Insider Threat Management

for Administrators and Analysts- Level 2

Release February 2023


Proofpoint
925 West Maude Ave
Sunnyvale, CA 94085
www.proofpoint.com
Insider Threat Management for
Administrators and Analysts -
Level 2

Student Guide
Proofpoint, Inc.
Copyright © Proofpoint, Inc., 925 West Maude, Sunnyvale, CA 94085 USA. All rights reserved.
Information in this manual is subject to change without notice. No part of this publication
may be reproduced or distributed in any form or by any means, electronic or mechanical,
for any purpose, without the express written permission of Proofpoint, Inc.
Produced by Proofpoint Technical Training. This curriculum is a product created and
delivered by many individuals working at Proofpoint and we acknowledge them here.

About Proofpoint
Proofpoint, Inc. (NASDAQ:PFPT) is a leading cybersecurity company that protects
organizations’ greatest assets and biggest risks: their people. With an integrated suite of
cloud-based solutions, Proofpoint helps companies around the world stop targeted
threats, safeguard their data, and make their users more resilient against cyber attacks.
Leading organizations of all sizes, including more than half of the Fortune 1000, rely on
Proofpoint to mitigate their most critical security and compliance risks across email, the
cloud, social media, and the web. No one protects people, the data they create, and the
digital channels they use more effectively than Proofpoint.

Trademarks
Proofpoint is a trademark, registered trademark, or tradename of Proofpoint, Inc. in the
United States and other countries. Proofpoint Enterprise Archive is a trademark of
Proofpoint, Inc. All other trademarks contained herein are property of their respective
owners.

Insider Threat Management for Administrators and Analysts - Level 2


Courseware Version AA
February 2023
Printed in the United States of America

Contents
Lesson 1: Insider Threat Management Overview ............................................................ 1
Exercise 1-1: Access ITM and log in with email address .................................. 15
Exercise 1-2: Access Documentation ................................................................. 15
Exercise 1-3: Access your Student Endpoints. .................................................. 16
Lesson 2: Solution Configuration .................................................................................. 19
Exercise 2-1: Use cases for Central Healthcare ................................................ 27
Exercise 2-2: Create Use Case for Your Organization ....................................... 29
Lesson 3: User Management ......................................................................................... 31
Exercise 3-1: Add Users ..................................................................................... 45
Exercise 3-2: Assign Access Policy to your newly created Users ..................... 46
Exercise 3-3: Review Console User Login Activity .............................................. 46
Lesson 4: Agent Realms ................................................................................................ 49
Exercise 4-1: Add an Agent Realm to your account ......................................... 71
Lesson 5: Agent Policies ................................................................................................ 75
Exercise 5-1: Create two additional custom Agent Policies .............................. 92
Exercise 5-2: Assign and order your Agent Policies to your Agent Realm........ 95
Lesson 6: Agent Deployment ........................................................................................ 97
Exercise 6-1: Download the Installation Configuration Files ........................... 108
Exercise 6-2: Use graphical MSI Wizard to install Agent ................................. 109
Exercise 6-3: Use graphical MSI Wizard to install the Updater on Endpoint 2 110
Exercise 6-4: Use Agent Updater to install an Agent on Endpoint 2 ............... 110
Lesson 7: Endpoint File Content Scanning ................................................................. 113
Exercise 7-1: Build a Detector Set to Detect Sensitive Content ...................... 125
Exercise 7-2: Edit your Agent Realm and Enable Content Scanning .............. 125
Lesson 8: Rules and Conditions .................................................................................. 129
Exercise 8-1: Build a custom Condition to define External Websites ............. 171
Exercise 8-2: Edit an existing template from the Threat Library for new Rule . 172
Exercise 8-3: Create Prevent Rule to Block file upload to External Website ... 172
Exercise 8-4: Block File External Website Upload on File Content Scan ........ 173
Lesson 9: Notifications, Tagging, and Alerts ............................................................... 175
Exercise 9-1: Create and Enable End User Notification on Agent Realm ....... 210
Exercise 9-2: Create an Endpoint Notification Policy for your Prevent Rule.... 211
Exercise 9-3: Test Your Rules to Generate Live Alerts ..................................... 212
Exercise 9-4: Review and Perform Workflow functions on Generated Alerts .. 213
Exercise 9-5: Tag Configured/Generated objects ............................................ 214
Lesson 10: Explorations ............................................................................................... 217
Exercise 10-1: Exploration from template to view Web Upload activities ....... 251
Exercise 10-2: Custom Exploration identifying whose copy to USB blocked . 252
Exercise 10-3: Determine MIP label of attempted file copy to USB ................. 252
Exercise 10-4: Determine new file names applied to specific files .................. 253

Lesson 11: Dashboard Setup and Interpretation ........................................................ 255
Exercise 11-1: Access and navigate to select items on the Dashboard ......... 263
Exercise 11-2: Edit the Dashboard objects to change the presentation ......... 263
Exercise 11-3: Add your custom Exploration to the Dashboard page............. 264
Lesson 12: System Monitoring and Support Services ............................................... 267
Exercise 12-1: Increase the Agent’s trace level output ................................... 300
Exercise 12-2: Perform a dump of the Agent’s Log file at debug level............ 301
Lesson 13: Challenge Labs ......................................................................................... 303

Lesson 1: Insider Threat Management Overview
Introduction
This lesson provides an overview of the Insider Threat Management product. It also presents information
to access the Insider Threat Management system.

Insider Threat Management for Administrators and Analysts - Student Guide - Level 2

2 Copyright © 2023 Proofpoint, Inc.


Insider Threat Management Overview

Endpoint management, cloud application monitoring, and email data loss prevention (DLP) use the
Proofpoint Information and Cloud Security Platform as a common interface. Each of these products sends
information to the platform where it can be analyzed. The Proofpoint Information and Cloud Security
Platform also provides centralized administration for licensing and storage management.

The SaaS product supports multiple endpoint types: Mac, Windows, Unix, and Linux. It also supports
servers: AWS, Azure, VMware, and Citrix. ITM collects both User and Activity Data from the Agents.
The SaaS ITM, via the Proofpoint Information Protection Platform, provides elastic search, a NoSQL
database, serverless compute, scalable storage, anomaly detection, and consolidated management with
Identity and Access Management (IAM), a web service that helps you securely control access to AWS
resources.

Notice that Endpoint DLP is a subset of Insider Threat Management. Proofpoint Endpoint DLP and ITM
leverage the same lightweight agent and API-first, cloud infrastructure. Endpoint DLP is optimized for a
data loss use case in an affordable package. A single agent can be deployed to track data activities as
well as user activities. Using policies, organizations can focus on everyday users for data loss while
gaining additional user activity context for high-risk users.
• Everyday Users – applies to all users and groups who do not have privileged permissions.
• Privileged Users – administrators of systems and applications. This list is to be populated with users
and groups that exist in any Active Directory deployment.
• Third Parties – all third-party users. These users are considered high risk because they usually have
access to sensitive information although they are not part of the organization; they are typically
contractors or consultants rather than permanent employees.
• Watch List – includes individuals flagged for reasons such as alcoholism or financial debt issues,
employees who may be looking for other jobs or are on a separation list, and so on. Adding someone
to this list generally requires Human Resources approval.
• Targeted Users – users or groups being targeted for attacks, for example CFOs, CEOs, and other
executives.

Proofpoint Endpoint DLP and ITM leverage the same lightweight agent and API-first, cloud infrastructure.
Endpoint DLP is optimized for the data loss use case in an affordable package.
This slide shows the features available for Endpoint DLP and for the ITM products. Notice that the ITM
product adds User Activity Alerts and Visual Capture to the feature set shared with Endpoint DLP. It is
possible to mix the products within your deployment so that some endpoints are configured for ITM and
others for Endpoint DLP.

Endpoint DLP monitors data activity:
• File upload to Web
• File copy to local cloud sync
• File printing
• Copy/paste of file/folder/text
• File tracking (Web to USB, Web to Web, etc.)
• File download from Web
• File sent as email attachment
• File downloaded from email
ITM adds monitoring of user activity:
• Hiding information
• Unauthorized access
• Bypassing security controls
• Careless behavior
• Copyright infringement
• Unauthorized communication tools
• Unauthorized administration tasks
• Unauthorized USB activity
• IT sabotage
• Privilege elevation
• Identity theft
• Suspicious GIT activity
• Unacceptable use

Tracked files – Files downloaded to the endpoint
Local files (non-tracked files) – Files created on the endpoint
ITM and Endpoint DLP provide detailed information on tracked file activity.
ITM and Endpoint DLP provide limited information on non-tracked file activity (primarily exfiltration
information).
As you create policies and rules you will notice these terms and what you can configure for both tracked
and non-tracked files.

For each installation, you start by creating an Account for your organization to run Insider Threat
Management and Endpoint Data Loss Prevention. You assign Endpoints to Agent Realms via a
configuration file. From the console you also assign Agent Policies to the Agent Realm; the console then
associates the Agent Policies with the Endpoints (establishes the relationship). Content Scanning is
enabled on the endpoints within an Agent Realm.
Users in this diagram refer to console users, not monitored or observed users. Access Policies get
applied to Console Users and determine which functions each user can perform, such as administration,
observation of activity, and creating rules. To ease administration, you can create Groups, assign Access
Policies to the Groups, and then assign individuals to the Groups.
The Threat Library contains templates of rules provided with each installation. Rules can come from the
Threat Library, or you can create them directly within your Account without using the Threat Library.
Rules contain Conditions. Conditions can exist at the top level of the Account, from where you can assign
them to Rules. Rules generate the Alerts.
You create a Notification Policy to specify how you will be notified (email, webhook, Slack, or another
way). Once defined, you can include that Notification Policy within a Rule. Thus, when the Rule fires
(generates the Alert) it uses the Notification Policy specified within the Rule.
Conditions can be used in both Explorations and Rules.

The Agent App installed on the Endpoint generates Activities and Screenshots. These are filtered, using
manually created filters or Conditions, and then viewed within Explorations. Activities and Screenshots
are also fed into the Rule engine, which generates Alerts. These Alerts include what a monitored user did
as well as screenshots of the activities.
Analysts set filters and Conditions (pre-built filters) to create Explorations. You can manually create
filters or use an already specified Condition as a filter.

A tag is an identifier that can be attached to rules, conditions, activities, alerts, and other objects to
group them under a common name, from which you can then easily build an investigation.
The User Interface has a Tag Management area where you can create a tag, such as high risk or data
exfiltration. During an Exploration you can assign the tag to individual alerts. You can also tag the rules
that generated the alert. You can then group all these items under the common name with a filter in an
Exploration. The system also ships with pre-set tags.
Once items have been tagged, you can use tags as a filter in Explorations, and the Activities that carry
the common tag are shown.

This slide shows the Professional Services default implementation process.

Login configuration
• We need to get the customer to log into the product first. If the customer went through the
Proof-of-Concept process, they may already have an Identity Provider configured. If not, we do this
together.
Realms and policies configuration
• We configure Agent Realms here, then configure and attach Agent Policies to the Realms.
Agents deployment
• The next step is to get the Agents deployed in your organization. We get the installation package and
supporting configuration files at this stage. This will allow you to push the Agent using internal
package management tools.
Use case - work with raw data
• Here we move to configuring Proofpoint ITM to work with the customer’s raw data. The first step is for
the customer to define their ITM goals.
Define Users
• As goals are established, the customer should also identify those individuals to be monitored.
Define Data Locations
• Part of defining the use case is to identify where critical data is located. This is important for creating
policies and rules.
Define Activities of Concern
• Identifying what activities to flag prior to creating policies and rules defines what to filter.
Filtering
• Lastly, creating policies and refining rules is the process of filtering the collected data to identify the
critical activities that indicate Insider Threat actions. Once identified, appropriate referrals can be made
to address these.

On your system you will see the above login screen.


When you have the URL for your ITM account, log in with Single Sign On or with username and password
according to your organization’s setup.

Click Administration to configure or modify settings for this account.

Developer contains access to the API. Click Data Loss Prevention to set up detectors and data
identifiers and to create Detector Sets for Endpoint File Content Scanning.
Click Analytics to view and filter activities for further investigation.

Exercise 1: Accessing Insider Threat Management and Student Endpoints

Objectives
• Navigate to the correct URL to access the training system for this course
https://proofpoint-training.explore.proofpoint.com/v2/apps/login
• Log in with assigned email address or user name and password
• Access the Administration application
• Access product Documentation to describe three Endpoint Solution options
• Access your student Endpoints via:
https://educationservices.access.proofpoint.com/login/?service=mc

Student      Student ID   Email Address                       Endpoint 1     Endpoint 2
Student 1    student01    student01@proofpointtraining.com    10.25.25.101   10.25.25.201
Student 2    student02    student02@proofpointtraining.com    10.25.25.102   10.25.25.202
Student 3    student03    student03@proofpointtraining.com    10.25.25.103   10.25.25.203
Student 4    student04    student04@proofpointtraining.com    10.25.25.104   10.25.25.204
Student 5    student05    student05@proofpointtraining.com    10.25.25.105   10.25.25.205
Student 6    student06    student06@proofpointtraining.com    10.25.25.106   10.25.25.206
Student 7    student07    student07@proofpointtraining.com    10.25.25.107   10.25.25.207
Student 8    student08    student08@proofpointtraining.com    10.25.25.108   10.25.25.208
Student 9    student09    student09@proofpointtraining.com    10.25.25.109   10.25.25.209
Student 10   student10    student10@proofpointtraining.com    10.25.25.110   10.25.25.210
Student 11   student11    student11@proofpointtraining.com    10.25.25.111   10.25.25.211
Student 12   student12    student12@proofpointtraining.com    10.25.25.112   10.25.25.212
Instructor   instructor   instructor@proofpointtraining.com   10.25.25.11    10.25.25.12

Exercise 1-1: Access ITM and log in with email address


1. Open Browser and navigate to the URL provided below:
https://proofpoint-training.explore.proofpoint.com/v2/apps/login
2. Select Use Username and Password.
3. Log into UI using your assigned student Email Address, like: student01@proofpointtraining.com,
with password ProofpointTrainingRocks1!

4. Click Administration to access the Administration application.

Exercise 1-2: Access Documentation


1. Click the question mark at top right from within Administration.
2. Click Proofpoint Information and Cloud Security Platform to learn about options for Data Loss
Prevention (DLP).

3. List the three Proofpoint products currently using Proofpoint Information and Cloud Security Platform
__________________________________________________________________________________________
__________________________________________________________________________________________
__________________________________________________________________________________________
4. Click ITM / Endpoint DLP Admin for ITM SaaS Administration information and help. Note the
numerous sub-topics.
5. Click Getting Started - Insider Threat Management > Supported Platforms and Requirements
for ITM / Endpoint DLP and then identify the Web browsers currently supported for ITM
__________________________________________________________________________________________
__________________________________________________________________________________________
__________________________________________________________________________________________
Note: Click the other browser tab to return to ITM Administration.

Exercise 1-3: Access your Student Endpoints.


1. Open Browser and navigate to the URL provided below:
https://educationservices.access.proofpoint.com/login/?service=mc
a. Select Use Username and Password at the bottom of the login screen.
b. Log into UI using your assigned student Email Address, like:
student01@proofpointtraining.com, with password ProofpointTrainingRocks1!
c. When the Self-Service Portal appears, select the waffle icon and click MetaConnect.

2. Once logged in to the MetaConnect portal, open any of your student VMs. Refer to the table above
based on which student number the instructor assigned you.
3. Authenticate to any of the student Endpoints with the following:
• Computer: (ITM-EP-Sxx-D1 and ITM-EP-Sxx-D2 based on table above)
• User name: Administrator
• Password: Proof!train9
• Domain: empty (no text)
You are now logged into the Endpoint on which you will be installing the ITM Agent in a later lab.
4. Repeat step 3 to set up the other Student Endpoint.

Lesson 2: Solution Configuration
Introduction
This lesson describes steps for successful use of Insider Threat Management. It also describes how to
configure a specific solution to identify activities within your ITM system.

Solution Configuration

The diagram above outlines the pieces of information needed to define an effective use case:
Goal
1. Start by defining a business goal. This is most often defined by the business stakeholders and can
include things such as reducing the risk of intellectual property theft, preventing leaking of employee
Personally Identifiable Information (PII), or gaining visibility into the organization’s leavers.
Risk Personas
2. Next, define the people who have access to this critical information (Risk Personas). Determine which
groups can access the data today, and which individuals have privileged access to the data.
Privileged access is especially important since anyone with higher access privileges will have higher
impact in case of a malicious intention or a mistake. Determine how these people are defined in your
organization: is there a naming convention? Are there Active Directory Security Groups?
Assets
3. Assets (data assets, in this case) are where the data resides. Data can be located on a corporate
SharePoint site, a file server share, or in an enterprise application such as Salesforce.
Risky Behaviors
4. What are the behaviors we are trying to detect? Are we detecting uploads to the web, exfiltrating data
to USB devices, or copying data to the Google Drive client?
Actions
5. Lastly, define what you would like to do when your use case goes into action. Some examples include:
• Send an automated notification to your Security Operations Center (SOC), which would initiate an
investigation workflow.
• Use the Proofpoint ITM Agent’s prevention features to prevent the file USB copy.
• Use a webhook notification to initiate an automated workflow.

For a successful implementation of ITM, you must first establish your goal or goals with the product.
Some common goals include the identification and monitoring of the following:
• USB copy activity: View all users who have copied files to their USB device
• Suspicious users: View all activities in all channels (endpoint, email, cloud) for a group of users, for
example those planning to leave the company
• Upload files to Web: View all users who have uploaded files to their personal webmail
• Download files from the Web: View all users who have downloaded a file from share/cloud drives
• Exfiltration attempts: View file exfiltration attempts that were blocked by a prevention rule

Use Case 1 (Example)


1. ITM Business Concern – Protecting confidential contract data
2. Risk Personas – Contracts team, CFO, Sales Representatives, IT staff with privileges
(active directory group names or names of individuals need to be identified)
3. Data asset locations – File server shares, selected endpoints, SharePoint location, SalesForce
4. Risky Behaviors (ITM) - Uploads to Web, Exfiltrating to USB devices, Copying data to Google Drive
client
5. Actions when use case triggers - Send automated notification to SOC to initialize an investigative
workflow

After you determine your use case, you configure the system to gather data. You start with Settings to
ensure you have the correct product entitlements (ITM or Endpoint DLP) to accomplish your goals. You
also verify that the Provider for your users is enabled and that the email domain of the Users is allowed.
You establish Agent Realms and download Agent Apps to the endpoints you wish to monitor.
Then you review the Default Agent Policy and make modifications as appropriate. You add users with
differing access policies.
The system can now collect data. Click Settings in the left navigation menu to monitor the current data
collection statistics.

To present the data we want to see, we start by creating an Exploration. Since we want to monitor web file
uploads, the following shows an example Web File Upload exploration setup.
1. Choose Analytics
2. Select Explorations
3. Click New Exploration
4. Name the exploration ‘Web Upload’
5. Click + to show ‘Filter by’ list
6. Select Activity > Categories > Web File Upload
7. Click Done

The ideal goal of the ITM / Endpoint DLP system is to have it auto-generate 10 to 12 action items per day.
We target that number so that you can follow up on a daily basis as problematic actions appear.
To get to that reasonable number you must continually review and modify explorations, and add and then
refine rules with conditions. Your target is for the system to auto-identify 10 to 12 actionable items per
day. Perform the following actions to meet this target:
• Modify explorations, refine rules, and introduce conditions
• Include notification policies to generate just the Alerts you seek
• Refine and review: continue modifications until the desired number of Alerts is auto-generated
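As an added illustration of this tuning loop (not Proofpoint code), the following Python script measures a hypothetical alert export against the 10 to 12 per day band and names any rule that dominates a day's volume, which is the rule to refine first. The export's JSON-lines format, its field names, and the sample records are all constructed assumptions.

```python
"""Measure daily ITM alert volume against the guide's 10 to 12 per day target.

Added example, not Proofpoint code. The export format is an assumption: one JSON
object per line with "time" (UTC, ISO 8601 with trailing Z), "rule" and "user".
"""
import json
from collections import Counter, defaultdict
from datetime import datetime

TARGET_MIN, TARGET_MAX = 10, 12   # daily band of actionable items stated in the guide
NOISY_SHARE = 0.5                 # a rule producing over half of a day's alerts needs refining


def constructed_export():
    """Constructed three-day export; counts are chosen to show each tuning outcome."""
    rows = []

    def add(day, rule, count):
        for i in range(count):
            rows.append({"time": f"{day}T{8 + i:02d}:15:00Z", "rule": rule, "user": f"user{i % 5}"})

    add("2023-02-06", "USB Copy - Any File", 10)              # broad rule: 10 of 14 alerts
    add("2023-02-06", "Web Upload to Personal Webmail", 2)
    add("2023-02-06", "Print Confidential Document", 2)
    add("2023-02-07", "USB Copy - Any File", 4)               # 11 alerts: inside the band
    add("2023-02-07", "Web Upload to Personal Webmail", 4)
    add("2023-02-07", "Print Confidential Document", 3)
    add("2023-02-08", "Web Upload to Personal Webmail", 3)    # 4 alerts: below the band
    add("2023-02-08", "Print Confidential Document", 1)
    return "\n".join(json.dumps(r) for r in rows)


def parse_export(text):
    """Parse JSON lines into (date, rule, user) tuples, skipping malformed records.

    A malformed line is dropped rather than raising so one bad record cannot hide
    the volume picture for the whole day; the number of drops is returned as well.
    """
    alerts, dropped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            when = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
            alerts.append((when.date().isoformat(), str(rec["rule"]), str(rec["user"])))
        except (ValueError, KeyError, TypeError):
            dropped += 1
    return alerts, dropped


def daily_report(alerts):
    """For each day: total alerts, position against the band, and rules to refine."""
    by_day = defaultdict(Counter)
    for day, rule, _user in alerts:
        by_day[day][rule] += 1
    report = {}
    for day in sorted(by_day):
        rules = by_day[day]
        total = sum(rules.values())
        if total > TARGET_MAX:
            status = "above"      # tighten the rule's conditions or its notification policy
        elif total < TARGET_MIN:
            status = "below"      # review the explorations and the rules feeding alerts
        else:
            status = "on_target"
        # Rules producing more than NOISY_SHARE of the day's alerts are the first to refine.
        noisy = sorted(r for r, n in rules.items() if n / total > NOISY_SHARE)
        report[day] = {"total": total, "status": status, "noisy_rules": noisy}
    return report


if __name__ == "__main__":
    parsed, bad = parse_export(constructed_export())
    for day, row in daily_report(parsed).items():
        print(day, row["total"], row["status"], ", ".join(row["noisy_rules"]) or "-")
    print(f"{bad} malformed record(s) skipped")
```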

Exercise 2: Create Use Cases

Exercise 2-1: Use cases for Central Healthcare


Scenario
The CEO of Central Healthcare has several Insider Threat Management (ITM) concerns. As the ITM
admin, you need to define what you are looking to do with this new tool. You need to address the Insider
Threat Management concerns and create focused ITM Use Cases for Central Healthcare.

Objectives
Read the company description and create focused use cases. Consider the following ITM concerns of
your CEO.
• Protect confidential contract data
• Prevent leaking of proprietary recipes
• Gain visibility into organization’s leavers
Read the company description and complete the details for each of the Use Cases below.

Company Description

Central Healthcare
Definition: Company mission and web site
Specifics:
• Small, regional healthcare provider providing Family Medicine practices throughout the US mid-west
• 500 employees
• Exchange Server using Active Directory

ITM Concerns
Definition: Business concerns that can be addressed by identifying insider threats of negligent,
compromised, or malicious users
Specifics:
• Protecting company’s contract information
• Leaking of patient HIPAA information
• Gaining visibility into organization’s leavers (who is leaving to join a competitor)

Risk Personas
Definition: Key personnel and key groups with critical data access; users with privileged access
Specifics:
• Contracts team - CORP\SG-Contracts
• Chief Financial Officer (CFO) - CORP\cfo
• Privileged IT administrators (CORP\Domain Admins)
• Sales Representatives
• Customer Service Representatives

Data Assets
Definition: File operations, data location, application use
Specifics:
• File Server share
• Selected endpoints
• Corporate SharePoint
• Enterprise application, Salesforce

Risky Behaviors
Definition: What you want to detect
Specifics:
• Uploads to Web
• Exfiltrating data to USB devices
• Copying data to Google Drive client

Actions
Definition: Possible actions to perform when a use case triggers
Specifics:
• Send automated notification to Security Operations Center (SOC) to initialize an investigative workflow
• Use ITM Agent’s prevention feature to prevent file to USB copy
• Use webhook notification to initialize automated workflow
Use Case 1 is completed as an example.

Use Case 1:
1. ITM Business Concern – Protecting confidential contract data
2. Risk Personas – Contracts team, CFO, Sales Representatives, IT staff with privileges
(active directory group names or names of individuals need to be identified)
3. Data asset locations – File server shares, selected endpoints, SharePoint location, SalesForce
4. Risky Behaviors (ITM) - Uploads to Web, Exfiltrating to USB devices, Copying data to Google Drive
client
5. Actions when Use Case triggers - Send automated notification to SOC to initialize an investigative
workflow

Use Case 2:
1. ITM Business Concern – Leaking of contract data
2. Risk Personas - _________________________________________________________________________
3. Data asset locations – ___________________________________________________________________
4. Risky Behaviors (ITM) - _________________________________________________________________
5. Actions when Use Case triggers - ________________________________________________________

Use Case 3:
1. ITM Business Concern – Gaining visibility into organization’s leavers
2. Risk Personas – ________________________________________________________________________
3. Data asset locations – ___________________________________________________________________
4. Risky Behaviors (ITM) - _________________________________________________________________
5. Actions when Use Case triggers - ________________________________________________________

Exercise 2-2: Create Use Case for Your Organization


Scenario
From the description of your company, you need to identify an ITM/ Endpoint DLP concern and create a
specific use case.

Objectives
• Complete the details for your company description with the requested information
• Create a use case for your own organization

Company Description
Name: Your Organization’s Name _____________________________________________________________
Company Purpose (mission): _________________________________________________________________
Business (ITM) Concern: _____________________________________________________________________
Risk Personas:
• ________________________________________________________________________________________
• ________________________________________________________________________________________
• ________________________________________________________________________________________
• ________________________________________________________________________________________
Assets
Data assets – where critical data resides
• ________________________________________________________________________________________
• ________________________________________________________________________________________
• ________________________________________________________________________________________
• ________________________________________________________________________________________
Risky Behaviors
What to detect
• ________________________________________________________________________________________
• ________________________________________________________________________________________
• ________________________________________________________________________________________
• ________________________________________________________________________________________
Actions
What to do when use case triggers
• ________________________________________________________________________________________
• ________________________________________________________________________________________
• ________________________________________________________________________________________
• ________________________________________________________________________________________



Insider Threat Management for Administrators and Analysts - Student Guide - Level 2



Lesson 3: User Management
Introduction
This lesson describes and demonstrates adding console users and managing their access policies.



User Management

This illustration shows where User Management fits in the implementation of Insider Threat Management.
This lesson reviews the steps and fields to complete in order to create and configure a user and access
policies.


Allowing Email Domains


Only users whose email domains are allowed can be added.
1. Select Settings under Account in the left navigation bar to enable the provider.
2. Click ... next to the provider to open the drop-down menu.
3. Select Allow Email Domains and the dialog box opens.
4. List the domains you want to add, separated by a comma (,), for example, observeit.com,
proofpoint.com, then click Done.
Now users can be added with the email domains you defined. The allowed domains display next to the
IdP in the list of providers.


Add Users
1. Select Users under User Management in left navigation bar.
2. Enter the email of the user you want to add in the ‘Add user by email’ field.
3. Click Add User
The user is then added to the list.


Access policies are a list of roles and privileges assigned to a user. Roles are a set of privileges.
Proofpoint recommends that you assign a role to each user. The system contains several pre-defined
roles.
Use privileges to add an additional capability to an assigned role. For example, you might assign a user
the Configuration Administration role with the ability to modify account configuration including identity
providers, users, and settings as well as endpoint agent configurations and policies. In addition, you
might also assign the Activity View privilege, giving the user the ability to view all monitored activity as
part of the Insider Threat Console.
Assigning Access Policy
1. From Users, click the line of the specific user to open Details.
2. Click Actions and choose Access Policies from the drop-down list.
3. Choose High Level Access or Granular Access.
4. Review the list and select the policy or policies to assign.
5. Click Done.


Adding Groups
1. From the Proofpoint Information and Cloud Security Platform, select the Administration app. Select
User Management > Groups and the list of current groups appears.
2. Click Add Group and when prompted in the fields, provide an Alias and optionally a Description and
then click Save.
3. The group is added to the list.
Assigning the Group Membership and Policy
Once you've added a group, you can
• Assign access policies
• Assign members from the list of users
1. Click on the group you want and the Details window opens.
2. To edit the description, select the Details tab and click Edit.
3. To assign access policies, select the Access Policies tab and click Edit. Select the access policies
you want to assign to all members of the group.
4. Click View to see the list of capabilities for a policy. Click Edit to set an expiration for the access
policy.
5. Click Done to save.
6. To assign members to the group, select Members and click Edit. Select the users, groups and
personas you want to assign as members of the group and click Done to save.
7. To assign groups to the group, select the Assignment tab and click Edit. Select the groups that
you want to add to the group and click Done to save.


Adding Personas
1. From the Proofpoint Information and Cloud Security Platform, select the Administration app. Select
User Management > Personas and the list of current personas appears.
2. Click Add Persona and when prompted in the fields, provide an Alias and then click Save.
Editing the Persona
You can review/modify the persona, including the access policies assigned to the persona, the groups the
persona is assigned to and which users can switch to the persona.
1. Select the Persona you want from the list to display the details.
2. To modify the Alias of the persona, from the Details tab, in the General area, click Edit.
3. To modify the access policies of the persona, from the Details tab, in the Access Policies area, click
Edit.
4. To modify which groups the persona is a member of, from the Groups tab, in the Groups area, click
Edit.
5. To modify the trust relationships of the persona, in the Trust tab, click Edit to review or modify the
users or members of groups who are allowed to switch to the persona.
Deleting the Persona
To delete a persona, do the following
1. Select the Persona you want from the list to display the details.
2. From the Actions drop-down menu, select Delete.
3. When prompted, click Delete to confirm.


This feature is available by request; contact your Proofpoint representative.


Access Requests are used to request and approve trust relationships to a persona. This feature is useful
for investigations and for working with Proofpoint Support to understand the Proofpoint Information and
Cloud Security Platform.
Incoming and outgoing access requests can be reviewed from the Access Request view.
• To view Access Requests from the Proofpoint Information and Cloud Security Platform, select the
Administration application. Select User Management > Access Request and the Access Request
view displays.
Requesting Access - Outgoing Request Use Case
As an Analyst, you want to investigate a user at your company. You want the Administrator to let you use a
Persona with some of the same capabilities as the user you will be investigating.
Since the persona will have only some of the capabilities of the user you are investigating, you create a
custom access policy before you send the access request. You'll need to create and send an Access
Request so that the Admin will give you the capabilities you need to investigate.
1. From the Proofpoint Information and Cloud Security Platform, select the Administration application.
Select User Management > Access Request and the Access Request view displays.
2. Select the Outgoing tab.
3. Click Request Access and the Access Request area displays.
4. In the Access tab, General area, complete the following:
• Trusting Tenant: The tenant you are requesting access to.
• Reason: Brief description explaining why you want access.
• Reason Approver
• Org Approver
The Reason, Reason Approver and Org Approver will be included in the Request Message in the
Access View.
5. In the Access tab, Persona area, complete the following:


• Suggested Persona: Click to show the available personas. This persona has access policies
assigned to it.
• If you use a persona, anyone with access to that persona has the same access policies as assigned
to it.
• If you want to create a new persona, type the name in this field.
• Start Date/Time and End Date/Time: Enter the start and end timeframe for the trust relationship. (If
you do not want to set a timeframe, clear the field)
In the Access tab, in the Persona area, you can change the access policies assigned to the Suggested
Persona you selected.
a. Select Add Access Policies. A list of all access policies displays. This list includes Proofpoint
predefined and custom access policies.
b. Select the policies you want and click Add.
In the Trusts tab add any users and groups that you want to gain access to the assigned persona. By
default, the requesting user displays and you can add any other users and/or groups.
In the Notifications tab, select the tenant that will respond to the request. Also add any users that you
want to be notified of this request. Notification is usually sent to relevant approvers so they are aware that
a request has been submitted.
• Click Submit Request.
Working with Proofpoint Support - Incoming Request Use Case
Your company would like your Proofpoint support representative to take a look at some issues and help
create some useful rules and alerts. For security and privacy reasons, the support representative requests
access to some activities using a support persona.
When you receive the access request, you can edit it and accept or reject it.
1. From the Proofpoint Information and Cloud Security Platform, select the Administration app. Select
User Management > Access Requests. Select the Incoming tab to see any new requests.
2. Click ... next to the request you want and click Respond.
3. The Access Requests details display. Review them. You can edit the request. For example, you can
change the time frame in the Time area and the capabilities by clicking Add Access Policies.
4. Click Accept to accept the request.


You can assign policies from the Proofpoint predefined access policies or create a custom policy.
Proofpoint Predefined Access Policies: Examples of predefined policies include Full Administration which
assigns full access to all system capabilities and resources, Activity View which assigns view-only access
to all monitored activity and List View which assigns only the ability to view lists. Proofpoint predefined
access policies cannot be modified.
Custom Access Policies: You define the set of capabilities you want to assign to specific users or
groups. Custom access policies can be created and modified by a console user with sufficient privileges.
For information about setting up and using custom access policies, see Custom Access Policies.
You can assign multiple policies to a user or group.
Inheriting Access Policies
Access policies can be assigned directly to a user or a group, and you can assign more than one policy to
a user or group.
Users inherit access policies from a group if the user is a member of that group.
For example, a user is assigned Console User View policy with the ability to view users and their
policy assignments. That user is added to a group that has been assigned Activity Exploration policy
with the ability to view and explore all monitored activity as part of the Information Protection Platform.
The user still has Console User View policy capabilities and in addition, inherits Activity Exploration
policy and all its capabilities.
By default, assignments are set to never expire.
If needed, you can set an expiration date for an access policy to indicate when it will no longer apply.
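As an added illustration of the inheritance and expiration rules described above (constructed code, not the platform's implementation): a user's effective set of policies is the union of direct assignments and the assignments of every group the user belongs to, with expired assignments dropped wherever they sit. The policy names are the ones this page mentions; the capability names, the example group, and the e-mail addresses are assumptions.

```python
"""Model of effective access policies: direct assignments plus policies inherited
from group membership, each with an optional expiration date.
Constructed example, not Proofpoint's code; capability names are assumptions."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed catalogue of policy -> capabilities (names assumed for illustration)
POLICIES = {
    "Console User View": {"view_users", "view_policy_assignments"},
    "Activity Exploration": {"view_activity", "explore_activity"},
    "Full Administration": {"view_users", "view_policy_assignments",
                            "view_activity", "explore_activity",
                            "modify_configuration"},
}


@dataclass
class Assignment:
    policy: str
    expires: Optional[date] = None  # None = never expires (the default)

    def active(self, today: date) -> bool:
        return self.expires is None or today <= self.expires


@dataclass
class Group:
    name: str
    assignments: list = field(default_factory=list)
    members: set = field(default_factory=set)  # user e-mail addresses


@dataclass
class User:
    email: str
    assignments: list = field(default_factory=list)


def effective_policies(user: User, groups: list, today: date) -> set:
    """Active policy names: direct assignments plus those inherited from every
    group the user is a member of. Expired assignments are ignored in both."""
    names = {a.policy for a in user.assignments if a.active(today)}
    for g in groups:
        if user.email in g.members:
            names |= {a.policy for a in g.assignments if a.active(today)}
    return names


def effective_capabilities(user: User, groups: list, today: date) -> set:
    """Flatten the effective policies into the capabilities they grant."""
    caps = set()
    for name in effective_policies(user, groups, today):
        caps |= POLICIES[name]
    return caps


def demo():
    """Reproduces the page's example: a user with Console User View who is a
    member of a group that grants Activity Exploration until 2023-03-31."""
    analyst = User("analyst@example.com", [Assignment("Console User View")])
    explorers = Group(
        "Activity Explorers",
        [Assignment("Activity Exploration", expires=date(2023, 3, 31))],
        {"analyst@example.com"},
    )
    before = effective_policies(analyst, [explorers], date(2023, 3, 1))
    after = effective_policies(analyst, [explorers], date(2023, 4, 1))
    return before, after


if __name__ == "__main__":
    print(demo())
```

The second value returned by demo() shows the point of expiration dates: once the group's assignment lapses, the user keeps only the directly assigned policy without anyone having to remove them from the group.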
Access Policies View
You view and manage access policies from the Administration app in the Proofpoint Information and
Cloud Security Platform, in the Access Policies view.
Select User Management > Access Policies and the list of Access Policies displays.
The list includes name and description of the access policy and when the access policy was created and
modified. In the Created By column, you can see whether the access policy is a Proofpoint predefined
access policy or a custom access policy.


In the Users view, select View Activities from the Actions drop-down list next to the user whose activities
you want to see.
The Exploration view for the selected user displays.


The list of User Activities shows up in EXPLORATIONS.


Explorations let you explore data and further filter it to display what you want to follow. Use data
explorations to search for risky behaviors and activities.


When you set up an authentication method such as O365, those credentials are used for
authentication.
If you are not using OAuth/SAML for authentication, you need to set up and generate a password for
the user.
To update User information, click Users in the left navigation bar. Click the specific user from the list of
users and select Edit.
Make changes as required in the dialog box that appears. Note the password requirements listed. Also,
note that you can set the Password Expiration time using the drop-down menu. Expiration time ranges
from one to 365 days.


Exercise 3: Adding Users and Assigning Access Policies

Scenario
Central Healthcare’s Insider Threat Management team consists of direct team members and external
constituents who may require access to the application, its configuration, and output. This lab has you
build three new users to support this need and target each user's needs within the Console.

Objectives
• Add three new Users to the console to reflect the users who will access the solution in your
environment:
• ITM Administrator
• ITM Analyst/Assistant Admin
• HR Analyst
• Review Console User Audit Activities

User1 - Full Admin User: Full access to all system capabilities and resources.
User2 – Restricted Admin: Ability to configure various functions within the tool.
User3 - Analyst: Read Only access to the Console.

Exercise 3-1: Add Users


1. From the console, select Users below User Management.
2. In the “Add user by email” field in the upper right corner of the screen enter the email address of your
first user:
BillG-<your student username>-<date as mmddyy>@proofpointtraining.com
• Like: “BillG-student01-100722@proofpointtraining.com”
3. Click Add User.
4. In the “Add user by email” field in the upper right corner of the screen enter the email address of your
second user:
JimM-<your student username>-<date as mmddyy>@proofpointtraining.com
5. Click Add User.
6. In the “Add user by email” field in the upper right corner of the screen enter the email address of your
third user:
MarilynM-<your student username>-<date as mmddyy>@proofpointtraining.com
7. Click Add User.


Exercise 3-2: Assign Access Policy to your newly created Users


1. Locate and click on your first newly added User in the list of Users. This opens a new window on the
right where you can perform various Actions on the User account.
2. From the Actions drop-down list on the right, select Access Policies. This will open the “Add Access
Policies” dialogue box.
3. Below the High Level Access tab, assign BillG the Full Administration role.
4. Click Done.
5. Repeat this process (Steps 1 through 4) for each additional User and assign the following roles to the
remaining two Users:
a. JimM: Assign this User the Configuration Admin role below the High Level Access tab and select
Alert and Activity Management below the Granular Access tab.
b. MarilynM: Assign this User the Activity Exploration role below the High Level Access tab.

Exercise 3-3: Review Console User Login Activity


1. Within the Users Table of the Administration App, locate and select the user
jstanton@proofpoint.com
2. From the Actions drop-down list on the right, select View Activities. This will place you in the Analytics
App and generate an Exploration which will reveal the Audit-based Activities for this Console User.
3. If No Activities Found appears, click the first item in the Filters section. When the Filter by list
appears on the right, change the Relative Time to 30d and click Done.
4. Within the results table on the bottom right, notice each of the User Activities listed as Activity
Category of Audit, as seen in the second column.



Lesson 4: Agent Realms
Introduction
This lesson describes the purpose and use of Agent Realms. It also demonstrates how to create and
configure an Agent Realm.



Agent Realms

For more information on Agent Realms, click HELP, enter Agent Realms, and then click Agent Realms in the ITM
Administration documentation list.


This illustration shows where an Agent Realm fits in the implementation of Insider Threat Management.
This lesson reviews the steps and fields to complete in order to create and configure an Agent Realm.
From the console you also assign Agent Policies to the Agent Realm. Then the console associates the
Agent policies to the Endpoint.


The agent realm configuration is stored in the installation configuration file. An agent realm contains:
• Endpoints (agents) that are attached to the agent realm
• Agent policies that are assigned to the agent realm. An agent realm must be assigned at least one
recording policy. By default, a default account policy is assigned to an agent realm. You can add and
assign other recording policies to an agent realm. An agent realm can have more than one recording
policy.
• Retention period for all collected data
Retention
• The solution retains ingested data based on the retention tier the customer is entitled to (has
purchased). Customers can choose from one of the following retention tiers – 7, 14, 30, 45, 60, 90, or
max days. Data is available in the ITM platform as long as it is within the retention period. Data older
than the retention period is purged from the platform, on a rolling basis.
Advanced Settings - Agent Realms
The following advanced settings define general Agent behavior:
• Configuration policies
• Visibility
• Recording
• Storage
• Device triggers
• File activity monitoring
• Processing
You may not see all the settings since some features may need to be turned on by Proofpoint.


To view existing Agent Realms, from the Proofpoint Information Protection Platform, select the
Administration app. Then, from the Endpoints group, select Agent Realms. The Agent Realms view
displays the existing Agent Realms.
The Agent Realms view shows the following columns:
• Alias – Realm name
• Region – Geographic location of realm
• Collector Kind – What gathers incidents
• ITM Retention – Maximum retention of agent realm data for ITM
• EDLP Retention – Amount of time agent realm data is retained for DLP
For additional information you can click each of the following
• Down chevron to view Realm Policies
• Circle i to view recent Realm activity
• Three dots (...) to view the Information menu


You must set up at least one Agent Realm before you can deploy the Agent.
1. From the Agent Realms pane, click Add Realm in the upper right.
This opens the New Agent Realm input panes: General, Advanced Settings, and Assign Policies tabs.
2. Enter a name for the new realm in the Alias field.
The name is required.
You can only use lowercase characters, dashes, and underscores.


Resource Group
Choose your correct Resource Group from the drop-down list.


Collector Kinds
Select the type of feed used to forward captured user activity.
• Agent: Data from direct attached Agents
• Enterprise Feeder: Data from Enterprise
• Generic Feeder: Link to a generic feeder


Data Retention
Data retention has two options from which to choose. Each has the same choices in its drop-down
menu.
• EDLP Retention: Amount of time agent realm data is retained for DLP.
• ITM Retention: Amount of time agent realm data is retained for ITM.
Choose Maximum, 7, 14, 30, 45, 60, or 90-day retention periods for each type of retention.


The configuration files setting allows you to encrypt your configuration files. This provides another layer of
protection for the configuration files, as these contain potentially sensitive data, should a laptop be lost or
stolen or compromised.


Proofpoint recommends that you enable the two settings shown here: Prevention Enabled and Microsoft
Information Protection (MIP) enabled.
Enabling Prevention will block file transfer from the managed endpoint to an inserted USB drive.
Microsoft Information Protection (MIP) Enabled allows for detection and this value gets pulled into the
metadata. It can then be leveraged for all the functionality that looks at the metadata. Conditions, rules,
and explorations can leverage those labels in the metadata. These MIP labels can be used as a starting
point.


These settings allow for the recording of screenshots on Agents. You can also automatically grant
permission to capture screenshots on MacOS devices by enabling the setting here.
Only ITM offers the recording option.


Agent Storage is where you set the amount of storage for your Agent Realm. This screen shows the
default setting for time in seconds and size in megabytes.
These settings limit recording storage per Agent for buffered data (such as offline and Activity Replay
data). Whichever limit is reached first applies.
Agent cache refers to storage used by agent when in an offline state. The Agent caches the data locally
when the Endpoint is offline. These settings determine how much cache storage is available. These
default settings are usually adequate. You might change these available amounts if a user is offline (no
internet access) for an extended period.
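As an added illustration of the "whichever limit comes first" rule for buffered data (constructed code, not the Proofpoint agent's implementation): a per-agent buffer bounded by both a time limit in seconds and a size limit in megabytes, which drops its oldest records as soon as either bound is exceeded. The default values 604800 seconds and 512 MB are the ones listed in the Agent Storage step of Exercise 4-1 on this page; the record layout, the eviction order, and the sample records are assumptions.

```python
"""Constructed model of an agent's offline buffer bounded by time and size.
Records older than limit_seconds, or in excess of limit_mb, are dropped oldest
first. Not Proofpoint's agent code; the record layout is an assumption."""
from collections import deque


class AgentBuffer:
    def __init__(self, limit_seconds: int = 604800, limit_mb: int = 512):
        self.limit_seconds = limit_seconds
        self.limit_bytes = limit_mb * 1024 * 1024
        self.records = deque()  # (timestamp, size_bytes, payload), oldest first
        self.total_bytes = 0
        self.dropped = 0  # records discarded because a limit was hit

    def add(self, timestamp: int, size_bytes: int, payload: str) -> None:
        """Buffer one record captured while offline, then re-check both limits."""
        self.records.append((timestamp, size_bytes, payload))
        self.total_bytes += size_bytes
        self._enforce(timestamp)

    def _enforce(self, now: int) -> None:
        # Evict from the oldest end while EITHER limit is exceeded, so the
        # tighter of the two bounds is the one that takes effect.
        while self.records:
            ts, size, _ = self.records[0]
            too_old = now - ts > self.limit_seconds
            too_big = self.total_bytes > self.limit_bytes
            if not (too_old or too_big):
                break
            self.records.popleft()
            self.total_bytes -= size
            self.dropped += 1

    def flush(self) -> list:
        """Hand over buffered payloads once the endpoint is back online."""
        out = [payload for _, _, payload in self.records]
        self.records.clear()
        self.total_bytes = 0
        return out


def demo_size_limit_first():
    """Three 600 KB records against a 1 MB cap: size, not age, forces eviction."""
    buf = AgentBuffer(limit_seconds=3600, limit_mb=1)
    for t in (0, 1, 2):
        buf.add(t, 600 * 1024, f"record-{t}")
    return len(buf.records), buf.dropped


def demo_time_limit_first():
    """Three tiny records spanning 100 s against a 60 s cap: age forces eviction."""
    buf = AgentBuffer(limit_seconds=60, limit_mb=512)
    for t in (0, 50, 100):
        buf.add(t, 1024, f"record-{t}")
    return len(buf.records), buf.dropped


if __name__ == "__main__":
    print(demo_size_limit_first(), demo_time_limit_first())
```

The two demo functions show why an endpoint that stays offline for a long time may need larger limits: in the first case the size cap discards data while it is still fresh, and in the second the time cap discards data while there is still plenty of space.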


Enabled - Turn File Activity Monitoring on or off. By default, this is on.
Tracking Duration - How long files are tracked, in seconds (for example, 2592000 seconds is 30 days).
Tracking File Count - Number of files tracked.


Enable Content Scanning - Turn on/off. By default, this is off.


When enabled, you configure Scan Triggers, DLP Detectors, and Detector Sets. You also have the
option to Enable Snippets.
You can use content scanning to scan files and detect when users are attempting to exfiltrate sensitive
information, such as credit card information, banking routing numbers and national identity numbers.
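As an added illustration of what a content-scanning detector does with the data types named above (constructed code, not Proofpoint's detector logic): loose patterns pick out candidate digit strings, and a checksum specific to each data type then confirms them, so random digit runs are not flagged. It also returns a short snippet around each hit, the kind of context the Enable Snippets option refers to. The detector names, the sample document, and the snippet width are assumptions; the card number is the widely published 4111 1111 1111 1111 test value and the routing number is a published example, both constructed here as sample input.

```python
"""Constructed content-scanning detectors with checksum validation.
Not Proofpoint's implementation; detector names and sample text are assumptions."""
import re


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def aba_valid(digits: str) -> bool:
    """ABA routing number check: 3(d1+d4+d7) + 7(d2+d5+d8) + (d3+d6+d9) must be 0 mod 10."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    d = [int(c) for c in digits]
    return (3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])) % 10 == 0


# detector name -> (candidate pattern, validator). Patterns are deliberately loose;
# the validator is what keeps false positives down.
DETECTORS = {
    "payment_card": (re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
                     lambda s: 13 <= len(s) <= 19 and luhn_valid(s)),
    "aba_routing": (re.compile(r"\b\d{9}\b"), aba_valid),
}


def scan(text: str, snippets: bool = True, width: int = 12) -> list:
    """Run every detector over text; return validated hits with optional context snippet."""
    findings = []
    for name, (pattern, validate) in DETECTORS.items():
        for m in pattern.finditer(text):
            digits = re.sub(r"[ -]", "", m.group())
            if not validate(digits):
                continue            # pattern hit but checksum failed: not reported
            finding = {"detector": name, "match": m.group()}
            if snippets:
                finding["snippet"] = text[max(0, m.start() - width): m.end() + width]
            findings.append(finding)
    return findings


# Constructed sample document: one real-looking card, one valid routing number,
# one 9-digit string that fails the ABA check, one 16-digit string that fails Luhn.
SAMPLE = ("Invoice: card 4111 1111 1111 1111 exp 12/25; routing 021000021; "
          "ref 123456789; ticket 4111111111111112")


if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f)
```

Running scan(SAMPLE) reports only the card number and the routing number: the two decoy digit strings match the patterns but fail their checksums, which is exactly the distinction a detector set needs to draw to stay useful to analysts.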


Enable End User Notifications - Turn on/off end user notifications. By default, this is off.
When turned on, the custom notification will be shown on every prevented endpoint activity as configured
by your prevention rules.
End-user notifications display when an endpoint activity is blocked by a prevention rule. You can
customize the end-user notification with the logo and the text for the message subject and body that you
want. You can use the available variables such as file name, rule name and IP when you compose the
text.
End user notifications are defined per Agent Realm. When you configure a customized end-user
notification, it will display for all endpoint activity blocked by all prevention rules in the Agent Realm. (If
you do not configure a customized end-user notification, the default notification generated by the
operating system displays.)


Student Notes
Allows you to set a security key for Agent Uninstall.


Enabled - Turn Agent Auto Upgrade on or off. By default, this is on.
While the Auto Updater is in progress, you will not see the results until the maximum delay time has
passed, plus the time it takes the Auto Updater to check the policy. You can review, monitor, and modify
the Endpoint Update Policies.
The Endpoint Update Policies view lists each policy and its details. By selecting a policy you can see its
last-known status, review and modify the details of the policy, and manage Agent Realm assignments and
priorities.
An account policy must be assigned to each agent realm. You can assign multiple recording policies to
an agent realm. By default, the default account policy is automatically created and assigned to each
agent realm.
1. To assign existing policies to an agent realm, from the New Agent Realm screen, select Assign
Existing Policies. The Assign Existing Policies screen displays.
2. Select the policies you want to assign to the agent realm and click Assign.


Exercise 4: Creating an Agent Realm

Scenario
Central Healthcare has a single headquarters location where the ITM Application is deployed. As a
starting point for the use of the application, the ITM team has determined that only a single Agent Realm is
required to meet their goals and objectives around how and what the app will record on an Endpoint. This
lab will address this goal.

Objectives
• Add an Agent Realm to your Account
• Specify the Data Retention Period for your new Agent Realm to 45 days for DLP and 60 days for ITM
• Configure Recording settings for your new Agent Realm to allow screenshots but not automatically
grant MacOS permission to capture screenshots
• Accept defaults for other settings

Exercise 4-1: Add an Agent Realm to your account


1. Within the ITM SaaS console, navigate to the Administration view.
2. On left navigation bar, select Agent Realms below the heading Endpoints.
3. In the upper right corner of the view, click Add Realm.
4. Below the General tab, populate the following values:
a. Alias: <Your student ID>-realm-<date as mmddyyyy>, like: student12-realm-07132023
b. Resource Group: US1
c. Feed Type: Agent
d. DLP Retention: Maximum
e. ITM Retention: Maximum
5. Below the Advanced Settings Tab, enable the items indicated with an asterisk * and enter values as
indicated (use slider to enable)
a. Configuration Files
• Encryption Enabled *
b. Processing
• Prevention Enabled *
• Microsoft Information Protection (MIP) Enabled *
• True File Type Detection Enabled *
• True File Type Custom Mapping
c. Recording (ITM only)
• Screenshots Allowed *
• Automatically Grant Permissions to Capture Screenshots (MacOS)


d. Agent Storage
• Limit - Time (Seconds) 604800
• Limit - Size (MBs) 512
• Encryption Enabled *
e. File Activity Monitoring
• Enabled: Enabled
• Tracking Duration 2592000
• Tracking File Count 10000
f. Interaction
• Enable Content Scanning (Leave Disabled for now. We will revisit this later in the class
lessons.)
g. End User Notifications
• Enable End User Notifications (Leave this Disabled)
h. Endpoint Update
• Enable Endpoint Update*
6. Click Next and Save to complete your new Agent Realm.



Lesson 5: Agent Policies
Introduction
This lesson explains the value of Agent Policies. It teaches how to create an Agent Policy and to
differentiate the Default Account Policy from Agent Policies. It also teaches how to attach an Agent Policy
to an Agent Realm.



Agent Policies

For each installation, you start by creating an Account for your organization to run Insider Threat
Management and Endpoint Data Loss Prevention. You assign Endpoints to Agent Realms via a
configuration file.
From the console you also assign Agent Policies to the Agent Realm. Then the console associates the
Agent policies to the Endpoint (establishes the relationship).


Agent Policies
• Agent policies define what the agent captures. Agent policies are assigned to agent realms so that
you can configure settings and apply these settings to the endpoints in multiple agent realms
simultaneously.
Default Account Policy
• A default account policy is configured for each account and assigned to each Agent Realm. If no
other account policies are added, the default account policy is applied to all users. You can edit the
default policy and change the settings.
• By default, the Default Account Policy is set for DLP Only.
• The default account policy includes settings for metadata capture and user interface options.
Screenshots are not enabled and collection activity is not available.
• If you want to change the default policy to include screenshots and collections activity, you must be
entitled for ITM. Toggle off DLP-Only, so you can see the additional options.
Additional Agent Policies
• You can create additional Agent Policies for specific Agents with specific settings, and you can assign
multiple Agent Policies to an Agent Realm. When more than one Agent Policy is assigned to an Agent
Realm, you can prioritize their order so you can further define which settings are applied to which
agents.

In the General area, complete the fields described below.
• Alias: Name for the Agent policy (Mandatory)
• Description: Optional description of the Agent policy
Scroll down to select the signal type:
• Data Loss Prevention (DLP) Only: Includes file-related events only
• Insider Threat Management (ITM): Includes DLP signals and endpoint events
Your signal selection displays in the upper-right corner of the screen.
For each Agent Realm policy you define:
• To which endpoint(s) and activities the agent policy applies
• Which settings the agent policy applies
Within the Details settings:
• You use if/then logic to set up the policies
• Select which settings apply when the if/then condition is met
• Settings include Window title, mouse clicks, image scale, and more

A default account policy is configured for each account and assigned to each agent realm. If no other
account policies are added, the default account policy is applied to all users. You can edit the default
policy and change the settings.
By default, the Default Account Policy is set for DLP Only.
The default account policy (DLP-only) includes settings for metadata capture and user interface options.
Screenshots are not enabled, and collection activity is not available.
If you want to change the default policy to include screenshots and collection activity, you must be
entitled for ITM functionality. Toggle off DLP-Only to see the additional options.


Select Add Policy to create a new policy.
You can also access Add Policy from Agent Realms by clicking to select an Agent Realm and selecting
Edit > Assign Policies. In the Agent Policies section, click Add Policy.

General Tab
1. You must enter an Alias or Name for the Agent Policy.
2. Enter a description to make it easy to identify the policy from a list.
3. Choose the Signal Type, either DLP (file-related events) or ITM (DLP events and endpoint events). You
can also change the Signal Type by clicking the grey button at the upper right. It toggles from DLP to ITM.
4. Click Next or select Details.

The Details area displays, showing the If/Then conditions.
For full ITM and mixed mode (Endpoint DLP and ITM), turn off DLP Only at the top of the Details
screen; you can then enable the screenshot and collection options.
In the Details area, you define to which endpoint(s) and activities the agent policy applies.
You configure an agent policy using if/then logic.
To define the details, from the Agent Policies view, select Add Policy for a new policy or select Edit from
the menu next to the relevant agent policy. To open the menu, click the agent policy.
To define the details for a new Agent Policy, you click each of the blue buttons:
• Select Category
• Select Settings
• Select Add Prevention Rules

From the IF section on the left side of the screen, click Select Category. This allows you to select the
categories and values for the recording policy; for example, include all users with the username =
administrator.
When you click Select Category, the ‘MATCHING CRITERIA Choose Property’ panel opens.
The available categories display in the ‘MATCHING CRITERIA Choose Property’ panel. Select the
Category you want, and the relevant Values for that category display.
You can continue adding categories to your agent policy using the And/Or options.

From the THEN section on the right side of the screen, click Select Settings. This allows you to select the
settings and values for the policy; for example, include items from Metadata Capture, User Interface,
Screenshots, and Collection settings.

Are these users in my realm – how did they get there?
1. Click Select Category. The Choose Property dialog box appears.
2. Click to select the Property for this rule. Choose Values appears.
3. Check the Values to apply to the rule; in this illustration they are user names.
4. Click Done.

On the right side of the screen, in the THEN area, select the settings that will apply when the IF condition
is met. Click Select Settings to choose the settings.
The available settings display.
Select the relevant settings.
You can continue to define the settings using the And/Or options.
Click Done. The summary of the agent policy displays.

Details of each setting can be found in the ITM online documentation at:
ITM / Endpoint DLP Admin > Agent Policies > Setting up Agent Policies > Account Policy Details

When you have more than one Agent Policy, you can define the priority order for the recording policies for
an Agent Realm. This order determines which settings will be enabled and turned on per Agent Policy.
You set the priority of the Agent Policies in the Agent Realm view. Priorities are set from low to high.
A default account policy is assigned to each account. The default account policy is always the lowest in
the priority list.
If you create another Agent Policy, its priority is always higher than the default account policy.
By default, a new Agent Policy will inherit all the settings from the Agent Policy directly below it in the
priority list.

Exercise 5: Creating Agent Policies

Scenario
Through the use of other applications, Central Healthcare’s ITM Team has recognized that a subset of
their users continue to visit restricted Websites and utilize forbidden Applications and would like deeper
visibility into these activities. The Agent Policies you’ll build here will address this goal.

Objectives
• Create and order a stack with two additional Agent Policies that apply a specific Recording
configuration based on the following criteria:

Risky Applications            Risky Websites
Wireshark                     Unileaks.org
Surfshark                     Openleaks.org
TOR Browser                   BitTorrent.com

Policy should invoke          Policy should invoke
Default Settings              Default settings
Keyboard Logging              Screen Recording (ITM only)
Multi Display Image Capture   Grayscale Recording (ITM only)
Color Images                  Multi Display Image Capture

• For Agents which do not meet the criteria above, screen shots and keyboard logging are not required
by default

Exercise 5-1: Create two additional custom Agent Policies

First Policy
1. Within the ITM SaaS console, navigate to Administration.
2. On the left navigation, select Agent Policies below the heading Endpoints.
3. In the upper right corner of the view, click Add Policy.
4. Below the General tab, populate fields with the following values:

a. Alias: <student ID>-<date as mmddyy>-risky-applications, like: student0-100722-risky-applications
b. Description: This policy will capture a subset of deployed Agents based on the use of specific
predefined applications on the Endpoint.
c. Signal Types: Insider Threat Management (ITM)
5. Click Next in the lower right.
6. Below the Details tab, populate the following values:
a. Below the IF statement, click Select Category.
b. From the Choose Property dialogue box, select Executable Name.
c. From the Choose Values Executable Name dialogue box, type each of the values listed below
into the Search field, individually, and click Add it as new value on the right of this field. You
won’t find these in the list of known executables.
• Wireshark.exe
• Surfshark.exe
• TOR Browser
d. Click Done.
7. Below the THEN statement, click Select Settings and select the items below indicated with an
asterisk * and enter values as indicated
a. Metadata Capture
• Enabled *
• Remote Access Enabled
• File Activity Monitoring *
• Capture Application/Website Open/Still-In-Use
• Min interval to capture Application/Website Still-In-Use (hrs)
b. User Interface
• Window Title Enabled *
• Mouse Enabled *
• Keyboard Enabled
• Layout Multi Display*
c. Screenshots
• Enabled *
• Image Grayscale *
• Image Depth
• Image Scale
• Image Quality
8. Click Done.
9. Below the THEN field, enable each of the selected settings.
10. Verify values and settings match list above and click Save.

Second Policy
1. In the upper right corner, click Add Policy.
2. Below the General tab, populate the following values:

a. Alias: <student ID>-<date as mmddyy>-risky-websites, like: student01-100722-risky-websites
b. Description: This policy will capture a subset of deployed Agents based on the Endpoint User
browsing specific Risky web sites on the Endpoint.
c. Signal Types: Insider Threat Management (ITM)
3. Click Next in the lower right.
4. Below the Details Tab, populate the following values:
a. Below the IF statement, click Select Category.
b. From the Choose Property dialogue box, select URL Domain.
i. Type each of the values listed below into the Search field, individually, and click Add it as
new value on the right of this field. You won’t find these in the list of known URL Domains.
• unileaks.org
• openleaks.org
• BitTorrent.com
ii. Click Done.
c. Below the THEN statement, click Select Settings and select the items indicated with an asterisk *
and enter values as indicated:
i. Metadata Capture
• Enabled *
• Remote Access Enabled
• File Activity Monitoring *
• Capture Application/Website Open/Still-In-Use
• Min interval to capture Application/Website Still-In-Use (hrs)
ii. User Interface
• Window Title Enabled *
• Mouse Enabled *
• Keyboard Enabled *
• Layout Multi Display *
iii. Screenshots:
• Enabled *
• Image Grayscale
• Image Depth* 4
• Image Scale * 50%
• Image Quality * 75%
iv. Efficient Capturing
• Add Last Activity Capture
5. Click Done.
6. Below the THEN field, enable each of the selected settings and add Screenshots values.
7. Verify values and settings match list above and click Save.

Exercise 5-2: Assign and order your Agent Policies to your Agent Realm
1. Within the ITM SaaS console, navigate to Administration.
2. On the left navigation menu, select Agent Policies below the heading Endpoints.
3. Locate your Risky Applications agent policy in the table of Agent Policies and click Assign to
Realm.
a. From the Assign to Realm, POLICY: <student id>-<date>-RISKY-APPLICATIONS dialogue,
select your Agent Realm
b. Click Assign in the lower right.
4. Locate your Risky Websites agent policy in the table of Agent Policies and click Assign to Realm.
a. From the Assign to Realm, POLICY: <student id>-<date>-RISKY-WEBSITES dialogue, select
your Agent Realm
b. Click Assign in the lower right.
5. Confirm that your two new custom Agent Policies and the Default Account Policy are assigned to your
Realm correctly.
6. On the left navigation, select Agent Realms below the heading Endpoints.
7. Locate your <student ID>-realm-date within the table and select it.
a. On the right, select the Policy Priorities tab and click Edit.
b. In the Edit Agent Realm:<student ID>-realm-date dialogue box, in the Agent Policies table,
locate your Risky-Websites Policy and click … on the right.
c. From the popup menu select Move Up to place your ‘Risky-Websites’ Policy above your ‘Risky-
Applications’ Policy.
d. Click Save.
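To see how the policy stack built in Exercises 5-1 and 5-2 resolves for a given endpoint, here is an added Python model (example code, not Proofpoint's implementation). It encodes the rules the lesson states: the Default Account Policy is always lowest, a new policy inherits every setting of the policy directly below it, and IF criteria combine with And/Or. That the highest-priority matching policy supplies the effective settings, and that values compare case-insensitively, are assumptions of this model; the default policy's setting values are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple


@dataclass
class AgentPolicy:
    alias: str
    # IF side: property name -> accepted values, e.g. {"Executable Name": [...]}
    criteria: Dict[str, Iterable[str]] = field(default_factory=dict)
    logic: str = "or"                     # how several criteria combine: "and" / "or"
    # THEN side: setting name -> value; only the settings set explicitly
    settings: Dict[str, object] = field(default_factory=dict)

    def matches(self, context: Dict[str, str]) -> bool:
        """True when the endpoint context satisfies the IF condition. A policy
        without criteria (the Default Account Policy) matches every endpoint.
        Case-insensitive comparison is an assumption of this model."""
        if not self.criteria:
            return True
        results = []
        for prop, accepted in self.criteria.items():
            observed = (context.get(prop) or "").lower()
            results.append(observed in {v.lower() for v in accepted})
        return all(results) if self.logic == "and" else any(results)


class AgentRealm:
    """Ordered policy stack; index 0 is the lowest priority (always the default)."""

    def __init__(self, default_policy: AgentPolicy) -> None:
        self.stack: List[AgentPolicy] = [default_policy]

    def add_policy(self, policy: AgentPolicy) -> AgentPolicy:
        """Place a new policy on top of the stack. As the lesson states, it
        inherits every setting of the policy directly below it; its own
        explicit settings override the inherited ones."""
        below = self.stack[-1]
        policy.settings = {**below.settings, **policy.settings}
        self.stack.append(policy)
        return policy

    def index_of(self, alias: str) -> int:
        for i, policy in enumerate(self.stack):
            if policy.alias == alias:
                return i
        raise KeyError(alias)

    def move_up(self, alias: str) -> None:
        """Swap a policy with the one directly above it (the Move Up action).
        The default policy at index 0 never moves above another policy."""
        i = self.index_of(alias)
        if i == 0 or i == len(self.stack) - 1:
            return
        self.stack[i], self.stack[i + 1] = self.stack[i + 1], self.stack[i]

    def effective(self, context: Dict[str, str]) -> Tuple[str, Dict[str, object]]:
        """Walk from the highest priority down; the first matching policy
        decides the endpoint's settings (assumed resolution rule)."""
        for policy in reversed(self.stack):
            if policy.matches(context):
                return policy.alias, dict(policy.settings)
        raise RuntimeError("the default policy should match every endpoint")


def build_exercise_realm() -> AgentRealm:
    """The stack built in Exercise 5; criteria and settings follow the
    exercise, the default policy's values are constructed (DLP-only)."""
    realm = AgentRealm(AgentPolicy(
        alias="Default Account Policy",
        settings={"Metadata Capture Enabled": True, "File Activity Monitoring": True,
                  "Keyboard Enabled": False, "Screenshots Enabled": False},
    ))
    realm.add_policy(AgentPolicy(
        alias="risky-applications",
        criteria={"Executable Name": ["Wireshark.exe", "Surfshark.exe", "TOR Browser"]},
        settings={"Window Title Enabled": True, "Mouse Enabled": True,
                  "Layout Multi Display": True, "Screenshots Enabled": True,
                  "Image Grayscale": True},
    ))
    realm.add_policy(AgentPolicy(
        alias="risky-websites",
        criteria={"URL Domain": ["unileaks.org", "openleaks.org", "BitTorrent.com"]},
        settings={"Keyboard Enabled": True, "Image Depth": 4,
                  "Image Scale": "50%", "Image Quality": "75%"},
    ))
    return realm


if __name__ == "__main__":
    realm = build_exercise_realm()
    # An endpoint running Wireshark while on openleaks.org matches both custom
    # policies; the order of the stack decides which settings it gets.
    both = {"Executable Name": "Wireshark.exe", "URL Domain": "openleaks.org"}
    print(realm.effective(both)[0])                 # risky-websites (top of stack)
    realm.move_up("risky-applications")
    print(realm.effective(both)[0])                 # risky-applications
```

Note that risky-websites inherits Image Grayscale from risky-applications because it was created while that policy was directly below it; inheritance happens at creation time, not at evaluation time.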

Lesson 6: Agent Deployment
Introduction
This lesson teaches how to download and deploy Windows and Mac Agents for endpoints.

Agent Deployment

You must download and install the correct Agent App to the endpoint to access and monitor endpoints.

Downloading the Installation Configuration File
1. From the Proofpoint Information Protection Platform, select the Administration application. Select
Agent Realms.

2. In the Agent Realms area, click to select the Agent realm.
3. Select Installation Configuration.
4. From the dropdown list, choose a validity period for the installation configuration and click Download.
This is the period of time that this configuration file is valid.
Options are 1 day, 7 days, 30 days, 6 months, 1 year, and 2 years.
The JSON configuration file is downloaded. Save it locally.
You will use this file when installing the Agents (Windows and Mac) and the Enterprise Feeder.

1. From the Proofpoint Information Protection Platform, select the Administration app.
2. Select Downloads.
3. From the Downloads list, select the stable version, for example winagentx64-0.x.x.x.zip and click
Download.
4. Save the downloaded .zip file locally.
5. Extract the contents of the .zip file to see the following files:
• ITMSaaSBundle-<version>.msi: Agent Setup file
• WinagentInstall.cmd: Executable installation file
• WinagentUninstall.cmd: Executable file for uninstall
• bundleinfo: Text file that describes contents of folder

Follow these steps to download the Mac agent installation files.
These files are required to deploy the agent.
1. From the Proofpoint Information Protection Platform, select the Administration app.
2. Select Downloads.
3. From the Downloads list, select the stable version and click Download to download the
observeit-cloudagent<version>.tar file.
4. Extract the contents of the downloaded observeit-cloudagent<version>.tar file to your desktop or
another folder that is easily accessible. It contains the following:
• observeit-cloudagent-OSX-<version>.dmg, which contains:
   • observeit-cloudagent-OSX-<version>.pkg (preinstall and preuninstall scripts)
   • IT Viewer macOS 11.x.mobileconfig: the configuration profile if you want to push the agent
   to the endpoint silently via JAMF or other mass deployment tool (if using macOS 11 Big Sur)
   • IT Viewer macOS 10.x.mobileconfig: the configuration profile if you want to push the agent
   to the endpoint silently via JAMF or other mass deployment tool (for macOS Catalina 10.15
   or macOS Mojave 10.14)
• observeit-cloudagent-OSX-<version>.run

Once installed, the Auto Updater continually (once every 10 minutes) checks which Endpoint Update
Policies it should run. If there are multiple policies with the same conditions, by default the Auto Updater
will run the last created policy.
The Auto Updater self-updates, so once it is initially installed, any future updates are automatically
installed. You do not need to download and install new versions.
The Auto Updater checks which version is currently installed on the endpoint and whether it matches the
target version in the policy. If the versions do not match, the Auto Updater updates the endpoint with the
target version. If the endpoint is already updated to the target version, the Auto Updater does not try to
update it again.
• The Auto Updater can be installed on any supported Windows-based operating system (server or
desktop) that you want to monitor.
• Hardware Requirements:
   • Processor: Intel i3 or higher, or AMD equivalent
   • 4 GB RAM or more
   • At least 1 GB free hard disk space
   • 100 Mb/1 Gb Ethernet adapter (1 Gigabit link speed recommended)
• Software Requirements:
   • Microsoft Windows Server 2012/2012 R2/2016/2019 (64-bit only), Windows 8/8.1, or Windows 10
   (it is recommended that you always use the latest Service Pack for your operating system)
   • .NET Framework 4.5.2 must be installed
• When using an HTTPS connection, make sure the target endpoints trust your CA digital certificate (or the
self-signed digital certificate) that issued the SSL certificate. To enable the computers that are running
the agent to trust your digital certificate source, you must import the root CA digital certificate (or the
self-signed digital certificate) to each client computer. After importing the digital certificate, the
computer will trust that source and communication through SSL/TLS will be allowed.

You can use the Auto Updater not only to update existing Agents, but also to install Agents by following
these steps.
1. Install Auto Updater (MSI wizard)
2. Validate successful installation
3. Create New Endpoint Update Policy
4. Select Endpoint(s) for installation
5. Assign policy to your Realm
6. Monitor status of Updater-based install

Previously, endpoint information was accessed from the Endpoint Monitoring and Endpoint Registry
views. These options are still available; however, it is recommended that you use the Endpoint Catalog
view, since all the information is now in one place. These older views will be removed in the future.
Some of the features of the Endpoint Catalog include:
• Filtering the view to see exactly what you need
• Viewing endpoint details such as endpoint name, kind and version
• Exporting the data to a PDF, JSON or CSV file
• Exploring activities and system activities of the endpoint
• Reviewing details and status of the component (Agent/Auto Updater) for each endpoint
• Managing the log level to include more details
• Reviewing active and inactive endpoints

Uninstalling the Windows Agent using the Wizard
You can uninstall the Agent using the wizard.
1. From the files you extracted, run AgentSetup-<version>.msi and the wizard opens.
2. Select to remove the Agent and click Finish.
3. When the uninstall is complete, the success message displays. Click Close.
Uninstalling the Windows Agent from the Command Line
You can uninstall the Agent by running WinagentUninstall.cmd as administrator.
1. Open WinagentUninstall.cmd with a text editor. It contains a command line like the example:
   msiexec /x "AgentSetup-<version>.msi" /quiet /norestart /leo "<ObserveIT_setup.txt>"
where:
• AgentSetup-<version>.msi is the Agent Setup file
2. Define the switches and parameters below for your installation:
• Switches:
   • /x: uninstall
   • /quiet: Quiet mode, install/uninstall with no UI. You must remove this switch when using the
   manual (wizard) setup.
3. Left-click WinagentUninstall.cmd and select Run as administrator.
Uninstalling the Mac Agent
The documentation provides detailed instructions to deploy the Mac Agent using JAMF for mass deployment.
See ITM SaaS Administration > Mac Agent Installation > Using Mass Deployment to Install/Uninstall the
Mac Agent (JAMF).

Exercise 6: Deploying Agents on Endpoints

Objectives
Deploy ITM Agents to targeted Endpoints using both the endpoint-local graphical install method and the
console-native Update Policy install method.
• Download and install the Agent install package locally on a targeted Windows Endpoint using the
graphical MSI Wizard
• Download and install the Auto Updater install package locally on a targeted Windows Endpoint using
the graphical MSI Wizard
• Configure an Agent Update Policy to install a net new Agent to a targeted Windows Endpoint.

Exercise 6-1: Download the Installation Configuration Files
1. Using the directions from Lesson 1, Lab Exercise 1-3, access the MetaConnect web page and access
Endpoint 1.
2. From the Desktop of Endpoint 1, launch the Firefox browser and access our tenant at:
https://proofpoint-training.explore.proofpoint.com/v2/apps/login
3. Once logged into the Proofpoint Information Protection platform, select the Administration app. On
left hand navigation, below the Endpoints heading, select Agent Realms.
4. Locate your <student ID>-realm-<date as mmddyyyy> in the Agent Realms area and select it.
5. On the right, click Installation Configuration.
6. In the Installation Configuration dialogue, from the Installation Configuration Kind drop-down
menu, select Agent.
7. In the Installation Configuration dialogue, from the Please Choose Validity Period for the
Installation Configuration drop-down menu, select 2 year.
8. Click Download in the lower right. This will save the <your agent realm>_agent_install_config.json file
locally to the Downloads folder on Endpoint 1. Click OK.
9. On this same VM, within the Console, on left Navigation bar, below the Endpoints heading, select
Downloads.
10. On the Downloads page, below the heading Windows (x64), locate the Agent Bundle titled
latest-stable and click Download on the right. Select the radio button to Save File. Click OK.
This will save the Agent Bundle zip file locally to Downloads on Endpoint 1.
11. Using the directions from Lesson 1, Lab Exercise 1-3, access the MetaConnect web page and access
Endpoint 2.
12. From the Desktop of Endpoint 2, launch the Firefox browser and access our tenant at:
https://proofpoint-training.explore.proofpoint.com/v2/apps/login
13. Once logged into the Proofpoint Information Protection platform, select the Administration app. On
left hand Navigation, below the Endpoint heading, select Agent Realms.
14. Locate your <student ID>-realm-<date as mmddyyy> in the Agent Realms area and select it in the
table.

15. On the right, click Installation Configuration.
16. In the Installation Configuration dialogue, from the Installation Configuration Kind drop-down
menu, select Updater.
17. In the Installation Configuration dialogue, from the Please Choose Validity Period for the
Installation Configuration drop-down menu, select 2 year.
18. Click Download in the lower right. This will save the <your agent realm>-updater_install_config.json
file locally to Downloads on Endpoint 2. Click OK.
19. On this same VM, within the Console, on left hand Navigation, below the Endpoints heading, select
Downloads.
20. On the Downloads page, below the heading Windows (x64), locate the Auto Updater titled latest-
stable and click Download on the right. This will save the Agent Bundle zip file locally to
C:\Downloads on Endpoint 2.

Exercise 6-2: Use graphical MSI Wizard to install Agent
1. On Endpoint 1, open Windows Explorer and navigate to the Downloads folder.
2. Locate the ‘winbundle-<version>’ file and extract it to the same folder.
3. Once extracted you will see the following files:
a. ITMSaaSBundle-<version>.exe: Agent Setup file
b. WinagentInstall.cmd: Executable installation file
c. WinagentUninstall.cmd: Executable file for uninstall
d. bundleinfo: Text file that defines contents of this folder
e. EULA: License agreement
f. Proofpoint - SaaS ITM open source notices: Listing of related Open Source modules used by
Agent.
4. Install the Agent locally using the MSI Wizard.
a. From the files you extracted, double click ITMSaaSBundle-<version> to run the installer
package. This launches the Install Wizard.
b. In the initial dialogue box seen, select BOTH IT Client Utility and IT Content Analyzer. Click
Install.
c. In the next dialogue, noting the Client Utility install, click Next.
d. Accept the license agreement and click Next
e. Enter the locations for:
• Installation folder: C:\Program Files\IT Client Utility\Client Utility\
• Installation configuration file: Select Browse and navigate to your Agent JSON file
f. Click Next
g. In the next dialogue, select No Proxy.
h. Click Next. The installation of the Agent will run and complete.
i. Click Close.
j. The installation for the Content Analyzer will now run. Once complete, click Close. The Agent has
been successfully installed!
k. Validate the Agent install was successful and is now communicating with the Cloud. On left hand
Navigation, below the Endpoint heading, select Endpoint Catalog.
l. Locate your Endpoint 1 in the table and confirm it’s Actively Reporting and the Component Type
column reflects Agent.

Exercise 6-3: Use graphical MSI Wizard to install the Updater on Endpoint 2
1. On Endpoint 2, open Windows Explorer and navigate to the Downloads folder.
2. Locate the winupdater-<version> file and download and extract it to the same folder.
3. Once extracted you will see the following files:
• UpdaterSetup-<version>.exe: Updater Setup file
• SaasUpdaterSetupInstall: Script for command line installation
4. Install the Updater locally using the MSI Wizard.
a. From the files you extracted, double click UpdaterSetup-<version> to run the installer package.
This launches the Install Wizard.
b. In the initial dialogue box seen, click Next.
c. Accept the license agreement and click Next
d. In the next dialogue, select No Proxy.
e. Click Next.
f. Enter the locations for:
• Installation folder: C:\Program Files\Windows Client Utility\Updater Utility\
• Installation configuration file: Select Browse and navigate to your Agent Updater file
g. Click Next
h. Click Install. The installation of the Updater will run and complete.
i. Click Close.
j. Validate the Updater install was successful and is now communicating with the Cloud. On left
hand Navigation, below the Endpoint heading, select Endpoint Catalog.
• Locate your Endpoint 2 in the table and confirm it’s Actively Reporting and the Component Type
column reflects ‘’.

Exercise 6-4: Use Agent Updater to install an Agent on Endpoint 2
1. On your own PC, log back into the console if you don’t already have an open session:
https://proofpoint-training.explore.proofpoint.com/v2/apps/login
2. Once logged into the Proofpoint Information Protection platform, select the Administration app. On
left hand Navigation, below the Endpoints heading, select Update Policies.
3. On the Endpoint Update Policies page, click Add Policy on the top right.
4. In the ‘New Endpoint Update Policy’ dialogue, in the General settings provide an Alias and
Description of your Policy.
a. Alias: <student id>-<date as mmddyy>-update-policy
b. Description: An Update Policy which will install a net new Agent to a target Endpoint.
5. Click Next.
6. In the Settings dialogue, below the If Endpoint matches… heading, click +Add Row.
7. Click the Select drop-down list, and choose Select Field.
8. In the Select Field dialogue, expand the Endpoint drop-down menu and select Host Name.
9. Below the If Endpoint matches… heading, you’ll now see the Hostname parameter has been
added.
10. Next to the Hostname parameter, choose the In operator, then click Select Values.

11. In the Hostname Endpoint dialogue locate your Endpoint 2, select it from the list, and click Done.
12. Below the Then install… heading, choose the following values:
a. Endpoint Bundle Version: Most recent version in list.
b. Content Analyzer: Enable this toggle.
c. Schedule Window: Start: Immediately; End: Never
d. Maximum concurrent updates: 5%
e. Schedule Polling Interval (Advanced): 5m
13. Click Next.
14. In the Agent Realms dialogue, click Select Agent Realms.
15. In the Select Agent Realms dialogue, locate your Realm, select it from the list, and click Assign.
16. You will see your Realm associated with this Update Policy. Click Save.
17. Back on the Endpoint Update Policies page, locate your Update Policy and select it.
18. Below the Status tab you’ll be able to monitor the status on the Updater based install that should now
be running.
19. Within this tab, click View all n endpoint events. This will place you in an Exploration view with a filter
set which will show you any/all related events around the progress on the Agent installation.
20. This process can take some time to complete, but eventually you should start to see both events and
updates to the Status tab. Once the Success field indicates the Agent has completed installation on
Endpoint 2, you should now see this Endpoint reflected in the Endpoint Catalog.
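As an added illustration of the Auto Updater logic described earlier in this lesson and of the Update Policy built in this exercise, here is a Python model (example code, not Proofpoint's implementation). It applies the lesson's rules, last created policy wins when several match and an update happens only on a version mismatch, to constructed hostnames and version strings; the 'deferred' state, the numeric comparison of 0.x.x.x versions and the rounding of the 5% concurrency cap are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """'0.10.2.1' -> (0, 10, 2, 1). Bundle versions have the shape 0.x.x.x;
    compared as text, '0.10.0.0' would sort below '0.9.0.0'."""
    return tuple(int(part) for part in text.strip().split("."))


@dataclass(frozen=True)
class UpdatePolicy:
    alias: str
    created: int                 # creation order; a higher number was created later
    hostnames: frozenset         # the "Host Name In [...]" condition of the policy
    target_version: str          # "Endpoint Bundle Version" under "Then install..."
    content_analyzer: bool = True


@dataclass
class Endpoint:
    hostname: str
    installed_version: Optional[str]   # None when no Agent is installed yet


def applicable_policy(endpoint: Endpoint,
                      policies: List[UpdatePolicy]) -> Optional[UpdatePolicy]:
    """Policies whose condition matches the endpoint; when several match, the
    last created one runs, as the lesson states."""
    matching = [p for p in policies
                if endpoint.hostname.lower() in {h.lower() for h in p.hostnames}]
    if not matching:
        return None
    return max(matching, key=lambda p: p.created)


def decide(endpoint: Endpoint,
           policies: List[UpdatePolicy]) -> Tuple[str, Optional[str]]:
    """Return (action, target_version): 'none', 'install' or 'update'."""
    policy = applicable_policy(endpoint, policies)
    if policy is None:
        return "none", None
    if endpoint.installed_version is None:
        return "install", policy.target_version
    if parse_version(endpoint.installed_version) == parse_version(policy.target_version):
        return "none", policy.target_version      # already at target: do nothing
    return "update", policy.target_version        # any mismatch moves to target


def concurrency_cap(total_endpoints: int, percent: int) -> int:
    """'Maximum concurrent updates: 5%' as an absolute count. Rounding down
    but never below one endpoint is an assumption of this model."""
    return max(1, (total_endpoints * percent) // 100)


def plan_poll(endpoints: List[Endpoint], policies: List[UpdatePolicy],
              percent: int = 5) -> Dict[str, Tuple[str, Optional[str]]]:
    """One polling cycle: decide per endpoint, then let only concurrency_cap
    endpoints that need work start; the rest are marked 'deferred'."""
    budget = concurrency_cap(len(endpoints), percent)
    plan: Dict[str, Tuple[str, Optional[str]]] = {}
    for endpoint in endpoints:
        action, target = decide(endpoint, policies)
        if action in ("install", "update"):
            if budget > 0:
                budget -= 1
            else:
                action = "deferred"
        plan[endpoint.hostname] = (action, target)
    return plan


if __name__ == "__main__":
    # Constructed values: two policies target Endpoint 2, the later one wins.
    policies = [
        UpdatePolicy("first-attempt", 1, frozenset({"ENDPOINT2"}), "0.9.0.0"),
        UpdatePolicy("student0-100722-update-policy", 2, frozenset({"endpoint2"}), "0.10.0.0"),
    ]
    print(decide(Endpoint("endpoint2", None), policies))        # ('install', '0.10.0.0')
    print(decide(Endpoint("endpoint2", "0.9.0.0"), policies))   # ('update', '0.10.0.0')
    print(decide(Endpoint("endpoint1", "0.9.0.0"), policies))   # ('none', None)
```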

Lesson 7: Endpoint File Content Scanning
Introduction
This lesson describes steps for successful implementation and use of Endpoint File Content Scanning.

Endpoint File Content Scanning

Endpoint File Content Scanning is a function provided by the embedded Endpoint DLP solution, which is
a subset of the greater ITM functionality. It is default functionality of both ITM and Endpoint DLP.
It allows you to scan files on the managed endpoint when any of five trigger activities occur:
Web Upload, Web Download, Copy to USB, Cloud Share Sync, and Document Open.
You create specific Detector Rules to implement this function.

You can use content scanning to scan files and detect when users are attempting to exfiltrate sensitive
information, such as credit card information, banking routing numbers and national identity numbers.
Content scanning is defined per Agent Realm. You can view the results and details of the scanned content
in the Explorations view.
You must set up rules for Endpoint Content Scanning to function. Rules include detectors and data
identifiers to create detector sets. You must identify each of these prior to creating rules. You access
Endpoint File Content Scanning components for rule creation in the Data Loss Prevention application.
Definition
• Endpoint DLP feature that provides visibility into sensitive data within documents
Purpose
• Prevent exfiltration of sensitive documents to USB and Cloud Sync folders
Use
• Whenever any one or combination of the following activities is performed, we can trigger Endpoint
File Content Scanning:
• Web upload
• Web download
• Copy to USB
• Cloud share sync
• Document Open
Admin tasks
• Build Detector Sets made up of Detectors and data identifiers, and add them to the Realm
• Enable Content Scanning for Agents
• Create content scanning rules

Implementing Endpoint File Content Scanning involves six steps.

1. Step 1, as identified in the Solution Configuration lesson, is to identify your goal for Endpoint File
Content Scanning. This is critical: it determines which Detectors you select.
2. Build a Detector Set made up of Detectors and Data Identifiers.
3. Assign the Detector Set to your Agent Realms.
4. Deploy Agents with Content Scanning enabled.
5. Build Rules to detect specific risky activities in file content as files are scanned.
6. Generate Alerts when matches are found in the file content.

The Data Loss Prevention application opens to Detectors. Here you can view and select the key
detectors that you want to detect on.
Your agreed-upon goal for Endpoint File Content Scanning determines which detectors (what you are
looking for) you select for this process.

There are three types of Data Identifiers. These are the mechanisms content scanning uses to find
matches.
• Dictionaries
  • Extensible: you can build your own dictionaries, defining the type of data or the data values you
  wish to scan for within the content.
• Smart IDs
  • Default dictionaries with associated code attached that makes them more intelligent and more
  accurate. You cannot build your own Smart IDs, nor edit the existing ones.
• Exact Data Matching (EDM)
  • Matches specific, exact data values rather than generic patterns.
Most customers use the pre-defined dictionaries and Smart IDs to define their data identifiers. Most start
simple and expand the solution as they identify the unique needs of their environment over time.
This course does not cover the creation of custom dictionaries; contact Proofpoint Professional Services
should you require customization beyond the available default options.

You use the Detectors available in the tool to define Detector Sets. Build a set of Detectors that fulfils
your requirement; it is made up of the default data identifiers, that is, the default dictionaries and
Smart IDs.

After selecting Detectors from the Data Detection section of the left navigation bar, follow these steps to
create a new Detector Set.
1. Click Add Set
2. In the General Tab, enter Name and Description, both are required.
3. Under Settings, click Add / Remove to show the pre-loaded Detectors. Each can be a combination of
a Smart ID and a dictionary, or just a Smart ID, or just a Dictionary. They have been created around
standards and best practices.
• Select Detectors based on your predetermined goal; for example, a concern that files containing
US Social Security numbers and Credit Card numbers are uploaded, downloaded, saved to USB or
Cloud Share Synced. That is inherently risky, and we want to detect these data types when these
activities occur.
4. Click Done
5. Click Save
6. View your new Detector Set on the Detector Sets list.

Endpoint File Content Scanning is controlled at the Agent Realm level.

1. Go to the Administration application to enable the function.
2. From the left navigation bar, select Endpoints > Agent Realms.
• Select your specific Agent Realm.
• Select Edit and choose the Advanced Settings tab.
3. Select Interaction.
a. Enable Content Scanning (toggle) to expand it.
When enabled, all Agents in the Realm scan for the same data and data types.
b. Select Scan Triggers and click Done.
c. Choose Detector Sets from the list. These are Detector Sets that have been built previously. Click
Done.
d. Enable Snippets with the toggle. Snippets contain the matched content plus 20 characters before
and after it. Snippets are reported as part of the Activity and may be included when Activity is
exported to a SIEM. Because a snippet carries the matched sensitive value itself, treat the Activity
stream and any SIEM export as containing that data, and protect access to them accordingly.
4. Click Save
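To make the Realm settings above concrete, here is a small Python model of a content scan: a Detector Set of two Detectors, Realm scan triggers that gate whether a file is scanned at all, and Snippets built from the matched value plus 20 characters on either side. This is an added example for this guide, not Proofpoint's scanning engine or code; the SSN and Luhn validation rules, the REALM field names and the sample file text are assumptions, and the Detector names are the ones used in Exercise 7-1.

```python
"""Illustrative model of Endpoint File Content Scanning: Detectors grouped
into a Detector Set, Realm-level scan triggers, and Snippets.

Added example for this guide, not Proofpoint code. The SSN and card
validation rules, the REALM field names and the sample content are
assumptions; the trigger names and the 20-character snippet window come
from the lesson text."""
import re
from dataclasses import dataclass
from typing import Callable, List

SNIPPET_CONTEXT = 20   # characters kept before and after a match

# The five trigger activities named in the lesson.
SCAN_TRIGGERS = {"Web Upload", "Web Download", "Copy to USB",
                 "Cloud Share Sync", "Document Open"}


def _valid_ssn(digits: str) -> bool:
    """Reject numbers the SSA never issues (area 000/666/9xx, group 00,
    serial 0000). Assumed stand-in for what a Smart ID adds beyond a regex."""
    area, group, serial = digits[:3], digits[3:5], digits[5:]
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


def _luhn_ok(digits: str) -> bool:
    """Luhn checksum, so an arbitrary run of digits is not reported as a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Detector:
    name: str
    pattern: re.Pattern
    validate: Callable[[re.Match], bool]   # a pattern hit alone is not enough


DETECTORS = {
    "Social Security Number (All): United States": Detector(
        "Social Security Number (All): United States",
        re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b"),
        lambda m: _valid_ssn("".join(m.groups()))),
    "Credit Card Number": Detector(
        "Credit Card Number",
        re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b"),  # 16-digit cards only
        lambda m: _luhn_ok(re.sub(r"\D", "", m.group(0)))),
}

# Realm configuration as set in Exercise 7-2 (field names are assumptions).
REALM = {
    "scan_triggers": {"Web Upload", "Copy to USB"},
    "detector_sets": {
        "Drivers License, Credit Card, and Social Security numbers": [
            "Social Security Number (All): United States",
            "Credit Card Number",
        ],
    },
    "snippets": True,
}


@dataclass(frozen=True)
class Match:
    detector: str
    value: str
    snippet: str      # empty when Snippets is disabled on the Realm


def scan_file(realm: dict, trigger: str, content: str) -> List[Match]:
    """Scan `content` with every Detector in the Realm's Detector Sets.
    Nothing is scanned unless `trigger` is one of the Realm's scan triggers."""
    if trigger not in SCAN_TRIGGERS:
        raise ValueError(f"unknown trigger: {trigger}")
    if trigger not in realm["scan_triggers"]:
        return []
    names: List[str] = []
    for det_set in realm["detector_sets"].values():
        names.extend(n for n in det_set if n not in names)   # de-duplicate
    matches = []
    for name in names:
        det = DETECTORS[name]
        for m in det.pattern.finditer(content):
            if not det.validate(m):
                continue
            start, end = m.span()
            snippet = (content[max(0, start - SNIPPET_CONTEXT):end + SNIPPET_CONTEXT]
                       if realm["snippets"] else "")
            matches.append(Match(det.name, m.group(0), snippet))
    return matches


# Constructed sample file content: one issuable SSN, one Luhn-valid card,
# one card that fails Luhn, and one SSN the SSA would never issue.
SAMPLE_CONTENT = ("Patient intake form. SSN: 123-45-6789. Card on file "
                  "4111 1111 1111 1111. Test card 4111 1111 1111 1112 "
                  "and test id 000-12-3456.")

if __name__ == "__main__":
    for hit in scan_file(REALM, "Web Upload", SAMPLE_CONTENT):
        print(f"{hit.detector}: {hit.value!r} snippet={hit.snippet!r}")
    print("Document Open ->", scan_file(REALM, "Document Open", SAMPLE_CONTENT))
```

Run it directly to print the matches. The point to notice is the Realm gate: the same file is scanned on a Copy to USB because that trigger is configured, but not on a Document Open, and with Snippets disabled the Activity carries only which Detector fired, not the matched value itself.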

For a command-line installation, set the Content Scanning flag to 1. With the graphical MSI installation,
you are offered two components to install: a check box for the Client Utility and a second check box for
the Content Scanner. Make these selections during Agent install to have content scanning installed on
each of your endpoints.

The last step for Endpoint File Content Scanning is to build rules around these activities so that, when
a user performs one of them and the scan returns a match, we generate an Alert stating that a risky
activity occurred. Rules can be either a New Detection Rule or a New Prevention Rule.
You will create a Detection Rule in the Filtering lesson when creating the other ITM/Endpoint DLP
rules.

Exercise 7: Endpoint File Content Scanning

Scenario
To align with and remain compliant with various Compliance Policies, both internal and external, Central
Healthcare needs to scan files for specific content that may reflect Insider Threat risk behaviors. In this
lab you scan endpoint files to determine whether they contain sensitive personal information, such as
Driver's License and Social Security numbers.

Objectives
• Build a Detector Set which contains Detectors for both Social Security and Driver’s License numbers
• Update your Agent Realm and enable Content Scanning

Exercise 7-1: Build a Detector Set to Detect Sensitive Content


1. Within the ITM SaaS console, navigate to the Data Loss Prevention App.
2. On left navigation bar, select Data Detection, and then Detector Sets below it.
3. In the upper right corner of the page, click Add Set.
4. Click to select the General Tab:
a. Name your Detector set <your student ID>-<date as mmddyyyy>-Drivers License, Credit Card,
and Social Security numbers.
b. Provide a text based description of what these Detectors will be used for.
c. Click Next.
5. Click the Settings tab:
a. Click Add/Remove.
b. In the Search field on the top right, type: Driver
i. You will see “Driver License: United States” appear in the list. Click the Include box.
ii. Click Done. You’ll now see the Driver License Detector in the Detectors field.
c. Click, Add/Remove.
d. In the Search field on the top right, type: Social
i. You will see “Social Security Number (All): United States” appear in the list. Click the Include
box.
ii. Click Done. You’ll now see the Social Security Detector in the Detectors field.
6. Click Save.

Exercise 7-2: Edit your Agent Realm and Enable Content Scanning
1. Within the ITM SaaS console, navigate to the Administration App.
2. On left navigation bar, below the heading Endpoints, select Agent Realms.
3. Locate and click to select the Agent Realm you previously configured in Lesson 4.
4. Click Edit on the right side of the page.

5. In your Realm, select the Advanced Settings tab.


6. Locate the section of the page with the header Interaction.
7. Below Interaction, click the slider to enable the Enable Content Scanning function.
8. On the right side of the page, click 5 values. This will open the Choose Values Scan Triggers
dialogue box.
9. Click the include box for Name to deselect all the values (if needed), then click Web File Upload.
10. Click Done.
11. Within Interaction, locate “Detector Sets.” On the right, click Choose Values.
12. In the Select Detectors ACTIVE DLP DETECTORS dialogue box, locate the Detector Set you
created in Exercise 7-1, select it, and click Done.
13. The Detector Sets button now reflects “1 value.”
14. Below Detector Sets, locate Enable Snippets.
15. Click the slider to enable Enable Snippets.
16. Click Save.

Lesson 8: Rules and Conditions
Introduction
This lesson teaches how to create Rules and Conditions to narrow the collected activity down to what is
actionable. You will create Rules from the Threat Library, from Conditions, and from scratch.

Filtering

This illustration shows where data filtering fits in the implementation of Insider Threat Management. This
lesson reviews the steps and fields to complete in order to create rules to filter collected data.

The purpose of the Insider Threat Management software is to gather data, present it, and filter the data
down to a select set of actionable items. While you can use the tools in many ways, this lesson presents
a simple method of using Insider Threat Management.
We start with a simple goal: identifying Web Uploads.
The system has been gathering data from the endpoints where we installed the Agent apps.
To start the process, we create Conditions to use within Rules, then create Rules from the Threat Library
templates, and finally create Rules from scratch.

Use Rules to trigger actions such as generating Alerts and sending notifications.


Characteristics of rules include
• Stored in Threat Library and Rules List
• Generate Alerts
• Can be tuned
• Apply to entire account
Contain
• Conditions
• Notification Policies
• Logic statements
Used to trigger actions
• Create critical to low severity alerts
• Send notification when alert triggers
Rule examples include:
• Trigger a critical severity alert whenever a file is exfiltrated to a cloud-based storage service, and
send a notification to the department manager
• Trigger a low severity alert whenever a file is copied to a USB device that is on a predefined
unauthorized list

After you have defined a use case, create a rule to identify the behaviors you are seeking. Ensure that
your rule includes exclusions. Add a notification, then enable the rule. As you review the generated
Alerts, continue to refine the rule so that the actionable items it generates still meet your desired daily
target.

The Threat Library is a collection of common out-of-the-box threat scenarios based on research with the
Computer Emergency Response Team (CERT) institute at Carnegie Mellon, the National Insider Threat Task
Force (NITTF), National Institute of Standards and Technology (NIST) standards, the customer base, and
third-party research firms.
You use the items (templates) to create and build new rules.
Threat Library items are associated with a category to help you navigate, see what is available, and use
and maintain the items. For a list and description of each item, see the Threat Library dashboard.
If you are a DLP-only user, the Threat Library currently provides a limited list of data exfiltration
scenarios. All available scenarios are listed and described in the Threat Library dashboard.
The dashboard includes a Publish date, which indicates what has been added or updated. This lets you see
the most recent items added to the Insider Threat Library.

The Threat Library contains many rule templates, which make it easy to create a new rule. Select your
template and click Save as Rule. You can then use the rule as is or edit it to meet your specific
needs.

This shows a high-level overview of creating a Rule.


1. Select Administration App
2. Select Policies > Rules
3. Click New Rule
4. Select New Rule Type
5. General tab
Enter Name and Description
6. Settings tab
• Define the new rule using if/then logic.
• IF section
• Select starting point
• Categories, In or Not In, Values
• Add Rows and Nested Rows
• THEN section
• Define Alert priority
• Select Notification Policies
7. Click Save
Editing a complex rule follows the same process as editing the simpler rules. You can use Edit to add
more complexity to a simple rule.

To create a new Rule from scratch, follow these steps.


1. Select Administration App
2. Click New Rule
3. Select New Rule Type
• New Detection Rule
• New Prevention Rule

4. Select General tab: enter Name (required) and Description (optional)

Start with the IF section, where you can:
a. Select Field (when starting from scratch)
b. Select Existing Condition
c. Select from Threat Library (an existing rule template from which to build your rule)

5. Start with the IF section

a. Select Field (start from scratch)
• Displays the Select Field options (Activities > Categories > action taken, then Select Values)
• You can add more rows to add more fields
• Use AND statements to refine the rule
b. Select Existing Condition (when one exists)
c. Select from Threat Library (start from an existing rule template and build on it)
d. Add Rows and Nested Rows

As part of creating each row, you decide the logic parameter. Select from the drop-down list.

Complete the IF statement by clicking Select Values and choosing from the list.

6. Then section
a. Define Alert severity
b. Select Notification Policies
c. Select Tags
d. Click Save

Definition: Criteria you apply to rules and explorations


Purpose: Simplify rule and exploration creation
• Use to create filtering lists
• Starting point for rule or exploration (row)
• Apply one or more condition
• Apply same condition to more than one rule or exploration
Use
• Create new conditions
• Select from existing conditions
• Add
• Edit
• Delete
• Proofpoint provides a library of Conditions
• Saved conditions

You can use conditions to set up lists. For example, you might create a list of all users who have recently
given notice, or a list of websites users are prohibited from using. You use these lists when creating rules
to trigger alerts, as well as in explorations.
Conditions allow you to:
• trigger an alert when one of the users in the risky group browses the Web
• trigger an alert when web browsing is to one of the social media sites
• trigger an alert when web browsing is by a specific user and to a specific social media site
So, if you apply the risky users condition to a rule that triggers an alert whenever a file is copied to a USB
device, an alert is triggered when one of the risky users copies a file to USB.
You can see the conditions that have been created in the Conditions table.

This series shows how to create a condition to identify Risky Users.


1. Administration, Policies > Conditions
2. Click New Condition

3. General tab: complete Name and Description ‘Risky Users’, Click Next

4. Details tab: Select > Select Field

5. From ‘Select Field’ list, select User and then User Name

6. Logic: choose from the list of options

7. Select Values: select users to include, click Done

8. Click Save when selected values appear in the rule’s row.

Your Insider Threat Management system includes pre-defined conditions (created by Proofpoint) that you
can use but cannot edit. You can edit, modify and delete any of the conditions you create yourself.

After you create a rule, the Alerts and Notifications it generates are automatic. You can continue to refine
the rule to ensure the actionable items generated still meet your desired daily target.

You can add rows to your rule at initial creation or later via editing. Your additional rows can be at the
same level as an existing row or nested beneath a row. This organization controls how the rule gets
executed.
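The following Python model shows how rows, nested rows and saved Conditions combine into the IF/THEN logic described in this lesson, evaluated over a few constructed activity records. It is an added example for this guide, not Proofpoint code: the activity field names, the assumption that rows at one level are ANDed while a nested group ORs its alternatives, and the sample activities are all assumptions; the Condition and rule names are those used in Exercise 8.

```python
"""Illustrative model of Rule rows, nested rows and Conditions as IF/THEN
logic over collected activity.

Added example for this guide, not Proofpoint code. Field names, the
AND/OR execution order and the sample activities are assumptions."""
from dataclasses import dataclass
from typing import Optional, Tuple, Union

Activity = dict   # one collected activity: field name -> value or list of values


@dataclass(frozen=True)
class Row:
    """One rule row: <field> <logic> <values>."""
    field: str
    logic: str            # In, Not In, Contains, Does Not Contain
    values: Tuple[str, ...]

    def matches(self, activity: Activity) -> bool:
        actual = activity.get(self.field)
        actual_set = set(actual) if isinstance(actual, (list, tuple, set)) else {actual}
        if self.logic == "In":
            return bool(actual_set & set(self.values))
        if self.logic == "Not In":
            return not (actual_set & set(self.values))
        contains = any(v in str(a) for a in actual_set for v in self.values)
        if self.logic == "Contains":
            return contains
        if self.logic == "Does Not Contain":
            # A missing field also "does not contain" the value, so this logic
            # must be ANDed with a row that scopes the activity type.
            return not contains
        raise ValueError(f"unknown logic: {self.logic}")


@dataclass(frozen=True)
class Group:
    """Rows at one level (AND) or a nested group of alternatives (OR)."""
    op: str
    children: Tuple[Union["Row", "Group"], ...]

    def matches(self, activity: Activity) -> bool:
        results = [c.matches(activity) for c in self.children]
        return all(results) if self.op == "AND" else any(results)


# Reusable Conditions, as built in Exercise 8-1 and the Risky Users walkthrough.
CONDITIONS = {
    "External Websites": Row("Resource URL", "Does Not Contain", ("mydomain.com",)),
    "Risky Users": Row("User Name", "In", ("j.doe", "a.smith")),
}


@dataclass(frozen=True)
class Rule:
    name: str
    when: Group
    action: str       # "Detect" (alert only) or "Block" (prevention rule)
    severity: str     # Critical, High, Medium, Low

    def evaluate(self, activity: Activity) -> Optional[dict]:
        if not self.when.matches(activity):
            return None
        return {"rule": self.name, "action": self.action, "severity": self.severity}


RULES = [
    # Exercise 8-4: block web uploads of scanned sensitive content to external sites.
    Rule("Prevent Web File Upload to External Website Based on Scan Result",
         Group("AND", (
             Row("Primary Category", "In", ("Web File Upload",)),
             Row("Indicator/Detector Name", "In",
                 ("Social Security Number (All): United States",
                  "Driver License: United States")),
             CONDITIONS["External Websites"],
         )),
         action="Block", severity="Critical"),
    # Nested group: risky user AND (copy to USB OR web upload).
    Rule("Risky user moves a file off the endpoint",
         Group("AND", (
             CONDITIONS["Risky Users"],
             Group("OR", (
                 Row("Primary Category", "In", ("Copy to USB",)),
                 Row("Primary Category", "In", ("Web File Upload",)),
             )),
         )),
         action="Detect", severity="Low"),
]


def evaluate_all(activity: Activity) -> list:
    """Return the outcome of every rule that matches the activity."""
    return [r for r in (rule.evaluate(activity) for rule in RULES) if r]


# Constructed sample activities (not real collected data).
SAMPLE_ACTIVITIES = [
    {"User Name": "b.lee", "Primary Category": "Web File Upload",
     "Resource URL": "https://share.example.net/upload",
     "Indicator/Detector Name": ["Social Security Number (All): United States"]},
    {"User Name": "b.lee", "Primary Category": "Web File Upload",
     "Resource URL": "https://intranet.mydomain.com/upload",
     "Indicator/Detector Name": ["Social Security Number (All): United States"]},
    {"User Name": "j.doe", "Primary Category": "Copy to USB"},
    {"User Name": "b.lee", "Primary Category": "Web File Upload",
     "Resource URL": "https://share.example.net/upload"},
]

if __name__ == "__main__":
    for act in SAMPLE_ACTIVITIES:
        print(act["User Name"], act["Primary Category"], "->", evaluate_all(act))
```

The detail worth checking is in Row.matches: Does Not Contain is true for an activity that has no Resource URL at all, so the External Websites Condition on its own would fire on USB copies and document opens. That is why, in Exercises 8-2 to 8-4, it is always added as a second row beneath a Web File Upload row rather than used as the rule's starting point.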

Refining rules follows the same process as creating them. Select your starting point, the applied logic,
and the specific values to filter on.

Rule monitors Active Directory (AD) group membership

Because the rule runs against the AD group as its membership changes, it generates an Alert whenever
activity matches a current member of the group.
IF
1. Select Field > User > Groups
2. Logic = In
3. Select Values
• Queries AD and returns the list of groups
4. Click the selected group > Done
5. Click Save

You can create quite complex rules. Most customers do not start with highly complex rules. Rather, the
initial rules are relatively simple until the customer has worked with the Insider Threat Management
system for several months. As time progresses, the need for complex rules becomes apparent in order to
identify and alert on specific activities.

Follow these steps to create an Endpoint File Content Scanning detection rule.
1. Select Administration App > Policies > Rules
2. Click New Rule
3. Click New Detection Rule
4. General Tab
a. Enter Name
b. Enter Description of new detection rule

5. Continue with Settings Tab


a. Click Select
b. Choose Select Field
c. Select Detector from list
d. Click Indicator/Detector Name

6. Click Select Values


• Check to select Detectors from the list that appears.
• Note: Detectors must have been attached at Realm level
7. Click Done

Your chosen Detectors show in the rule line after IN


8. Select Alert Severity Level
• Critical
• High
• Medium
• Low
9. Click Save

If a user in that Realm uploads a file that contains a Social Security number, the system generates an
Alert like the one shown here.
Web file upload was the activity that occurred; it was detected by the Content Scanning Test Rule, where
the user's file matched on a Social Security number.
In the Details section, you can see the snippet within the Conditions that matched, with the detailed
information.

Exercise 8: Build Conditions and Rules

Scenario
Based on the goals and objectives that Central Healthcare seeks to support with this application, the
ITM Team has determined that Data Exfiltration via Web Upload activities is of primary concern and
focus. This lab focuses on building various Rules to evaluate this significant User activity in this
environment.

Objectives
• Create a Condition that identifies External Websites.
• Edit an existing template, from the Threat Library, to alert whenever a User uploads a document to an
External Website
• Build a custom Prevent Rule, to Block Web File Upload Activity to an External Website
• Build a custom Prevent Rule, to Block Web File Upload Activity to an External Website based on an
Endpoint File Content scan result

Exercise 8-1: Build a custom Condition to define External Websites


Create a Condition that identifies External Websites by excluding your domain.
1. Navigate to the Administration app.
2. Click Definitions on left navigation.
3. Click to select Conditions.
4. In the upper right of the page, click New Condition.
5. Below General settings, give your Condition a Name, like: External Websites-<your student ID>-
<date as mmddyy>.
6. Enter a Description if you choose.
7. Click Next.
8. Below IF, choose Select Field from the Select drop-down menu.
9. From the Select Field dialogue box, expand Files/Resources and select Resource URL from the list.
10. Change the In drop down to Does Not Contain. Click Select Values next to the In drop-down menu.
11. Within the Resource URL – FILES/RESOURCES dialogue box, enter the value mydomain.com in
the Search field at the top.
12. On the right of this field, click Add it as a new value. You will see the value appear below Selections
(1).
13. Click Done.
14. Click Save.
15. View your new Condition in the Table of Conditions.

Exercise 8-2: Edit an existing template from the Threat Library for new Rule
Create a Rule from an existing Rule Template to detect an Alert when a user uploads a document to an
external website.
1. From the console, navigate to the Administration app.
2. Click Policies on left side navigation.
3. Below Policies, select Threat Library.
4. Locate the Rule titled, Exfiltrating any file to the web by uploading and select it in the table.
5. Click Save as a Rule, on the right.
6. When the New Rule: Exfiltrating any file to the web by uploading pane opens, select … (dots) on
the right of the IF section, and select Convert to Rows.
7. Below the Primary Category In Web File Upload row, click +Add Row.
8. Click Select, and click Select Existing Condition.
9. In the Select Existing Condition dialogue box, type external in the Search field.
10. Locate and select your External Websites Condition from the list. You will see this parameter added
to the Rule.
11. Click Save. View your new custom Rule in the table of Rules

Exercise 8-3: Create Prevent Rule to Block file upload to External Website
Create a Prevention Rule to detect and block when a user uploads a document to an external website.
1. From the console, navigate to the Administration app.
2. Click Policies on left side navigation bar.
3. Below Policies, click Rules.
4. On the Rules pane, on the right, click New Rule.
5. In the New Rule Type dialogue, click New Prevention Rule.
6. In the New Rule: dialogue box, below the General Tab, enter the following Name for your rule:
Prevent Web File Upload to External Website-<studentID>-<date as mmddyy>
7. In the Description field, add a text based description of your Rule, if you’d like.
8. Below the Settings Tab, on the left, within the IF field click Select Values.
9. In the Protocols – Devices dialogue box, select Web File Upload.
10. In the IF field, click, +Add Row. Click Select.
11. Click Select Prevention Condition from the drop-down list.
12. In the Select Prevention Condition dialogue box, locate your External Websites Condition and select
it. You now see the additional parameter added to your Prevent Rule: Condition Is External Websites.
13. Below the Settings Tab, on the right within the THEN field, click to select the radio button for Block.
14. On the lower right, click Next.
15. Below the Agent Policies Tab, locate one of the Agent Policies you created in lab exercise 5, and
click the box next to it to select it.
Should you see the message "One or more selections requires configuration at the Realm level. Check
Configuration", check your Agent Realm to ensure Prevention has been enabled.

16. Click Save.

Exercise 8-4: Block File External Website Upload on File Content Scan
Create a Prevention Rule to detect and block document upload by a user to an external website based on
an Endpoint File Scan result.
1. From the console, navigate to the Administration app.
2. Click Policies on left side navigation.
3. Below Policies, click Rules.
4. On the Rules page, on the upper right, click New Rule.
5. In the New Rule Type dialogue, click New Prevention Rule.
6. In the New Rule: dialogue box, below the General Tab, enter the following Name for your rule:
Prevent Web File Upload to External Website Based on Scan Result-<studentID>-<date as mmddyy>
7. In the Description field, add a text based description of your Rule, if you’d like.
8. Below the Settings Tab, on the left, within the IF field click Select Values.
9. In the Protocol – Devices dialogue box, select Web File Upload from the list.
10. Within the IF field click, +Add Row. Click Select.
11. Click Select Field. From the Select Field dialogue box, click Detector. In the drop-down menu, click
Indicator/Detector Name. You’ll now see the additional parameter added to the Rule.
12. On the left, below IF, to the right of Indicator/Detector Name In, click Select Values.
13. In the Detectors – DETECTOR NAME dialogue, locate the Detectors you have previously configured
in Exercise 7-1 and click each to select them from the list.
14. Click Done. You’ll now see the additional parameter added to the Rule.
15. Below this new parameter, on the left below IF. Click +Add Row.
16. Click Select and choose Select Prevention Condition from the drop-down list .
17. In the Select Prevention Condition dialogue box, locate your External Websites Condition in the list
and select it. You now see the additional parameter added to your Prevent Rule: Condition Is External
Websites.
18. Below the Settings Tab, on the right within the THEN field, ensure the radio button for Block is
selected.
19. On the lower right, click Next.
20. Below the Agent Policies Tab, locate one of the Agent Policies you created in Exercise 5, and click
the box next to it to select it.
Should you see the message "One or more selections requires configuration at the Realm level. Check
Configuration", check your Agent Realm to ensure Prevention has been enabled.
21. Click Save.

Lesson 9: Notifications, Tagging, and Alerts
Introduction
This lesson teaches how to add notification policies to rules and configure rules to generate the desired
Alerts. It also demonstrates how to identify incidents using Alerts and Notifications, and how to create
and use Tags.

Alerts and Tagging

This illustration shows where Notifications, Alerts and Tags fit in the implementation of Insider Threat
Management. This lesson reviews the steps and fields to complete in order to add Notifications, Alerts,
and Tags to Rules.

Rules generate Alerts. You can create Notification Policies and add them to rules to send notifications
when a Rule generates an Alert.

Definition
• Defines who gets notification of alert and delivery mechanism
Purpose
• Inform users when an alert is triggered
Use
• Ensure certain people see alerts
Admin tasks
• Create, Edit, Delete Notification Policies
• Add notification to Rules
• Set up Webhooks
• Slack, Outlook Groups, Splunk Cloud, Microsoft Teams, other third-party apps

Notification policies are created in the Administration app.

1. From the Proofpoint Information Protection platform, select the Administration app. Select
Integrations > Notification Policies.
2. Click New Notification Policy.
3. Type the Name of the new policy and click Next.
4. Enter the notification Subject and Message text.
5. Optionally, enable End User Justification.
6. The screen shows options to add either Webhooks or Email. Click Add for either, or click Save: the
policy is saved and a panel opens on the left where you select the type of notification (email or
webhook) and provide its details.
7. Click Done.
Note: Email can be added as either Text or HTML using the drop-down menu. Wait for the email addresses
to appear in the list before clicking Done.

Justifications can be used with prevention rules to offer the user the option of continuing a prevented
action by selecting a response. When a justification is selected, the action is allowed. If you want to use
justifications, you must first create a default justification for the Agent Realm. Justifications are turned on
in the End User Notifications area in the Advanced settings of the Agent Realm. Here you define the
Default Block message a user sees when an action is blocked by a prevention rule.
In the Default Prompt area, you must define a default justification by selecting one or both of the
following:
• Click Add New Justification and select one or more of the predefined justifications from the list.
• Select Allow user to enter freeform text reply.
Use the justifications from the Justification page in notification policies that are used with prevention
rules. The default justification is defined per Agent Realm, but a notification with its own justification can
also be set up at the rule level.
1. From the Administration application, select Integrations > Notification Policies.
2. Create the message you want and turn on Allow user to respond, to define the response that you
want to appear in the end user notification.
3. In the Label above selection textbox, add text that you want to display above the justification.
4. In the Justifications section, click Add/Edit to add or edit the justifications from the list that you
want included in the notification. These include custom justifications you created and standard
justifications added by Proofpoint.
5. If you want the user to add freeform text, select Allow user to enter freeform text reply and enter the
text you want to prompt the user in the Label textbox.
You can set up a notification with justification at the rule level. In that case, the user is prompted for the
justification when the action that is defined in the rule occurs. You can select:
• Prompt the user to provide a justification and the default justification you defined for the Agent
Realm will be used
• Block and assign the end user notification that includes a customized justification you want to use


Webhooks are user-defined HTTP callbacks. The problem they are intended to solve is "pushing"
information to you: a server-side resource that wants to push data does not know where, or to whom, to
push it. The webhook is an architectural pattern that solves this by letting you register the URL to call.


1. Select Add webhooks and, from the drop-down list, select the platform you want.
2. Click the link for detailed instructions.
3. When you complete the instructions, you'll receive a URL. Copy the URL and click Save.
4. The webhook is added and relevant notifications will be sent to your chosen platform.
5. Click Done.


1. From New Policy pane General tab, select Automated (Webhook/Email)


2. Select Add webhooks


3. Select the platform you want


4. Click the link for detailed instructions


5. Complete the instructions to receive a URL


6. Copy the URL and click Save to add webhook and relevant notifications
7. Click Done


Tags are labels you can create and assign to selected information. These tags make it easier for analysts
to identify and categorize important information.


A tag is an identifier that can be attached to rules, conditions, activities, alerts, and other items to group
them under a common name. You can then easily build an investigation from that group.
The User Interface has a Tag Management area where you can create a tag, such as high risk or data
exfiltration. During an Exploration you can assign the tag to individual alerts. You can also tag the rules that
generated the alert. You can then group all these items under the common name with a filter in an
Exploration. The system also ships with pre-set tags.
Once items have been tagged, you can use the tags in a filter in Explorations; the Activities that carry the
common tag are then shown.


All tags can be viewed from the Proofpoint Information Protection platform console in the
Administration app. Select Tag Management.
To see details about where a tag is used, click on it. In the example the tag is used 57 times in the Threat
Library. By clicking on the arrow, you leave Tag Management and go to the relevant view.


Follow these steps to create a tag.


1. Select Tag Management
2. Click New Tag
3. Name tag, select color
4. Click Save


All tags can be viewed from the Proofpoint Information Protection platform console in the
Administration app. Select Tag Management.
1. Choose tags from list
2. Add new tags as needed
3. Click Done to save
Assigned tags appear on tag list with count
4. Click tag to view tagged Explorations


You can use tag management throughout your work. You can apply the same tag to activities, rules,
conditions you create, explorations and alerts to help you identify and categorize.
For example, suppose you are creating several rules to monitor a group of employees you are watching. To
make it easier to find those rules in the Rules list, you can tag each rule, in this example with the tag watched group.
Add tag to rules
1. Select rule to tag
2. Click Add Tags
3. Select tag
4. Click Done
5. Use Filter by to locate items such as rules, explorations, conditions, alerts, and items in Threat
Library.


The Agent App installed on the Endpoint generates Activities and Screenshots. Filters and Conditions
determine what is shown in an Exploration, where the Activities and Screenshots can be filtered and viewed.
Activities and Screenshots are also fed into the Rule Engine, which then generates Alerts.
These Alerts include what a monitored user did as well as screenshots of the activities.


To see the Alerts, from the Proofpoint Information Protection Platform, select the Analytics app and
then from the side menu, select Alerts.
Alerts are displayed in graphic and table format so you can easily identify what is happening. You can
view and analyze the alert details with intuitive data visualizations.
Definition
• Warning triggered by defined rule
Purpose
• Monitor and investigate suspicious activity wit
Use
• Monitor potentially risky user activities
Admin tasks
• Set severity level
• Low, medium, high, or critical
• Enable relevant screenshot
• Select Filter by
• All Endpoints or DLP only


Click an alert to view and analyze its details with intuitive data visualizations.


The alerts table lets you see a list of all the alerts and edit the columns to see specific information. The
alerts are listed chronologically.
By clicking on a row, you can see the details of the alert.
The details vary depending on the alert channel.


You can select to show/hide a summary of all alerts. By clicking on a rule, you can see all the relevant
alerts.


You can choose to group common alerts. This means that when the same exact alert happens
consecutively, it is grouped with the previous alert.
To group alerts, click ... at the top of the table and select Group Common Alerts from the menu.
Each bar indicates the number of alerts that are grouped with this item. For example, when you see two
bars there are two grouped alerts. These two alerts are exactly the same; that is, the same activity, the
same users, the same URL domain, etc.
To ungroup the alerts and see each one individually, select Ungroup Common alerts from the menu.
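The grouping behaviour described above, as an added example that is not part of the student guide or of the product: identical alerts (same rule, user, activity and URL domain) are merged only when they are consecutive, and an identical alert that arrives after a different one starts a new group. The alert fields and sample rows are constructed for illustration, not the product schema.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass(frozen=True)
class Alert:
    """One row of the alerts table (constructed fields, not the product schema)."""
    time: str        # ISO 8601 timestamp; the table is chronological
    rule: str
    user: str
    activity: str
    url_domain: str


@dataclass
class AlertGroup:
    """A run of identical consecutive alerts; the bar count is the run length."""
    members: List[Alert] = field(default_factory=list)

    @property
    def bars(self) -> int:
        return len(self.members)


def group_key(alert: Alert) -> Tuple[str, str, str, str]:
    # "Exactly the same" per the guide: same activity, same user, same URL domain
    # (and the same rule, since an alert is that rule's warning).
    return (alert.rule, alert.user, alert.activity, alert.url_domain)


def group_common_alerts(alerts: List[Alert]) -> List[AlertGroup]:
    """Merge an alert into the previous group only when it is identical to it
    AND immediately follows it; identical alerts separated by a different
    alert start a new group."""
    groups: List[AlertGroup] = []
    for alert in sorted(alerts, key=lambda a: a.time):
        if groups and group_key(groups[-1].members[-1]) == group_key(alert):
            groups[-1].members.append(alert)
        else:
            groups.append(AlertGroup([alert]))
    return groups


def ungroup_common_alerts(groups: List[AlertGroup]) -> List[Alert]:
    """Reverse of grouping: the original chronological list of alerts."""
    return [alert for group in groups for alert in group.members]


# Constructed sample alerts (not product data): three identical uploads in a row,
# one by a different user, then another identical upload that is NOT consecutive.
SAMPLE_ALERTS = [
    Alert("2023-02-01T10:00:00", "Web Upload to External Site", "user1", "Web File Upload", "dropbox.com"),
    Alert("2023-02-01T10:01:00", "Web Upload to External Site", "user1", "Web File Upload", "dropbox.com"),
    Alert("2023-02-01T10:02:00", "Web Upload to External Site", "user1", "Web File Upload", "dropbox.com"),
    Alert("2023-02-01T10:05:00", "Web Upload to External Site", "user2", "Web File Upload", "dropbox.com"),
    Alert("2023-02-01T10:07:00", "Web Upload to External Site", "user1", "Web File Upload", "dropbox.com"),
]


if __name__ == "__main__":
    for g in group_common_alerts(SAMPLE_ALERTS):
        first = g.members[0]
        print(f"{first.time} {first.user:6} {first.url_domain:12} bars={g.bars}")
```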


The timeline lets you see all activities in chronological order detailing each action taken in the sequence
they were performed. The timeline shows how users access, move and manipulate files and data. This
way you can see and understand what happened before and after an alert or a specific user activity and
understand the context.
By default, when you open the timeline you see the list of user activities on the left and summary and
details area for the selected user activity on the right. The histogram at the top provides a quick visual
view of when user activity occurred. From the left side, you can select Show Filters where you can filter
what you see.


From the left side of the timeline view, you can select Show Filters to view the available filters and limit
what you see.


The timeline view includes the icons shown here to indicate user activity type.


The File Timeline shows the history of the file you are investigating. You access this view from the Details
panes of the identified activity.


This shows the recommended steps to investigate an Alert, from viewing Alerts to distributing the
information gathered to the appropriate individuals.


Exercise 9: Build Notification Policies and Tags, Review Alerts

Scenario
Although the ITM team at Central Healthcare is small, each of its members, as well as external
constituents, will have access to the Alert output of the tool. Therefore, a keen understanding of Alert
functions and capabilities is required. Based on their Acceptable Use Policy, they have identified the
need to send End User Notifications if and when a user violates any policy contained therein while
performing certain Endpoint behaviors.

Objectives
• Configure and enable an Agent Realm level End User Notification.
• Build an Endpoint Notification Policy, including Justifications, and apply it to your Prevent Rule.
• Test each of the Rules configured in Lesson 8.
• Review the Alert Data and use the various Workflow functions with it.
• Create a tag and tag your existing Rule, Condition, and Alerts to present like objects together based
on the assigned Tag.

Exercise 9-1: Create and Enable End User Notification on Agent Realm
1. From the console, navigate to the Administration view.
2. Click Endpoints on left navigation menu.
3. Below Endpoints, select Agent Realms.
4. In the Agent Realms table, locate the Agent Realm you created in Exercise 4 and select it from the
table.
5. On the right, click Edit.
6. Below the Advanced Settings tab, locate the End User Notifications field, and turn on Enable End
User Notifications. Locate the field titled Default Block.
7. On the left, in the box beside Subject, change this value to: This is the Realm level Default Block
Message.
8. On the left, in the Message box (inserting variables as noted), craft your End User Notification as
follows:
• Type: A Web File upload to an External Website has been detected.
• On a new line, type: The Rule that was triggered was –
• Insert the cursor after the dash (-) and click +Rule Name in the Variables list.
• Your Message will now reflect: The Rule that was triggered was – [[Rule Name]]
• Insert another line and type: The File involved in the Activity was –
• Insert the cursor after the dash (-) and click +File Name(s) in the Variables list.
• Your Message will now reflect: The File involved in the Activity was –[[File Name(s)]]


9. In the Default Prompt section, locate the field with Reason for Action within it.
10. Edit this value by typing: Policy Violation
11. Click box to Allow user to enter freeform text reply.
12. Click Save.

Exercise 9-2: Create an Endpoint Notification Policy for your Prevent Rule
1. From the console, navigate to the Administration view.
2. Click Integrations on the left navigation menu.
3. Click Notification Policies below it.
4. On the upper right of the page, click New Notification Policy.
5. On the NEW POLICY page, add a value in the Name field: Prevent Rule Notification Policy-
<studentid>-<date>
6. Below the Type heading, click the Endpoint radio button.
7. Click Next.
8. On the left of the page, locate the Subject field and update the value with: Scan Result has Sensitive
Content - Upload Blocked.
9. In the Message field:
• Type: An Endpoint File Scan has occurred.
• On a new line, type: The Rule that was triggered was –
• Insert the cursor after the dash (-) and click +Rule Name in the Variables list.
• Your Message will now reflect: The Rule that was triggered was – [[Rule Name]]
• Insert another line and type: The File involved in the Activity was –
• Insert the cursor after the dash (-) and click +File Name(s) in the Variables list.
• Your Message will now reflect: The File involved in the Activity was –[[File Name(s)]]
10. Within the End User Justification section, enable the Allow user to respond toggle.
11. Locate the Label above selection field and type: Upload Justifications
12. Locate the Justifications heading and click Add New Justification.
13. In the Justifications dialogue box, below Select Values, locate and select the following values from
the list:
• I have obtained prior approval to perform this action
• The recipients are approved for sharing this content
• This action is part of an established business process
• The data in this file is not confidential
• This action is allowed as part of my role
14. Within the Search Values field, type: This is my unique Justification-<studentid>-<date as
mmddyy>
15. Click Add it as a new value.
16. In the New Justification dialogue box, click Save.
17. In the Justifications dialogue locate your custom Justification and select it from the list.


18. Click Done and Save.


Apply this Notification Policy to your End Point File Content Scanning Rule you configured in Exercise 8-4.
19. From the console, navigate to the Administration view.
20. Click Policies on the left navigation menu.
21. Click Rules below it.
22. From the list of Rules, locate your Rule created in Exercise 8-4 and select it.
23. On the right side of the page click Edit.
24. In the Edit Rule dialogue, click the Settings tab.
25. Below THEN, select the radio button for: Prompt the user to provide a justification.
26. Click +Assign End User Notification.
27. From the Select Notification Policies dialogue, below Select Values, locate your Notification Policy
created in this exercise and select it from the list.
28. Click Save.

Exercise 9-3: Test Your Rules to Generate Live Alerts


1. From the console, navigate to the Administration view.
2. Click Policies on the left navigation menu.
3. Click Rules below it.
4. Locate your Rule from the list created in Exercise 8-3 titled, Prevent Web File Upload to External
Website-<studentID>-<date as mmddyy>
5. Ensure that this Rule is Enabled.
6. Locate your Rule from the list created in Exercise 8-4 titled, Prevent Web File Upload to External
Website Based on Scan Result-<studentID>-<date as mmddyy>
7. Ensure that this Rule is Disabled.
8. Like you did in Exercise 1-3, navigate to the Desktop of one of your VM Endpoints where you
previously installed the Agent.
9. On the Desktop of the Endpoint, locate Firefox and launch the browser.
10. In the browser, navigate to, https://dlptest.com/
11. At the top of the Home page, select HTTPS POST from the choices.
12. On the Desktop of the Endpoint, locate the file titled, Content Scanning Test
13. Drag this file into the field on the page titled, “Drop a file here or click to upload.”
14. Click, Submit.
15. The End User Notification you configured in Exercise 9-1 will be displayed on the Endpoint Desktop.
16. Return to the Console and back to the Rules page.
17. Locate your Rule from the list created in Exercise 8-4 titled, “Prevent Web File Upload to External
Website-<studentID>-<date>”.
18. On the right, ensure that this Rule is Disabled.
19. Locate your Rule from the list created in Exercise 8-4 titled, Prevent Web File Upload to External
Website Based on Scan Result-<studentID>-<date>.


20. On the right, ensure that this Rule is Enabled.


21. Return to the Endpoint Desktop again.
22. On the Desktop of the Endpoint, locate the file titled, Content Scanning Test
23. Drag this file into the field on the page titled, Drop a file here or click to upload.
24. Click, Submit.
25. Verify that the End User Notification you configured within your Notification Policy in Exercise 9-2 is
displayed on the Endpoint Desktop.
26. Within the Notification, select a Justification of your choice and click Submit. Note that your upload
Activity is now permitted.
27. You will now have one Active Alert you can review in a following Exercise.

Exercise 9-4: Review and Perform Workflow functions on Generated Alerts


1. From the console, navigate to the Analytics view.
2. Click Alerts on the left navigation menu.
3. At the top of the page, Click the Region Time Source filter.
4. In the Filter By dialogue below the Time heading, below the Over the last…, click 30d.
5. Click Done. You now see 30 days of Alerts in the table.
6. To the immediate right of the Time filter, click +.
7. In the Filter By dialogue, locate the User drop-down list and click it.
8. Below the User drop-down list, locate User Name and click it.
9. In the Select Values dialogue, locate your studentID (Administrator) from the list and select it.
10. Click Done. The Alerts you generated in Exercise 9-3 are now displayed in the table. You will see your
studentID listed as the endpoint-hostname.
11. To begin interacting with an Alert, select it from the table.
12. First Assign the Alert. On the right of the page, with your Alert selected, just below the Assignee
heading, click Unassigned.
13. From the Select drop-down list, locate your student ID and click it. The Assignee value now reflects
your studentID.
Update the Status of your Alert(s).
14. With your Alert selected, locate the column titled WORKFLOW Status.
15. Select the New value from the drop-down list and change it to In Progress. Note the Status update to
your Alert.
16. With your Alert selected in the table, on the right scroll down slightly to reveal the Summary, Details,
History, and Comments tabs.
17. Click the Comments tab.
18. Within the field titled Write a comment…, click and enter the following value: Alert Status updated to
In Progress.
19. Click the History Tab.
20. Notice that both your Status Update and Alert Assignment are seen here.
21. Click the Summary Tab.


22. Below the Origin heading, locate the User heading.


23. Below the User’s name, click Open Timeline.
24. Within the User's Timeline subview, notice you can now see the user's Activities before, during, and
after the Activity that generated this Alert, giving deeper context on the user's Activities around the time of
the Alert.
25. Close the new browser tab launched by the last step.
26. Back below the Summary tab, locate the Files/Resources heading.
27. Below the Activity this Alert is tied to, review the Source and Target values to understand more details
about the file involved in the Activity. If the File involved was a Tracked File, you could access the File
Timeline subview. However, the file involved in your Alerts was a Non-Tracked file so this subview is
not available
28. To see the File Timeline subview, go back to the top of the page, locate your filter for User Name,
mouse over it, and click the X to delete it. You will now have just a filter for 30 days in place.
29. Click the + to the immediate right of the Time filter.
30. In the Filter by dialogue, locate the Activity heading and click it.
31. From the drop-down list below Activity, locate Categories and click it.
32. In the Select Values dialogue, locate File Tracking, select it from the list and click Done.
33. In the table of updated Alerts, select one, then navigate back to the Summary tab again.
34. Scroll down to the Files/Resources heading.
35. Notice that within the Target field, you now see File Timeline to the right of the File Details
parameter.
36. Click File Timeline.
37. The File Activity Details subview is launched. Here you can review any/all associated Activities
performed on the Tracked File from Entry to Exit points chronologically.
38. To review the results of the Endpoint File Scan while uploading a file, clear the filter you just added in
the last step and replace it with your studentID, like in steps 6-10. Verify your test Alerts are now seen
in the table.
39. Select the Alert titled, “Prevent Web File Upload to External Website Based on Scan Result-
<studentID>-<date>”.
40. On the right, navigate back to the Summary tab.
41. Scroll down and locate the Indicators and Matches heading.
42. Below this heading you’ll see an entry titled “Social Security Number (All): United States”.
43. Click the + to the left of this value.
44. The value of the Social Security number located by the File Scan is now shown.

Exercise 9-5: Tag Configured/Generated objects


1. From the console, navigate to the Administration view.
2. Click Definitions on the left navigation menu.
3. Click Tags below it.
4. On the right of the page, click New Tag.
5. In the New Tag dialogue, within the Name field, type: <studentID>-<date as mmddyy>-My Tag


6. Assign a Color of your choice.


7. Click Save. Your new tag will be seen in the table of Tags.
Apply your Tag to your various configuration objects.
8. Navigate back to the Rules page and repeat the following steps for both of your Rules.
9. Locate your Rule, select it from the list, and click Edit, on the right.
10. In the General section, click Add Tags.
11. Within the Add/Edit Tags dialogue, locate your Tag, select it, and click Done.
12. Your Tag is now seen on the Rule.
13. Navigate back to Conditions page and repeat steps 10-12 to Tag your Condition.
14. Navigate back to the Alerts page, locate your Alerts in the table.
15. Select your Alert from the page.
16. On the right, click the Summary Tab.
17. Below the Activity heading, locate Tags and click Add Tags.
18. Within the Add/Edit Tags dialogue, locate the Tag you configured in exercise 9-5, select it from the
list.
19. Click Done. Your custom Tag now appears on the Alert.
20. Repeat this for both of your Active Alerts.

Lesson 10: Explorations
Introduction
This lesson shows how to create a simple Exploration to identify selected activities. It demonstrates how
to use Exploration filters to limit the activities displayed. It also explains how a refined Exploration can
serve as the basis for creating a rule.


Explorations

This illustration shows where an Exploration fits in the implementation of Insider Threat Management. This
lesson reviews the steps and fields to complete in order to create and configure an Exploration.


The purpose of the Insider Threat Management software is to gather data, present it, and filter the data to
a select set of actionable items. While you can use the tools available in multiple ways, this lesson
presents a simple method to use Insider Threat Management.
We’ll start with a simple goal of identifying Web Uploads with an Exploration.
The system has been gathering data from the endpoints where we installed the Agent apps.
To start the process, we will create a simple Exploration to locate the Web Upload actions. We will then
continue to work to review and refine the exploration prior to implementing conditions and rules.


You can create explorations for user activities and system events. You can filter the data by rules,
conditions, and you can use the items in the Threat Library. In addition, the agent detects exfiltration
attempts that were blocked by a prevention rule and can display this as an activity category.
You can create your own custom explorations or use the available templates.
Some examples of explorations include:
• USB copy activity: View all users who have copied files to their USB device
• Suspicious users: View all activities in all channels (endpoint, email, cloud) for a group of users, for
example those planning to leave the company
• Upload files to Web: View all users who have uploaded files to their personal webmail
• Download files from the Web: View all users who have downloaded a file from share/cloud drives
• Exfiltration attempts: View file exfiltration attempts that were blocked by a prevention rule


Explorations are extremely powerful and quick queries that you build out based on the information
collected. They are structured in a way to be intuitively understood by users.
To create an Exploration, follow these steps.
1. Define exploration goal
2. Create and run Exploration (conduct the search)
• Use output from exploration to analyze the data set of activities
3. Analyze output
• Number of Activities
• Common output (risky or not)
4. Modify exploration to identify actionable activities
• Filter until reasonable number of Activities (10-15 per day)
5. Save Exploration
• Re-run Exploration to identify any additional activities for action
After you set up your exploration, the results will display and you can define what you want to see.
You can export activities to CSV, JSON, or PDF files.


The first step of an exploration is to define your goal – what do you want to identify? Insider Threat
management collects large numbers of activities. To make your exploration meaningful, you must narrow
it to just the actionable items. You want to collect those items where you can take action within a
reasonable time, such as within the day.


You can create your own custom explorations or use the available templates.
These templates target the activities that Proofpoint has found most customers are focused on monitoring
and investigating.
Note: Be aware that when you create an Exploration from a Template, the system automatically saves
the Exploration.


Steps to create new Exploration from Template.


1. Open Analytics App
2. Select EXPLORATIONS tab
3. Select Templates tab at top
4. Extend the view to show the Tags and Actions (…) columns
5. Choose a template (hover over its Description for detail) and click …
6. Select Save as new
7. Enter a Name for the new Exploration in the pane that appears (the name defaults to the template name,
which also creates a duplicate under Active Explorations)
8. Click Save
9. Select Active tab to view new Exploration
10. Click new Exploration to open in EXPLORATIONS to add or delete filters


Click New Exploration which opens EXPLORATIONS screen.


1. Select Analytics app
2. Select EXPLORATIONS > New Exploration
3. View number of Activities shown


4. Click the pencil (or dots > Edit) to modify selected filter.
Number of activities changes with each edit.
5. Click + to add filters
Select from ‘Filter by’ list


Choose from the Filter by lists to add filters to your Exploration and limit the number of Activities.
The Data Dictionary contains a table to help you locate your desired filter. It helps you master the ‘Filter by’
menus (currently 29 menus), which are not alphabetical, do not match partial entries on search, and whose
search is limited to the current list (sub-lists are not included in each search).
Use the Data Dictionary to identify and locate options to filter your Exploration. The Data Dictionary is
currently still a work in progress and thus unreleased.
https://documentation.observeit.com/SAAS/product_overview/data_dictionary.htm
Items in the “Data you can filter by” column hold additional ‘filter by’ items.
• This list of items is dynamic, based on the Activities collected


This section describes the entities and fields used in the Proofpoint Information and Cloud Security
Platform. The JSON path is also included.
Note: This is a partial list of fields. More fields will be added.
Note: The fields here are the most commonly used fields. Other fields included in the Proofpoint Information
and Cloud Security Platform may not be described here.
Note: You may not see all the fields listed here when you view Proofpoint Information and Cloud
Security Platform. What you see depends on your entitlements.
Note: This dictionary uses the term observed system and observed entity. These refer to the system that
is monitored by Proofpoint security system. For example, Office 365 Cloud Application monitored
by CASB, Windows Laptop monitored by PFPT Endpoint Agent, Email Gateway monitored by
PFPT email security (PPS)
Note: Signals refer to types of activity monitored by the security system.


6. Review Results


7. Replace Untitled with name of exploration


8. Click Save New


Goal – Web Upload detection

• How many web uploads occurred in the environment in the past week?
+ > ‘Filter by’ Activity > Categories > Web File Upload
• Look for commonalities
Identify non-risky web sites (internal websites)
• Exclude non-risky sites from the search
+ > Activity > Website > URL Domain > pfpt.sharepoint.com
Select Excludes at the top of the list
Click Done

Get to sanctioned versus risky activities

Identify where you want alerts (actionable items).
Duplicate the criteria set as a rule (Administrative interface).
You can modify an Exploration to identify actionable activities and save the Exploration.
You can export activities to CSV, JSON or PDF files.

Click the dots (…) under Actions to view options. Choices include:
• Show Exploration in Dashboard – displays it below the standard Exploration graphics
• Duplicate – when you want to use an existing Exploration as the base for a new one
• Add/Edit tags – these can be modified at any time
• View/Edit Details – for information on this Exploration
• Archive – you can archive and unarchive Explorations and view them with the Archive tab

Click the dots (…) at the top of the Exploration to view options. Choices include:
• Remove from dashboard
• Duplicate – when you want to use an existing Exploration as the base for a new one
• View/Edit Details – for information on this Exploration
• Archive – you can archive and unarchive Explorations and view them with the Archive tab

Follow the steps shown on the slide to add Tags to your Exploration.

Access View/Edit Details for additional information on this Exploration.

Select Archive, where you can archive and unarchive Explorations and view them.
This is also where you can delete an existing Exploration. Delete is a two-step process: you first archive
the Exploration, then you can delete it.

You can change the view between a list view and a graphic view. In these views you can sort and filter the
information.

The results of your Exploration show both activities and alerts. Alerts have color-coded icons to indicate
their severity.

Exploration results show Activity Details:

• Status
• Screen recorded by agent
• Summary, Details, History, and Comments tabs
• View Activity, User, Endpoint, Files/Resources, Process/Application, Tags, File Rename, and Rules
• Actions: Open Timeline, Add Comments, Add Tags, Export Activities, View JSON

Click the status to open a drop-down menu and change the item status. The status shows on each item in
Explorations and in the Alerts listing.

Click the Summary tab to view key information about the selected activity. This includes:
• Activity – why it is in this list
• User – aliases (how listed) as well as a link to the timeline for this activity
• Endpoint – name of the endpoint where the activity occurred (link to Timeline)
• File/Resources – path to stored files
• Process/Application – what triggered this activity’s selection
• Tags – where you can add tags to this item
• File Rename – action that triggered this item (with File Timeline link)
• Rules – what in a rule triggered this item’s selection
• Extension – which file extensions are involved

From the Summary information, click Open Timeline to see activity before and after the activity of
concern.

Access File Timeline from the Summary tab. Here you can view the file history.
File Activity Details shows the history of the file in question. It shows dates, times, actions taken, and
locations.

Click each field to view additional information. The most common fields include:
• Activity
• User
• Workflow
• Endpoint
• Process/Application
• User Interface
• Files/Resources
• Agent
• Indicator
• Feed
• Entity/Application
• Components
• Data
• Event

The Send button functions as Done; it becomes enabled when you enter a comment.

Exercise 10: Build Explorations using Templates and Custom Steps

Scenario
To support Central Healthcare’s goals and objectives around various activities, having quick, easy access
to Endpoint user activities of these types is of utmost importance. This lab will focus on building the
configuration function which fulfills this requirement.

Objectives
• Build an Exploration, using a Template, that will show which User uploaded a file named “Commission
Sales Agreement.”
• Build a custom Exploration to determine which user attempted to copy a file to a USB drive but was
blocked.
• Build an Exploration using a default template to determine the MIP Classification label of a file
attempted to be copied to a USB storage device.
• Build a custom Exploration to determine new file names which were applied to specific files.

Exercise 10-1: Exploration from template to view Web Upload activities

1. From the console, navigate to the Analytics view.
2. Click Explorations.
3. Select the Templates tab.
4. Click the box to select the Template titled “Web File Uploads: Past Week.”
5. Click Save as new, at center top.
6. Save as New Exploration opens. Enter Name: <Username>-<date as mmddyy>-Web File Uploads:
Past Month.
7. Click Save.
8. Click the Active tab at the top of the view.
9. Locate your newly created Exploration on the page and click it. This puts you in the Explorations view
with the template filters in place.
10. Mouse over the 1st filter on the left for REGION TIME SOURCE and click the pencil.
11. In the Filter By dialogue, below the Over the last… heading, click 30d.
12. Click Done.
13. Add a filter to your Exploration by clicking + next to the “Web File Upload” filter at the top of the page.
14. In the ‘Filter by’ view, expand Files/Resources and click Name.
15. In the list of files, locate “commission sales agreement.docx” and select it.
16. Click Done.

17. Within the activity located by this search, note the User Name value. Record it here.
______________________________________________________________________________________
18. Click Save.

Exercise 10-2: Custom Exploration identifying whose copy to USB was blocked


1. From the console, navigate to the Analytics view.
2. Click Explorations.
3. Click New Exploration in upper right.

4. Locate the 1st filter in your Exploration titled, Region Time Source, and click the pencil to update the
timespan of the filter.
5. In the Filter By dialogue, below the Over the Last… heading, click 30d.
6. Click Done. You should now see about 1500 +/- Activities in results.

7. To the right of your 1st filter, click the + to add another filter.
8. In the Filter By dialogue box, locate and expand Activity and click Categories.
9. From the list of Categories, select File Write Blocked, then click Done.
The activity shows the details of what occurred.
10. Click anywhere on the Activity line to open the Alert details.
11. Select Summary tab and scroll down.
12. Below the File Write Blocked heading note the value provided indicating the name of the file that was
blocked.

Exercise 10-3: Determine MIP label of attempted file copy to USB


1. From the console, navigate to the Analytics view.
2. Click Explorations in left navigation bar.
3. Click Templates at the top.
4. Locate and select the Template titled “Copy to USB: Past Week.”
5. At the top right of the page, click Save as new.
6. At the top left of the page, click on the existing title and rename it <student ID>-<Date>-Copy to USB:
Past Week.
7. Click Save.
8. Modify the first filter for time and change the value to 30 days.
9. Click Done at the bottom right.
10. Add a filter to your Exploration by clicking + next to the “Copy to USB” filter at the top of the page.
11. In the Filter By dialogue, locate and click Files/Resources to expand it and click Classification
Labels.
12. In the Classification Labels dialogue select confidential.
13. Click Done.
14. Within the activity located by this search, note the value within the FILES/RESOURCES - NAME
column. Scroll over CONFIDENTIAL for more detail.

Exercise 10-4: Determine new file names applied to specific files


1. From the console, navigate to the Analytics view.
2. Click Explorations.
3. Click New Exploration.
4. Modify the first filter for time and change the value to 30 days.
5. Add a filter to your Exploration by clicking + next to the time period filter.
6. In the Filter By dialogue, locate and click Activity and click Categories.
7. In the Categories dialogue, locate and select File Rename, then click Done.
8. The Activities panel should now reveal the file names via the “FILES/RESOURCES – NAME” column.
9. Make a note of the new file name that was applied to the file in question, which also carried a MIP
label of Confidential.
_________________________________________________________________________________________

Lesson 11: Dashboard Setup and Interpretation
Introduction
This lesson teaches how to configure and navigate your Dashboard and use its information.

Dashboard Setup and Interpretation

The dashboard provides insight into the following.

• What are my users doing with my data?
• Can I quickly detect concerning behavior?
• How quickly and easily can I respond and investigate?
The Platform brings Security, Flexibility, and Scalability
The platform collects details about how users are interacting with data on their endpoints. It doesn’t just
alert IT and security teams about risky data movement. It also provides context through a timeline that
shows how users access, move and manipulate files and data. Security teams can quickly see links
between:
• User interaction with files or data (such as cut, copy, paste, rename, move)
• File name, extension and size
• Data classification label information (using Microsoft Information Protection labels)
• File and data tracking (including its origin, intermediate location and destination)
• Exfiltration channel (including domain name and URL if the data was moved through a web-based
channel)
• Contents of data on the operating system’s clipboard

From the Analytics App, click Dashboard in the left navigation bar. This takes you to the view of the top six
items, as defined by the system, for Analysts to monitor.
Click Select Widgets to set default view to other options. Choose the six you wish to see when you open
your Dashboard and click Save.

ITM & DLP: displays information about ITM and Endpoint DLP alerts and events as well as cloud events.
You can see graphs of standard (preconfigured, canned) analytics as well as any Explorations that you
have configured.
Definition
• User interface for analysts
Purpose
• Presents a quick look at activities on endpoints by region
Use
• Shows the top things for analysts to monitor
User tasks
• Customize the desktop view
• Modify the result order: select most or least
• Choose the chart type: select bar, pie, or table
• Save Explorations to the dashboard

You can customize each of the six common charts at the top of Explorations to serve your needs best.
Click Select Widgets to set default view to other options. Choose the six you wish to see when you open
your Dashboard and click Save. Click the Settings gear to change the default result order and the chart
type.

As you create your own Explorations, you can choose to display each on the dashboard. They display
below the standard charts. You can remove each of these from your dashboard when you choose.

To quickly investigate an item further, click on that item in the selected chart. This opens the
Explorations page, where you can continue your investigation.

Exercise 11: Review Dashboard functionality and Use

Scenario
You’ve been concerned by feedback from a manager that employees seem to be spending
disproportionate amounts of time browsing the Internet. Using the Dashboard, select and access User
Activity of interest and concern and navigate the workflow of the Dashboard.

Objectives
• To focus these findings and make them available for quick review, edit the presentation of the
Dashboard objects
• You want to be able to review these findings with your colleague easily so, add your custom
Exploration to the Dashboard

Exercise 11-1: Access and navigate to select items on the Dashboard


1. From the console, navigate to the Analytics view.
2. Click Dashboard on left navigation menu.
3. Locate the dashboard widget titled Most Used Applications.
4. Within the graph, locate and select the most used application. This will drop you into the Exploration
view with criteria pre-assigned.
5. To determine which user used this application most, within the Activity Summary section of the page,
select Edit Columns.
a. When the Group by Columns dialogue box opens, select User, then below that heading, User
Name. Click Done.
• The endpoint users who used this application now show in the Activity Summary section.
b. Click Count at the top of the Activity column to order by count. The user who most used this
application is now shown at the top of the list.
c. Click the user at the top of the list in the User column, within Activity Summary. (galen.erso or
carol.brown).
• This user’s activities with the selected application now show in the Filtered Activities section
of the page.

Exercise 11-2: Edit the Dashboard objects to change the presentation


1. From the console, navigate to the Analytics view.
2. Click Dashboard on the left navigation menu.
3. Locate the Dashboard widget titled, Most Used Websites for Browsing/Download.
4. Click the gear icon in the upper right corner of the object.
5. This toggles the view and allows you to change how the data is presented within the graph. Change
the Result Order value from Most to Least. Notice the presentation of the data is now reversed and
the title of the graph also reflects this change.

6. Click the gear icon in the upper right corner of the object, again.
7. This toggles the view again and allows you to change how the data is presented within the graph.
Change the Chart Type from Bar graph to circle graph. Notice the data is now presented with a circle
rather than a bar graph.
8. Set each of the six standard Dashboard Widgets to your preferences.

Exercise 11-3: Add your custom Exploration to the Dashboard page


1. From the console, navigate to the Analytics view.
2. Click Explorations on left navigation menu.
3. Click the Active tab at the top of the page.
4. Locate one of the Explorations you built in a previous exercise.
a. In the upper right corner of the Exploration, click …
b. In the dialogue box that opens, click Show in Dashboard. Note a value is added within the
Exploration reflecting “Dashboard.”
5. Click Dashboard on the left navigation menu.
6. Scroll to the bottom of the page and notice your Exploration now appears on the page below the
default graphs.

Lesson 12: System Monitoring and Support Services
Introduction
This lesson teaches system best practices, how to resolve common support issues, and what to do when
contacting Technical Support.

System Monitoring and Troubleshooting

Best practices include the following.


• Monitor entitlements, system health, and system usage
• Review Policies for potential problem situations
• Follow up on system Warning messages as they appear
• Report issues to Proofpoint support as needed with proper details
• Collect all required information when opening a support ticket
• Identify the current entitlements on the training system (your system)

In order to know exactly how your account is configured, review the entitlements. To see the entitlements,
from the Proofpoint Information Protection platform, select the Administration app and then select
Settings.
Entitlements are based upon your organization's licenses and include:
• Entitlement status of Proofpoint CASB
• Entitlement status of Proofpoint Email DLP
• Entitlement status of the SaaS metadata feed for exporting data to an external S3 bucket
• Maximum retention per product
• Status of the entitlement, such as active or expired
• Average activity per user per day for endpoint products
• Visual storage capacity for endpoint ITM SaaS

Statistics show what your organization is ingesting and using. From the Statistics view, you can take a
look at your account at a point in time as well as historically. This view lets you understand the activity rate
and if applicable, screenshot storage, and you can compare this with your account entitlements.
To view the account statistics, from the Proofpoint Information Protection platform, select the
Administration app. Select Account > Statistics.
At the top of the Statistics, you can set the time period you want to see (last 7 days, last 14 days, last 30
days, last 90 days, and all time).
The statistics view shows activity for all channels:
• Endpoint channel: Endpoint DLP, ITM Specific and Endpoint Health
• Cloud channel: CASB
• Email channel: Unified Alerts

When you select an activity from the Activities by time area, it then shows in the Activity Ingestion Rate
graph in the Details area, so you can see ingestion over the selected time period.
View common warning messages
• Regarding usage
• Regarding stale session
Gather information
• Incident ID
• Details
Complete the recommended procedure for each. Copy the details for Support if you cannot clear the
message.

Identify potential problem situations

Identify and resolve intersecting and overlapping policies
1. Identify the Agent Realm to review
2. Click the dots and select Edit
3. Select the Agent Policies tab
4. Click the dots and select Edit for each policy
5. Review the General and Details tab per policy
**Remember: policies are read from the top down. Thus, a DLP policy at the top will prevent the screen
captures of an ITM policy at the bottom.

Customers who are Authorized Support Contacts (ASC), or have a limited access role, and have a login
(credentials) for the Proofpoint Customer Success Center (PCSC) can access the community.
1. Customers with these credentials access the community from the PCSC login page. (The community
is located behind the login.)
2. Logging in directs the user to their personalized community homepage.
3. The community organizes information by both product and topic. You can also navigate quickly to the
information you are looking for by using the Product Quick Links, the Explore by Product drop-down
menu, or by searching key terms.

1. Identify problem policies
• Collect and review JSON files
• Agent Realms > click to select Realm > Actions > View Details > option to Export.json
• Rules > click to select Rule > Dots > View as JSON > Export.json
2. Edit Realm
• Check the retention policy and time
• Endpoints > Agent Realms > click to select realm > Installation Configuration
3. Advanced Settings
• Endpoints > Agent Realms > click to select Realm > Edit > Advanced Settings > Configuration
Files > Encryption enabled (on/off)

A DLP-only policy does not show in the Edit Agent Realm policy list; you have to look at each policy.
The policy above overrides the policies below.
1. Identify and click the Agent Realm to review
2. Click the dots per policy and select Edit
3. Review the General and Details tab per policy
**Remember: policies are read from the top down. Thus, a DLP policy at the top will prevent the screen
captures of an ITM policy at the bottom.

Agent Realm
1. Edit Realm
• Check the retention policy and time
2. Advanced Settings
• Endpoints > Agent Realms > Dots > Edit > Advanced Settings > Configuration Files > Encryption
enabled (yes/no)
Advanced Settings per Realm
1. Policies > Agent Policies > Dots (per policy) >
• Disabled encryption gives more access to the configuration files on the Agent
• Dump with key performs decryption
2. Review the policy stack
a. Realm Policies flow from top to bottom
b. If the top policy says capture only metadata, it overrides the lower policies (no screen captures)
c. The default for policy creation (DLP only) captures no screenshots or web browsing
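The top-down precedence rule described here (and under Identify and resolve intersecting and overlapping policies earlier in this lesson) is easy to get wrong in a realm with many policies, because nothing in the list view flags a shadowed policy. The following Python model is an added example, not part of Proofpoint's product or documentation: it evaluates a realm's policy stack top-down, first applicable policy wins, and reports users whose screen captures are silently switched off because a DLP-only policy sits above the ITM policy meant for them. It goes beyond the page by turning the rule into an audit. The AgentPolicy fields, the applies_to user set, and the sample policy names and users are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class AgentPolicy:
    """A policy as it sits in an Agent Realm's policy stack.

    The capture flags follow the page: a DLP-only policy collects metadata only
    (no screenshots, no web browsing), an ITM policy may collect both.
    'applies_to' is an assumption for this example; an empty set means the
    policy applies to every user in the realm.
    """
    name: str
    screen_capture: bool
    web_browsing: bool
    applies_to: FrozenSet[str] = frozenset()

    def matches(self, user: str) -> bool:
        return not self.applies_to or user in self.applies_to


def effective_policy(stack: List[AgentPolicy], user: str) -> Optional[AgentPolicy]:
    """Policies are read top-down: the first policy that applies to the user wins."""
    for policy in stack:
        if policy.matches(user):
            return policy
    return None


def shadowed_capture(stack: List[AgentPolicy],
                     users: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Find users whose effective policy captures no screenshots while a lower,
    also-matching policy would have. Returns (user, effective, shadowed names)."""
    findings = []
    for user in users:
        eff = effective_policy(stack, user)
        if eff is None or eff.screen_capture:
            continue
        below = stack[stack.index(eff) + 1:]
        shadowed = [p.name for p in below if p.matches(user) and p.screen_capture]
        if shadowed:
            findings.append((user, eff.name, shadowed))
    return findings


# Constructed sample stack: a catch-all DLP-only policy sits at the top and the
# ITM policy intended for the finance team sits below it (the misconfiguration
# the page warns about), plus the corrected ordering.
DLP_ONLY = AgentPolicy("DLP only (default)", screen_capture=False, web_browsing=False)
ITM_FINANCE = AgentPolicy("ITM - Finance", screen_capture=True, web_browsing=True,
                          applies_to=frozenset({"alice", "carol"}))
MISORDERED_STACK = [DLP_ONLY, ITM_FINANCE]
CORRECTED_STACK = [ITM_FINANCE, DLP_ONLY]

if __name__ == "__main__":
    for label, stack in (("misordered", MISORDERED_STACK), ("corrected", CORRECTED_STACK)):
        print(label, shadowed_capture(stack, ["alice", "bob", "carol"]))
```

Running the audit against the misordered stack reports alice and carol as shadowed; after moving the ITM policy above the DLP-only default, the report is empty while bob (not in the finance set) still falls through to the DLP-only policy, which is the intended outcome.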

You can edit the Retention period per Agent Realm

• Once an activity is collected, its retention period cannot be changed
• From this point forward, new activities are retained for the new time period; previous activities are not
• You cannot extend the existing retention period for data already collected in the Realm
• Each activity coming into the system has a time-stamp (keep alive until)
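To make the keep-alive-until behaviour concrete, the following Python model (an added example, not product code) stamps each incoming activity with its retention deadline at ingestion and shows that a later change to the realm's retention period applies to new activities only: data already collected keeps its original deadline and is purged on schedule. The realm name, activity ids and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List


@dataclass
class Activity:
    activity_id: str
    ingested_at: datetime
    keep_alive_until: datetime  # stamped once at ingestion and never rewritten


class AgentRealm:
    """Models the per-realm retention behaviour described on the page."""

    def __init__(self, name: str, retention_days: int) -> None:
        self.name = name
        self.retention_days = retention_days
        self.activities: List[Activity] = []

    def ingest(self, activity_id: str, now: datetime) -> Activity:
        # The stamp uses the retention period in force at the moment of arrival.
        act = Activity(activity_id, now, now + timedelta(days=self.retention_days))
        self.activities.append(act)
        return act

    def set_retention(self, retention_days: int) -> None:
        # Applies from this point forward only; existing stamps are untouched.
        self.retention_days = retention_days

    def purge(self, now: datetime) -> List[str]:
        """Drop activities whose keep-alive-until has passed; return their ids."""
        expired = [a.activity_id for a in self.activities if a.keep_alive_until <= now]
        self.activities = [a for a in self.activities if a.keep_alive_until > now]
        return expired


def retention_change_demo() -> Dict[str, object]:
    """Constructed scenario: act-1 arrives under a 30-day retention, the realm is
    then changed to 90 days, act-2 arrives a day later, and a purge runs on day 31."""
    realm = AgentRealm("Corporate Laptops", retention_days=30)
    day0 = datetime(2023, 2, 1, tzinfo=timezone.utc)
    act1 = realm.ingest("act-1", day0)
    realm.set_retention(90)  # extending retention after act-1 was collected
    act2 = realm.ingest("act-2", day0 + timedelta(days=1))
    purged = realm.purge(day0 + timedelta(days=31))
    return {
        "act-1": act1.keep_alive_until.isoformat(),
        "act-2": act2.keep_alive_until.isoformat(),
        "purged_on_day_31": purged,
        "remaining": [a.activity_id for a in realm.activities],
    }


if __name__ == "__main__":
    for key, value in retention_change_demo().items():
        print(f"{key}: {value}")
```

The point for an administrator planning a retention change: raising the period before an investigation does not rescue activities already collected under the shorter period, so the change has to be made before the data of interest is ingested.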

Concern when working with the master installation config (for VDI, for example Citrix)
The validity period is set at installation, after which the config file becomes invalid
• You may want a short period to protect access to the tenant, etc.
• The SaaS Agent requires an installation file for each provisioning
• After the time expires, you need to build a new master image for agent installs
Install the Agent from the Wizard in AgentSetup-<version>.msi or from the command line in
WinagentInstall.cmd
1. On the master image machine, install the ObserveIT Windows agent.
2. To install using the Wizard when you run AgentSetup-<version>.msi, check Install for a master
image when prompted.
3. To install using the command line, set the parameter ITX_MSTR_IMAGE to true in
WinagentInstall.cmd. This is a system environment variable and it must be set to true for the master
image.
4. After the Agent is installed, configure the master image on your VDI infrastructure, such as Citrix,
Microsoft or other, to create the number of VDIs.

When you see one of these warning messages, be sure to collect the information for the Support team.

When you are not seeing information collected from Endpoints, check the following in the Endpoint Catalog.
• Check the last activity and last heartbeat
• If running, it shows the latest version the Endpoint is running
• Verify that a pre-set filter has not been set

Before you open a case

• Identify your Proofpoint Authorized Support Contact
• Prepare a summary of the issue
• Collect relevant details
• Record the time the issue occurred
• Identify steps to reproduce the issue, if possible
• Collect critical information: it-utility.exe output (Agent) and the downloaded JSON query (back end)
Open a case
• Follow the steps for the Proofpoint Customer Success Center
After the call
• Follow the best practices defined in the call
• Complete the customer satisfaction survey

You must be an Authorized Support Contact (ASC) to access the Proofpoint support community and
open a support case. If you are not an ASC, you can reach out to an ASC at your organization or contact
your account team. Your Account Manager designates the initial ASC. That individual receives credentials
and instructions to access the Proofpoint Customer Success Center portal in a Welcome letter. An ASC
can add additional ASCs within the Support Center portal.
1. As an Authorized Support Contact, log in to the PCSC portal.
2. Select the Case tab.
3. Create a new ‘Support Case’ by completing the following items:
• Case Record Type
• Blocked Sending IP (PDR)
• Email Classification Errors (FN/FP)
• Insider Threat Management Support Case (default for ITM customers)
• Request for Enhancement
• Support Case
• Support Contact: Add/Update/Remove
• Training Request
• Product Type – High-level information to help categorize and expedite your question/problem.
• Component – Further identifying the nature of your question/problem leads to a quicker resolution.
• Subject – Provide a concise statement of your question or problem.
• Description – Provide a detailed description of the question/problem including background, history,
observations, and steps you have taken to resolve the situation. Also include recent changes to your
Proofpoint system or other systems that may affect it, as well as any other information that you think
will contribute to resolving the case.
• Attachments – Add files you believe will help troubleshooting. Please include items such as
screenshots, log files, spam messages and system configuration files (e.g. filter.cfg). (25 MB
attachment size limit, or use Proofpoint Secure Share)

The “must gather” is now a live document and available on the Community Pages. Use this when
contacting Technical support to know what to collect and how to collect it.

This table provides the definitions of case severity to use as you open a case.

Collect all of the following when creating a support ticket

• Browser information (e.g., Chrome 85)
• Any error messages that were generated by the UI - use the “copy details” or “download” option to
export and save the content
• Screenshots showing the issue, highlighting the problems that are seen on the UI
• For any issue around explorations or incidents, always include an exported event/incident. You can ask
the customer to redact any potentially sensitive information.
• For rule issues, export the rule definition to JSON
• Export agent settings from the relevant realm
• Using the browser developer tools, capture the Network tab, showing whether any API calls failed (press
F12 in Chrome or Firefox)
Agent - collecting logs and configuration:
Windows:
Make sure to run any command as admin (Start > cmd > right-click > Run as administrator)
Run it-utility.exe with the appropriate arguments (explained later in this lesson)
Mac:
Enable debug logs (1), restart the agent (2-3), reproduce the problem and collect all data (4-6)
1. sudo /etc/omonitor/oitcons -d 7 Level
2. sudo /etc/omonitor/oitcons -shutdown
3. sudo /etc/omonitor/oitcons -launch
4. sudo /etc/omonitor/oitcons -policy -dump > /etc/omonitor/tmp/policy.json
5. sw_vers > /etc/omonitor/tmp/sysver
6. sudo tar czf IT_`cat /etc/omonitor/version`.`date "+%Y%m%d%H%M%S"`.tar.gz /etc/omonitor/log /etc/omon
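For analysts who collect the Mac bundle regularly, the following Python script (an added example, not Proofpoint's own tool) wraps steps 4 to 6 above: it writes the policy dump and OS version into the agent's tmp folder when the vendor commands are present, then packages the log and tmp folders into an archive named IT_<version>.<timestamp>.tar.gz, the naming the page's tar command produces, and lists the archive contents so they can be reviewed before upload. It assumes the agent layout shown on the page (/etc/omonitor with log, tmp and version); because the second directory in the page's tar command is cut off, only log and tmp are packaged here. The demo function builds from a constructed directory with a constructed log line and version string, not from a real agent install; on a real Mac, run it with sudo against /etc/omonitor.

```python
import os
import shutil
import subprocess
import tarfile
import tempfile
import time
from pathlib import Path
from typing import List, Optional


def run_if_present(cmd: List[str]) -> Optional[str]:
    """Run a command and return its stdout, or None when the binary is not installed,
    so a bundle is still produced on a machine without the agent tools."""
    if shutil.which(cmd[0]) is None and not os.path.isfile(cmd[0]):
        return None
    result = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return result.stdout


def build_bundle(root: Path, out_dir: Path, when: Optional[time.struct_time] = None) -> Path:
    """Package agent logs the way the page's Mac steps 4-6 do.

    root is the agent directory (/etc/omonitor on a real Mac). Steps mirrored:
    4. oitcons -policy -dump -> tmp/policy.json, 5. sw_vers -> tmp/sysver,
    6. tar czf IT_<version>.<YYYYmmddHHMMSS>.tar.gz over the log folder.
    Assumption for this example: the log and tmp folders are what gets packaged.
    """
    tmp = root / "tmp"
    tmp.mkdir(exist_ok=True)
    policy = run_if_present([str(root / "oitcons"), "-policy", "-dump"])
    if policy is not None:
        (tmp / "policy.json").write_text(policy)
    sysver = run_if_present(["sw_vers"])
    (tmp / "sysver").write_text(sysver if sysver is not None else "sw_vers not available\n")
    version = (root / "version").read_text().strip()
    stamp = time.strftime("%Y%m%d%H%M%S", when if when is not None else time.localtime())
    archive = out_dir / f"IT_{version}.{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        for sub in ("log", "tmp"):
            if (root / sub).is_dir():
                tar.add(str(root / sub), arcname=f"{root.name}/{sub}")
    return archive


def bundle_members(archive: Path) -> List[str]:
    """List what went into the archive, for review before it is attached to a case."""
    with tarfile.open(archive, "r:gz") as tar:
        return sorted(tar.getnames())


def demo_bundle() -> List[str]:
    """Build a bundle from a constructed agent directory (not a real /etc/omonitor).
    Returns the archive name followed by the archive members."""
    base = Path(tempfile.mkdtemp(prefix="itm-bundle-"))
    root = base / "omonitor"
    (root / "log").mkdir(parents=True)
    # Constructed sample log line and version string for the example.
    (root / "log" / "agent.log").write_text("2023-02-01 10:00:00 INFO agent started\n")
    (root / "version").write_text("7.12.0\n")
    archive = build_bundle(root, base, time.strptime("20230201103000", "%Y%m%d%H%M%S"))
    return [archive.name] + bundle_members(archive)


if __name__ == "__main__":
    print("\n".join(demo_bundle()))
```

Reviewing the member list before uploading is the step that lets the analyst honour the redaction advice above: anything sensitive in the policy dump or logs can be removed from the tmp folder and the bundle rebuilt before it leaves the organization.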

it-utility.exe can dump important information to a file, change the log level, or decrypt configs at run-time,
without stopping or restarting the agent and Windows service.
File decryption can also be done with Security - Files Decryptor.
In order to run the utility you may need to get the Agent Instance Id (see SAAS Agent Security) and pass it
as the -i (--id) argument. The second way is to run the utility as the SYSTEM user without the -i (--id)
argument.
To execute command arguments, use the pattern: [PATH TO OBSERVEIT/CLOUD]/it-utility.exe [VERB]
-[SHORT-OPTION] [VALUE]
Example: C:\Observit\it-utility.exe log -l info -i xxxxxx-yyyy-aaaa-bbbb-zzzzzzz
Run the utility as SYSTEM user
In order to avoid getting the Instance ID, or to perform register/unregister, you need to run the utility as the
SYSTEM user:
1. Download the PsExec utility from https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
2. Open a command line with Administrator privileges
3. Go to the PsExec directory and type psexec -i -s cmd to run cmd as the SYSTEM user
4. Then, in the new command line window, go to the Client Utility directory and start using the utility

This table shows the arguments and explanations for using it-utility.exe. We will practice some of these in
this class.

Log Retrieval and Logs Retrieved are to be added in Agent Version 2.4 (will not work with earlier versions)
1. Click on the Agent
2. Change the trace level to 1 hour, 1 day, 3 days, or 1 week
3. Wait (check on the last heartbeat; 10 minutes from then)
Retrieval will capture everything that is in the logs folder for the time period selected (dump command).
Agent traces are collected and saved for up to 2 weeks.
They can be accessed through a person with back-end access, or the customer must collect them from
the console and send them to Support.

From Explorations, click activity.


Open Actions drop-down menu.


Note that the bundle number is not the same as the number for items within the bundle.


Since policies are not limited to a single Condition, you can use to test a rule.


Use a Persona to act as a user when pursuing an investigation. A Persona can be assigned to an internal
investigator or set up for use by Proofpoint Technical Support.


Exercise 12: Utilize the it-utility.exe utility

Scenario
Central Healthcare’s ITM Team is small. When working with Proofpoint Technical Support, they need to be
efficient with these interactions. Gaining an understanding of Support’s needs when working with them
will help maintain this efficiency.

Objectives
• Increase the Agent’s trace level output to gather troubleshooting data for the related Support case.
• Use the it-utility.exe utility to change the Agent’s log level.
• Perform a dump of the Agent’s log file, with the increased debug output level, for inclusion in your
Support case.
• Use the it-utility.exe utility to dump internal Agent data from a managed Endpoint.
• Gather the output file(s) for inclusion in the Support case.

Exercise 12-1: Increase the Agent’s trace level output


1. From the console, navigate to the Administration view.
2. Click Endpoints on the left navigation menu.
3. Below Endpoints, click Endpoint Registry.
4. Locate and select the Endpoint from the table where issues are occurring. This opens Details on the
right.
5. Click View Details. This reveals the JSON code that shows information about the selected Endpoint.
a. Near the bottom of this code snippet, locate the value for “instanceId” and make note of the long
alphanumeric string seen here. This is the unique identifier for this managed Endpoint in the
system.
b. ___________________________________________________________________
6. Using RDP, access the desktop of the endpoint in question.
7. Launch a command prompt on the endpoint.
8. Navigate via the command line to the directory where the Agent is installed. By default this is:
C:\Program Files\IT Client Utility\Client Utility.
• cd C:\Program Files\IT Client Utility\Client Utility
9. Use the following command to increase the log level of the Agent to “debug”:
a. it-utility.exe log -l debug -i <instance ID of Endpoint gathered in step 5>
b. You will see the output:
[appsettings.json] Log Level changed from 'Error' to 'Debug'
[servicesettings.json] Log Level changed from 'Error' to 'Debug'
Log Level changed...


10. Now repeat the action/activity on the Endpoint which causes the current issue. This will gather
relevant debug data into the Agent’s log file.

Exercise 12-2: Perform a dump of the Agent’s Log file at debug level
1. On the desktop of the problematic Endpoint, open a command prompt.
2. Navigate via the command line to the directory where the Agent is installed. By default this is:
C:\Program Files\IT Client Utility\Client Utility.
• cd C:\Program Files\IT Client Utility\Client Utility
3. Navigate to your C drive on the Agent Endpoint via Windows Explorer.
4. Create a folder at the root of C: named “Agent Debug.”
5. Use the following command to dump the Agent’s log file for inclusion in your Support case:
a. it-utility.exe dump -d all -t "c:\Agent Debug" -i <instance ID of Endpoint gathered in step 5 of the
last exercise>
b. This dumps the Agent’s config and log files to C:\Agent Debug.
c. The output will look similar to this:
All files were dumped to:
c:\Agent Debug\dumpConig145016_14072021.zip
c:\Agent Debug\dumpLog145016_14072021.zip
6. Navigate to C:\Agent Debug and gather the zip files created. Be SURE to attach these to the related
Support case for review.
7. Remove the Agent Debug folder from its location once the zip files have been gathered.
8. If the Agent’s trace level still shows debug, change it back to the default Error level by issuing this
command:
a. ./it-utility.exe log -l error -i <instance ID of Endpoint gathered in step 5 of the last exercise>
b. The output will look like this:
[appsettings.json] Log Level changed from 'Debug' to 'Error'
[servicesettings.json] Log Level changed from 'Debug' to 'Error'
Log Level changed...
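The following PowerShell script is an added example that wraps the it-utility.exe usage described at the start of this section (the -i / --id argument versus running as SYSTEM without it) and the whole of Exercise 12-1 and 12-2 into one repeatable collection run. It is not Proofpoint's code and is not part of the guide. It assumes the default install path and the verbs and options the guide shows (log -l, dump -d all -t, -i); the optional JSON input is assumed to be the "View Details" text from the Endpoint Registry saved to a file, with its "instanceId" field, and the sample invocation values are constructed. The script always restores the Error log level in a finally block, so a failed dump does not leave the endpoint logging at debug, and it records the size and SHA-256 of each archive so the Support case can confirm it received the same files.

```powershell
# Added example, not from the Proofpoint guide. Assumptions: default Agent
# install path, it-utility.exe verbs/options as shown in the guide, and an
# optional JSON file saved from the console's "View Details" pane.
param(
    [string]$InstanceId,          # instanceId from the console (step 5a); omit when run as SYSTEM
    [string]$DetailsJsonPath,     # optional: saved "View Details" JSON to read instanceId from
    [string]$AgentDir = 'C:\Program Files\IT Client Utility\Client Utility',
    [string]$DumpDir  = 'C:\Agent Debug'
)

$ErrorActionPreference = 'Stop'
$utility = Join-Path $AgentDir 'it-utility.exe'
if (-not (Test-Path $utility)) { throw "it-utility.exe not found at $utility" }

# Step 5a, scripted: pull instanceId out of the saved Endpoint details JSON.
if (-not $InstanceId -and $DetailsJsonPath) {
    $details = Get-Content -Raw -Path $DetailsJsonPath | ConvertFrom-Json
    $InstanceId = $details.instanceId
}

# Build the optional "-i <id>" argument pair. When the script runs as the
# SYSTEM user (psexec -i -s cmd, as in "Run utility as SYSTEM user") it is omitted.
$idArgs = @()
if ($InstanceId) { $idArgs = @('-i', $InstanceId) }

function Invoke-ItUtility {
    param([string[]]$Arguments)
    $output = & $utility @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "it-utility.exe $($Arguments -join ' ') failed (exit $LASTEXITCODE): $output"
    }
    $output
}

function Set-AgentLogLevel {
    # Levels shown in the guide: error (default), info, debug.
    param([ValidateSet('error', 'info', 'debug')][string]$Level)
    Invoke-ItUtility (@('log', '-l', $Level) + $idArgs)
}

try {
    Write-Host 'Exercise 12-1: raising Agent log level to debug'
    Set-AgentLogLevel -Level debug | Write-Host

    Read-Host 'Reproduce the issue on this endpoint now, then press Enter to dump the logs'

    Write-Host "Exercise 12-2: dumping Agent config and logs to $DumpDir"
    New-Item -ItemType Directory -Path $DumpDir -Force | Out-Null
    Invoke-ItUtility (@('dump', '-d', 'all', '-t', $DumpDir) + $idArgs) | Write-Host

    # Sanity check: the guide shows a config archive and a log archive being written.
    $zips = Get-ChildItem -Path $DumpDir -Filter '*.zip'
    if ($zips.Count -lt 1) { throw "No dump archives were written to $DumpDir" }
    foreach ($zip in $zips) {
        $hash = (Get-FileHash -Path $zip.FullName -Algorithm SHA256).Hash
        Write-Host ("  {0}  {1} bytes  SHA256={2}" -f $zip.Name, $zip.Length, $hash)
    }
    Write-Host "Attach the archives above to the Support case, then remove $DumpDir (step 7)."
}
finally {
    # Step 8: restore the default Error level even if the dump failed.
    Write-Host 'Restoring Agent log level to error'
    Set-AgentLogLevel -Level error | Write-Host
}
```

Run it from an elevated PowerShell on the endpoint, for example `.\Collect-AgentDebug.ps1 -InstanceId <instance ID from step 5>` (the script name is an assumption), or from the SYSTEM command window opened with PsExec with no -InstanceId at all. The hashes printed for each archive are what to quote in the Support case so both sides can confirm the uploaded files are the ones the Agent produced.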



Lesson 13: Challenge Labs
Introduction
This lesson contains several problems that reflect situations you may encounter. You will work to solve
each problem using what you learned in class.



Challenge Labs


You may use any materials for reference to solve the problems presented here.
Your instructor will provide problem solutions upon request.
