Configuring alerts in the Risk Analysis module
Users can configure an alert to trigger email notifications when content that matches the alert's conditions is found in your data repository. The alert conditions you can configure include the File Name, Location, File Type, File Owner, and Policy. The notifications will be triggered every time DataSecurity Plus finds a file containing content that matches the alert conditions.
The triggered alert notification will include details on the file name, location, risk score, matched policies, number of occurrences within the file, and more.
The default alert profile
You can find and edit the default alert profile by following the steps below:
- Select Risk Analysis from the modules drop-down.
- Go to Configuration > Data Discovery Settings > Alert Profile.
- The Configured Alert Profiles page shows the built-in alert rule offered by DataSecurity Plus.
- Click the edit icon next to the default alert profile.
- Update details such as the data source, severity, description, and conditions for the alert based on your requirements.
- Click Save.
Creating and editing alerts
A) Creating alerts
Alerts allow users to inform stakeholders whenever a file containing high-value content is found. An alert profile can be used to:
- Ensure data subjects' access requests are met.
- Find all the locations where proprietary information is stored.
- Locate employees' or customers' personal information.
To create new alert profiles, follow these steps:
- Select Risk Analysis from the modules drop-down.
- Go to Configuration > Data Discovery Settings > Alert Profile.
- Click the Create Alert button in the top-right corner.
- Name the alert profile and include an appropriate description.
- Select the data source for which you want to configure the alert.
- Choose the alert severity.
- In the Criteria section, use the following tabs to narrow down the criteria that trigger an alert:
  - 7.1. Use the Include tab to provide details on when to trigger an alert.
  - 7.2. Use the Response tab to configure the actions below:
    - 7.2.1. To send an email notification to a stakeholder:
      - Click Email > Enable email notification.
      - Provide the email addresses that you wish to send the alert email to. Separate the addresses with commas. Ensure that there are no spaces in the email addresses.
      - Assign a Priority level to the email.
      - Personalize the email by providing a Subject and Message. By using the Customize option next to each, you can include alert details such as the policy name and file name.
      - If necessary, you can limit the number of emails that will be sent to each recipient by configuring an appropriate value in the Send a maximum of section. For instance, you can configure it to Send a maximum of 1 mail(s) in 1 Hour(s), ensuring that one email is sent each hour when rule-matching content persists.
    - 7.2.2. To automate a response action when the alert is triggered:
      - Click Script > Enable Script.
      - In the Script Files field, select the script of your choice. You can choose from the built-in scripts or create your own.
      - In the Arguments field, select the arguments you wish to pass in the intended order of execution.
- Once you have chosen one or multiple responses, click Save.
For example, to move a particular sensitive file to a different location, configure the alert settings using the details below.
Include: Policy = Equals = PCI DSS
Location = Contains = Sebastian
Script Files: Movefile (custom script)
Arguments: File Name and Location
You can find a report with details about the triggered alerts under Risk Analysis > Reports > Record Details > Alert Records.
B) Editing alerts
To edit existing alert profiles, follow the steps below:
- Select Risk Analysis from the modules drop-down.
- Go to Configuration > Data Discovery Settings > Alert Profile.
- On the Configured Alert Profiles page, within the Actions column, click the edit icon next to the alert you want to edit.
- Update the profile's Include and Response criteria with the required changes.
- Click Save. The alert profile will be modified.
Automated alert responses
Users can instruct the Risk Analysis module to execute a scripted response action when an alert is triggered. For this, you must link the desired script file in the Script Files field while configuring alerts. These script files can be PowerShell files, VBScript files, executables, and batch files. These will be executed based on the defined conditions.
To pass alert details to the script, select one or more Arguments. When the script runs, each selected argument is replaced in the command with the corresponding value from the alert event.
Arguments and their descriptions
The arguments below can be used based on the alert profile configured.
Argument | What it refers to | Example (How it will be displayed in the alert notification) |
Policy | The name of the data discovery policy that the data matches | GDPR Policy |
File Name | The name of the file for which the alert was triggered | GDPRdata.txt |
Location | The network path of the file containing the rule-matching content | \\DSPDEMO\Test\Exclude.txt |
File Type | The extension of the file containing the rule-matching content | .txt |
File Owner | The owner of the file containing the rule-matching content | dsp\administrator |
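The following Movefile.ps1 is an added example, not a script shipped with DataSecurity Plus. It shows a custom script for the Movefile response described earlier that treats the File Name and Location arguments as untrusted input, since both derive from names that ordinary users choose. It assumes the arguments arrive as positional parameters in the selected order (File Name, then Location) and that Location is the file's full network path; the quarantine share and log path are hypothetical.

```powershell
# Movefile.ps1 - added example, not a script shipped with DataSecurity Plus.
# Assumption: the alert passes File Name, then Location, as positional
# arguments, and Location is the file's full network path.
param(
    [Parameter(Mandatory, Position = 0)][string]$FileName,
    [Parameter(Mandatory, Position = 1)][string]$Location
)
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# Hypothetical paths: a share only administrators can read, and a local log.
$QuarantineRoot = '\\FILESRV01\Quarantine$'
$LogFile        = 'C:\Logs\dsp-movefile.log'

function Write-MoveLog([string]$Message) {
    Add-Content -LiteralPath $LogFile -Value ('{0:o} {1}' -f (Get-Date), $Message)
}

try {
    # Both values derive from a name chosen by whoever created the file, so
    # they are handled as data only: no Invoke-Expression, no wildcard paths.
    if ($Location -notmatch '^\\\\[^\\]+\\[^\\]+\\.') {
        throw 'Location is not a UNC file path'
    }
    if ([System.IO.Path]::GetFileName($Location) -ne $FileName) {
        throw 'File Name does not match the leaf of Location'
    }
    if (-not (Test-Path -LiteralPath $Location -PathType Leaf)) {
        throw 'Source file not found (already moved or deleted?)'
    }

    # The destination folder is fixed in the script; only the leaf name comes
    # from the alert. The timestamp prefix keeps same-named files apart.
    $leaf = '{0:yyyyMMddTHHmmssfff}_{1}' -f (Get-Date), $FileName
    $dest = [System.IO.Path]::Combine($QuarantineRoot, $leaf)

    # File.Move throws instead of overwriting if the destination exists.
    [System.IO.File]::Move($Location, $dest)
    Write-MoveLog "MOVED '$Location' -> '$dest'"
    exit 0
}
catch {
    Write-MoveLog "FAILED '$Location': $($_.Exception.Message)"
    exit 1
}
```

The account that runs the script needs write access to the quarantine share and the log folder, and both should be unwritable by the users whose files are being scanned.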
Example of a notification email for a triggered alert
Generating a password for alert scripts
We recommend generating an encrypted password for your script files, which is used for authentication when executing the intended scripts. To set a password, follow these instructions:
- Navigate to [installation_directory]\bin\alertScripts > helper folder.
- Execute the generatePassword.bat script to set up authentication.
- In the Windows PowerShell credentials request window, enter your PowerShell credentials in the User name and Password fields to generate an encrypted password. Ensure that you give the correct password to authenticate the server.
- Click OK.
Disabling and deleting alerts
A) Disabling alerts
You can disable an alert to temporarily stop it from being triggered. To disable an existing alert:
- Select Risk Analysis from the modules drop-down.
- Go to Configuration > Data Discovery Settings > Alert Profile.
- On the Configured Alert Profiles page, within the Actions column, you'll find a green icon indicating the target alert's active status. Click the green icon to disable that alert.
B) Deleting alerts
To delete an existing alert:
- Select Risk Analysis from the modules drop-down.
- Go to Configuration > Data Discovery Settings > Alert Profile.
- On the Configured Alert Profiles page, select the alert profiles that you want to delete and click the delete icon. The selected alerts will be deleted.
For more information on configuring alerts in DataSecurity Plus, refer to this guide.