Match Criteria for User Activity Rules

The following table lists the match criteria for user activity rules.
Match Criteria
List of activities to monitor. For example, activities can include Create, Edit, Delete, Authorize, Upload, Join, or more. You can include multiple activities in a rule.
Cloud Apps
List of accessible applications to scan. By default, all cloud apps you added to the Aperture service are scanned, but you can restrict scans to specific apps.
The count and frequency of the activity that will trigger a policy violation. For example, ten (or more) times a week, or two (or more) times per day.
User (Actor)
Users who perform the activities. By default, all users in all domains are included. Alternatively, you can:
  • Email Address—Include an email address for each user to monitor. Use commas to separate each address in the list.
  • Domain—Include (or exclude) a subset of users based on domains. Use commas to separate each domain in the list.
The Name and Type of target for the user activity. For example, a target could be any user activity that impacts a Super Admin (target name) Password (target type). Or, any user activity associated with a Client List (target name) Report (target type).
You can Add a Target to include multiple targets in a policy rule. For example, activities that add Users (target) to Teams (target), or activities that share Links (target) with Users (target) would include two targets in the rule.
The location where the activity occurs. Choices include:
  • Any Country (default)—Activities in all countries.
  • Specific Countries—Activities in specific countries. You can select multiple countries from the list.
  • Any Country Except—Activities in all countries, except the ones you select.
IP Address
The IP address where the activity was initiated. Choices include:
  • Any IP Address—Activities initiated from any IP address.
  • Specific IP Addresses—Activities initiated from specific IP addresses.
  • Any IP Address Except—Activities initiated from all IP addresses, except the ones you specify.
Use commas to separate multiple IP addresses.
Allows you to specify whether the Aperture service should trigger one of the following actions to automatically remediate incidents or log the event as a risk.
  • Send Admin Alert
  • Log Only
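
The following added example (not part of the original documentation and not the Aperture service's own logic) models how the match criteria above could combine when evaluating activity events. The field names, the event layout, per-user counting, ANDing of criteria, and the sliding time window are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Rule:
    # Hypothetical model of one rule; field names are assumptions, not the service's schema.
    activities: set                  # e.g. {"Delete", "Upload"}
    min_count: int                   # "ten (or more) times ..."
    window: timedelta                # "... a week"; evaluated here as a sliding window (assumption)
    apps: set = None                 # None = all cloud apps (default)
    domains: set = None              # None = all users in all domains (default)
    exclude_domains: bool = False    # True = exclude the listed domains
    countries: set = None            # None = Any Country (default)
    except_countries: bool = False   # True = Any Country Except
    ips: set = None                  # None = Any IP Address
    except_ips: bool = False         # True = Any IP Address Except

def in_scope(value, listed, negate=False):
    """None matches everything; otherwise include or except semantics."""
    return listed is None or ((value in listed) != negate)

def matches(rule, ev):
    """True when one event satisfies every criterion (criteria assumed ANDed)."""
    domain = ev["user"].rsplit("@", 1)[-1].lower()
    return (ev["activity"] in rule.activities
            and in_scope(ev["app"], rule.apps)
            and in_scope(domain, rule.domains, rule.exclude_domains)
            and in_scope(ev["country"], rule.countries, rule.except_countries)
            and in_scope(ev["ip"], rule.ips, rule.except_ips))

def violations(rule, events):
    """(user, time) whenever a user reaches min_count matches in the trailing window."""
    recent, hits = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        if matches(rule, ev):
            kept = [t for t in recent.get(ev["user"], []) if ev["time"] - t < rule.window]
            recent[ev["user"]] = kept + [ev["time"]]
            if len(kept) + 1 >= rule.min_count:
                hits.append((ev["user"], ev["time"]))
    return hits

# Constructed sample events (not real logs); app name and addresses are placeholders.
T0 = datetime(2024, 1, 1, 9, 0)
def ev_at(user, hours, country="US"):
    return {"user": user, "app": "ExampleApp", "activity": "Delete", "country": country,
            "ip": "198.51.100.7", "time": T0 + timedelta(hours=hours)}
EVENTS = [ev_at("a@example.com", 0), ev_at("a@example.com", 1), ev_at("a@example.com", 30),
          ev_at("b@example.org", 2, "DE"), ev_at("b@example.org", 3, "DE"), ev_at("a@example.com", 31)]
RULE = Rule({"Delete"}, 2, timedelta(days=1), countries={"DE"}, except_countries=True)  # >=2 Deletes/day, any country except DE
```

Calling violations(RULE, EVENTS) reports user a twice (the second and fourth Delete each complete a pair within 24 hours), while user b never matches because every event from that user originates in the excepted country.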
