Configuring alerts in the File Audit module

Creating and editing alerts

A) Global alerts

Upon installation of DataSecurity Plus, several built-in global alerts will be automatically activated. These alerts can be configured for events across all the configured servers and domains. For more information, refer to this page. You can also create your own global alerts for specific requirements.

Creating global alerts

To create a global alert:

• Select File Audit from the modules drop-down.
• Go to Configuration > General Settings > Alert Configuration.
• On the Global Alerts tab, click Add Global Alert in the top-right corner.
• Enter a suitable name and description for the alert profile.
• Click the + icon next to the Selected Servers field and choose the servers that you wish to apply this profile to.
• To apply this profile to any new servers that might be added to DataSecurity Plus in the future, check the box next to Apply profile to new servers.
• Classify the alert with an appropriate severity level.
• In the Criteria section, use the following tabs to narrow down the criteria that trigger an alert:
• 8.1. Use the Include tab to select the entities you want to create an alert for.
• 8.2. Use the Exclude tab to exempt trusted entities from the alert.
• 8.3. Use the Threshold tab if you want to configure a threshold-based alert (i.e., to trigger an alert when the number of events occurring within a given duration exceeds the specified value). Click Enable and configure the number of events from a source beyond which the alert should be triggered (for example, 1700 = Events in: = 2 = Minutes by: = Same User).
• 8.4. Use the Response tab to do the following:

8.4.1. To send an email notification to a stakeholder:

• Click Email > Enable email notification.
• Provide the email addresses that you wish to send the alert email to. Separate the addresses with commas. Ensure that there are no spaces in the email addresses.
• Select the option Owner if you want to notify the creator of the file, select Caller if you want to notify the user whose actions have triggered an alert, or select both.
• Assign a Priority level to the email.
• Personalize the email by providing a Subject and Message. By using the Customize option next to each, you can include alert details such as the name of the user, the client, and the IP.
• If necessary, you can limit the number of emails sent to each recipient by configuring an appropriate value in the Send a maximum of section. For example, if you have configured a threshold-based alert for 10,000 access events in one minute, and you set this section to Send a maximum of = 1 = mail(s) in = 1 = Hour(s), after the initial alert, one email will be sent every hour if the unusual access trend continues.

8.4.2. To automate a response action when the alert is triggered:

• Click Script > Enable Script.
• In the Script Files field, select the script of your choice. You can choose from the built-in scripts or create your own.
Note: All script files, including custom-created ones, should be located in the <installation_directory>\bin\alertScripts folder for DataSecurity Plus to execute them.
• In the Arguments field, select the arguments in the intended order for the response's proper execution.
Note: The Sample command-line format of the script text box illustrates the sequence in which the arguments will be executed.
• Once you have chosen one or multiple responses, click Save.
Note: Exclude filters will be given precedence over Include filters.

For example, if you want to disable a user who is mass deleting files, the alert configuration will look similar to this:

Include: Action = In = Delete

User Object = In = ALL

Threshold Limit: 50 = Events in: = 1 = Minutes by: = Same User

Script Files: disableADAccount

Arguments: User Name

Modifying global alerts

To modify an existing global alert:

• Select File Audit from the modules drop-down.
• Go to Configuration > General Settings > Alert Configuration.
• On the Global Alerts tab, within the Actions column, you'll find an edit icon for each of the configured alerts. Click the edit icon next to the alert you want to update.
• Update the required details.
• Click Save, then click OK.

B) Server-specific alerts

When earlier installations (prior to build 6060) are updated to the latest build, existing custom alerts will be moved to the Server Specific Alerts tab. When a server is selected in the Server Name field of that tab, both the global alerts and server-specific alerts that apply to the selected server will be displayed in corresponding tables.

Creating server-specific alerts

To create a server-specific alert:

• Select File Audit from the modules drop-down.
• Go to Configuration > General Settings > Alert Configuration.
• Click the Server Specific Alerts tab.
• In the Server Name field, choose the server for which you want to customize the alert.
• Click Add Server Alert in the top-right corner of the tab.
• Enter a suitable name and description for the alert profile.
• Classify the alert with an appropriate severity level.
• In the Criteria section, use the following tabs to narrow down the criteria that trigger an alert:
• 8.1. Use the Include tab to select the entities you want to create an alert for.
• 8.2. Use the Exclude tab to exempt trusted entities from the alert.
• 8.3. Use the Threshold tab if you want to configure a threshold-based alert (i.e., to trigger an alert when the number of events occurring within a given duration exceeds the specified value). Click Enable and configure the number of events from a source beyond which the alert should be triggered (for example, 1700 = Events in: = 2 = Minutes by: = Same User).
• 8.4. Use the Response tab to do the following:

8.4.1. To send an email notification to a stakeholder:

• Click Email > Enable email notification.
• Provide the email addresses that you wish to send the alert email to. Separate the addresses with commas. Ensure that there are no spaces in the email addresses.
• Select the option Owner if you want to notify the creator of the file, select Caller if you want to notify the user whose actions have triggered an alert, or select both.
• Assign a Priority level to the email.
• Personalize the email by providing a Subject and Message. By using the Customize option next to each, you can include alert details such as the name of the user, the client, and the IP.
• If necessary, you can limit the number of emails sent to each recipient by configuring an appropriate value in the Send a maximum of section. For example, if you have configured a threshold-based alert for 10,000 access events in one minute, and you set this section to Send a maximum of = 1 = mail(s) in = 1 = Hour(s), after the initial alert, one email will be sent every hour if the unusual access trend continues.

8.4.2. To automate a response action when the alert is triggered:

• Click Script > Enable Script.
• Click the + icon next to the Script Files field to select the script of your choice. You can choose from the built-in scripts or create your own.
Note: All script files, including custom-created ones, should be located in the <installation_directory>\bin\alertScripts folder for DataSecurity Plus to execute them.
• In the Arguments field, select the arguments you want to pass in the intended order of execution. The Sample command-line format of the script text box illustrates the sequence in which the arguments will be executed.
• Once you have chosen one or multiple responses, click Save.
Note: Exclude filters will be given precedence over Include filters.

For example, if you want to disable network access for any machine when a particular file is deleted, configure the alert settings using the details below:

Include: Action = In = Delete

Current File Name = Contains = EmployeeData

Script Files: disableNetwork

Arguments: Host Name

Modifying server-specific alerts

To modify an existing server-specific alert:

• Select File Audit from the modules drop-down.
• Go to Configuration > General Settings > Alert Configuration.
• Click the Server Specific Alerts tab.
• Within the table's Actions column, click the edit icon next to the alert you want to update.
• Update the required details.
• Click Save, then click OK.

Automated alert responses

Users can instruct the File Audit module to execute a response action when an alert is triggered. For this, you must link the desired script file in the Script Files field while configuring alerts. The script files can be PowerShell files, VBScript files, executables, and batch files. These automated, versatile responses help you perform remedial actions the instant a security incident is detected, reducing the damage caused.

To target these commands at specific entities in your network, configure one or more Arguments to provide the necessary inputs in the commands. The selected parameters will be replaced in the commands by the corresponding values from the alert event.

Arguments and their descriptions

The arguments below can be used based on the alert profile configured.

Example of a notification email for a triggered alert

Default script responses

The DataSecurity Plus installation package contains some built-in scripts for commonly used response actions. Some of these are in the table below:

*The below services need to be enabled in the machine where DataSecurity Plus is installed for the successful execution of certain script files.

• Windows Remote Management
  • Type Services in the Start Menu and open the Services window.
  • Select the Windows Remote Management (WS - Management) service.
  • In the left pane of the window, under Services (Local), click Start the service.
• RSAT: Active Directory Domain Services and Lightweight Directory Services Tools
  • Type Apps & features in the Start Menu.
  • Select Optional features and click Add a feature in the top-left corner.
  • Type RSAT: Active Directory Domain Services and Lightweight Directory Services Tools in the search bar, select it, and click Install.

Generating a password for alert scripts

We recommend generating an encrypted password for your script files, which is used for authentication when executing the intended scripts. To set a password, follow these instructions:

• Navigate to [installation_directory]\bin\alertScripts > helper folder.
• Execute the generatePassword.bat script to set up authentication.
• In the Windows PowerShell credentials request window, enter your PowerShell credentials beside the User name and Password fields to generate an encrypted password. Ensure that you give the correct password to authenticate the server.
• Click OK.
Note: The files relating to password generation will be generated in the helper folder in the [installation_directory]\bin\alertScripts path. For proper functioning of the generated password script file, we recommend that you do not move the helper folder and its files from this location.

Disabling alerts

You can disable an alert to temporarily stop it from being triggered. To disable an alert:

• Select File Audit from the application drop-down menu.
• Go to Configuration > General Settings > Alert Configuration.
• If you want to disable a server-specific alert, select that server in the Server Specific Alerts tab. Otherwise, stay in the Global Alerts tab.
• From the table, select the checkbox next to the alert(s) you wish to disable.
• Click the disable icon at the top of the table.

The selected alert(s) will be disabled.

Deleting alerts

To delete an alert permanently:

• Select File Audit from the application drop-down menu.
• Go to Configuration > General Settings > Alert Configuration.
• Select the tab corresponding to the type of alert you wish to delete.
• From the table, select the checkbox next to the alert(s) you wish to delete.
• Click the delete icon at the top of the table.
• Click OK to confirm the action.

The selected alert(s) will be deleted.