: Add the Destination setting and select common exfiltration vectors to watch these locations.
- External media: Select Removable media
- Cloud storage: Select all options
- Email services: Select all options
Source code exfiltration by extension
The scripts and code created by software developers is essential intellectual property for many businesses. The Source code exfiltration by extension recommended rule monitors the possible exfiltration of those files by using the Filename or extension setting to watch specific file extensions associated with source code files. This criteria uses the * wildcard along with those extensions to detect activity for a variety of naming conventions and file types.
Tips to customize this rule:
- If you use a programming language that uses file extensions that are not listed above, add them to the Filename or extension setting.
- Add the Individual users setting and exclude the usernames of members of your QA team (for example). This filters out that expected activity so that you are not alerted as members of your QA team upload and exchange files as part of their testing.
- Add the Destination setting and make sure that the options for the source code repositories you use are not checked. This prevents you from being alerted about everyday uploads to your corporate source code repository by software developers.
Salesforce report exfiltration
Salesforce users can generate a number of reports that contain valuable sales, finance, and contact data. To detect the unauthorized release or access of this important business information, use the Salesforce report exfiltration recommended rule to identify file events associated with such reports. This rule uses the Filename or extension setting along with the * and ? wildcards to detect activity for reports generated from Salesforce.
Tips to customize this rule:
- The criteria used in the rule accounts for both the "Formatted" and "Details only" report types that users can generate.
- When a user generates a "Formatted" report, Salesforce by default suggests a file name that contains the user-defined report name (represented by the * wildcard in the criteria), followed by the export date and time (represented by the ? wildcards in the criteria.) This suggestion is always in .xlsx format. Note that users can change that suggested filename.
- When a user generates a "Details only" report, Salesforce by default suggests a filename of "report" followed by a 13-number string. (Each ? wildcard in the filename or extension criteria is standing in for one of these numbers in that default string.) Note that users can change that suggested filename.
- If your organization uses a different naming convention for Salesforce reports, add that convention to the Filename or extension criteria.
- Ensure that your Code42 administrator has added the domains your organization uses for its Salesforce and corporate cloud service environments to the trusted domains list. Doing so prevents the rule from being triggered by expected file activity generated by your sales team as they collaborate on leads and opportunities.
Source code email exfiltration
Like the Source code exfiltration by extension recommended rule, this recommended rule monitors the possible exfiltration of your important software intellectual property. However, this rule differs in two ways:
- It uses the File categories setting to monitor file classifications normally associated with common programming languages.
Remember that the examples listed for the Source Code file category are not exhaustive. It contains many more file extensions that are not listed. Keep in mind that file extensions are not the only method Code42 uses to identify a file's category.
- It uses the Destination setting to watch for uploads of those files to personal email services to be sent as email attachments.
Tips to customize this rule: As with the Source code exfiltration by extension recommended rule, add individual users or destinations as filters so that the rule is not triggered by expected activity.
Zip file exfiltration
Zip or archive files are a useful way to compress large or multiple files into more manageable packages for collaboration, but can also be used to conceal the business content that is being exfiltrated. The Zip file exfiltration recommended rule uses the File categories setting to notify you when such archive files are involved in file activity so that you can determine whether additional investigation is warranted.
Tips to customize this rule:
- Add the File volume setting to specify either a total file count or cumulative file size threshold (or both) after which the alert should be triggered. If your users generally exchange a small number of archive files for feedback and collaboration, this setting filters out that expected activity to improve fidelity.
- Add the Destination setting and select applicable destinations other than Email services. Generally, most email services inherently prevent archive files from being attached to messages.
Cloud share permission changes
Like the recommended rules above, this template uses the Destination rule settings to alert you when a user makes a file in your organization's cloud service environment publicly available via a direct link or shares it with external users.
Tips to customize this rule: Add the Individual users settings to exclude certain users from being monitored by this rule. For example, members of your legal team are working on a case with external counsel, and need to share files with that firm. You can exclude these legal team members from the rule so that this expected activity is filtered out and you do not get notified about their sharing activity.
File extension mismatch exfiltration
This recommended rule uses the File extension mismatch rule setting to alert you when exfiltration activity is detected for any file with an extension that doesn't match its contents. This setting doesn't have any criteria to select or enter: adding it to a rule automatically monitors for files with a mismatch between their extension and contents.
Tips to customize this rule: Add the Individual users setting to alert you when a mismatch is detected in file activity generated by specific users. For example, the Risk Exposure dashboard indicates that Filip has moved a large number of files, and further investigation in Forensic Search shows that many of these carry the File Mismatch risk indicator. You add Filip as a user monitored by this rule to better understand why his files show mismatches.
This recommended rule uses the Filename or extension rule setting to alert you when exfiltration activity is detected that involves files with a variation of "resumé" or "cv" in their filenames. This criteria uses the * wildcard along with the words or abbreviations that appear in such filenames to detect activity for a variety of naming conventions and file types.
Tips to customize this rule:
- Add the Individual users settings to the rule, and then add the usernames of anyone identified on the High Risk Employees list as a flight risk. The rule then alerts you when Code42 detects activity generated by any of those users for files that match the "resumé" filename or extension criteria.
- Use the Destination settings to prevent your organization's cloud storage environment from being monitored by this rule. For example, your organization asks that all employees place a copy of their resumés in a folder on the corporate OneDrive environment due to compliance and auditing regulations. Add the Destination settings to the rule and select any applicable destinations except for the OneDrive option under Cloud sharing. Code42 then does not notify you about this expected activity when a new employee copies their CV to the corporate OneDrive.
- Ensure that your trusted domains list includes the domain of any website you use for job postings. For example, you want your employees to apply for new internal opportunities as they open up by posting their resumés to the job posting. Make sure that the domain you use for internal and external employment opportunities is listed in your trusted domains list. When an employee applies for an open position by attaching their resumé, Code42 evaluates that domain against your trusted domains and does not alert you about this expected activity to avoid labeling that employee as a flight risk.
Cloud sync folder exfiltration
This recommended rule uses the Destination rule setting to alert you about files that are moved to personal cloud storage services, such as Apple iCloud or Box. This rule monitors activity in both endpoint folders and users' web browsers to notify you when:
- Any file is moved to a folder on the endpoint that is commonly used to sync files with personal cloud storage services
- Any file is uploaded to a personal cloud storage service using tools within a browser window
Tips to customize this rule:
- Use the File categories setting to limit the file activity detected by this rule to only specific groupings of files. For example, your training department commonly uploads video files to various cloud storage providers to post training on external websites or make promotional materials available to advertising partners. Add the File categories settings to the rule but do not select the Video option to prevent Code42 from notifying you about this expected activity.
- Remove any company-approved personal cloud storage providers from the rule. For example, your company has a "work from anywhere" culture and encourages employees to use Google Drive to collaborate with colleagues and access files anywhere. To filter this approved activity out of alerts generated by this rule, clear the Google Drive option in the Destination settings.
Removable media exfiltration
The Removable media exfiltration recommended rule uses the Destination rule settings to alert you when any file is moved to removable media (such as an external memory card or USB drive).
Tips to customize this rule:
- Add the Filename or extension setting to alert you only when files with filenames or extensions that match the criteria you enter are moved to removable media. For example, your Accounting department uses "earnings" in the naming convention for financial reports. You can add this filename criteria to the rule to notify you when a user moves one of these reports to removable media.
- Add the File volume setting to reduce the noise generated by this rule so that it alerts you only when users move files to removable media in total count or size that exceed the thresholds you enter. For example, you could specify that the rule is triggered only when users move 5 or more files or only when users move more than a cumulative total of 100 MB to removable media.