ITM SaaS StudentGuide-AA
Student Guide
Proofpoint, Inc.
Copyright © Proofpoint, Inc., 925 West Maude, Sunnyvale, CA 94085 USA. All rights
reserved.
Information in this manual is subject to change without notice. No part of this publication
may be reproduced or distributed in any form or by any means, electronic or mechanical,
for any purpose, without the express written permission of Proofpoint, Inc.
Produced by Proofpoint Technical Training. This curriculum is a product created and
delivered by many individuals working at Proofpoint and we acknowledge them here.
About Proofpoint
Proofpoint, Inc. (NASDAQ:PFPT) is a leading cybersecurity company that protects
organizations’ greatest assets and biggest risks: their people. With an integrated suite of
cloud-based solutions, Proofpoint helps companies around the world stop targeted
threats, safeguard their data, and make their users more resilient against cyber attacks.
Leading organizations of all sizes, including more than half of the Fortune 1000, rely on
Proofpoint to mitigate their most critical security and compliance risks across email, the
cloud, social media, and the web. No one protects people, the data they create, and the
digital channels they use more effectively than Proofpoint.
Trademarks
Proofpoint is a trademark, registered trademark, or tradename of Proofpoint, Inc. in the
United States and other countries. Proofpoint Enterprise Archive is a trademark of
Proofpoint, Inc. All other trademarks contained herein are property of their respective
owners.
Contents
Lesson 1: Insider Threat Management Overview
    Exercise 1-1: Access ITM and log in with email address
    Exercise 1-2: Access Documentation
    Exercise 1-3: Access your Student Endpoints
Lesson 2: Solution Configuration
    Exercise 2-1: Use cases for Central Healthcare
    Exercise 2-2: Create Use Case for Your Organization
Lesson 3: User Management
    Exercise 3-1: Add Users
    Exercise 3-2: Assign Access Policy to your newly created Users
    Exercise 3-3: Review Console User Login Activity
Lesson 4: Agent Realms
    Exercise 4-1: Add an Agent Realm to your account
Lesson 5: Agent Policies
    Exercise 5-1: Create two additional custom Agent Policies
    Exercise 5-2: Assign and order your Agent Policies to your Agent Realm
Lesson 6: Agent Deployment
    Exercise 6-1: Download the Installation Configuration Files
    Exercise 6-2: Use graphical MSI Wizard to install Agent
    Exercise 6-3: Use graphical MSI Wizard to install the Updater on Endpoint 2
    Exercise 6-4: Use Agent Updater to install an Agent on Endpoint 2
Lesson 7: Endpoint File Content Scanning
    Exercise 7-1: Build a Detector Set to Detect Sensitive Content
    Exercise 7-2: Edit your Agent Realm and Enable Content Scanning
Lesson 8: Rules and Conditions
    Exercise 8-1: Build a custom Condition to define External Websites
    Exercise 8-2: Edit an existing template from the Threat Library for new Rule
    Exercise 8-3: Create Prevent Rule to Block file upload to External Website
    Exercise 8-4: Block File External Website Upload on File Content Scan
Lesson 9: Notifications, Tagging, and Alerts
    Exercise 9-1: Create and Enable End User Notification on Agent Realm
    Exercise 9-2: Create an Endpoint Notification Policy for your Prevent Rule
    Exercise 9-3: Test Your Rules to Generate Live Alerts
    Exercise 9-4: Review and Perform Workflow functions on Generated Alerts
    Exercise 9-5: Tag Configured/Generated objects
Lesson 10: Explorations
    Exercise 10-1: Exploration from template to view Web Upload activities
    Exercise 10-2: Custom Exploration identifying whose copy to USB blocked
    Exercise 10-3: Determine MIP label of attempted file copy to USB
    Exercise 10-4: Determine new file names applied to specific files
Lesson 11: Dashboard Setup and Interpretation
    Exercise 11-1: Access and navigate to select items on the Dashboard
    Exercise 11-2: Edit the Dashboard objects to change the presentation
    Exercise 11-3: Add your custom Exploration to the Dashboard page
Lesson 12: System Monitoring and Support Services
    Exercise 12-1: Increase the Agent’s trace level output
    Exercise 12-2: Perform a dump of the Agent’s Log file at debug level
Lesson 13: Challenge Labs
Lesson 1: Insider Threat Management Overview
Introduction
This lesson provides an overview of the Insider Threat Management (ITM) product and explains how to
access the Insider Threat Management system.
Insider Threat Management for Administrators and Analysts - Student Guide - Level 2
Endpoint management, cloud application monitoring, and email data loss prevention (DLP) use the
Proofpoint Information and Cloud Security Platform as a common interface. Each of these products sends
information to the platform where it can be analyzed. The Proofpoint Information and Cloud Security
Platform also provides centralized administration for licensing and storage management.
The SaaS product supports multiple endpoint types: Mac, Windows, Unix, and Linux. It also supports
servers on AWS, Azure, VMware, and Citrix. ITM collects both User and Activity Data from the Agents.
The SaaS ITM, via the Proofpoint Information Protection Platform, provides Elasticsearch, a NoSQL
database, serverless compute, scalable storage, anomaly detection, and consolidated management with
Identity and Access Management (IAM), a web service that helps you securely control access to AWS
resources.
Notice that Endpoint DLP is a subset of Insider Threat Management. Proofpoint Endpoint DLP and ITM
leverage the same lightweight agent and API-first, cloud infrastructure. Endpoint DLP is optimized for the
data loss use case in an affordable package. A single agent can be deployed to track data activities as
well as user activities. Using policies, organizations can focus on everyday users for data loss while
gaining additional user activity context for high-risk users.
Everyday Users – all users and groups who do not have privileged permissions.
Privileged Users – administrators of systems and applications. Populate this list with the users and
groups that exist in your Active Directory deployment.
Third Parties – all third-party users, such as contractors and consultants who are not permanent
employees. These users are considered high risk because they usually have access to sensitive
information even though they are not part of the organization.
Watch List – individuals flagged for reasons such as alcoholism or financial debt, employees who may
be looking for other jobs or are on a separation list, and so on. Adding a user to this list generally
requires Human Resources approval.
Targeted Users – users and groups who are targeted for attacks, for example CFOs, CEOs, and other
executives.
This slide shows the features available for Endpoint DLP and for the ITM products. Notice that the ITM
product adds User Activity Alerts and Visual Capture to the feature set shared with Endpoint DLP. It is
possible to mix the products within your deployment so some endpoints can be configured for ITM and
others for Endpoint DLP.
Endpoint DLP monitors data activity:
• File upload to Web
• File copy to local cloud sync
• File printing
• Copy/paste of file/folder/text
• File tracking (Web to USB, Web to Web, etc.)
• File download from Web
• File sent to email attachment
• File downloaded from email
ITM adds monitoring of user activity:
• Hiding information
• Unauthorized access
• Bypassing security controls
• Careless behavior
• Copyright infringement
• Unauthorized communication tools
• Unauthorized administration tasks
• Unauthorized USB activity
• IT sabotage
• Privilege elevation
• Identity theft
• Suspicious GIT activity
• Unacceptable use
For each installation, you start by creating an Account for your organization to run Insider Threat
Management and Endpoint Data Loss Prevention. You assign Endpoints to Agent Realms via a
configuration file. From the console you also assign Agent Policies to the Agent Realm; the console
then associates the Agent Policies with the Endpoint (establishes the relationship). Content Scanning is
enabled on the endpoints within an Agent Realm.
Users in this diagram refer to console users, not monitored or observed users. Access Policies are
applied to Console Users and determine which functions each user can perform, such as administration,
observing activity, and creating rules. To ease administration, you can create Groups, assign Access
Policies to the Groups, and then assign individual users to those Groups.
The Threat Library contains rule templates provided with each installation. Rules can come from the
Threat Library, or you can create them directly within your Account without using the Threat Library.
Rules contain Conditions. Conditions can also exist at the top level of the Account, from where you can
assign them to Rules. Rules generate the Alerts.
You create a Notification Policy to specify how you will be notified (email, webhook, Slack, or another
channel). Once created, you can include that Notification Policy within a Rule. When the Rule fires
(generates the Alert), it uses the Notification Policy specified within the Rule.
Conditions can be used in Explorations and Rules.
The Agent App installed on the Endpoint generates Activities and Screenshots. Filters and Conditions
determine what is shown in an Exploration. Activities and Screenshots are also fed into the Rule engine,
which generates Alerts. These Alerts include what a monitored user did as well as screenshots of the
activities.
Analysts set filters and conditions (pre-built filters) to create Explorations. You can manually create filters
or use an already specified Condition as a filter.
A tag is an identifier that can be attached to rules, conditions, activities, alerts, and other objects to
group them under a common name, from which you can easily build an investigation.
The User Interface has a Tag Management area where you can create a tag, such as high risk or data
exfiltration. During an Exploration you can assign the tag to individual alerts, and you can also tag the
rules that generated those alerts. The system also ships with pre-set tags.
Once items have been tagged, you can use the tag as a filter in an Exploration so that all Activities
carrying that common tag are shown together.
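The object model described above (Conditions reused by both Rules and Explorations, Rules generating Alerts that are delivered through a Notification Policy, and tags grouping the results) can be hard to picture from the diagram alone. The following is an added example written for this guide, not Proofpoint code: it models that data flow over a few constructed Activities. The Activity fields, the corporate domain "corp.example", the Condition, Rule and Notification Policy names, and the webhook channel are all assumptions made for the example; deliveries are recorded in memory rather than sent so it runs offline.

```python
"""Condition -> Rule -> Alert -> Notification, plus Explorations and tags.
Added example for this lesson; not Proofpoint code. Activity fields, the
corporate domain, and all Condition/Rule/Policy names are assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Iterable


@dataclass(frozen=True)
class Activity:
    """One event reported by the Agent App (constructed sample shape)."""
    user: str
    category: str                 # e.g. "Web File Upload"
    target: str                   # destination host, device or application
    file_name: str
    tags: frozenset[str] = frozenset()


@dataclass(frozen=True)
class Condition:
    """Reusable predicate: works as an Exploration filter and inside a Rule."""
    name: str
    test: Callable[[Activity], bool]


@dataclass
class NotificationPolicy:
    """Delivery channel for Alerts; deliveries are recorded, not sent."""
    name: str
    channel: str                  # "email", "webhook" or "slack"
    deliveries: list[tuple[str, str]] = field(default_factory=list)

    def notify(self, alert: Alert) -> None:
        self.deliveries.append((self.channel, f"{alert.rule}: {alert.activity.user}"))


@dataclass(frozen=True)
class Alert:
    rule: str
    activity: Activity
    tags: frozenset[str]


@dataclass
class Rule:
    """Fires when every attached Condition matches the Activity."""
    name: str
    conditions: tuple[Condition, ...]
    notification: NotificationPolicy | None = None
    tags: frozenset[str] = frozenset()

    def matches(self, activity: Activity) -> bool:
        return all(c.test(activity) for c in self.conditions)


def run_rules(activities: Iterable[Activity], rules: Iterable[Rule]) -> list[Alert]:
    """Rule engine: each match yields an Alert carrying the Rule's tags plus the
    Activity's own tags, delivered through the Rule's Notification Policy."""
    alerts: list[Alert] = []
    for activity in activities:
        for rule in rules:
            if rule.matches(activity):
                alert = Alert(rule.name, activity, rule.tags | activity.tags)
                if rule.notification is not None:
                    rule.notification.notify(alert)
                alerts.append(alert)
    return alerts


def explore(activities: Iterable[Activity], *filters: Condition) -> list[Activity]:
    """Exploration: Activities satisfying every filter (Conditions reused as filters)."""
    return [a for a in activities if all(f.test(a) for f in filters)]


def tagged(alerts: Iterable[Alert], tag: str) -> list[Alert]:
    """Group generated Alerts under a common tag, as a tag filter would."""
    return [a for a in alerts if tag in a.tags]


CORPORATE_DOMAIN = "corp.example"        # assumed internal domain

WEB_FILE_UPLOAD = Condition("Web File Upload", lambda a: a.category == "Web File Upload")
EXTERNAL_WEBSITE = Condition("External Websites",
                             lambda a: not a.target.endswith("." + CORPORATE_DOMAIN))
SOC_WEBHOOK = NotificationPolicy("SOC webhook", "webhook")
EXTERNAL_UPLOAD_RULE = Rule("File upload to External Website",
                            (WEB_FILE_UPLOAD, EXTERNAL_WEBSITE),
                            SOC_WEBHOOK, frozenset({"data exfiltration"}))

# Constructed sample activities, not real telemetry.
SAMPLE_ACTIVITIES = [
    Activity("alice", "Web File Upload", "drive.example.net", "q3-contracts.xlsx"),
    Activity("bob", "Web File Upload", "sharepoint.corp.example", "notes.docx"),
    Activity("carol", "File Copy to USB", "E:", "recipes.pdf", frozenset({"high risk"})),
]


def demo() -> tuple[list[Activity], list[Alert]]:
    """The 'Web Upload' Exploration and the rule engine, run over the sample."""
    uploads = explore(SAMPLE_ACTIVITIES, WEB_FILE_UPLOAD)
    return uploads, run_rules(SAMPLE_ACTIVITIES, [EXTERNAL_UPLOAD_RULE])
```

Calling demo() returns both web uploads (alice and bob) from the Exploration, but only alice's upload to the external host becomes an Alert, tagged "data exfiltration" and pushed to the SOC webhook; the same EXTERNAL_WEBSITE Condition can be passed to explore() as a filter without being rewritten.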
Objectives
• Navigate to the correct URL to access the training system for this course
https://proofpoint-training.explore.proofpoint.com/v2/apps/login
• Log in with assigned email address or user name and password
• Access the Administration application
• Access product Documentation to describe three Endpoint Solution options
• Access your student Endpoints via:
https://educationservices.access.proofpoint.com/login/?service=mc
3. List the three Proofpoint products currently using Proofpoint Information and Cloud Security Platform
__________________________________________________________________________________________
__________________________________________________________________________________________
__________________________________________________________________________________________
4. Click ITM / Endpoint DLP Admin for ITM SaaS Administration information and help. Note the
numerous sub-topics.
5. Click Getting Started - Insider Threat Management > Supported Platforms and Requirements
for ITM / Endpoint DLP and then identify the Web browsers currently supported for ITM
__________________________________________________________________________________________
__________________________________________________________________________________________
__________________________________________________________________________________________
Note: Click the separate browser tab to return to ITM Administration.
2. Once logged in to the MetaConnect portal, open any of your student VMs. Refer to the table
above based on which student number you were assigned by the instructor.
3. Authenticate to any of the student Endpoints with the following:
• Computer: (ITM-EP-Sxx-D1 and ITM-EP-Sxx-D2 based on table above)
• User name: Administrator
• Password: Proof!train9
• Domain: empty (no text)
You are now logged into the Endpoint on which you will be installing the ITM Agent in a later lab.
4. Repeat step 3 to set up the other Student Endpoint.
The diagram above outlines the necessary pieces of information to define an effective use case:
Goal
1. Start by defining a business goal. This is most often defined by the business stakeholders and can
include things such as reducing the risk of intellectual property theft, preventing leaking of employee
Personally Identifiable Information (PII), or gaining visibility into the organization’s leavers.
Risk Personas
2. Next, define the people who have access to this critical information (Risk Personas). Determine
which groups can access the data today, and which individuals have privileged access to the data.
Privileged access is especially important since anyone with higher access privileges will have higher
impact in case of a malicious intention or a mistake. Determine how these people are defined in your
organization – is there a naming convention? Are there Active Directory Security Groups?
Assets
3. Assets – data assets, in this case – are where the data resides. Data can be located on a corporate
SharePoint site, a file server share, or in an enterprise application such as Salesforce.
Risky Behaviors
4. What are the behaviors we are trying to detect? Are we detecting uploads to the web, exfiltration of
data to USB devices, copying of data to the Google Drive client?
Actions
5. Lastly, define what you would like to do when your use case triggers. Some examples include:
• Send an automated notification to your Security Operations Center (SOC) which would initiate an
investigation workflow.
• Use Proofpoint ITM Agent’s prevention features to prevent the file USB copy.
• Use a webhook notification to initiate an automated workflow.
For a successful implementation of ITM, you must first establish your goal or goals with the product.
Some common goals include the identification and monitoring of the following:
• USB copy activity: View all users who have copied files to their USB device
• Suspicious users: View all activities in all channels (endpoint, email, cloud) for a group of users, for
example those planning to leave the company
• Upload files to Web: View all users who have uploaded files to their personal webmail
• Download files from the Web: View all users who have downloaded a file from share/cloud drives
• Exfiltration attempts: View file exfiltration attempts that were blocked by a prevention rule
After you determine your use case, you configure the system to gather data. Start with Settings to
ensure you have the correct product entitlements (ITM or Endpoint DLP) to accomplish your goals. Also
verify that the identity Provider is enabled for your users and that the Users’ email domain is allowed.
Next, establish Agent Realms and download Agent Apps to the endpoints you wish to monitor.
Then review the Default Agent Policy and make modifications as appropriate. Finally, add users with
differing access policies.
The system now can collect data. Click Settings in the left navigation menu to monitor the current data
collection statistics.
To present the data we want to see, we start by creating an Exploration. Since we want to monitor web file
uploads, below shows an example of Web File Upload exploration setup.
1. Choose Analytics
2. Select Explorations
3. Click New Exploration
4. Name the exploration ‘Web Upload’
5. Click + to show ‘Filter by’ list
6. Select Activity > Categories > Web File Upload
7. Click Done
The ideal goal of the ITM / Endpoint DLP system is to have it auto-generate 10 to 12 actionable items
per day. That number is the target because it lets you follow up daily as problematic actions appear.
To reach that number you must continually review and modify explorations, and add and then refine
rules with conditions:
• Modify explorations, refine rules, introduce conditions
• Include notification policies to generate just the Alerts you seek
• Refine and review: continue modifications until the desired number of Alerts is auto-generated
Objectives
Read the company description and create focused use cases. Consider the following ITM concerns of
your CEO.
• Protect confidential contract data
• Prevent leaking of proprietary recipes
• Gain visibility into organization’s leavers
Read the company description and complete the details for each of the Use Cases below
Company Description
I
Use Case 1:
1. ITM Business Concern – Protecting confidential contract data
2. Risk Personas – Contracts team, CFO, Sales Representatives, IT staff with privileges
(active directory group names or names of individuals need to be identified)
3. Data asset locations – File server shares, selected endpoints, SharePoint location, SalesForce
4. Risky Behaviors (ITM) - Uploads to Web, Exfiltrating to USB devices, Copying data to Google Drive
client
5. Actions when Use Case triggers - Send automated notification to SOC to initialize an investigative
workflow
Use Case 2:
1. ITM Business Concern – Leaking of contract data
2. Risk Personas - _________________________________________________________________________
3. Data asset locations – ___________________________________________________________________
4. Risky Behaviors (ITM) - _________________________________________________________________
5. Actions when Use Case triggers - ________________________________________________________
Use Case 3:
1. ITM Business Concern – Gaining visibility into organization’s leavers
2. Risk Personas – ________________________________________________________________________
3. Data asset locations – ___________________________________________________________________
4. Risky Behaviors (ITM) - _________________________________________________________________
5. Actions when Use Case triggers - ________________________________________________________
Objectives
• Complete the details for your company description with requested information
• Create a use case for you own organization
Company Description
Name: Your Organization’s Name _____________________________________________________________
Company Purpose (mission): _________________________________________________________________
Business (ITM) Concern: _____________________________________________________________________
Risk Personas:
• ________________________________________________________________________________________
• ________________________________________________________________________________________
• ________________________________________________________________________________________
• ________________________________________________________________________________________
Assets
Data assets – where critical data resides
• ________________________________________________________________________________________
• ________________________________________________________________________________________
• ________________________________________________________________________________________
• ________________________________________________________________________________________
Risky Behaviors
What to detect
• ________________________________________________________________________________________
• ________________________________________________________________________________________
• ________________________________________________________________________________________
• ________________________________________________________________________________________
Actions
What to do when use case triggers
• ________________________________________________________________________________________
• ________________________________________________________________________________________
• ________________________________________________________________________________________
• ________________________________________________________________________________________
This illustration shows where User Management fits in the implementation of Insider Threat Management.
This lesson reviews the steps and fields to complete in order to create and configure a user and access
policies.
Add Users
1. Select Users under User Management in left navigation bar.
2. Enter the email of the user you want to add in the ‘Add user by email’ field.
3. Click Add User
The user is then added to the list.
Access policies are a list of roles and privileges assigned to a user. Roles are a set of privileges.
Proofpoint recommends that you assign a role to each user. The system contains several pre-defined
roles.
Use privileges to add an additional capability to an assigned role. For example, you might assign a user
the Configuration Administration role, which allows modifying account configuration (including identity
providers, users, and settings) as well as endpoint agent configurations and policies. In addition, you
might assign the Activity View privilege, giving the user the ability to view all monitored activity in the
Insider Threat Console.
Assigning Access Policy
1. From Users, click the line of specific user for Details
2. Click Actions and choose Access Policies from the drop-down list
3. Choose High Level Access or Granular Access
4. Review list and select policy or policies to assign
5. Click Done
Adding Groups
1. From the Proofpoint Information and Cloud Security Platform, select the Administration app. Select
User Management > Groups and the list of current groups appears.
2. Click Add Group and when prompted in the fields, provide an Alias and optionally a Description and
then click Save.
3. The group is added to the list.
Assigning the Group Membership and Policy
Once you've added a group, you can
• Assign access policies
• Assign members from the list of users
1. Click on the group you want and the Details window opens.
2. To edit the description, select the Details tab and click Edit.
3. To assign access policies, select the Access Policies tab and click Edit. Select the access policies
you want to assign to all members of the group.
4. Click View to see the list of capabilities for a policy. Click Edit to set an expiration for the access
policy.
5. Click Done to save.
a. To assign the members to a group, select Members and click Edit. Select the users, groups and
personas you want to assign as members of the group and click Done to save.
b. To assign groups to the group, select the Assignment tab and click Edit. Select the groups that
you want to add to the group and click Done to save.
Adding Personas
1. From the Proofpoint Information and Cloud Security Platform, select the Administration app. Select
User Management > Personas and the list of current personas appears.
2. Click Add Persona and when prompted in the fields, provide an Alias and then click Save.
Editing the Persona
You can review/modify the persona, including the access policies assigned to the persona, the groups the
persona is assigned to and which users can switch to the persona.
1. Select the Persona you want from the list to display the details.
2. To modify the Alias of the persona, from the Details tab, in the General area, click Edit.
3. To modify the access policies of the persona, from the Details tab, in the Access Policies area, click
Edit
4. To modify which groups the persona is a member of, from the Groups tab, in the Groups area, click
Edit.
5. To modify the trust relationships of the persona, in the Trust tab, click Edit to review or modify the
users or members of groups who are allowed to switch to the persona.
Deleting the Persona
To delete a persona, do the following
1. Select the Persona you want from the list to display the details.
2. From the Actions drop-down menu, select Delete.
3. When prompted, click Delete to confirm.
• Suggested Persona: Click to show the available personas. This persona has access policies
assigned to it.
• If you use a persona, anyone with access to that persona has the same access policies as assigned
to it.
• If you want to create a new persona, type the name in this field.
• Start Date/Time and End Date/Time: Enter the start and end timeframe for the trust relationship. (If
you do not want to set a timeframe, clear the field)
In the Access tab, in the Persona area, you can change the access policies assigned to the Suggested
Persona you selected.
a. Select Add Access Policies. A list of all access policies displays. This list includes Proofpoint
predefined and custom access policies.
b. Select the policies you want and click Add.
In the Trusts tab add any users and groups that you want to gain access to the assigned persona. By
default, the requesting user displays and you can add any other users and/or groups.
In the Notifications tab, select the tenant that will respond to the request. Also add any users that you
want to be notified of this request. Notification is usually sent to relevant approvers so they are aware that
a request has been submitted.
• Click Submit Request.
Working with Proofpoint Support - Incoming Request Use Case
Your company would like your Proofpoint support representative to take a look at some issues and help
create some useful rules and alerts. For security and privacy reasons, the support representative requests
access to some activities using a support persona.
When you receive the access request, you can edit it and accept or reject it.
1. From the Proofpoint Information and Cloud Security Platform, select the Administration app. Select
User Management > Access Requests. Select the Incoming tab to see any new requests.
2. Click ... next to the request you want and click Respond.
3. The Access Requests details display. Review them. You can edit the request. For example, you can
change the time frame in the Time area and the capabilities by clicking Add Access Policies.
4. Click Accept to accept the request.
You can assign policies from the Proofpoint predefined access policies or create a custom policy.
Proofpoint Predefined Access Policies: Examples of predefined policies include Full Administration which
assigns full access to all system capabilities and resources, Activity View which assigns view-only access
to all monitored activity and List View which assigns only the ability to view lists. Proofpoint predefined
access policies cannot be modified.
Custom Access Policies: You define the set of capabilities you want to assign to specific users or
groups. Custom access policies can be created and modified by a console user with sufficient privileges.
For information about setting up and using custom access policies, see Custom Access Policies.
You can assign multiple policies to a user or group.
Inheriting Access Policies
Access policies can be assigned directly to a user or a group and you can assign more than one policy to
a user or group
Users inherit access policies from a group if the user is a member of that group.
For example, a user is assigned Console User View policy with the ability to view users and their
policy assignments. That user is added to a group that has been assigned Activity Exploration policy
with the ability to view and explore all monitored activity as part of the Information Protection Platform.
The user still has Console User View policy capabilities and in addition, inherits Activity Exploration
policy and all its capabilities.
By default, assignments are set to never expire.
If needed, you can set an expiration date for an access policy to indicate when it will no longer apply.
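The two rules just stated (capabilities are the union of a user's direct policies and the policies of every group the user belongs to, and an assignment stops applying once its expiration date passes), together with the time-boxed persona trust described in the access request section earlier in this lesson, are easy to get wrong when reasoning about who can see what. The following is an added example written for this guide, not Proofpoint code. The capability strings, the policy, group and persona names, and the assumption that membership in a group assigned to another group inherits that outer group's policies are all assumptions made for the example; the sample directory is constructed.

```python
"""Effective console access: direct policies, group inheritance, expiry and
persona trust. Added example modelling the rules in this lesson; it is not
Proofpoint code. Capability strings, policy, group and persona names, and the
nested-group resolution are assumptions made for the example."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Assignment:
    """One access policy assigned to a user, group or persona; expires=None is
    the default 'never expires' assignment."""
    policy: str
    expires: datetime | None = None

    def active(self, now: datetime) -> bool:
        return self.expires is None or now < self.expires


@dataclass
class Group:
    name: str
    assignments: list[Assignment] = field(default_factory=list)
    members: set[str] = field(default_factory=set)        # console user names
    member_groups: set[str] = field(default_factory=set)  # groups assigned to this group


@dataclass
class Persona:
    """Carries its own policies; trusts say who may switch to it and when."""
    name: str
    assignments: list[Assignment] = field(default_factory=list)
    trusts: dict[str, tuple[datetime | None, datetime | None]] = field(default_factory=dict)


@dataclass
class Directory:
    policies: dict[str, set[str]]         # policy name -> capabilities
    users: dict[str, list[Assignment]]    # direct assignments per user
    groups: dict[str, Group]
    personas: dict[str, Persona]

    def groups_of(self, user: str) -> set[str]:
        """Groups the user belongs to directly or through a nested group."""
        found = {g.name for g in self.groups.values() if user in g.members}
        while True:
            parents = {g.name for g in self.groups.values() if g.member_groups & found}
            if parents <= found:
                return found
            found |= parents

    def _capabilities(self, assignments: list[Assignment], now: datetime) -> set[str]:
        caps: set[str] = set()
        for a in assignments:
            if a.active(now):             # expired assignments no longer apply
                caps |= self.policies[a.policy]
        return caps

    def effective_capabilities(self, user: str, now: datetime) -> set[str]:
        """Direct policies plus everything inherited from group membership."""
        assignments = list(self.users.get(user, []))
        for gname in self.groups_of(user):
            assignments.extend(self.groups[gname].assignments)
        return self._capabilities(assignments, now)

    def can_switch_to(self, user: str, persona: str, now: datetime) -> bool:
        """True if a trust for the user, or one of its groups, covers 'now'."""
        trusts = self.personas[persona].trusts
        for principal in {user, *self.groups_of(user)}:
            if principal in trusts:
                start, end = trusts[principal]
                if (start is None or now >= start) and (end is None or now < end):
                    return True
        return False

    def persona_capabilities(self, user: str, persona: str, now: datetime) -> set[str]:
        """Capabilities while switched to the persona; empty if not allowed."""
        if not self.can_switch_to(user, persona, now):
            return set()
        return self._capabilities(self.personas[persona].assignments, now)


def demo_directory() -> Directory:
    """Constructed sample mirroring the lesson's inheritance example."""
    return Directory(
        policies={  # capability labels are assumptions, not product identifiers
            "Console User View": {"users.view", "policy_assignments.view"},
            "Activity Exploration": {"activity.view", "activity.explore"},
            "List View": {"lists.view"},
            "Full Administration": {"*"},
        },
        users={"analyst": [Assignment("Console User View"),
                           Assignment("Full Administration", expires=utc(2024, 1, 1))]},
        groups={
            "Analysts": Group("Analysts", [Assignment("Activity Exploration")], {"analyst"}),
            "SOC": Group("SOC", [Assignment("List View")], set(), {"Analysts"}),
        },
        personas={"Support": Persona("Support", [Assignment("Activity Exploration")],
                                     {"analyst": (utc(2024, 5, 1), utc(2024, 7, 1))})},
    )
```

In the sample, the user "analyst" holds Console User View directly, inherits Activity Exploration from the Analysts group and List View from the SOC group that contains Analysts, and loses the Full Administration assignment once its expiration date of 1 January 2024 has passed; the Support persona can only be switched to between 1 May and 1 July 2024.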
Access Policies View
You view and manage access policies from the Administration app in the Proofpoint Information and
Cloud Security Platform, in the Access Policies view.
Select User Management > Access Policies and the list of Access Policies displays.
The list includes name and description of the access policy and when the access policy was created and
modified. In the Created By column, you can see whether the access policy is a Proofpoint predefined
access policy or a custom access policy.
In the Users view, select View Activities from the Actions drop-down list next to the user whose activities
you want to see.
The Exploration view for the selected user displays.
When you set up an authentication method such as Microsoft 365 (O365), users authenticate with those
credentials.
If you are not using OAuth/SAML for authentication, you need to set up and generate a password for the
user.
To update User information, click Users in the left navigation bar. Click the specific user from the list of
users and select Edit.
Make changes as required in the dialog box that appears. Note the password requirements listed. Also,
note that you can set the Password Expiration time using the drop-down menu. Expiration time ranges
from one to 365 days.
Scenario
Central Healthcare’s Insider Threat Management team consists of direct team members and external
constituents who may require access to the application, its configuration, and output. This lab has you
build three new users to support this need and target each user’s needs within the Console.
Objectives
• Add three new Users to the console to reflect the users who will access the solution in your
environment:
• ITM Administrator
• ITM Analyst/Assistant Admin
• HR Analyst
• Review Console User Audit Activities
• ITM Administrator: Full access to all system capabilities and resources.
• ITM Analyst/Assistant Admin: Ability to configure various functions within the tool.
• HR Analyst: Read Only access to the Console.
Insider Threat Management for Administrators and Analysts - Student Guide - Level 2
For more information on Agent Realms, click HELP, enter Agent Realms, and then click Agent Realms in the
ITM Administration documentation list.
This illustration shows where an Agent Realm fits in the implementation of Insider Threat Management.
This lesson reviews the steps and fields to complete in order to create and configure an Agent Realm.
From the console you also assign Agent Policies to the Agent Realm. Then the console associates the
Agent policies to the Endpoint.
The agent realm configuration is stored in the installation configuration file. An agent realm contains:
• Endpoints (agents) that are attached to the agent realm
• Agent policies that are assigned to the agent realm. An agent realm must be assigned at least one
recording policy. By default, a default account policy is assigned to an agent realm. You can add and
assign other recording policies to an agent realm. An agent realm can have more than one recording
policy.
• Retention period for all collected data
Retention
• The solution retains ingested data based on the retention tier the customer is entitled to (has
purchased). Customers can choose from one of the following retention tiers: 7, 14, 30, 45, 60, or 90 days,
or Maximum. Data is available in the ITM platform as long as it is within the retention period. Data older
than the retention period is purged from the platform on a rolling basis.
Advanced Settings - Agent Realms
The following advanced settings define general Agent behavior:
• Configuration policies
• Visibility
• Recording
• Storage
• Device triggers
• File activity monitoring
• Processing
You may not see all the settings since some features may need to be turned on by Proofpoint.
To view existing Agent Realms, from the Proofpoint Information Protection Platform, select the
Administration app, then from the Endpoints group select Agent Realms. The Agent Realms view
displays the existing Agent Realms.
The Agent Realms view shows the following columns:
• Alias – Realm name
• Region – Geographic location of realm
• Collector Kind – What gathers incidents
• ITM Retention – Maximum retention of agent realm data for ITM
• EDLP Retention – Amount of time agent realm data is retained for DLP
For additional information you can click each of the following
• Down chevron to view Realm Policies
• Circle i to view recent Realm activity
• Three dots (...) to view the Information menu
You must set up at least one Agent Realm before you can deploy the Agent.
1. From the Agent Realms pane, click Add Realm in upper right.
This opens the New Agent Realm input panes: General, Advanced Settings, and Assign Policies tabs.
2. Enter a name for the new realm in the Alias field.
The name is required.
You can only use lowercase characters, dashes, and underscores.
Resource Group
Choose your correct Resource Group from the drop-down list.
Collector Kinds
Select the type of feed used to forward captured user activity.
• Agent: Data from direct attached Agents
• Enterprise Feeder: Data from Enterprise
• Generic Feeder: Link to a generic feeder
Data Retention
Data retention has two options from which to choose. Each has the same choices in its drop-down
menu.
• EDLP Retention: Amount of time the agent realm’s data is retained for DLP.
• ITM Retention: Amount of time the agent realm’s data is retained for ITM.
Choose Maximum, 7, 14, 30, 45, 60, or 90-day retention periods for each type of retention.
The Configuration Files setting allows you to encrypt the Agent configuration files. This provides another
layer of protection, as these files contain potentially sensitive data, should a laptop be lost, stolen, or
compromised.
Proofpoint recommends that you enable the two settings shown here: Prevention Enabled and Microsoft
Information Protection (MIP) enabled.
Enabling Prevention will block file transfer from the managed endpoint to an inserted USB drive.
Microsoft Information Protection (MIP) Enabled allows for detection and this value gets pulled into the
metadata. It can then be leveraged for all the functionality that looks at the metadata. Conditions, rules,
and explorations can leverage those labels in the metadata. These MIP labels can be used as a starting
point.
These settings allow for the recording of screenshots on Agents. You can also automatically grant
permission to capture screenshots on MacOS devices by enabling the setting here.
Only ITM offers the recording option.
Agent Storage is where you set the amount of storage for your Agent Realm. This screen shows the
default setting for time in seconds and size in megabytes.
These settings limit recording storage per Agent for buffered data (such as offline data and Activity
Replay). Whichever limit, time or size, is reached first applies.
Agent cache refers to storage used by agent when in an offline state. The Agent caches the data locally
when the Endpoint is offline. These settings determine how much cache storage is available. These
default settings are usually adequate. You might change these available amounts if a user is offline (no
internet access) for an extended period.
Enable End User Notifications - Turn on/off end user notifications. By default, this is off.
When turned on, the custom notification will be shown on every prevented endpoint activity as configured
by your prevention rules.
End-user notifications display when an endpoint activity is blocked by a prevention rule. You can
customize the end-user notification with the logo and the text for the message subject and body that you
want. You can use the available variables such as file name, rule name and IP when you compose the
text.
End user notifications are defined per Agent Realm. When you configure a customized end-user
notification, it will display for all endpoint activity blocked by all prevention rules in the Agent Realm. (If
you do not configure a customized end-user notification, the default notification generated by the
operating system displays.)
Agent Uninstall: allows you to set a security key that is required to uninstall the Agent.
Enabled - Turn on/off Agent Auto Upgrade. By default, this is on.
The Auto Updater runs in the background; you will not see the results until the maximum delay time plus
the time it takes for the Auto Updater to check the policy has elapsed. You can review, monitor and modify
the Endpoint Update Policies.
The Endpoint Update Policies view lists each policy and its details. By selecting a policy you see its last-
known status, review and modify the details of the policy and manage Agent Realm assignments and
priorities.
An account policy must be assigned to each agent realm. You can assign multiple recording policies to
an agent realm. By default, the default account policy is automatically created and assigned to each
agent realm.
To assign existing policies to an agent realm, from the New Agent Realm screen, select Assign Existing
Policies.
The Assign Existing Policies screen displays.
Select the policies you want to assign to the agent realm and click Assign.
Scenario
Central Healthcare has a single headquarters location where the ITM Application is deployed. As a
starting point for the use of the application, the ITM team has determined that only a single Agent Realm is
required to meet their goals and objectives around how and what the app will record on an Endpoint. This
lab will address this goal.
Objectives
• Add an Agent Realm to your Account
• Specify the Data Retention Period for your new Agent Realm to 45 days for DLP and 60 days for ITM
• Configure Recording settings for your new Agent Realm to allow screenshots but not automatically
grant MacOS permission to capture screenshots
• Accept defaults for other settings
d. Agent Storage
• Limit - Time (Seconds) 604800
• Limit - Size (MBs) 512
• Encryption Enabled *
e. File Activity Monitoring
• Enabled: Enabled
• Tracking Duration 2592000
• Tracking File Count 10000
f. Interaction
• Enable Content Scanning (Leave Disabled for now. We will revisit this later in the class
lessons.)
g. End User Notifications
• Enable End User Notifications (Leave this Disabled)
h. Endpoint Update
• Enable Endpoint Update*
6. Click Next and Save to complete your new Agent Realm.
For each installation, you start by creating an Account for your organization to run Insider Threat
Management and Endpoint Data Loss Prevention. You assign Endpoints to Agent Realms via a
configuration file.
From the console you also assign Agent Policies to the Agent Realm. Then the console associates the
Agent policies to the Endpoint (establishes the relationship).
Agent Policies
• Agent policies define what the agent captures. Agent policies are assigned to agent realms so that
you can configure settings and apply these settings to the endpoints in multiple agent realms
simultaneously.
Default Account Policy
• A default account policy is configured for each account and assigned to each Agent Realm. If no
other account policies are added, the default account policy is applied to all users. You can edit the
default policy and change the settings.
• By default, the Default Account Policy is set for DLP Only.
• The default account policy includes settings for metadata capture and user interface options.
Screenshots are not enabled and collection activity is not available.
• If you want to change the default policy to include screenshots and collections activity, you must be
entitled for ITM. Toggle off DLP-Only, so you can see the additional options.
Additional Agent Policies
• You can create additional Agent Policies for specific Agents with specific settings, and you can assign
multiple Agent Policies to an Agent Realm. When more than one Agent Policy is assigned to an Agent
Realm, you can prioritize their order so you can further define which settings are applied to which
agents.
General Tab
1. You must enter an Alias or Name for the Agent Policy.
2. Enter a description to make it easy to identify the policy from a list.
3. Choose the Signal Type, either DLP (file related events) or ITM (DLP events and endpoint events). You
can also change Signal type by clicking the grey button at the upper right. It toggles from DLP to ITM.
4. Click Next or select Details.
From the IF section on the left-side of the screen, click Select Category. This allows you to select the
categories and values for the recording policy. For example, include for all users with the username =
administrator.
When you click Select Category, the ‘MATCHING CRITERIA Choose Property’ panel opens.
The available categories display in the ‘MATCHING CRITERIA Choose Property’ panel. Select the
Category you want and then relevant Values for that category display.
You can continue adding categories to your agent policy using the And/Or options.
From the THEN section on the right side of the screen, click Select Settings. This allows you to select the
settings and values that apply when the IF condition is met. For example, include items from Metadata
Capture, User Interface, Screenshots, and Collection settings.
The available settings display. Select the relevant settings.
You can continue to define the settings using the And/Or options.
Click Done. The summary of the agent policy displays.
When you have more than one Agent Policy, you can define the priority order for the recording policies for
an Agent Realm. This order determines which settings will be enabled and turned on per Agent Policy.
You set the priority of the Agent Policies in the Agent Realm view. Priorities are set from low to high.
A default account policy is assigned to each account. The default account policy is always the lowest in
the priority list.
If you create another Agent Policy, its priority is always higher than the default account policy.
By default, a new Agent Policy will inherit all the settings from the Agent Policy directly below it in the
priority list.
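The priority stack described above, as an added example that is not part of this guide or of the Proofpoint product: a new policy copies the settings of the policy directly below it, the Default Account Policy always applies, and for an agent that matches a policy's IF criteria the higher-priority policy's settings override the lower ones. The agent attributes, setting names and the override semantics are assumptions made for illustration.

```python
"""Resolve the effective settings for an endpoint from a prioritized
Agent Policy stack. Added example, not Proofpoint code; the merge
semantics (higher priority overrides lower for agents that match the
policy's IF criteria) are an assumption drawn from the guide text."""
from dataclasses import dataclass, field


@dataclass
class AgentPolicy:
    alias: str
    criteria: dict = field(default_factory=dict)  # IF: attribute -> accepted values; {} matches every agent
    settings: dict = field(default_factory=dict)  # THEN: setting -> value


def matches(policy: AgentPolicy, agent: dict) -> bool:
    """An agent matches when every IF criterion is satisfied (AND)."""
    return all(agent.get(attr) in values for attr, values in policy.criteria.items())


def new_policy(alias: str, below: AgentPolicy, criteria: dict, overrides: dict) -> AgentPolicy:
    """A new policy inherits all settings from the policy directly below it
    in the priority list, then applies its own overrides."""
    settings = dict(below.settings)
    settings.update(overrides)
    return AgentPolicy(alias, criteria, settings)


def effective_settings(stack, agent: dict):
    """stack is ordered lowest priority first; stack[0] is the Default
    Account Policy, which always applies. Returns (settings, applied aliases)."""
    effective = dict(stack[0].settings)
    applied = [stack[0].alias]
    for policy in stack[1:]:
        if matches(policy, agent):
            effective.update(policy.settings)
            applied.append(policy.alias)
    return effective, applied


# Constructed policy stack mirroring the lab: Default Account Policy (DLP only),
# then the two custom policies, Risky-Websites ordered above Risky-Applications.
DEFAULT = AgentPolicy("default-account-policy",
                      settings={"signal_type": "DLP", "screenshots": False, "keyboard_logging": False})
RISKY_APPS = new_policy("risky-applications", DEFAULT,
                        {"process_name": {"wireshark.exe", "surfshark.exe"}},
                        {"signal_type": "ITM", "screenshots": True})
RISKY_SITES = new_policy("risky-websites", RISKY_APPS,
                         {"url_domain": {"unileaks.org", "openleaks.org"}},
                         {"keyboard_logging": True})
STACK = [DEFAULT, RISKY_APPS, RISKY_SITES]

if __name__ == "__main__":
    for agent in ({"user": "jdoe", "process_name": "wireshark.exe"},
                  {"user": "asmith", "process_name": "chrome.exe", "url_domain": "openleaks.org"},
                  {"user": "bob", "process_name": "excel.exe"}):
        print(agent, effective_settings(STACK, agent))
```

Note that because `risky-websites` was created above `risky-applications`, it inherited that policy's screenshot setting, so an agent that only matches the website criteria still gets screenshots as well as keyboard logging; an agent that matches neither keeps the DLP-only defaults.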
Scenario
Through the use of other applications, Central Healthcare’s ITM Team has recognized that a subset of
their users continue to visit restricted Websites and utilize forbidden Applications and would like deeper
visibility into these activities. The Agent Policies you’ll build here will address this goal.
Objectives
• Create and order a stack with two additional Agent Policies that apply a specific Recording
configuration based on the following criteria:
  Risky Applications: Wireshark, Surfshark
  Risky Websites: Unileaks.org, Openleaks.org
• For Agents which do not meet the criteria above, screen shots and keyboard logging are not required
by default
Second Policy
1. In the upper right corner, click Add Policy
2. Below the General tab, populate the following values:
Exercise 5-2: Assign and order your Agent Policies to your Agent Realm
1. Within the ITM SaaS console, navigate to Administration.
2. On the left navigation menu, select Agent Policies below the heading Endpoints.
3. Locate your Risky Applications agent policy in the table of Agent Policies and click Assign to
Realm.
a. From the Assign to Realm, POLICY: <student id>-<date>-RISKY-APPLICATIONS dialogue,
select your Agent Realm
b. Click Assign in the lower right.
4. Locate your Risky Websites agent policy in the table of Agent Policies and click Assign to Realm.
a. From the Assign to Realm, POLICY: <student id>-<date>-RISKY-WEBSITES dialogue, select
your Agent Realm
b. Click Assign in the lower right.
5. Confirm that your two new custom Agent Policies and the Default Account Policy are assigned to your
Realm correctly.
6. On the left navigation, select Agent Realms below the heading Endpoints.
7. Locate your <student ID>-realm-date within the table and select it.
a. On the right, select the Policy Priorities tab and click Edit.
b. In the Edit Agent Realm:<student ID>-realm-date dialogue box, in the Agent Policies table,
locate your Risky-Websites Policy and click … on the right.
c. From the popup menu select Move Up to place your ‘Risky-Websites’ Policy above your ‘Risky-
Applications’ Policy.
d. Click Save.
For each installation, you start by creating an Account for your organization to run Insider Threat
Management and Endpoint Data Loss Prevention. You assign Endpoints to Agent Realms via a
configuration file. From the console you also assign Agent Policies to the Agent Realm. Then the console
associates the Agent policies to the Endpoint (establishes the relationship).
You must download and install the correct Agent App to the endpoint to access and monitor endpoints.
1. From the Proofpoint Information Protection Platform, select the Administration app.
2. Select Downloads.
3. From the Downloads list, select the stable version, for example winagentx64-0.x.x.x.zip and click
Download.
4. Save the downloaded .zip file locally
5. Extract the contents of the .zip file to see the following files:
• ITMSaaSBundle-<version>.msi: Agent Setup file
• WinagentInstall.cmd: Executable installation file
• WinagentUninstall.cmd: Executable file for uninstall
• bundleinfo: Text file that describes contents of folder
Once installed, the Auto Updater continually (once every 10 minutes) checks which Endpoint Update
Policies it should run. If there are multiple policies, with the same conditions, by default, the Auto Updater
will run the last created policy.
The Auto Updater self updates so once it is initially installed, any future updates are automatically
installed. You do not need to download and install new versions.
Auto Updater checks which version is currently installed on the endpoint and whether it matches the
target version in the policy. If the versions do not match, the Auto Updater updates the endpoint with the
target version. If the endpoint is already updated to the target version, Auto Updater does not try to
update it again.
• The Auto Updater can be installed on any supported Windows-based operating system (server or
desktop) that you want to monitor.
• Hardware Requirements:
• Processor: Intel i3 or higher, or AMD equivalent
• 4 GB RAM or more
• At least 1 GB free hard disk space
• 100 Mb or 1 Gb Ethernet adapter (1 Gigabit link speed recommended)
• Software Requirements
• Microsoft Windows Server 2012/2012 R2/2016/2019 (64-bit only), Windows 8/8.1, or Windows 10
(it is recommended that you always use the latest Service Pack for your operating system)
• .NET Framework 4.5.2 must be installed
• When using an HTTPS connection, make sure the target endpoints trust the CA certificate (or the
self-signed certificate) that issued the server’s TLS certificate. To enable the computers that are running
the agent to trust your certificate source, import the root CA certificate (or the self-signed
certificate) into each client computer’s trusted root store. After the certificate is imported, the
computer trusts that source and communication over SSL/TLS is allowed.
You can use Auto Updater to not only update existing Agents, but also to Install Agents by following these
steps.
1. Install Auto Updater (MSI wizard)
2. Validate successful installation
3. Create New Endpoint Update Policy
4. Select Endpoint(s) for installation
5. Assign policy to your Realm
6. Monitor status of Updater-based install
Previously endpoint information was accessed from the Endpoint Monitoring and Endpoint Registry
views. These options are still available, however it is recommended that you use the Endpoint Catalog
view since all the information is now in one place. These older views will be removed in the future.
Some of the features of the Endpoint Catalog include:
• Filtering the view to see exactly what you need
• Viewing endpoint details such as endpoint name, kind and version
• Exporting the data to a PDF, JSON or CSV file
• Exploring activities and system activities of the endpoint
• Reviewing details and status of the component (Agent/Auto Updater) for each endpoint
• Managing the log level to include more details
• Reviewing active and inactive endpoints
Objectives
Deploy ITM Agents to targeted Endpoints using both the local graphical MSI Wizard on the Endpoint and
the Console-native Update Policy install method.
• Download and install the Agent install package locally on a targeted Windows Endpoint using the
graphical MSI Wizard
• Download and install the Auto Updater install package locally on a targeted Windows Endpoint using
the graphical MSI Wizard
• Configure an Agent Update Policy to install a net new Agent to a targeted Windows Endpoint.
Exercise 6-3: Use graphical MSI Wizard to install the Updater on Endpoint 2
1. On Endpoint 2, open Windows Explorer and navigate to the Downloads folder.
2. Locate the winupdater-<version> file and download and extract it to the same folder.
3. Once extracted you will see the following files:
• UpdaterSetup-<version>.exe: Updater Setup file
• SaasUpdaterSetupInstall: Script for command line installation
4. Install the Updater locally using the MSI Wizard.
a. From the files you extracted, double click UpdaterSetup-<version> to run the installer package.
This launches the Install Wizard.
b. In the initial dialogue box seen, click Next.
c. Accept the license agreement and click Next
d. In the next dialogue, select No Proxy.
e. Click Next.
f. Enter the locations for:
• Installation folder: C:\Program Files\Windows Client Utility\Updater Utility\
• Installation configuration file: Select Browse and navigate to your Agent Updater file
g. Click Next
h. Click Install. The installation of the Updater will run and complete.
i. Click Close.
j. Validate the Updater install was successful and is now communicating with the Cloud. On left
hand Navigation, below the Endpoint heading, select Endpoint Catalog.
• Locate your Endpoint 2 in the table and confirm it’s Actively Reporting and the Component Type
column reflects ‘’.
11. In the Hostname Endpoint dialogue locate your Endpoint 2, select it from the list, and click Done.
12. Below the Then install… heading, choose the following values:
a. Endpoint Bundle Version: Most recent version in list.
b. Content Analyzer: Enable this toggle.
c. Schedule Window: Start – Immediately End – Never
d. Maximum concurrent updates: 5%
e. Schedule Polling Interval (Advanced): 5m
13. Click Next.
14. In the Agent Realms dialogue, click Select Agent Realms.
15. In the Select Agent Realms dialogue, locate your Realm, select it from the list, and click Assign.
16. You will see your Realm associated with this Update Policy. Click Save.
17. Back on the Endpoint Update Policies page, locate your Update Policy and select it.
18. Below the Status tab you’ll be able to monitor the status on the Updater based install that should now
be running.
19. Within this tab, click View all n endpoint events. This will place you in an Exploration view with a filter
set which will show you any/all related events around the progress on the Agent installation.
20. This process can take some time to complete, but eventually you should start to see both events and
updates to the Status tab. Once the Success field indicates the Agent has completed installation on
Endpoint 2, you should now see this Endpoint reflected in the Endpoint Catalog.
Endpoint File Content Scanning is a function provided by the embedded Endpoint DLP solution which is
a subset of greater ITM functionality. It is a default functionality of both ITM and Endpoint DLP.
This allows you to scan files on the managed endpoint based upon when any of five trigger activities
occur. These are: Web Upload, Web Download, Copy to USB, Cloud Share Sync, and Document Open.
You create specific Detector Rules to implement this function.
You can use content scanning to scan files and detect when users are attempting to exfiltrate sensitive
information, such as credit card information, banking routing numbers and national identity numbers.
Content scanning is defined per Agent Realm. You can view the results and details of the scanned content
in the Explorations view.
You must set up rules for Endpoint Content Scanning to function. Rules include detectors and data
identifiers to create detector sets. You must identify each of these prior to creating rules. You access
Endpoint File Content Scanning components for rule creation in the Data Loss Prevention application.
Definition
• Endpoint DLP feature that provides visibility into sensitive data within documents
Purpose
• Prevent exfiltration of sensitive documents to USB and Cloud Sync folders
Use
• Whenever any one or combination of the following activities is performed, we can trigger Endpoint
File Content Scanning:
• Web upload
• Web download
• Copy to USB
• Cloud share sync
• Document Open
Admin tasks
• Build Detector Sets made up of detectors and data identifiers and add them to the Realm
• Enable Content Scanning for Agents
• Create content scanning rules
Data Loss Prevention application opens to Detectors. Here is where you can view and select the key
detectors that you want to trace.
Your agreed upon goal for Endpoint File Content Scanning determines which detectors (what you are
looking for) you want to select for this process.
There are three types of Data Identifiers. These are what content scanning uses to find
matches.
• Dictionaries
• Extensible – you can build your own dictionaries. This allows you to build your own type of data or
data values you wish to scan for within the particular content.
• Smart IDs
• Default dictionaries with associated code attached to make them more intelligent and better at
what they do. Cannot build your own, nor edit the existing Smart IDs
• Exact Data Matching (EDM)
• Looks for specific language within expressions
Most customers use pre-defined dictionaries and Smart IDs to define their data identifiers. Most start
simple and then expand the solution as they identify the unique needs within their environment over time.
This course does not include the creation of custom dictionaries and recommends you contact Proofpoint
Professional Services should you desire customization from the available default options.
You use detectors available in the tool to define the detector sets. You build a set of detectors that fulfill
your requirements, which will be made up of default data identifiers. You use default dictionaries and
Smart IDs to build the Detector Set that fulfills your requirement.
After selecting Detectors from the Data Detection section of the left navigation bar, follow these steps to
create a new Detector Set.
1. Click Add Set
2. In the General Tab, enter Name and Description, both are required.
3. In the Settings, click Add / Remove to show the pre-loaded detectors. These can be combination of
Smart ID and dictionary or just a Smart ID or just a Dictionary. They have been created focused
around standards and best practices.
• Select Detectors based upon your predetermined goal, such as a concern if files are uploaded or
downloaded, saved to USB or Cloud Share Synced with US Social Security numbers and Credit
Card numbers. This would be considered inherently risky, and we want to detect these data types
when these activities occur.
4. Click Done
5. Click Save
6. View your new Detector Set on the Detector Sets list.
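The three data identifier types and the detector set built from them, as an added example that is not part of this guide or of the Proofpoint Content Scanner: a dictionary is a plain word list, a Smart ID is a pattern with validation code attached (here a Luhn check for card numbers and the area/group/serial rules for SSNs, so look-alike digit strings are not reported), and Exact Data Matching compares tokens against fingerprints of a known column of records. The detector names, the trigger activity labels, the file content and the record values are all constructed for illustration.

```python
"""Toy Endpoint File Content Scanning detector set. Added example, not
Proofpoint code: it models the three data identifier types (dictionary,
Smart ID = pattern plus validation code, Exact Data Matching) and scans
constructed file content when a trigger activity occurs."""
import hashlib
import re
from dataclasses import dataclass
from typing import Callable, List

# The five trigger activities named in the guide (labels are assumed).
TRIGGER_ACTIVITIES = {"web_upload", "web_download", "copy_to_usb", "cloud_share_sync", "document_open"}


@dataclass
class Detector:
    name: str
    kind: str
    find: Callable[[str], List[str]]


def dictionary(name: str, terms) -> Detector:
    """Dictionary: a word list you can extend yourself."""
    pat = re.compile(r"\b(?:" + "|".join(map(re.escape, terms)) + r")\b", re.IGNORECASE)
    return Detector(name, "dictionary", lambda text: pat.findall(text))


def smart_id(name: str, pattern: str, validate: Callable[[str], bool]) -> Detector:
    """Smart ID: a pattern with code attached so that strings that match the
    pattern but fail validation (e.g. a bad Luhn checksum) are not reported."""
    pat = re.compile(pattern)
    return Detector(name, "smart_id",
                    lambda text: [m.group(0) for m in pat.finditer(text) if validate(m.group(0))])


def edm(name: str, column_values) -> Detector:
    """Exact Data Matching: match tokens against a fingerprinted column of
    known records, so the detector never holds the clear-text values."""
    fingerprints = {hashlib.sha256(v.encode()).hexdigest() for v in column_values}
    token = re.compile(r"[A-Za-z0-9-]+")
    return Detector(name, "edm",
                    lambda text: [t for t in token.findall(text)
                                  if hashlib.sha256(t.encode()).hexdigest() in fingerprints])


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum over the digits of a payment card number."""
    digits = [int(c) for c in re.sub(r"\D", "", candidate)]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ssn_ok(candidate: str) -> bool:
    """SSA issuance rules: area not 000/666/9xx, group not 00, serial not 0000."""
    area, group, serial = candidate.split("-")
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


# Constructed detector set for the lab goal: SSNs, payment cards, employee IDs, project names.
DETECTOR_SET = [
    smart_id("US SSN", r"\b\d{3}-\d{2}-\d{4}\b", ssn_ok),
    smart_id("US Credit Card", r"\b(?:\d{4}[ -]?){3}\d{4}\b", luhn_ok),
    edm("Employee IDs", ["EMP-10442", "EMP-20981"]),
    dictionary("Project Codenames", ["Nightingale", "Bluebird"]),
]


def scan(detector_set, activity: str, text: str) -> dict:
    """Run every detector when the activity is a content-scanning trigger;
    returns {detector name: [matches]} for the detectors that fired."""
    if activity not in TRIGGER_ACTIVITIES:
        return {}
    hits = {}
    for det in detector_set:
        found = det.find(text)
        if found:
            hits[det.name] = found
    return hits


# Constructed file content: one valid SSN, one invalid SSN, one Luhn-valid
# test card number, one look-alike that fails Luhn, one EDM record, one codename.
SAMPLE_TEXT = ("Patient 123-45-6789 (old record 000-12-3456), card 4111 1111 1111 1111, "
               "not a card 1234 5678 9012 3456, owner EMP-10442, project nightingale")

if __name__ == "__main__":
    print(scan(DETECTOR_SET, "copy_to_usb", SAMPLE_TEXT))
```

The validation step is the point of a Smart ID: without it, any 16-digit string (an order number, a timestamp) would raise a card-number alert, which is the noise the guide's advice to "start simple" is meant to avoid.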
In the command line installation, set the flag for Content Scanning=1. With the graphical MSI installation,
you are given two choices of components to install: one for Client Utility and second check box for
Content Scanner. Choose these selections during agent install to have content scanning installed on each
of your endpoints.
The last step for Endpoint File Content Scanning is to build rules around these activities so that when
users perform these activities and we get the corresponding match, we generate the Alerts that says one
of these risky activities occurred. Rules can be either New Detection Rule or New Prevention Rule.
You will create a Detection Rule in the Filtering lesson when we are creating other ITM/Endpoint DLP
rules.
Scenario
To align and remain compliant with various Compliance Policies, both internal and external, Central
Healthcare needs to scan files for specific content which may reflect Insider Threat Risk behaviors. In this
lab you scan Endpoint Files to determine if they contain sensitive personal information, like Driver’s
License and Social Security numbers.
Objectives
• Build a Detector Set which contains Detectors for both Social Security and Driver’s License numbers
• Update your Agent Realm and enable Content Scanning
Exercise 7-2: Edit your Agent Realm and Enable Content Scanning
1. Within the ITM SaaS console, navigate to the Administration App.
2. On left navigation bar, below the heading Endpoints, select Agent Realms.
3. Locate and click to select the Agent Realm you previously configured in Lesson 4.
4. Click Edit on the right side of the page.
This illustration shows where data filtering fits in the implementation of Insider Threat Management. This
lesson reviews the steps and fields to complete in order to create rules to filter collected data.
The purpose of the Insider Threat Management software is to gather data, present it, and filter the data to
a select set of actionable items. While you can use the tools available in multiple ways, this lesson
presents a simple method to use Insider Threat Management.
We start with a simple goal of identifying Web Uploads.
The system has been gathering data from the endpoints where we installed the Agent apps.
To start the process, we will create Conditions to use within the Rules, create Rules from the Threat
Library templates, and finally create Rules from scratch.
After you have created a use case, you can create a rule to identify the behaviors you are seeking. Ensure
that your rule includes exclusions. Add a notification then enable the rule. As you review generated Alerts,
you can continue to refine the rule to ensure the actionable items generated still meet your desired daily
target.
The Threat Library is a collection of common out-of-the box threat scenarios based on research with
Computer Emergency Response Team (CERT) institute at Carnegie Mellon, National Insider Threat Task
Force (NITTF), National Institute of Standards and Technology (NIST) standards, customer base, and
third party research firms.
You use the items (templates) to create and build new rules.
Threat Library items are associated with a category to help you navigate, see what is available, and
use and maintain the items. All available scenarios, with a description of each item, are listed in the
Threat Library dashboard.
If you are a DLP only user, the Threat Library currently provides a limited list of data exfiltration scenarios.
The dashboard includes Publish date, an indication of what has been added/updated. This lets you see
the most recent items added to the Insider Threat Library.
The Threat Library contains many rule templates. These make it easy to create a new rule. Select your
template and click Save as Rule. At that point you can use as is or edit the rule to meet your specific
needs.
As part of creating each row, you decide the logic parameter. Select from the drop-down list.
Complete the IF statement by clicking Select Values and choosing from the list.
6. Then section
a. Define Alert severity
b. Select Notification Policies
c. Select Tags
d. Click Save
You can use conditions to set up lists. For example, you might create a list of all users who have recently
given notice or a list of websites users are prohibited from using. You use these lists when creating rules
to trigger alerts as well as in explorations.
A condition allows you to:
• trigger an alert when one of the users in the risky group browses the Web
• trigger an alert when web browsing is to one of the social media sites
• trigger an alert when web browsing is by a specific user and to a specific social media site
So, if you apply the risky users condition to a rule that triggers an alert whenever a file is copied to a USB,
an alert will be triggered when one of the risky users copies a file to USB.
You can see the conditions that have been created in the Conditions table.
3. General tab: complete Name and Description ‘Risky Users’, then click Next
5. From the ‘Select Field’ list, select User and then User Name
7. Select Values: select the users to include, then click Done
Your Insider Threat Management system includes pre-defined conditions that you can use but you cannot
edit (created by Proofpoint). You can edit and modify any of the conditions you create. You can also
delete those conditions you created.
After you create a rule, the Alerts and Notifications it generates are automated. You can continue to refine
the rule to ensure the actionable items generated still meet your desired daily target.
You can add rows to your rule at initial creation or later via editing. Your additional rows can be at the
same level as an existing row or nested beneath a row. This organization controls how the rule gets
executed.
Refining rules follows the same process as creating rules. Select your starting point, the applied logic, and
the specific values to filter on.
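The two ideas above, a condition as a reusable named list that a rule row points at, and rows that sit either at the same level as each other or nested beneath a parent row, can be made concrete with a small rule engine. The following is an added example written for this guide; it is not Proofpoint ITM code, and the field names, the "nested rows are only checked when the parent row matched" semantics, the exclusion row, and all sample activities are constructed assumptions.

```python
"""Toy rule engine (added example, not Proofpoint ITM code).

Models: a Condition is a reusable Row (a field plus a list of values); a Rule is
built from top-level Rows (all must match) that may carry nested Rows (checked
only when the parent matched, an assumed semantics); exclusion rows suppress an
alert. Field names and sample activities are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Row:
    field_name: str                 # activity field to inspect, or "Condition"
    values: set                     # values the field must be "In", or {condition name}
    nested: List["Row"] = field(default_factory=list)

    def matches(self, activity: Dict[str, str], conditions: Dict[str, "Row"]) -> bool:
        if self.field_name == "Condition":
            # "Condition Is <name>": delegate to the named, reusable row.
            (name,) = self.values
            own = conditions[name].matches(activity, conditions)
        else:
            own = activity.get(self.field_name) in self.values
        # Nested rows narrow the parent: evaluated only once the parent matched.
        return own and all(r.matches(activity, conditions) for r in self.nested)


@dataclass
class Rule:
    name: str
    rows: List[Row]                 # same-level rows: every one must match
    exclusions: List[Row]           # if any exclusion matches, no alert is raised
    severity: str
    notification_policy: str

    def evaluate(self, activity: Dict[str, str], conditions: Dict[str, Row]) -> Optional[dict]:
        if any(r.matches(activity, conditions) for r in self.exclusions):
            return None
        if not all(r.matches(activity, conditions) for r in self.rows):
            return None
        return {"rule": self.name, "severity": self.severity,
                "notify": self.notification_policy,
                "user": activity["User Name"], "category": activity["Primary Category"]}


# Constructed conditions: named lists reused across rules and explorations.
CONDITIONS: Dict[str, Row] = {
    "Risky Users": Row("User Name", {"jdoe", "asmith"}),
    "External Websites": Row("Website Domain", {"dropbox.com", "wetransfer.com"}),
}

# Constructed rules. The first nests the condition under the category row;
# the second places the condition at the same level as the category row.
RULES: List[Rule] = [
    Rule("Exfiltrating any file to the web by uploading",
         rows=[Row("Primary Category", {"Web File Upload"},
                   nested=[Row("Condition", {"External Websites"})])],
         exclusions=[Row("User Name", {"svc_backup"})],   # assumed service account exclusion
         severity="High", notification_policy="SOC Mailbox"),
    Rule("Risky user copies file to USB",
         rows=[Row("Primary Category", {"USB Copy"}), Row("Condition", {"Risky Users"})],
         exclusions=[], severity="Critical", notification_policy="SOC Slack"),
]

# Constructed sample activities (not agent output).
ACTIVITIES = [
    {"User Name": "jdoe", "Primary Category": "Web File Upload", "Website Domain": "dropbox.com"},
    {"User Name": "bob", "Primary Category": "Web File Upload", "Website Domain": "sharepoint.corp.example"},
    {"User Name": "svc_backup", "Primary Category": "Web File Upload", "Website Domain": "wetransfer.com"},
    {"User Name": "asmith", "Primary Category": "USB Copy", "Website Domain": ""},
    {"User Name": "bob", "Primary Category": "USB Copy", "Website Domain": ""},
]


def run_rules(activities, rules=RULES, conditions=CONDITIONS) -> List[dict]:
    """Feed every activity through every rule and collect the alerts raised."""
    alerts = []
    for activity in activities:
        for rule in rules:
            alert = rule.evaluate(activity, conditions)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run_rules(ACTIVITIES):
        print(alert)
```

Running the block raises two alerts: jdoe's upload to dropbox.com (High, routed to the SOC mailbox) and asmith's USB copy (Critical, routed to Slack). bob's upload goes to an internal domain, svc_backup is excluded, and bob is not in the Risky Users condition, so those three produce nothing, which is the tuning loop the text describes: exclusions and conditions keep the alert count at an actionable level.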
You can create quite complex rules. Most customers do not start with highly complex rules. Rather, the
initial rules are relatively simple until the customer has worked with the Insider Threat Management system
for several months. As time progresses, the need for complex rules to identify and alert on specific
activities becomes apparent.
Follow these steps to create an Endpoint File Content Scanning detection rule.
1. Select Administration App > Policies > Rules
2. Click New Rule
3. Click New Detection Rule
4. General Tab
a. Enter Name
b. Enter Description of new detection rule
If a user in that Realm were to upload a file that contains a Social Security number, the system generates an
Alert that looks like what is shown here.
Web file upload was the activity that occurred; it was detected by the Content Scanning Test Rule, where
the user matched on a Social Security number.
In the Details section, you can see the snippet in the Conditions that matched, with detailed information.
Scenario
Based on the goals and objectives which Central Healthcare seeks to support with this application, the
ITM Team has determined that Data Exfiltration via Web Upload activities are of primary concern and
focus. This lab focuses on building various Rules to evaluate this significant User activity in this
environment.
Objectives
• Create a Condition that identifies External Websites.
• Edit an existing template, from the Threat Library, to alert whenever a User uploads a document to an
External Website
• Build a custom Prevent Rule, to Block Web File Upload Activity to an External Website
• Build a custom Prevent Rule, to Block Web File Upload Activity to an External Website based on an
Endpoint File Content scan result
Exercise 8-2: Edit an existing template from the Threat Library for new Rule
Create a Rule from an existing Rule Template to detect an Alert when a user uploads a document to an
external website.
1. From the console, navigate to the Administration app.
2. Click Policies on left side navigation.
3. Below Policies, select Threat Library.
4. Locate the Rule titled, Exfiltrating any file to the web by uploading and select it in the table.
5. Click Save as a Rule, on the right.
6. When the New Rule: Exfiltrating any file to the web by uploading pane opens, select … (dots) on
the right of the IF section, and select Convert to Rows.
7. Below the Primary Category In Web File Upload row, click +Add Row.
8. Click Select, and click Select Existing Condition.
9. In the Select Existing Condition dialogue box, type external in the Search field.
10. Locate and select your External Websites Condition from the list. You will see this parameter added
to the Rule.
11. Click Save. View your new custom Rule in the table of Rules.
Exercise 8-3: Create Prevent Rule to Block file upload to External Website
Create a Prevention Rule to detect and block when a user uploads a document to an external website.
1. From the console, navigate to the Administration app.
2. Click Policies on left side navigation bar.
3. Below Policies, click Rules.
4. On the Rules pane, on the right, click New Rule.
5. In the New Rule Type dialogue, click New Prevention Rule.
6. In the New Rule: dialogue box, below the General Tab, enter the following Name for your rule:
Prevent Web File Upload to External Website-<studentID>-<date as mmddyy>
7. In the Description field, add a text based description of your Rule, if you’d like.
8. Below the Settings Tab, on the left, within the IF field click Select Values.
9. In the Protocols – Devices dialogue box, select Web File Upload.
10. In the IF field, click, +Add Row. Click Select.
11. Click Select Prevention Condition from the drop-down list.
12. In the Select Prevention Condition dialogue box, locate your External Websites Condition and select
it. You now see the additional parameter added to your Prevent Rule: Condition Is External Websites.
13. Below the Settings Tab, on the right within the THEN field, click to select the radio button for Block.
14. On the lower right, click Next.
15. Below the Agent Policies Tab, locate one of the Agent Policies you created in lab exercise 5, and
click the box next to it to select it.
Should you see the message “One or more selections requires configuration at the Realm level. Check
Configuration”, check your Agent Realm to ensure Prevention has been enabled.
Exercise 8-4: Block File External Website Upload on File Content Scan
Create a Prevention Rule to detect and block document upload by a user to an external website based on
an Endpoint File Scan result.
1. From the console, navigate to the Administration app.
2. Click Policies on left side navigation.
3. Below Policies, click Rules.
4. On the Rules page, on the upper right, click New Rule.
5. In the New Rule Type dialogue, click New Prevention Rule.
6. In the New Rule: dialogue box, below the General Tab, enter the following Name for your rule:
Prevent Web File Upload to External Website Based on Scan Result-<studentID>-<date as mmddyy>
7. In the Description field, add a text based description of your Rule, if you’d like.
8. Below the Settings Tab, on the left, within the IF field click Select Values.
9. In the Protocol – Devices dialogue box, select Web File Upload from the list.
10. Within the IF field click, +Add Row. Click Select.
11. Click Select Field. From the Select Field dialogue box, click Detector. In the drop-down menu, click
Indicator/Detector Name. You’ll now see the additional parameter added to the Rule.
12. On the left, below IF, to the right of Indicator/Detector Name In, click Select Values.
13. In the Detectors – DETECTOR NAME dialogue, locate the Detectors you have previously configured
in Exercise 7-1 and click each to select them from the list.
14. Click Done. You’ll now see the additional parameter added to the Rule.
15. Below this new parameter, on the left below IF. Click +Add Row.
16. Click Select and choose Select Prevention Condition from the drop-down list.
17. In the Select Prevention Condition dialogue box, locate your External Websites Condition in the list
and select it. You now see the additional parameter added to your Prevent Rule: Condition Is External
Websites.
18. Below the Settings Tab, on the right within the THEN field, ensure the radio button for Block is
selected.
19. On the lower right, click Next.
20. Below the Agent Policies Tab, locate one of the Agent Policies you created in Exercise 5, and click
the box next to it to select it.
Should you see the message “One or more selections requires configuration at the Realm level. Check
Configuration”, check your Agent Realm to ensure Prevention has been enabled.
21. Click Save.
Insider Threat Management for Administrators and Analysts - Student Guide - Level 2
This illustration shows where data filtering fits in the implementation of Insider Threat Management. This
lesson reviews the steps and fields to complete in order to add Notification, Alerts, and Tags to Rules.
Rules generate Alerts. You can create Notification Policies and add them to rules to send notifications
when a Rule generates an Alert.
Definition
• Defines who gets notification of alert and delivery mechanism
Purpose
• Inform users when an alert is triggered
Use
• Ensure certain people see alerts
Admin tasks
• Create, Edit, Delete Notification Policies
• Add notification to Rules
• Set up Webhooks
• Slack, Outlook Groups, Splunk Clouds, Microsoft Teams, other 3rd party apps
Justifications can be used with prevention rules to offer the user the option of continuing a prevented
action by selecting a response. When a justification is selected, the action is allowed. If you want to use
justifications, you must first create a default justification for the Agent Realm. Justifications are turned on
in the End User Notifications area in the Advanced settings of the Agent Realm. Here you define the
Default Block message a user sees when an action is blocked by a prevention rule.
In the Default Prompt area, you must define a default justification by selecting one or both of the
following:
• Click Add New Justification and select from one or more of the predefined justifications
You can select one or more Justifications from the list.
• Select Allow user to enter freeform text reply
Use the justifications from the Justification page in notification policies that are used with prevention
rules. The Default Justification is set per Realm, but a notification with justification can also be set up at
the rule level.
1. From the Administration application, select Integrations > Notification Policies.
2. Create the message you want and turn on Allow user to respond, to define the response that you
want to appear in the end user notification.
3. In the Label above selection textbox, add text that you want to display above the justification.
4. In Justifications section, click Add/Edit to add/edit justifications from the list of justification that you
want included in the notification. These include custom justifications you created and standard
justifications added by Proofpoint.
5. If you want the user to add freeform text, select Allow user to enter freeform text reply and enter the
text you want to prompt the user in the Label textbox.
You can set up a notification with justification at the rule level. In that case, the user is prompted for the
justification when the action that is defined in the rule occurs. You can select:
• Prompt the user to provide a justification and the default justification you defined for the Agent
Realm will be used
• Block and assign the end user notification that includes a customized justification you want to use
Webhooks are user-defined HTTP callbacks. The problem they solve is "pushing" information to you: a
server-based resource, on its own, does not know where or to whom to push. The webhook pattern
solves this by letting you register a URL that the server calls when there is something to deliver.
1. Select Add webhooks and from the drop-down list, select the platform you want
2. Click the link for detailed instructions.
3. When you complete the instructions, you'll receive a URL. Copy the URL and click Save
4. The webhook is added and relevant notifications will be sent to your chosen platform.
5. Click Done
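The exchange behind a webhook, shown from both sides as an added example (not Proofpoint ITM code and not the platform's actual payload format): the sending side serialises an alert and POSTs it to the URL you registered, and the receiving side validates what arrives before routing it. The payload fields, the callback URL, the size limit and the severity-to-destination routing table are all constructed assumptions for illustration.

```python
"""Webhook pattern, both sides (added example; not Proofpoint ITM code).

The sender turns an alert into an HTTP POST aimed at a registered callback URL.
The receiver validates content type, size and shape before acting on the body.
Payload fields, URL and routing table are constructed assumptions.
"""
import json
import urllib.request
from typing import Dict, Tuple

MAX_BODY = 64 * 1024            # refuse oversized posts (assumed limit, not an ITM setting)
ROUTES = {"Critical": "pager", "High": "soc-channel"}   # constructed routing table

# Constructed sample alert, the kind a rule would raise.
SAMPLE_ALERT = {"rule": "Exfiltrating any file to the web by uploading",
                "severity": "Critical", "user": "jdoe",
                "activity": "Web File Upload", "time": "2024-03-31T09:00:00Z"}


def build_notification(alert: dict, callback_url: str) -> Tuple[str, Dict[str, str], bytes]:
    """Sender side: serialise the alert for delivery to the registered URL."""
    body = json.dumps({"rule_name": alert["rule"], "severity": alert["severity"],
                       "user": alert["user"], "activity": alert["activity"],
                       "time": alert["time"]}).encode("utf-8")
    headers = {"Content-Type": "application/json",
               "Content-Length": str(len(body)),
               "User-Agent": "itm-webhook-example/0.1"}     # assumed identifier
    return callback_url, headers, body


def send_notification(url: str, headers: Dict[str, str], body: bytes, timeout: float = 5.0) -> int:
    """Sender side: deliver the POST. The callback URL is a credential in all but
    name, so only deliver it over TLS. Returns the HTTP status code."""
    if not url.startswith("https://"):
        raise ValueError("refusing to post a webhook over plain HTTP")
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


def handle_notification(headers: Dict[str, str], body: bytes) -> Tuple[int, dict]:
    """Receiver side: validate one POST and decide where it goes.
    Returns (HTTP status, result). Header lookup is case-insensitive."""
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    if ctype.split(";")[0].strip() != "application/json":
        return 415, {"error": "expected application/json"}
    if len(body) > MAX_BODY:
        return 413, {"error": "body too large"}
    try:
        payload = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return 400, {"error": "malformed JSON"}
    required = {"rule_name", "severity", "user", "activity"}
    if not isinstance(payload, dict) or not required <= payload.keys():
        return 400, {"error": "missing fields"}
    destination = ROUTES.get(payload["severity"], "daily-digest")
    summary = f"{payload['rule_name']}: {payload['user']} {payload['activity']}"
    return 200, {"routed_to": destination, "summary": summary}


if __name__ == "__main__":
    # Round trip in-process (no network): build the POST, then hand it to the receiver.
    url, hdrs, data = build_notification(SAMPLE_ALERT, "https://hooks.example/constructed-url")
    print(url, handle_notification(hdrs, data))
```

The receiver rejects anything that is not JSON, anything larger than the assumed limit, and anything missing the expected fields before it looks at content; that order means cheap checks run first. The sender refuses to post to a non-TLS URL because whoever holds the callback URL can post into the channel it feeds.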
Tags are labels you can create and assign to selected information. These tags make it easier for analysts
to identify and categorize important information.
A tag is an identifier that can be attached to rules, conditions, activities, alerts, and other things to group
these things under a common name. Then you can create an investigation easily out of it.
The User Interface has a Tag Management area where you can create a tag, such as high risk or data
exfiltration. During Exploration you can assign the tag to individual alerts. You can also tag rules that
generated this alert. You can then group all these items under the common name with a filter in an
Exploration. There are pre-set tags with the system.
Once items have been tagged, you can then use tags in a filter in Explorations. Then Activities show up
that have the common tag.
All tags can be viewed from the Proofpoint Information Protection platform console in the
Administration app. Select Tag Management.
To see details about where a tag is used, click on it. In the example the tag is used 57 times in the Threat
Library. By clicking on the arrow, you leave Tag Management and go to the relevant view.
1. Choose tags from list
2. Add new tags as needed
3. Click Done to save
Assigned tags appear on tag list with count
4. Click tag to view tagged Explorations
You can use tag management throughout your work. You can apply the same tag to activities, rules,
conditions you create, explorations and alerts to help you identify and categorize.
For example, suppose you are creating several rules to monitor a group of employees you are watching. To
make it easier to find those rules in the Rules list, you can tag each rule, in this example with ‘watched group’.
Add tag to rules
1. Select rule to tag
2. Click Add Tags
3. Select tag
4. Click Done
5. Use Filter by to locate items such as rules, explorations, conditions, alerts, and items in Threat
Library.
The installed Agent App on the Endpoint generates Activities and Screenshots. Filters and Conditions
determine what gets shown in an Exploration. These can be filtered and then viewed within Explorations.
Activities and Screenshots also get fed into the Rule engine and the Rule Engine then generates Alerts.
These Alerts include what a monitored user did as well as screenshots of the activities.
To see the Alerts, from the Proofpoint Information Protection Platform, select the Analytics app and
then from the side menu, select Alerts.
Alerts are displayed in graphic and table format so you can easily identify what is happening. You can
view and analyze the alert details with intuitive data visualizations.
Definition
• Warning triggered by defined rule
Purpose
• Monitor and investigate suspicious activity
Use
• Monitor potentially risky user activities
Admin tasks
• Set severity level
• Low, medium, high, or critical
• Enable relevant screenshot
• Select Filter by
• All Endpoints or DLP only
Alerts are displayed in graphic and table format so you can easily identify what is happening. You can
view and analyze the alert details with intuitive data visualizations by clicking on the alert.
The alerts table lets you see a list of all the alerts and edit the columns to see specific information. The
alerts are listed chronologically.
By clicking on a row, you can see the details of the alert.
The details vary depending on the alert channel.
You can select to show/hide a summary of all alerts. By clicking on a rule, you can see all the relevant
alerts.
You can choose to group common alerts. This means that when the same exact alert happens
consecutively, it is grouped with the previous alert.
To group alerts, click ... at the top of the table and select Group Common Alerts from the menu.
Each bar indicates the number of alerts that are grouped with this item. For example, when you see two
bars there are two grouped alerts. These two alerts are exactly the same; that is, the same activity, the
same users, the same URL domain, etc.
To ungroup the activity and see the other activities, select Ungroup Common alerts from the menu.
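The grouping rule just described, that only the same exact alert occurring consecutively is folded into the previous one while a repeat that arrives after a different alert starts a new group, is easy to get wrong if one groups by key alone. The following is an added example, not Proofpoint ITM code; the alert fields and the sample alerts are constructed, and the set of fields that must be identical is an assumption based on the text (activity, user, URL domain, plus the rule).

```python
"""Group Common Alerts as a run-length grouping (added example, not ITM code).

Consecutive alerts with identical key fields collapse into one group whose
count is the number of "bars"; an identical alert that is not adjacent starts
its own group. Ungrouping restores the original list. Sample data is constructed.
"""
from typing import List, Tuple

# Fields that must all be equal for two adjacent alerts to be "exactly the same"
# (assumption drawn from the text: same activity, same user, same URL domain).
GROUP_KEY = ("rule", "user", "activity", "domain")

# Constructed sample alerts in chronological order, as the alerts table lists them.
ALERTS = [
    {"time": "09:00", "rule": "Exfiltrating any file to the web by uploading",
     "user": "jdoe", "activity": "Web File Upload", "domain": "dropbox.com"},
    {"time": "09:01", "rule": "Exfiltrating any file to the web by uploading",
     "user": "jdoe", "activity": "Web File Upload", "domain": "dropbox.com"},
    {"time": "09:02", "rule": "Exfiltrating any file to the web by uploading",
     "user": "jdoe", "activity": "Web File Upload", "domain": "dropbox.com"},
    {"time": "09:05", "rule": "Exfiltrating any file to the web by uploading",
     "user": "asmith", "activity": "Web File Upload", "domain": "wetransfer.com"},
    # Same as the first three, but not consecutive: it forms a separate group.
    {"time": "09:07", "rule": "Exfiltrating any file to the web by uploading",
     "user": "jdoe", "activity": "Web File Upload", "domain": "dropbox.com"},
]


def alert_key(alert: dict) -> Tuple[str, ...]:
    return tuple(alert[k] for k in GROUP_KEY)


def group_common_alerts(alerts: List[dict]) -> List[dict]:
    """Collapse runs of identical adjacent alerts. Each group keeps the first
    alert (the row shown), the count (the number of bars) and its members."""
    groups: List[dict] = []
    for alert in alerts:
        key = alert_key(alert)
        if groups and groups[-1]["key"] == key:
            groups[-1]["count"] += 1
            groups[-1]["members"].append(alert)
        else:
            groups.append({"key": key, "first": alert, "count": 1, "members": [alert]})
    return groups


def ungroup(groups: List[dict]) -> List[dict]:
    """Inverse of group_common_alerts: the original chronological list."""
    return [alert for group in groups for alert in group["members"]]


if __name__ == "__main__":
    for g in group_common_alerts(ALERTS):
        bars = "|" * g["count"]
        print(f"{g['first']['time']} {g['first']['user']:7} {g['first']['domain']:15} {bars}")
```

On the constructed data this yields three rows: jdoe with three bars, asmith with one, and a second jdoe row with one bar for the 09:07 alert, because the asmith alert broke the run. A distinct per-key total would have hidden that the behaviour resumed after a pause, which is exactly the context an analyst wants from a chronological table.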
The timeline lets you see all activities in chronological order detailing each action taken in the sequence
they were performed. The timeline shows how users access, move and manipulate files and data. This
way you can see and understand what happened before and after an alert or a specific user activity and
understand the context.
By default, when you open the timeline you see the list of user activities on the left and a summary and
details area for the selected user activity on the right. The histogram at the top provides a quick visual
view of when user activity occurred. From the left side of the timeline view, you can select Show Filters to
view the available filters and limit what you see.
The timeline view includes the icons shown here to indicate user activity type.
The File Timeline shows the history of the file you are investigating. You access this view from the Details
panes of the identified activity.
This shows the recommended steps to investigate an Alert, from viewing Alerts to distributing the
information gathered to the appropriate individuals.
Scenario
Although the ITM team at Central Healthcare is small, each of its members, as well as external
constituents, will have access to the Alert output of the tool. Therefore, a keen understanding of Alert
functions and capabilities is required. Based on their Acceptable Use Policy, they have identified the
need to send End User Notifications if and when a user violates any policy contained therein when
performing certain Endpoint behaviors.
Objectives
• Configure and enable an Agent Realm level End User Notification.
• Build an Endpoint Notification Policy, including Justifications, and apply it to your Prevent Rule.
• Test each of the Rules configured in Lesson 8.
• Review the Alert Data and use the various Workflow functions with it.
• Create a tag and tag your existing Rule, Condition, and Alerts to present like objects together based
on the assigned Tag.
Exercise 9-1: Create and Enable End User Notification on Agent Realm
1. From the console, navigate to the Administration view.
2. Click Endpoints on left navigation menu.
3. Below Endpoints, select Agent Realms.
4. In the Agent Realms table, locate the Agent Realm you created in Exercise 4 and select it from the
table.
5. On the right, click Edit.
6. Below the Advanced Settings tab, locate the End User Notifications field, and enable Enable End
User Notifications. Locate the field titled Default Block.
7. On the left, in the box beside Subject, change this value to: This is the Realm level Default Block
Message.
8. On the left, in the Message box (inserting variables as noted), craft your End User Notification as
follows:
• Type: A Web File upload to an External Website has been detected.
• On a new line, type: The Rule that was triggered was –
• Insert the cursor after the dash (-) and click +Rule Name in the Variables list.
• Your Message will now reflect: The Rule that was triggered was – [[Rule Name]]
• Insert another line and type: The File involved in the Activity was –
• Insert the cursor after the dash (-) and click +File Name(s) in the Variables list.
• Your Message will now reflect: The File involved in the Activity was – [[File Name(s)]]
9. In the Default Prompt section, locate the field with Reason for Action within it.
10. Edit this value by typing: Policy Violation
11. Click box to Allow user to enter freeform text reply.
12. Click Save.
Exercise 9-2: Create an Endpoint Notification Policy for your Prevent Rule
1. From the console, navigate to the Administration view.
2. Click Integrations on the left navigation menu.
3. Click Notification Policies below it.
4. On the upper right of the page, click New Notification Policy.
5. On the NEW POLICY page, add a value in the Name field: Prevent Rule Notification Policy-
<studentid>-<date>
6. Below the Type heading, click the Endpoint radio button.
7. Click Next.
8. On the left of the page, locate the Subject field and update the value with: Scan Result has Sensitive
Content - Upload Blocked.
9. In the Message field:
• Type: An Endpoint File Scan has occurred.
• On a new line, type: The Rule that was triggered was –
• Insert the cursor after the dash (-) and click +Rule Name in the Variables list.
• Your Message will now reflect: The Rule that was triggered was – [[Rule Name]]
• Insert another line and type: The File involved in the Activity was –
• Insert the cursor after the dash (-) and click +File Name(s) in the Variables list.
• Your Message will now reflect: The File involved in the Activity was – [[File Name(s)]]
10. Within the End User Justification section, enable the Allow user to respond toggle.
11. Locate the Label above selection field and type: Upload Justifications
12. Locate the Justifications heading and click Add New Justification.
13. In the Justifications dialogue box, below Select Values, locate and select the following values from
the list:
• I have obtained prior approval to perform this action
• The recipients are approved for sharing this content
• This action is part of an established business process
• The data in this file is not confidential
• This action is allowed as part of my role
14. Within the Search Values field, type: This is my unique Justification-<studentid>-<date as
mmddyy>
15. Click, Add it as a new value
16. In the New Justification dialogue box, click Save.
17. In the Justifications dialogue locate your custom Justification and select it from the list.
This illustration shows where an Exploration fits in the implementation of Insider Threat Management. This
lesson reviews the steps and fields to complete in order to create and configure an Exploration.
The purpose of the Insider Threat Management software is to gather data, present it, and filter the data to
a select set of actionable items. While you can use the tools available in multiple ways, this lesson
presents a simple method to use Insider Threat Management.
We’ll start with a simple goal of identifying Web Uploads with an Exploration.
The system has been gathering data from the endpoints where we installed the Agent apps.
To start the process, we will create a simple Exploration to locate the Web Upload actions. We will then
continue to work to review and refine the exploration prior to implementing conditions and rules.
You can create explorations for user activities and system events. You can filter the data by rules,
conditions, and you can use the items in the Threat Library. In addition, the agent detects exfiltration
attempts that were blocked by a prevention rule and can display this as an activity category.
You can create your own custom explorations or use the available templates.
Some examples of explorations include:
• USB copy activity: View all users who have copied files to their USB device
• Suspicious users: View all activities in all channels (endpoint, email, cloud) for a group of users, for
example those planning to leave the company
• Upload files to Web: View all users who have uploaded files to their personal webmail
• Download files from the Web: View all users who have downloaded a file from share/cloud drives
• Exfiltration attempts: View file exfiltration attempts that were blocked by a prevention rule
Explorations are extremely powerful and quick queries that you build out based on the information
collected. They are structured in a way to be intuitively understood by users.
To create an Exploration, follow these steps.
1. Define exploration goal
2. Create and run Exploration (conduct the search)
• Use output from exploration to analyze the data set of activities
3. Analyze output
• Number of Activities
• Common output (risky or not)
4. Modify exploration to identify actionable activities
• Filter until reasonable number of Activities (10-15 per day)
5. Save Exploration
• Re-run Exploration to identify any additional activities for action
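The loop in steps 2 to 4, where the activity count changes with each filter you add and you keep narrowing until the result is an actionable 10 to 15 activities per day, can be seen in code. The following is an added example, not Proofpoint ITM code: the activity records, the reference date, the three filters (a 30-day time window, an Activity Category, and an external-domain list) and the daily-volume generator are all constructed to illustrate how each added filter moves the count toward the target.

```python
"""Exploration as a filter chain with a per-day target (added example; not ITM code).

Each filter is applied in turn and the activity count re-measured, mirroring
"Number of activities changes with each edit". The target band (10-15/day)
is the one given in the text. All data and filters are constructed.
"""
from collections import Counter
from datetime import date, timedelta
from typing import Callable, List, Tuple

TODAY = date(2024, 3, 31)                           # constructed reference date
EXTERNAL_SITES = {"dropbox.com", "wetransfer.com"}  # constructed "External Websites" list
TARGET_PER_DAY = (10, 15)                           # actionable band from the text


def make_activities(days: int = 60) -> List[dict]:
    """Constructed agent data: 60 days of browsing and uploads for three users."""
    acts = []
    for d in range(days):
        day = TODAY - timedelta(days=d)
        for user in ("jdoe", "bob", "asmith"):
            for _ in range(2):
                acts.append({"day": day, "user": user, "category": "Web File Upload",
                             "domain": "sharepoint.corp.example"})
                acts.append({"day": day, "user": user, "category": "Web Browsing",
                             "domain": "news.example"})
            for _ in range(4):
                acts.append({"day": day, "user": user, "category": "Web File Upload",
                             "domain": "dropbox.com"})
    return acts


# Filters in the order an analyst would add them; label mirrors the UI wording.
FILTERS: List[Tuple[str, Callable[[dict], bool]]] = [
    ("Region Time Source: over the last 30d", lambda a: (TODAY - a["day"]).days < 30),
    ("Activity Category In Web File Upload", lambda a: a["category"] == "Web File Upload"),
    ("Website Domain Is External Websites", lambda a: a["domain"] in EXTERNAL_SITES),
]


def run_exploration(activities: List[dict], filters, window_days: int = 30):
    """Apply filters cumulatively, recording the count and per-day rate after each
    edit and whether the result has reached the actionable band."""
    low, high = TARGET_PER_DAY
    report, remaining = [], list(activities)
    for label, predicate in filters:
        remaining = [a for a in remaining if predicate(a)]
        per_day = len(remaining) / window_days
        report.append({"filter": label, "activities": len(remaining),
                       "per_day": round(per_day, 1),
                       "actionable": low <= per_day <= high})
    return report, remaining


def top_users(activities: List[dict], n: int = 3) -> List[Tuple[str, int]]:
    """Summary like the exploration charts: who accounts for the remaining activity."""
    return Counter(a["user"] for a in activities).most_common(n)


if __name__ == "__main__":
    report, remaining = run_exploration(make_activities(), FILTERS)
    for step in report:
        print(f"{step['filter']:42} {step['activities']:5d} "
              f"{step['per_day']:5.1f}/day actionable={step['actionable']}")
    print(top_users(remaining))
```

On the constructed data the count falls from 720 to 540 to 360 as the three filters are added, which is 24, 18 and finally 12 per day; only the last step lands inside the 10 to 15 band, so that is the point at which the exploration would be saved and re-run. If the last step had fallen well below the band instead, the right move is to loosen the most recent filter rather than keep adding more.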
After you set up your exploration, the results will display and you can define what you want to see.
You can export activities to CSV, JSON, or PDF files.
The first step of an exploration is to define your goal: what do you want to identify? Insider Threat
Management collects large numbers of activities. To make your exploration meaningful, you must narrow
it to just the actionable items. You want to collect those items where you can take action within a
reasonable time, such as within the day.
You can create your own custom explorations or use the available templates.
These templates target the activities that Proofpoint has found most customers are interested in
monitoring and investigating.
Note: Be aware that when you create an Exploration from a Template, the system automatically saves
the Exploration.
4. Click the pencil (or dots > Edit) to modify selected filter.
Number of activities changes with each edit.
5. Click + to add filters
Select from ‘Filter by’ list
Choose from the Filter by lists to add filters to your Exploration to limit the number of Activities.
The Data Dictionary contains a table to help you locate your desired filter. It assists you in mastering the
‘Filter by’ menus (currently 29 menus), which have these limitations:
• the menus are not alphabetical
• search does not match partial entries
• search is limited to the current list; sub-lists are not included in each search
Use the Data Dictionary to identify and help locate options to filter your Exploration. The Data Dictionary is
currently still a work in progress and thus unreleased.
https://documentation.observeit.com/SAAS/product_overview/data_dictionary.htm
Items in the “Data you can filter by” column hold additional ‘filter by’ items
• This list of items is dynamic based on Activities collected
This section describes the entities and fields used in the Proofpoint Information and Cloud Security
Platform. The JSON path is also included.
Note: This is a partial list of fields. More fields will be added.
Note: The fields here are the most commonly used fields. Other fields included in the Proofpoint Information
and Cloud Security Platform may not be described here.
Note: You may not see all the fields listed here when you view Proofpoint Information and Cloud
Security Platform. What you see depends on your entitlements.
Note: This dictionary uses the terms observed system and observed entity. These refer to the system that
is monitored by the Proofpoint security system, for example an Office 365 Cloud Application monitored
by CASB, a Windows laptop monitored by the PFPT Endpoint Agent, or an Email Gateway monitored by
PFPT email security (PPS).
Note: Signals refer to types of activity monitored by the security system.
6. Review Results
Click the dots (…) under Actions to view options. Choices include:
• Show Exploration in Dashboard, displays below standard Exploration graphics
• Duplicate when you want to use existing Exploration as base for a new one
• Add/Edit tags – these can be modified at any time
• View/Edit Details for information on this Exploration
• Archive – you can Archive and unarchive Explorations and view them with the Archive tab
Click the dots (…) at top of Exploration to view options. Choices include:
• Remove from dashboard
• Duplicate when you want to use existing Exploration as base for new one
• View/Edit Details for information on this Exploration
• Archive - you can archive and unarchive Explorations and view them with the Archive tab
Follow the steps shown on the slide to add Tags to your Exploration.
Select Archive where you can Archive and unarchive Explorations and view them.
This is where you can delete an existing Exploration. Delete is a two-step process where you first archive
the Exploration, then you can delete it.
You can change the view between a list view and a graphic view. In these views you can sort and filter the
information.
The results of your Exploration show both activities and alerts. Alerts have color-coded icons to indicate
their severity.
Click to see drop-down menu to change item status. The status shows on each item in Explorations and
in the Alerts listing.
Click the Summary tab to view key information about the selected activity. This includes:
• Activity – why is it in this list
• User – Aliases (how listed) as well as link to timeline for this activity
• Endpoint – name of the endpoint where activity occurred (link to Timeline)
• File/Resources – Path to stored files
• Process/Application – what triggered this activity’s selection
• Tags – where you can add tags to this item
• File Rename – action that triggered this item (with File Timeline link)
• Rules – What in a rule triggered this item’s selection
• Extension – what file extensions involved
From the Summary information, click Open Timeline to see activity before and after the activity of
concern.
Access File Timeline from the Summary tab. Here you can view the file history.
File Activity Details shows the history of the file in question. It shows dates, times, actions taken, and
locations.
Click each field to view additional information. Most Common fields include:
• Activity
• User
• Workflow
• Endpoint
• Process/Application
• User Interface
• Files/Resources
• Agent
• Indicator
• Feed
• Entity/Application
• Components
• Data
• Event
Send button functions as Done. Send button becomes enabled when you insert a comment.
Scenario
To support Central Healthcare’s goals and objectives around various activities, having quick, easy access
to Endpoint user activities of these types is of utmost importance. This lab will focus on building the
configuration function which fulfills this requirement.
Objectives
• Build an Exploration, using a Template, that will show which User uploaded a file named “Commission
Sales Agreement.”
• Build a custom Exploration to determine which user attempted to copy a file to a USB drive but was
blocked.
• Build an Exploration using a default template to determine the MIP Classification label of a file
attempted to be copied to a USB storage device.
• Build a custom Exploration to determine new file names which were applied to specific files.
10. Mouse over the 1st filter on the left for REGION TIME SOURCE and click the pencil.
11. In the Filter By dialogue, below the Over the last… heading, click 30d.
12. Click Done.
13. Add a filter to your Exploration by clicking + next to the “Web File Upload” filter at the top of the page.
14. In the ‘Filter by’ view, expand Files/Resources and click Name.
15. In the list of files, locate “commission sales agreement.docx” and select it.
16. Click Done
17. Within the activity located by this search, note the User Name value. Record it here.
______________________________________________________________________________________
18. Click Save.
4. Locate the 1st filter in your Exploration titled, Region Time Source, and click the pencil to update the
timespan of the filter.
5. In the Filter By dialogue, below the Over the Last… heading, click 30d.
6. Click Done. You should now see about 1500 +/- Activities in results.
7. To the right of your 1st filter click the + to add another filter.
8. In the Filter By dialogue box, locate and expand Activity and click Categories.
9. From the list of Categories, select File Write Blocked, then click Done.
The activity shows the details of what occurred.
10. Click anywhere on the Activity line to open the Alert details.
11. Select Summary tab and scroll down.
12. Below the File Write Blocked heading note the value provided indicating the name of the file that was
blocked.
From the Analytics App, click Dashboard in the left navigation bar. This takes you to the view of the top six
items, as defined by the system, for Analysts to monitor.
Click Select Widgets to set default view to other options. Choose the six you wish to see when you open
your Dashboard and click Save.
ITM & DLP: displays information about ITM and Endpoint DLP alerts and events as well as cloud events.
You can see graphs of the standard (preconfigured) analytics as well as of any Explorations that you
have configured.
Definition
• User interface for analysts
Purpose
• Presents quick look at activities on endpoints by region
Use
• Shows top things for analysts to monitor
User tasks
• Customize desktop view
• Modify the result order, select most or least
• Choose the chart type, select bar, pie, or table
• Save Explorations to dashboard
You can customize each of the six common charts at the top of Explorations to serve your needs best.
Click Select Widgets to set default view to other options. Choose the six you wish to see when you open
your Dashboard and click Save. Click the Settings gear to change the default result order and the chart
type.
As you create your own Explorations, you can choose to display each on the dashboard. They display
below the standard charts. You can remove each of these from your dashboard when you choose.
To quickly investigate an item further, you click on that item in the selected chart. This opens the
Explorations page where you can continue your investigation.
Scenario
You’ve been concerned by feedback from a manager that employees seem to be spending
disproportionate amounts of time browsing the Internet. Using the Dashboard, select and access User
Activity of interest and concern and navigate the workflow of the Dashboard.
Objectives
• To focus these findings and make them available for quick review, edit the presentation of the
Dashboard objects
• You want to be able to review these findings with your colleague easily, so add your custom
Exploration to the Dashboard
6. Click the gear icon in the upper right corner of the object, again.
7. This toggles the view and allows you to change how the data is presented within the graph. Change
the Chart Type from Bar graph to circle graph. Notice that the data is now presented as a circle
chart rather than a bar graph.
8. Set each of the six standard Dashboard Widgets to your preferences.
In order to know exactly how your account is configured, review the entitlements. To see the entitlements,
from the Proofpoint Information Protection platform, select the Administration app and then select
Settings.
• Entitlements are based upon your organization's licenses and include:
• Entitlement status of Proofpoint CASB
• Entitlement status of Proofpoint Email DLP
• Entitlement status of SaaS metadata feed for exporting data to external S3 bucket
• Maximum retentions per product
• Status of the entitlement, such as active or expired
• Average activity per user per day for endpoint products
• Visual storage capacity for endpoint ITM SaaS
Statistics show what your organization is ingesting and using. From the Statistics view, you can take a
look at your account at a point in time as well as historically. This view lets you understand the activity rate
and if applicable, screenshot storage, and you can compare this with your account entitlements.
To view the account statistics, from the Proofpoint Information Protection platform, select the
Administration app. Select Account > Statistics.
At the top of the Statistics, you can set the time period you want to see (last 7 days, last 14 days, last 30
days, last 90 days, and all time).
The statistics view shows activity for all channels:
• Endpoint channel: Endpoint DLP, ITM Specific and Endpoint Health
• Cloud channel: CASB
• Email channel: Unified Alerts
When you select an activity from Activities by time area, it then shows in the Activity Ingestion Rate
graph in the Details area, so you can see ingestion over the selected time period.
View common warning messages
• Regarding usage
• Regarding a stale session
Gather information
• Incident ID
• Details
Complete the recommended procedure for each. If you cannot clear the warning, copy the details for Support.
Customers who are authorized support contacts (ASC), or limited access role, and have a login
(credentials) for the Proofpoint Customer Success Center (PCSC) can access the community.
1. Customers with these credentials access the community from the PCSC login page. (The community
is located behind the login.)
2. Logging in directs the user to their personalized community homepage.
3. The community organizes information by both product and topic. You can also navigate quickly to the
information you are looking for by using the Product Quick Links, the Explore by Product drop-down
menu, or by searching key terms.
A DLP-only policy does not show in the Edit Agent Realm policy list; you have to look at each policy.
The policy above overrides the policies below it.
1. Identify and click the Agent Realm to review
2. Click the dots for each policy and select Edit
3. Review the General and Details tab for each policy
**Remember that policies are read from the top down. Thus a DLP policy at the top will prevent the screen
captures configured by an ITM policy at the bottom.
Agent Realm
1. Edit Realm
• Check retention policy and time
2. Advanced Settings
• Endpoints > Agent Realms > Dots > Edit > Advanced Settings > Configuration Files > Configuration
Files > Encryption enabled (yes/no)
Advanced Settings per Realm
1. Policies > Agent Policies > Dots (per policy) >
• Disabled encryption gives more access to the configuration files on the Agent
• Dump with key performs decryption
2. Review the policy stack
a. Realm policies flow from top to bottom
b. If the top policy says capture only metadata, it overrides the lower policies (no screen captures)
c. The default policy (DLP only) created for a realm captures no screenshots or web browsing
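The top-down precedence described in the two policy-stack notes above (a DLP-only or metadata-only policy above an ITM policy suppresses that policy's screen captures) is easy to miss when reviewing realms one policy at a time. The following check is an added illustration, not Proofpoint code; it assumes a simplified model of a realm's ordered policy list in which each policy carries a name and a capture mode ("metadata" for DLP-only/metadata-only, "screenshots" for an ITM policy that expects screen captures), both of which are assumed vocabulary. It reports which lower policies are shadowed and proposes one ordering that keeps every policy without shadowing.

```python
"""Audit an Agent Realm policy stack for shadowed screen-capture policies.

Added example, not Proofpoint's code. The policy model below is an
assumption: a realm is an ordered list of RealmPolicy, read top to
bottom, and each policy is either "metadata" (DLP-only / metadata-only)
or "screenshots" (an ITM policy that expects screen captures).
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class RealmPolicy:
    name: str
    capture: str  # assumed vocabulary: "metadata" or "screenshots"


def effective_capture(stack: List[RealmPolicy]) -> str:
    """The topmost policy decides, mirroring 'policies read from top down'."""
    if not stack:
        return "none"
    return stack[0].capture


def shadowed_policies(stack: List[RealmPolicy]) -> List[str]:
    """Names of screenshot policies that sit below a metadata-only policy.

    Once a metadata-only policy has been seen, every screenshot policy
    beneath it is overridden and will never produce screen captures.
    """
    shadowed: List[str] = []
    metadata_above = False
    for policy in stack:
        if policy.capture == "screenshots" and metadata_above:
            shadowed.append(policy.name)
        if policy.capture == "metadata":
            metadata_above = True
    return shadowed


def proposed_order(stack: List[RealmPolicy]) -> List[RealmPolicy]:
    """Stable reorder: screenshot policies first, everything else after.

    Relative order inside each group is preserved so no other precedence
    relationship changes; only the shadowing is removed.
    """
    return sorted(stack, key=lambda p: 0 if p.capture == "screenshots" else 1)


def audit_realm(stack: List[RealmPolicy]) -> Dict[str, object]:
    """Summary a reviewer can paste into a change request for the realm."""
    shadowed = shadowed_policies(stack)
    order = proposed_order(stack) if shadowed else stack
    return {
        "effective_capture": effective_capture(stack),
        "shadowed": shadowed,
        "proposed_order": [p.name for p in order],
    }


# Constructed example: the default DLP-only policy was left on top of an
# ITM policy, so the ITM policy's screen captures never happen.
EXAMPLE_STACK = [
    RealmPolicy("Default DLP only", "metadata"),
    RealmPolicy("ITM finance investigation", "screenshots"),
]

if __name__ == "__main__":
    print(audit_realm(EXAMPLE_STACK))
```

Run the script to see the report for the constructed stack; the shadowed list is the finding to act on, and the proposed order is one arrangement that clears it while keeping every policy in the realm.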
Concern when working with a master installation config (for VDI, for example Citrix)
Each value is set at installation, after which the config file becomes invalid
• You may want a short validity period to protect access to the tenant, etc.
• The SaaS Agent requires an installation file for each provision
• After the time expires, you need to build a new master image for agent installs
Install the Agent from the Wizard in AgentSetup-<version>.msi or from the command line in
WinagentInstall.cmd
1. On the master image machine, install the ObserveIT Windows agent.
2. To install using the Wizard when you run AgentSetup-<version>.msi, check Install for a master
image when prompted.
3. To install using the command line, set the parameter ITX_MSTR_IMAGE to true in
WinagentInstall.cmd. This is a system environment variable and it must be set to true for the master
image.
4. After the Agent is installed, configure the master image on your VDI infrastructure, such as Citrix,
Microsoft or other to create the number of VDIs.
When you see one of these warning messages, be sure to collect the information for the Support team.
When you are not seeing information collected from Endpoints, check the following in the Endpoint Catalog.
• Check the last activity and last heartbeat
• If running, it shows the latest version the Endpoint is running
• Verify that a pre-set filter has not been applied
You must be an Authorized Support Contact (ASC) to access the Proofpoint support community and
open a support case. If you are not an ASC, you can reach out to an ASC at your organization or contact
your account team. Your Account Manager designates the initial ASC. That individual receives credentials
and instructions to access the Proofpoint Customer Success Center portal in a Welcome letter. An ASC
can add additional ASCs within the Support Center portal.
1. As Authorized Support Contact log in to the PCSC portal
2. Select the Case tab
3. Create New ‘Support Case’ by completing the following items
• Case Record Type
• Blocked Sending IP (PDR)
• Email Classification Errors (FN/FP)
• Insider Threat Management Support Case (default for ITM customers)
• Request for Enhancement
• Support Case
• Support Contact: Add/Update/Remove
• Training Request
• Product Type – High-level information to help categorize and expedite your question/problem.
• Component – Further identify the nature of your question/problem leads to a quicker resolution.
• Subject – Provide a concise statement of your question or problem.
• Description – Provide a detailed description of the question/problem including background, history,
observations, and steps you have taken to resolve the situation. Also include recent changes to your
Proofpoint system or other systems that may affect it as well as any other information that you think
will contribute to resolving the case.
• Attachments – Add files you believe will help troubleshooting. Please include items such as
screenshots, log files, spam messages and system configuration files (e.g. filter.cfg). (25MB
attachment size limit or use Proofpoint Secure Share)
The “must gather” is now a live document and available on the Community Pages. Use this when
contacting Technical support to know what to collect and how to collect it.
This table provides the definitions of case severity to use as you open a case.
it-utility.exe can dump important information files, change the log level, or decrypt configs at run time,
without stopping or restarting the agent and its Windows service.
File decryption can also be done from Security - Files Decryptor.
In order to run the utility you may need to get the Agent Instance Id (see SaaS Agent Security) and pass it
as the -i (--id) argument. The other way is to run the utility as the SYSTEM user without the -i (--id) argument.
To execute a command, use the pattern: [PATH TO OBSERVEIT/CLOUD]/it-utility.exe [VERB] -[SHORT-OPTION] [VALUE]
Example: C:\Observit\it-utility.exe log -l info -i xxxxxx-yyyy-aaaa-bbbb-zzzzzzz
Run utility as SYSTEM user
To avoid having to obtain the Instance ID, or to perform a register/unregister, you need to run the utility
as the SYSTEM user:
1. Download PsExec utility from https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
2. Open command line with Administrator privileges
3. Go to PsExec directory and type psexec -i -s cmd to run cmd as SYSTEM user
4. Then in the new command line window go to Client Utility directory and start using utility
This table shows the arguments and explanations for using it-utility.exe. We will practice some of these in
this class.
Log Retrieval and Logs Retrieved are added in Agent Version 2.4 (they will not work with earlier versions)
1. Click on the Agent
2. Change the trace level for 1 hour, 1 day, 3 days, or 1 week
3. Wait (check the last heartbeat; allow 10 minutes from then)
Retrieval captures everything in the logs folder for the time period selected (dump command).
Agent traces are collected and saved for up to 2 weeks.
They can be collected through a person with back-end access, or the customer must collect them from the
console and send them to Support.
Note that the bundle number is not the same as the number for items within the bundle.
Since policies are not limited to a single Condition, you can use to test a rule.
Use a Persona to act as the user when pursuing an investigation. It can be assigned to an internal
investigator or set up for use by Proofpoint Technical Support.
Scenario
Central Healthcare’s ITM Team is small. When working with Proofpoint Technical Support, they need to be
efficient with these interactions. Gaining an understanding of Support’s needs when working with them
will help maintain this efficiency.
Objectives
• Increase the Agent’s trace level output to gather troubleshooting data for the related Support case.
• Use the it-utility.exe utility to change the Agent’s Log level
• Perform a dump of the Agent’s Log file, with increased debug output level, for inclusion in your
Support case.
• Use the it-utility.exe utility to dump internal agent data from a managed Endpoint.
• Gather output file(s) for inclusion in Support case.
10. Now repeat the action/activity on the Endpoint which causes the current issue. This will gather
relevant debug data into the Agent’s log file.
Exercise 12-2: Perform a dump of the Agent’s Log file at debug level
1. On the Desktop of the problematic Endpoint, open a command prompt.
2. Navigate via the command line to the directory where the Agent is installed. By default this would be:
C:\Program Files\IT Client Utility\Client Utility.
• cd C:\Program Files\IT Client Utility\Client Utility
3. Navigate to your C drive on the Agent Endpoint via Windows Explorer.
4. Create a Folder at the root of C: named “Agent Debug.”
5. Use the following command to dump the Agent’s log file for inclusion in your Support case:
a. it-utility.exe dump -d all -t "c:\Agent Debug" -i <instance ID of Endpoint gathered in step 5 of last
exercise>
b. This will dump the Agent’s log file to C:\Agent Debug.
c. The output will look similar to this:
All files were dumped to:
c:\Agent Debug\dumpConig145016_14072021.zip
c:\Agent Debug\dumpLog145016_14072021.zip
6. Navigate to C:\Agent Debug and gather the zip files created. Be SURE to attach this to the related
Support case for review.
7. Remove the Agent Debug folder from its location once the zip files have been gathered.
8. If the Agent’s trace level shows debug, change it back to the default Error level by issuing this
command:
a. it-utility.exe log -l error -i <instance ID of Endpoint gathered in step 5 of last exercise>
b. The output will look like this:
[appsettings.json] Log Level changed from 'Debug' to 'Error'
[servicesettings.json] Log Level changed from 'Debug' to 'Error'
Log Level changed...
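Steps 5 through 8 above produce two pieces of console output that an analyst has to act on by hand: the list of zip files written by the dump, and the confirmation lines from the log-level reset. The script below is an added example, not Proofpoint's code or part of it-utility.exe; it parses output shaped like the two samples shown in this exercise (the sample text embedded in it is constructed), checks each dump file against the 25MB case-attachment limit mentioned earlier in this guide, produces a SHA-256 to record in the case notes, and confirms that every settings file reported the expected level after the reset. The `attachment_plan` function takes file sizes as a mapping so it can be exercised without the endpoint's file system.

```python
"""Post-process it-utility.exe dump and log output for a Support case.

Added example, not Proofpoint's code. It assumes output shaped like the
samples in the exercise; the sample strings below are constructed.
"""
import hashlib
import re
from typing import Dict, List, Tuple

MAX_ATTACHMENT_BYTES = 25 * 1024 * 1024  # 25MB case-attachment limit from the guide

# Constructed sample, shaped like the `dump` output shown in step 5.
SAMPLE_DUMP_OUTPUT = """All files were dumped to:
c:\\Agent Debug\\dumpConfig145016_14072021.zip
c:\\Agent Debug\\dumpLog145016_14072021.zip
"""

# Constructed sample, shaped like the `log -l error` output shown in step 8.
SAMPLE_LOG_OUTPUT = """[appsettings.json] Log Level changed from 'Debug' to 'Error'
[servicesettings.json] Log Level changed from 'Debug' to 'Error'
Log Level changed...
"""

DUMP_PATH_RE = re.compile(r"^\s*([A-Za-z]:\\[^\r\n]+?\.zip)\s*$")
LOG_LEVEL_RE = re.compile(
    r"^\[(?P<file>[^\]]+)\] Log Level changed from '(?P<old>\w+)' to '(?P<new>\w+)'$"
)


def parse_dump_output(text: str) -> List[str]:
    """Return the zip paths listed after 'All files were dumped to:'."""
    paths: List[str] = []
    after_header = False
    for line in text.splitlines():
        if line.strip() == "All files were dumped to:":
            after_header = True
            continue
        match = DUMP_PATH_RE.match(line) if after_header else None
        if match:
            paths.append(match.group(1))
    return paths


def parse_log_levels(text: str) -> Dict[str, Tuple[str, str]]:
    """Map each settings file to its (old, new) level from `log` output."""
    levels: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        match = LOG_LEVEL_RE.match(line.strip())
        if match:
            levels[match.group("file")] = (match.group("old"), match.group("new"))
    return levels


def log_level_reverted(text: str, expected: str = "Error") -> bool:
    """True only if at least one settings file reported and all now show `expected`.

    Leaving an endpoint at Debug after the case is closed is the failure
    mode step 8 guards against, so an empty report counts as not reverted.
    """
    levels = parse_log_levels(text)
    return bool(levels) and all(new == expected for _, new in levels.values())


def attachment_plan(paths: List[str], sizes: Dict[str, int]) -> Dict[str, str]:
    """Decide per dump file whether it fits the case-attachment limit.

    `sizes` maps path -> bytes; on the endpoint it would come from
    os.path.getsize, here it is supplied so the check runs anywhere.
    """
    plan: Dict[str, str] = {}
    for path in paths:
        size = sizes.get(path)
        if size is None:
            plan[path] = "missing"
        elif size > MAX_ATTACHMENT_BYTES:
            plan[path] = "too-large: use Proofpoint Secure Share"
        else:
            plan[path] = "attach"
    return plan


def file_digest(path: str) -> str:
    """SHA-256 of a dump file, to record in the case notes alongside the upload."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


if __name__ == "__main__":
    dumped = parse_dump_output(SAMPLE_DUMP_OUTPUT)
    # Constructed sizes: the log bundle is deliberately over the limit.
    print(attachment_plan(dumped, {dumped[0]: 4096, dumped[1]: 30 * 1024 * 1024}))
    print("log level reverted:", log_level_reverted(SAMPLE_LOG_OUTPUT))
```

On the endpoint you would feed `parse_dump_output` the captured console text, build `sizes` from the real files in C:\Agent Debug, and run `file_digest` on each zip before attaching it; a file flagged "too-large" goes through Proofpoint Secure Share rather than as a case attachment.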
You may use any materials for reference to solve the problems presented here.
Your instructor will provide problem solutions upon request.