
Configuring alerts in the Endpoint DLP module

Default alert profiles

The Endpoint DLP module can be configured to trigger real-time email alerts, execute scripted actions, prevent USB access, and relocate or remove sensitive files from your data repository. Alert conditions in default profiles can be customized and are helpful in identifying critical endpoint actions quickly.

Editing alerts

To view and edit alerts in the Endpoint DLP module, follow the steps below:

  • Select Endpoint DLP from the modules drop-down.
  • Go to Configuration > Audit/Alert Profiles > Alert Configuration. Here, you will find preconfigured alerts in the File Integrity Monitor, Removable Storage, Printer, Clipboard, Email Client, Web, File Share, and Network Share categories.
  • Click the edit icon next to an alert profile to see its parameters.
  • In the Criteria section, use the following tabs to narrow down the criteria that trigger an alert:
    • Use the Include tab to select the entities you want to create an alert for.
    • Use the Exclude tab to exempt trusted entities from the alert.
    • Use the Threshold tab to configure a threshold-based alert, i.e., one that triggers when the number of events occurring within a given duration exceeds the specified value. Click Enable and configure the number of events from a source beyond which the alert should be triggered (for example, 1700 events in 2 minutes by the same user).
    • Use the Response tab to configure one or more of the following responses:
      • To send an email notification to a stakeholder:
        • Click Email > Enable email notification.
        • Provide the email addresses to which the alert email should be sent, separated by commas and with no spaces.
        • Assign a Priority level to the email.
        • Personalize the email by providing a Subject and Message. The Customize option next to each lets you include alert details such as the User Name and Source.
        • If necessary, limit the number of emails sent to each recipient by setting an appropriate value in the Send a maximum of section. For example, if you have configured a threshold-based alert for 10,000 access events in one minute and set this section to send a maximum of 1 mail in 1 hour, one email will be sent every hour after the initial alert for as long as the unusual access trend continues.
      • To automate a response action when the alert is triggered:
        • Click Script > Enable Script.
        • In the Script Files field, select the script of your choice. You can choose from the built-in scripts or create your own.
        • Note: All script files, including custom-created ones, must be located in the <installation_directory>\bin\alertScripts folder for DataSecurity Plus to execute them.
        • In the Arguments field, select the arguments in the intended order of execution.
        • Note: The Sample command-line format of the script text box shows the sequence in which the arguments will be passed to the script.
      • To block USB devices (applicable only to Removable Storage profiles):
        • From the Response tab, click Block USB > Enable block USB.
        • Select Block all external storage devices to block all USB devices from being used on the source machine, or Block only the source device to block just the USB device that triggered the alert.
      • To enable the move and delete responses (applicable only to Clipboard profiles):
        • From the Response tab, click Move/Delete > Enable Move/Delete.
        • Select Delete if you want to delete the entity. Otherwise, select Move and provide the Destination Path to which the entity that triggered the alert should be moved.
        • Note: The Move response supports only the following UNC formats:
          • \\MachineName\HiddenDriveShare\
          • \\MachineName\Share\Folder\
          • Example 1: To move a file to the folder Myfolder on drive C on server S01, configure the destination path as \\S01\C$\Myfolder.
          • Example 2: To move a file to the folder Myfolder in the share Myshare on server S01, configure the destination path as \\S01\Myshare\Myfolder.
      • To enable the user prompt (applicable only to Email Client profiles):
        • From the Response tab, click User prompt > Enable User prompt.
        • Select Allow or Block to warn users about policy violations.
    • Tip: Scripts are by far the most underrated response strategy. You can run scripts to shut down servers, stop user sessions, disable accounts, and do much more. Do you want to request a custom response? Contact our support team.
  • Once you have chosen one or multiple responses, click Save.
  • Note: Exclude filters take precedence over Include filters.

For example, to disable a user account through which ransomware is encrypting files and changing their extensions on the server, configure an alert with the details below:

    Include:
      • User Object = In = ALL
      • Action = In = File Extension Change
      • File Type Category = In = Ransomware Encrypted Files
      • FIM Folder = Equals = True

    Script Files: disableADAccount

    Arguments: User Name

Automated alert responses

Users can instruct the Endpoint DLP module to execute a scripted response action when an alert is triggered. For this, you must link the desired script file in the Script Files field while configuring alerts. The script files can be PowerShell files, VBScript files, executables, and batch files. These automated, versatile responses help you perform remedial actions the instant a security incident is detected, reducing the damage caused.

To target these commands at specific entities in your network, configure one or more Arguments to provide the necessary inputs in the commands. The selected parameters will be replaced in the commands by the corresponding values from the alert event.
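The ransomware example above and the argument mechanism described here, as an added PowerShell response script that is not one of the scripts shipped with DataSecurity Plus. It assumes the Arguments field is configured as User Name, Source, Location in that order, so the values arrive as positional parameters; the script name quarantineUser.ps1 and its log file are hypothetical. Unlike the built-in disableADAccount, it validates the event-supplied user name and refuses to touch protected accounts before disabling anything.

```powershell
# quarantineUser.ps1 (hypothetical name): place it in <installation_directory>\bin\alertScripts.
# Assumes the alert's Arguments field is set to User Name, Source, Location in that
# order, so DataSecurity Plus passes them positionally, e.g.:
#   quarantineUser.ps1 <UserName> <Source> <Location>
param(
    [string]$UserName,   # sAMAccountName of the user who performed the action
    [string]$Source,     # machine where the file resides
    [string]$Location    # path of the file that triggered the alert
)

$ErrorActionPreference = 'Stop'
$logFile = Join-Path $PSScriptRoot 'quarantineUser.log'   # audit trail kept beside the script

function Write-ResponseLog {
    param([string]$Message)
    Add-Content -Path $logFile -Value ('{0:u} {1}' -f (Get-Date), $Message)
}

# Never prompt: the script runs unattended, so missing input is a hard failure.
if (-not $UserName -or -not $Source -or -not $Location) {
    Write-ResponseLog "Missing argument(s): user='$UserName' source='$Source' file='$Location'"
    exit 1
}

# The value comes from the alert event, so treat it as untrusted input and accept
# only something shaped like a plain sAMAccountName.
if ($UserName -notmatch '^[A-Za-z0-9._-]{1,20}$') {
    Write-ResponseLog "Rejected malformed user name '$UserName' (source=$Source, file=$Location)"
    exit 1
}

# Built-in and break-glass accounts should never be disabled by an automated response.
$protected = @('Administrator', 'krbtgt')
if ($protected -contains $UserName) {
    Write-ResponseLog "Skipped protected account '$UserName' (source=$Source, file=$Location)"
    exit 0
}

Import-Module ActiveDirectory   # provided by the RSAT AD DS/LDS tools listed further down
try {
    Disable-ADAccount -Identity $UserName
    Write-ResponseLog "Disabled '$UserName' after alert on $Source ($Location)"
    exit 0
}
catch {
    Write-ResponseLog "Failed to disable '$UserName': $($_.Exception.Message)"
    exit 2
}
```

The exit codes and the log file give you something to alert on if the response itself fails, which the email notification alone does not show.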

Arguments and their descriptions

The arguments below can be used based on the alert profile configured.

Each argument below is listed with the alert profiles it applies to, what it refers to, and an example of how it will be displayed in the alert notification.

Violated Profile
  • Applicable profiles: File Integrity Monitor, Removable Storage, Printer, Clipboard, Email Client, Web, File Share, Network Share
  • Refers to: The name of the DLP profile for which the alert was triggered
  • Example: File Integrity Monitoring - File System

User Name
  • Applicable profiles: File Integrity Monitor, Removable Storage, Printer, Clipboard, Email Client, Web, File Share, Network Share
  • Refers to: The sAMAccountName of the user who performed the action
  • Example: John

Source
  • Applicable profiles: File Integrity Monitor, Removable Storage, Printer, Clipboard, Email Client, Web, File Share, Network Share
  • Refers to: The name of the file server or machine where the file resides
  • Example: DESKTOP-BPFJEIS

File Size
  • Applicable profiles: File Integrity Monitor, Removable Storage, Printer, Clipboard, Web, File Share, Network Share
  • Refers to: The size of the file when the alert event occurred
  • Example: 163840 [In bytes]

Creation Time
  • Applicable profiles: File Integrity Monitor, Removable Storage, Printer, Clipboard, File Share, Network Share
  • Refers to: The exact time at which the user created the file
  • Example: 1671235784 [Unix epoch timestamp]

Last Access Time
  • Applicable profiles: File Integrity Monitor, Removable Storage, Clipboard, File Share, Network Share
  • Refers to: The most recent time at which the file was accessed
  • Example: 1672305065 [Unix epoch timestamp]

Last Modified Time
  • Applicable profiles: File Integrity Monitor, Removable Storage, Clipboard, File Share, Network Share
  • Refers to: The most recent time at which the file was modified
  • Example: 1672305065 [Unix epoch timestamp]

Message
  • Applicable profiles: File Integrity Monitor, Removable Storage, Clipboard, Web, File Share, Network Share
  • Refers to: The action performed on the file
  • Example: Modify

Location
  • Applicable profiles: File Integrity Monitor, Removable Storage, Printer, Clipboard, Web, File Share
  • Refers to: The local path of the file for which the event was generated
  • Example: C:\DSPDEMO\myfile.txt or \\DSP-DEMO\Test\ExcludeConf.txt

Location
  • Applicable profiles: Network Share
  • Refers to: The network path of the file for which the event was generated
  • Example: \\DSP-DEMO\Test\ExcludeConf.txt

New File Name
  • Applicable profiles: File Integrity Monitor, Removable Storage, File Share
  • Refers to: The new name or location of the file after the action was performed
  • Example: C:\DSPDEMO\testing\myfile.txt

New File Name
  • Applicable profiles: Network Share
  • Refers to: The new network path of the file after the action was performed
  • Example: \\DSP-DEMO\Test\IncludeConf.txt

Process Name
  • Applicable profiles: File Integrity Monitor, Removable Storage, Clipboard, Web, File Share, Network Share
  • Refers to: The name and the full path of the process that carried out the file action
  • Example: C:\Program Files\Mozilla Firefox\firefox.exe

Client Host
  • Applicable profiles: File Integrity Monitor, Removable Storage, Clipboard, File Share, Network Share
  • Refers to: The name of the client machine from which the file action was initiated
  • Example: ADMANMS1

USB Event
  • Applicable profiles: File Integrity Monitor, Removable Storage, File Share
  • Refers to: Whether or not the action was performed on a USB device
  • Example: false

Time Generated
  • Applicable profiles: Web
  • Refers to: The time at which the file operation was performed by the user
  • Example: 1672305065 [In milliseconds]

Attachment File Name
  • Applicable profiles: Email Client
  • Refers to: The names of the files sent as attachments
  • Example: Employee details.docx

Attachment File Size
  • Applicable profiles: Email Client
  • Refers to: The cumulative size of the files sent as attachments
  • Example: 456378 [In bytes]

Attachment Classification
  • Applicable profiles: Email Client
  • Refers to: The classification value marked for the attached files
  • Example: Internal

Mail Classification
  • Applicable profiles: Email Client
  • Refers to: The mail classification value set by the user or derived from the attachment, if applicable
  • Example: Restricted

Mail From
  • Applicable profiles: Email Client
  • Refers to: The email address of the user who sent the email
  • Example: john@dsp.com

Mail To
  • Applicable profiles: Email Client
  • Refers to: The descriptive names of the email recipients
  • Example: sebastian@dsp.com

Mail CC
  • Applicable profiles: Email Client
  • Refers to: The email addresses of the secondary recipients to whom a copy of the email is sent; the CC field can contain no addresses, one address, or many addresses
  • Example: steve@dsp.com

Mail BCC
  • Applicable profiles: Email Client
  • Refers to: The email addresses of the secondary recipients that are invisible to the other recipients of the email; the BCC field can contain no addresses, one address, or many addresses
  • Example: rachel@dsp.com

Mail Subject
  • Applicable profiles: Email Client
  • Refers to: The concise description given at the top of the email to describe its purpose or content
  • Example: Regarding sensitive data

Mail Sent Time
  • Applicable profiles: Email Client
  • Refers to: The time at which the email was sent
  • Example: 1672305065 [In milliseconds]

Is Network Copy
  • Applicable profiles: Clipboard
  • Refers to: Whether or not the file was copied from a network share
  • Example: false

Copy Source
  • Applicable profiles: Clipboard
  • Refers to: The share path or the location from which the file was copied
  • Example: DESKTOP-BPFJEIS

Printer Name
  • Applicable profiles: Printer
  • Refers to: The name of the destination printer
  • Example: Lexmark MS317dn

Notify Name
  • Applicable profiles: Printer
  • Refers to: The name of the user who printed
  • Example: Charlie-18670

Total Pages
  • Applicable profiles: Printer
  • Refers to: The total number of pages printed
  • Example: 1

Device Instance Path
  • Applicable profiles: Removable Storage
  • Refers to: The unique ID given by Windows to the external hardware device on which the action was performed
  • Example: USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_BLADE&REV_1.00\4C530001040815117131&0

Example of a notification email for a triggered alert

Default script responses

The DataSecurity Plus installation package contains some built-in scripts for commonly used response actions. Some of these are listed below:

Each script below is listed with its action, the arguments to select for it in the UI, and a sample use case. Scripts marked with an asterisk (*) require the services listed after the table.

disableADAccount.ps1 *
  • Script action: Disables AD accounts
  • Applicable arguments in the UI: User Name
  • Sample use case: Disable the source user account of the file change that triggered the alert.

disableNetwork.ps1
  • Script action: Disables network access on machines
  • Applicable arguments in the UI: Client Host or Source
  • Sample use case: Disable network access on the source machine of the file change that triggered the alert.

triggerShutdown.bat
  • Script action: Shuts down computers or servers
  • Applicable arguments in the UI: Client Host or Source
  • Sample use case: Shut down the source machine of the alert-triggering file action. In the case of a ransomware attack or data breach, the Source or Client Host argument can be used to stop the spread of the incident by shutting down the affected server.

ransomwareResponse.ps1 *
  • Script action: Locks out the source user account, ends the user session, and shuts down the host machine, provided the host machine and the DataSecurity Plus server belong to the same network
  • Applicable arguments in the UI: User Name, Client Host, and Source
  • Sample use case: When a potential ransomware attack is launched, this response script prevents the ransomware from spreading by isolating the contaminated machine, locking out the user, ending the user's session, and shutting down the host machine.

* The following services must be enabled on the machine where DataSecurity Plus is installed for the script files marked with an asterisk to execute successfully.

  • Windows Remote Management
    • Type Services in the Start Menu and open the Services window.
    • Select the Windows Remote Management (WS - Management) service.
    • In the left pane of the window, under Services (Local), click Start the service.
  • RSAT: Active Directory Domain Services and Lightweight Directory Services Tools
    • Type Apps & features in the Start Menu.
    • Select Optional features and click Add a feature in the top-left corner.
    • Type RSAT: Active Directory Domain Services and Lightweight Directory Services Tools in the search bar, select it, and click Install.
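The two prerequisites above, as an added PowerShell check that is not part of DataSecurity Plus. It assumes the Windows service name WinRM for Windows Remote Management and the optional-feature name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 for the RSAT tools, which is how Windows 10 1809 / Server 2019 and later expose them; run it in an elevated session on the DataSecurity Plus server.

```powershell
# Prerequisite check for the built-in alert scripts (added helper, not a DataSecurity Plus file).
# Without -Enable it only reports; with -Enable it starts WinRM and installs the RSAT tools.
param([switch]$Enable)

$report = [ordered]@{}

# Windows Remote Management (service name: WinRM)
$winrm = Get-Service -Name WinRM
if ($Enable -and $winrm.Status -ne 'Running') {
    Set-Service -Name WinRM -StartupType Automatic
    Start-Service -Name WinRM
    $winrm = Get-Service -Name WinRM
}
$report['Windows Remote Management'] = $winrm.Status

# RSAT: Active Directory Domain Services and Lightweight Directory Services Tools,
# shipped as an optional Windows capability (assumed name; valid on Windows 10 1809 / Server 2019 and later).
$capability = 'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0'
$rsat = Get-WindowsCapability -Online -Name $capability
if ($Enable -and $rsat.State -ne 'Installed') {
    Add-WindowsCapability -Online -Name $capability | Out-Null
    $rsat = Get-WindowsCapability -Online -Name $capability
}
$report['RSAT AD DS and LDS Tools'] = $rsat.State

# The AD-related scripts need the ActiveDirectory module that the RSAT package provides.
$report['ActiveDirectory module'] = if (Get-Module -ListAvailable -Name ActiveDirectory) { 'Available' } else { 'Missing' }

$report
```

Run it once before relying on disableADAccount.ps1 or ransomwareResponse.ps1, and again after patching, since feature updates can remove optional capabilities.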

Generating a password for alert scripts

We recommend generating an encrypted password for your script files, which is used for authentication when executing the intended scripts. To set a password, follow these instructions:

  • Navigate to the helper folder in [installation_directory]\bin\alertScripts.
  • Execute the generatePassword.bat script to set up authentication.
  • In the Windows PowerShell credentials request window, enter your PowerShell credentials beside the User name and Password fields to generate an encrypted password. Ensure that you give the correct password to authenticate the server.
  • Click OK.
  • Note: The files relating to password generation will be generated in the helper folder in the [installation_directory]\bin\alertScripts path. For proper functioning of the generated password script file, we recommend that you do not move the helper folder and its files from this location.

Disabling alerts

You can disable an alert to temporarily stop it from being triggered. To disable an existing alert:

  • Select Endpoint DLP from the modules drop-down.
  • Go to Configuration > Audit/Alert Profiles > Alert Configuration.
  • On the Alert Profile page, within the Actions column, you'll find a green icon indicating the target alert's active status. Click the green icon to disable that alert.

For more information on configuring alerts in DataSecurity Plus, refer to this guide.
