Help Center

Third-party software Contact us

Configuring alerts in the File Analysis module

You can trigger email notifications, execute scripted actions, and move or delete files and folders as responses to alerts on configured drives. However, these alert-triggering events will only be found during scheduled File Analysis scans, not in real time.

Creating alerts

To configure alerts in the File Analysis module, follow these steps:

  • Select File Analysis from the modules drop-down.
  • Go to Configuration > Settings > Alert Configuration.
  • Click the Create Alert button in the top-right corner.
  • Provide a suitable name for the alert.
  • From the Alert Source drop-down, select File Metadata or Disk Usage.
  • Describe the new alert with the required information.
  • In the Criteria section, use the following tabs to narrow down the criteria that trigger an alert:
    • 7.1. Use the Include tab to provide details on when to trigger an alert.
    • 7.2. Use the Exclude tab to exempt trusted entities from the alert.
    • 7.3. Use the Response tab to configure certain capabilities:
      • 7.3.1. To send an email notification to a stakeholder:

        • Click Email > Enable email notification.
        • Provide the email addresses that you wish to send the alert email to. Separate the addresses with commas. Ensure that there are no spaces between the email addresses.
        • Assign a Priority level to the email.
        • Personalize the email by providing a Subject and Message. By using the Customize option next to each, you can include alert details such as the name of the user, the client, and the IP.
        • If necessary, you can limit the number of emails that will be sent to each recipient by configuring an appropriate value in the Send a maximum of section. For instance, you can configure it to Send a maximum of = 1 = mail(s) in = 1 = Hour(s), ensuring that one email is sent each hour if the unusual access pattern persists.

        7.3.2. To automate a response action when the alert is triggered:

        • Click Script > Enable Script.
        • In the Script Files field, select the script of your choice. You can choose from the built-in scripts or create your own.
        • Note: All script files, including custom-created ones, should be located in the <installation_directory>\bin\alertScripts folder for DataSecurity Plus to execute them.
        • In the Arguments field, select the arguments you want to pass in the intended order of execution.
        • Note: The Sample command-line format of the script text box illustrates the sequence in which the arguments will be executed.

          For example, to change permissions on a particular drive for stale files that were last accessed over two years ago, configure the alert criteria similar to the details below:

          Include: Last Access Time = Before = 2 = Year(s)

          Drive Letter = Equals = D:\

          Script Files: ChangePermissions (custom script)

          Arguments: Local Path

        7.3.3. To enable the move and delete responses for a specific file:

        • From the Response tab, click Move/Delete > Enable Move/Delete. Select the Delete option if you want to delete an entity if it triggers an alert. If you want to move the entity to a target location, provide the Destination Path under the Move option.
    Note: The Move response supports only the following UNC formats:



    Example 1: To move a file to the folder Myfolder on drive C on server S01, configure the destination path as \\S01\C$\Myfolder.

    Example 2: To move a file to the folder Myfolder in a shared folder Myshare on server S01, configure the destination path as \\S01\Myshare\Myfolder.

    Tip: Scripts are by far the most underrated response strategy. You can run scripts to shut down servers, stop user sessions, disable accounts, and do much more. Do you want to request a custom response? Contact our support team.
  • Once you have chosen one or multiple responses, click Save.

Editing alerts

To modify an existing alert:

  • Select File Analysis from the modules drop-down.
  • Go to Configuration > Settings > Alert Configuration.
  • On the Alert Profile page, click the edit icon next to the alert profile that you want to update.
  • Update the alert criteria based on your requirements and click Save > OK.

Automated alert responses

Users can instruct the File Analysis module to execute a response action when an alert is triggered during a scan. For this, you must link the desired script file in the Script Files field while configuring alerts. The script files can be PowerShell files, VBScript files, executables, and batch files. These automated, versatile responses help you perform remedial actions the instant a potential issue is detected, reducing the damage caused.

To target these commands at specific entities in your network, configure one or more Arguments to provide the necessary inputs in the commands. The selected parameters will be replaced in the commands by the corresponding values from the alert.

Arguments and their descriptions

The arguments below can be used based on the alert profile configured.

Argument What it refers to Example (How it will be displayed in the alert notification)
Drive Letter The name of the drive on which the file resides C:\
Server Name The name of the file server where the files or folders are located DSPDEMO
Last Access Time The most recent time at which the file was accessed 1672305065 [Unix epoch timestamp]
Last Modified Time The most recent time at which the file was modified 1672305065 [Unix epoch timestamp]
Creation Time The exact time at which the user created the file 1671235784 [Unix epoch timestamp]
Local Path The location of the file or folder for which the alert was generated C:\DSPDEMO\testing\ourfile.txt
File Name The name of the file for which the alert was triggered 35118.ISO
File Size The size of the file when the alert event occurred 163840 [In bytes]
Is Hidden The Windows attribute that defines whether the file is hidden or not false
File Type The extension of the file .doc
File Type Category The category to which the file type belongs Microsoft Word Document
Monitor Type Whether the alert was generated for a folder or file FOLDER/FILE

Example of a notification email for a triggered alert

Default script response

The DataSecurity Plus installation package contains this built-in script for a commonly used response action:

Script file name Script action Applicable argument in the UI Sample use case
triggerShutdown.bat Shuts down computers or servers Server Name This can be used to shut down the source machine of the alert-triggering file. In case of a ransomware attack or data breach, the Server Name argument can be used to stop the spread of the incident by shutting down the affected server.

Generating a password for alert scripts

We recommend generating an encrypted password for your script files, which is used for authentication when executing the intended scripts. To set a password, follow these instructions:

  • Navigate to [installation_directory]\bin\alertScripts > helper folder.
  • Execute the generatePassword.bat script to set up authentication.
  • In the Windows PowerShell credentials request window, enter your PowerShell credentials beside the User name and Password fields to generate an encrypted password. Ensure that you give the correct password to authenticate the server.
  • Click OK.
  • Note: The files relating to password generation will be generated in the helper folder in the [installation_directory]\bin\alertScripts path. For proper functioning of the generated password script file, we recommend that you do not move the helper folder and its files from this location.

Disabling and deleting alerts

A) Disabling alerts

To disable an existing alert:

  • Select File Analysis from the modules drop-down.
  • Go to Configuration > Settings > Alert Configuration.
  • On the Alert Profile page, within the Actions column, you'll find a green icon indicating the target alert's active status. Click the green icon to disable that alert.

B) Deleting alerts

To delete an existing alert:

  • Select File Analysis from the modules drop-down.
  • Go to Configuration > Settings > Alert Configuration.
  • On the Alert Profile page, select the alert profiles that you want to delete and click the delete icon. The selected alerts will be deleted.

For more information on configuring alerts for DataSecurity Plus, refer to this guide.

Don't see what you're looking for?

  • Visit our community

    Post your questions in the forum.

  • Request additional resources

    Send us your requirements.