Suspicious User Activity

Technical Library | Support

Go to the previous page

Go to the next page

View or print as PDF

TRITON AP-DATA Predefined Policies and Classifiers > Data Loss Prevention policies > Data Theft Risk Indicators > Suspicious User Activity

Suspicious User Activity

Predefined Policies and Classifiers | TRITON AP-DATA | Version 8.3.x

Data Sent During Unusual Hours

Detects data that is sent at an unusual time. You define what is considered an unusual time in the script classifier, Unusual Hours. Each rule in this policy target a different type of data, such as Office or archive files.

Example: If you define working days in the classifier as Monday-Friday and unusual hours as 9pm-5am, then data sent on Saturday, Sunday, or during the working week between 9 p.m. and 5 a.m. triggers this policy.

Source Code C family or Java Sent During Unusual Hours

Confidential in Header/Footer Sent During Unusual Hours

Office Files Sent Over Time During Unusual Hours

Archive Files Sent Over Time During Unusual Hours

Python Source Code Sent During Unusual Hours

Policy for the detection of database files. The rules for this policy are:

Database File: Ability Office format

Database File: dBase format

Database File: Filemaker format

Database File: Lotus Notes NSF format

Database File: MORE format

Database File: Microsoft Access format

Database File: Microsoft Exchange Server format

Database File: Microsoft Works for DOS format

Database File: Microsoft Works for Mac format

Database File: Microsoft Works for Windows format

Database File: Paradox format

Database File: SmartWare II format

Policy for detecting deep web URLs that appear in analyzed content such as textual documents or email messages and end with the pseudo-top-level domains .onion and .i2p. The deep web is a portion of World Wide Web content that is not indexed by standard search engines and that is intentionally hidden from the regular Internet, accessible only with special software, such as Tor. Such URLs are used for anonymous defamation, unauthorized leaks of sensitive information and copyright infringement, distribution of illegal sexual content, selling controlled substances, money laundering, bank fraud, credit card fraud and identity theft, among other things. The rules for this policy are:

Deep Web URLs: .i2p (Wide)

Deep Web URLs: .i2p (Default)

Deep Web URLs: .onion

Email to Competitors

A policy for detecting email messages that are being sent from one's corporate email address to his or her personal email address. The rules for this policy are:

Email to Competitors

Contact Information to Competitors

Encrypted Attachment to Competitors

Malicious Concealment

Policy for detection of content suspected to be manipulated to avoid detection.This may cause false positives. The rules for this policy are:

Manipulated Content - L33T

Manipulated Content - Reversed Text

Manipulated Content - ROT13

Manipulated Content - Upside Down Text

Manipulated Content (Default)

Manipulated Content (Narrow)

Manipulated Content (Wide)

Password Dissemination

Detects content suspected to be a password in clear text. The rules for this policy are:

Password dissemination

Password dissemination for Web traffic

Password Dissemination: Common Passwords without term

Suspected Mail to Self

Policy for detecting email messages that are being sent from one's corporate email address to his or her personal email address. The rule for this policy is also called:

Suspected Mail to Self

Source Code C Family or Java in Suspected Mail to Self

Confidential in Header/Footer in Suspected Mail to Self

Office Files Sent Over Time in Suspected Mail to Self

Archive Files Sent Over Time in Suspected Mail to Self

Encrypted Files of Unknown Format in Suspected Mail to Self

Encrypted Files of Known Format in Suspected Mail to Self

Database Files in Suspected Mail to Self

Python Source Code in Suspected Mail to Self

Unknown File Formats Over Time

Detects when unencrypted binary files of unknown formats are being sent repeatedly over a period of time. (Forcepoint-supported file types do not trigger this policy.)

For example: If 50 unencrypted files of an unknown format are sent during 1 hour, this policy is triggered. Thresholds are set in the Wide or Default rule."

Unknown file formats over time (Wide)

Unknown file formats over time (Default)

Unknown file formats over time (Narrow)

Unknown file formats over time to uncategorized sites

User Traffic Over Time

Policy for detection of suspicious behavior of users by measuring the rate and type of transactions over time. This may cause false positives. The rules for this policy are:

User Traffic Over Time: Specific Attachments

User Traffic Over Time: CV

User Traffic Over Time: Source Codes

Go to the previous page

Go to the next page

View or print as PDF

TRITON AP-DATA Predefined Policies and Classifiers > Data Loss Prevention policies > Data Theft Risk Indicators > Suspicious User Activity

Copyright 2016 Forcepoint LLC. All rights reserved.