Suspicious User Activity

Documentation | Support

Go to the table of contents

Go to the previous page

Go to the next page

View or print as PDF

Forcepoint DLP Predefined Policies and Classifiers > Data Loss Prevention policies > Data Theft Risk Indicators > Suspicious User Activity

Suspicious User Activity

Predefined Policies and Classifiers | Forcepoint DLP | v8.4.x

Data Sent During Unusual Hours

Detects data that is sent at an unusual time. You define what is considered an unusual time in the script classifier, Unusual Hours. Each rule in this policy target a different type of data, such as Office or archive files.

Example: If you define working days in the classifier as Monday-Friday and unusual hours as 9pm-5am, then data sent on Saturday, Sunday, or during the working week between 9 p.m. and 5 a.m. triggers this policy.

Source Code C family or Java Sent During Unusual Hours

Confidential in Header/Footer Sent During Unusual Hours

Office Files Sent Over Time During Unusual Hours

Archive Files Sent Over Time During Unusual Hours

Python Source Code Sent During Unusual Hours

Policy for detecting deep web URLs that appear in analyzed content such as textual documents or email messages and end with the pseudo-top-level domains .onion and .i2p. The deep web is a portion of World Wide Web content that is not indexed by standard search engines and that is intentionally hidden from the regular Internet, accessible only with special software, such as Tor. Such URLs are used for anonymous defamation, unauthorized leaks of sensitive information and copyright infringement, distribution of illegal sexual content, selling controlled substances, money laundering, bank fraud, credit card fraud and identity theft, among other things. The rules for this policy are:

Deep Web URLs: .i2p (Wide)

Deep Web URLs: .i2p (Default)

Deep Web URLs: .onion

Email to Competitors

A policy for detecting email messages that are being sent from one's corporate email address to his or her personal email address. The rules for this policy are:

Email to Competitors

Contact Information to Competitors

Encrypted Attachment to Competitors

Malicious Concealment

Policy for detection of content suspected to be manipulated to avoid detection.This may cause false positives. The rules for this policy are:

Manipulated Content - L33T

Manipulated Content - Reversed Text

Manipulated Content - ROT13

Manipulated Content - Upside Down Text

Manipulated Content (Default)

Manipulated Content (Narrow)

Manipulated Content (Wide)

Password Dissemination

Detects content suspected to be a password in clear text. The rules for this policy are:

Password dissemination

Password dissemination for Web traffic

Password Dissemination: Common Passwords without term

Suspected Mail to Self

Policy for detecting email messages that are being sent from one's corporate email address to his or her personal email address. The rules for this policy are:

Self CV/Resume Distribution: English (Wide)

Self CV/Resume Distribution: English (Default)

Archive Files Sent Over Time in Suspected Mail to Self

Confidential in Header/Footer in Suspected Mail to Self

Database Files in Suspected Mail to Self

Encrypted Files of Known Format in Suspected Mail to Self

Encrypted Files of Unknown Format in Suspected Mail to Self

Office Files Sent Over Time in Suspected Mail to Self

C Family or Java Source Code in Suspected Mail to Self

Python Source Code in Suspected Mail to Self

Suspected Mail to Self

Unknown File Formats Over Time

Detects when unencrypted binary files of unknown formats are being sent repeatedly over a period of time. For example, if 50 unencrypted files of an unknown format are sent during 1 hour, this policy is triggered. The rules for this policy are:

Unknown file formats over time (Wide)

Unknown file formats over time (Default)

Unknown file formats over time (Narrow)

Unknown file formats over time to uncategorized sites

User Traffic Over Time

Policy for detection of suspicious behavior of users by measuring the rate and type of transactions over time. This may cause false positives. The rules for this policy are:

User Traffic Over Time: CV and Resume

User Traffic Over Time: Source Code

User Traffic Over Time: Specific Attachment

Go to the table of contents

Go to the previous page

Go to the next page

View or print as PDF

Forcepoint DLP Predefined Policies and Classifiers > Data Loss Prevention policies > Data Theft Risk Indicators > Suspicious User Activity

Copyright 2017 Forcepoint. All rights reserved.