Adding Rules

To add a new user behavior rule, do the following:

1. Log in to the Management Tool as a user with the administrative Client Installation and Management permission.

2. Click the User Behavior Analysis navigation link on the left.

3. On the Rules tab, click the Add Rule button in the top right of the page.


4. On the Add Rule page, in the Properties section at the top, define the following rule properties:

• Select the Enable rule checkbox to enable the rule.

• Enter a unique name for the rule.

• Optionally, enter a description for the rule.

5. In the Conditions section below, select the Unusual work hours checkbox, and then select a risk level. The risk level can be Normal, High, or Critical.


6. Scroll down to the Clients and Client Groups sections, and select the Clients and/or Client groups to which the rule will be assigned.

NOTE: To find specific Clients / Client groups, enter their names or a part of their names in the Search box.


7. Scroll down to the Email Notifications section, and select how you would like to receive notifications on detected anomalies in users’ behavior, and define an email address to which the notifications will be sent:

• Select the Send notification on detected anomalies for a finished session checkbox if you want to be notified about anomalies in users’ behavior when a session finishes.

• Select the Send instant notification on detected anomalies checkbox if you want to be notified immediately when an anomaly in users’ behavior is detected.

• Select the Send total session risk score in case of no anomalies checkbox if you want to be notified when a session finishes with no anomalies in users’ behavior.

• In the Send Email Notification To field, enter the email address to which notifications will be sent, or multiple email addresses separated by semicolons.

NOTE: To receive email notifications correctly, make sure that the Email Sending Settings contain the correct parameters for sending emails.


8. Scroll down to the Additional Actions section, and define additional actions to be performed when an anomaly in users’ behavior is detected:

• Select the Show warning message to user checkbox if you want a warning message to be displayed to the user when the rule is triggered. You can enter a custom message to be displayed to the user when a behavior anomaly is detected.

- Select the Block user in the current session checkbox if you want to automatically block the user from performing suspicious actions.


9. Click the Finish button in the bottom right on the page to save the rule.

10. The rule is now created.