Help Center
Quick Start
- Overview
- System requirements
- Minimum privileges required
- Default port configuration
- Installing DataSecurity Plus
- Uninstalling DataSecurity Plus
- Starting DataSecurity Plus
- Launching DataSecurity Plus
- Configuring your solution
- Licensing details
- Applying a license
File Auditing
- About File Auditing
- Domain configuration
- File server configuration
- Failover cluster configuration
- Workgroup configuration
Setting up File Audit
Dashboard
Reports
Alerts
Configuration
Storage Configuration
Endpoint DLP
- About Endpoint DLP
Setting up Endpoint DLP
Reports
Alerts
Prevention policies
Configuration
File Analysis
- About File Analysis
Setting up File Analysis
Dashboard
Reports
Alerts
Configuration
Data Risk Assessment
- About Data risk assessment
Setting up Data risk assessment
Dashboard
Reports
Alerts
Configuration
Cloud Protection
- About Cloud Protection
- Gateway Server Configuration
- Certificate Authority Configuration
- Gateway Configuration in Endpoint
- Manage Certificate Trust Store
- Threat Analytics Database
- Manage Banned Applications
- Manage Authorized Applications
- Gateway Server Failover
- Global Insight
- Application Insight
- User Insight
- Shadow Application Insight
- Banned Application Insight
- Cloud Access Reports
- Application Reports
- Shadow Cloud Application Reports
- Banned Cloud Application Reports
- File Upload Reports
Setting up Cloud Protection
Dashboard
Reports
Storage Configuration
Administrative settings
- Technician configuration
- Email configuration
- Notification filters
- Manage agent
- SIEM integration
- Business hours configuration
General settings
Release notes
2021
2020
2019
2018
2017
2016
2015
Troubleshooting
Guides
- How to Migrate/Move DataSecurity Plus
- How to apply SSL certificate
- How to automate DataSecurity Plus database backup
- How to set alerts in DataSecurity Plus
Alert configuration
Alerts help stakeholders and administrative users stay on top of critical events in the organization's file storage environment. ManageEngine DataSecurity Plus allows you to create and manage web console and email notifications.
For precise control over alert configuration, DataSecurity Plus supports two types of alerts:
- Global alert profiles, which can be configured for all or a combination of servers.
- Server-specific alert profiles, which are configured individually for specific servers.
Together, these help IT technicians detect access anomalies efficiently while still preventing alert fatigue. Alerts can be created and modified only by administrative technician accounts.
Further, responses can also be automated along with a triggered alert to mitigate the potential damage caused by an incident. These will also be discussed on this page.
Creating and editing alerts
A) Global alerts
Upon installation of DataSecurity Plus, several built-in global alerts will be automatically activated. These alerts can be configured for events across all configured servers and domains. For more information on them, refer to this page.
Creating global alerts
To create a global alert:
- Select File Audit from the application drop-down.
- Go to Configuration > General Settings > Alert Configuration.
- Ensure you are in the Global Alerts tab and click Add Global Alerts in the top-right corner of the tab.
- Enter a suitable name and description for the alert profile.
- Click the + icon next to the Selected Servers field and choose the servers that you wish to apply this profile to.
- To apply this profile to any new servers that might be added to DataSecurity Plus in the future, check the box next to Apply profile to new servers.
- Classify the alert with an appropriate severity level.
- If you want to configure a threshold-based alert, i.e., to trigger an alert when the number of events occurring within a given duration exceeds a specified value:
- Check the Threshold limit box.
- Configure the number of events from a source beyond which the alert should be triggered. For example, 1700 Events = in 2 Minutes = by Same User.
- To automate a response action when the alert is triggered, provide the path to a script file in the Script file path field. You can choose from the built-in scripts or create your own. All script files, including custom-created ones, should be located in the <installation_directory>/bin/alertscripts folder for DataSecurity Plus to execute them.
- Under Arguments, choose additional parameters to be used by the script file.
- To send an email notification to a stakeholder:
- Check the Email Notifications box and click the edit icon to open the Email Settings popup.
- To notify the owner of the file or the user who triggered the alert, click Add and select the respective option in the drop down.
- Assign a Priority level to the email.
- Personalize the email by providing a Subject and Message. By using the Add option next to each, you can include alert details such as the name of the user, the client, IP, and more.
- If necessary, you can limit the number of emails that will be sent to each recipient by configuring an appropriate value in the Send a maximum of section. For example, if you have configured a threshold-based alert for 10,000 access events in one minute, and you set this field as Send a maximum of =1 email(s) in = 1 Hour(s), after the initial alert, one email will be sent every subsequent hour if the unusual access trend continues.
- Click Save.
- In the Criteria section, you will have two tabs to narrow down the events that trigger an alert:
- Use the Include section to select the entities you want to create an alert for.
- Select the Exclude tab to exempt alerting for trusted entities.
- Click Save to create the new alert.
Otherwise, skip this step.
Modifying global alerts
To modify an existing global alert:
- Select File Audit from the application drop-down.
- Go to Configuration > General Settings > Alert Configuration.
- Ensure you are in the Global Alerts tab.
- From the table's Actions column, click the edit icon next to the alert you want to update.
- Update the required details.
- Click Save, then click OK.
B) Server-specific alerts
When earlier installations (prior to build 6060) are updated to the latest build, existing custom alerts will be moved to the Server Specific Alerts tab. When a server is selected in the Server Name field of the tab, the two tables will show the list of alerts specific to that server as well as the global alerts that have been applied in the server.
Creating server-specific alerts
To create a server-specific alert:
- Select File Audit from the application drop-down.
- Go to Configuration > General Settings > Alert Configuration.
- Click the Server Specific Alerts tab.
- In the Server Name field choose the server in which you want to customize the alert.
- Click Add Server Alerts in the top-right corner of the tab.
- Enter a suitable name and description for the alert profile.
- Classify the alert with an appropriate severity level.
- If you want to configure a threshold-based alert, i.e., to trigger an alert when the number of events occurring within a given duration exceeds a specified value:
- Check the Threshold limit box.
- Configure the number of events from a source beyond which the alert should be triggered. For example, 1000 Events = in 1 Minute(s) = by Any Source.
- To automate a response action when the alert is triggered, provide the path to a script file in the Script file path field. You can choose from the built-in scripts or create your own. All script files should be located in the <installation_directory>/bin/alertscripts folder for DataSecurity Plus to execute them.
- Under Arguments, choose additional parameters to be used by the script file.
- To send an email notification to a stakeholder:
- Check the Email Notifications box and click the edit icon to open the Email Settings popup.
- Provide the email addresses that you wish to send the alert email to. Separate the addresses with commas. Ensure that there are no spaces in the email addresses.
- To notify the owner of the file or the user who triggered the alert, click Add and select the respective option in the drop down.
- Assign a Priority level to the email.
- Personalize the email by providing a Subject and Message. By using the Add option next to each, you can include alert details such as the name of the user, the client, IP, and more.
- If necessary, you can limit the number of emails that will be sent to each recipient by configuring an appropriate value in the Send a maximum of section. For example, if you have configured a threshold-based alert for 10,000 access events in one minute, and you set this field as Send a maximum of =1 email(s) in = 1 Hour(s), after the initial alert, one email will be sent every subsequent hour if the unusual access trend continues.
- Click Save.
- In the Criteria section, you will have two tabs to narrow down the events that trigger an alert:
- Use the Include section to select the entities you want to create an alert for.
- Select the Exclude tab to exempt alerting for trusted entities.
- Click Save to create the new alert.
Otherwise, skip this step.
Modifying server-specific alerts
To modify an existing global alert:
- Select File Audit from the application drop-down.
- Go to Configuration > General Settings > Alert Configuration.
- Click the Server Specific Alerts tab.
- From the table's Actions column, click the edit icon next to the alert you want to update.
- Update the required details.
- Click Save, then click OK.
Automated alert responses
Users can instruct the File Audit module to execute a response action when an alert is triggered. For this, a desired script file must be linked in the Script file path field while configuring alerts. These can be PowerShell, VBScript, executables, and batch files, but must be present within the <installation_directory>/bin/alertscripts folder.
These automated, versatile responses help you perform remedial actions the instant a security incident is detected, reducing the damage that is caused.
To target these commands at specific entities in your network, configure one or more Arguments to provide the necessary input in the commands. The selected parameters will be replaced in the command by the corresponding value from the alert event. The below arguments can be used:
| Argument | What it refers to | Example (How these will be displayed in the alert notification) |
| Username | The sAMAccountName of the user who performed the action. | Sebastian |
| User SID | The SID of the account that generated the event. | S-1-5-21-1798521379-1002 |
| Server Name | The name of the file server where the file is located. | DSPDEMO, FS01, etc. |
| Local Path | The location of the file or folder in which the action was performed. | C:\Program Files (x86)\ManageEngine\DataSecurity Plus\file.txt |
| Process Name | The name and full path of the process that carried out the file action. The Process Name will be collected only for file actions generated locally in the file server. | C:\Windows\System32\cmd.exe |
| Old Share Path | The old location/UNC path of a shared file in the network, before the action was performed in it. If the action is neither Move nor Rename, the Old Share Path and New Share Path will be the same. | \\DSPDEMO\Shared\Org\Guidelines.html |
| New Share Path | The new location/UNC path of a shared file in a network. When a Move or Rename action triggers an alert, the New Share Path shows the new location of the file after the completion of the action. | \\DSPDEMO\Alternate\Guidelines.html |
| Client IP | The IP address of the client machine where the file action was generated. It may be either IPv4 or IPv6. | fe80::70c2:7c81:c35f:29c7%12, 192.168.0.33 |
| Host Name | The name of the client host machine where the file action was generated. | dspdemo |
The DataSecurity Plus installation package contains some built-in scripts for commonly used response actions. Some of these are:
| Script file name | Script action | Applicable arguments | Sample use case |
| disableADaccount.ps1 | Disables AD accounts. | User SID | Can be used to disable the source user account of the file change that triggered the alert. |
| disableNetwork.ps1 | Disables network access in machines. | Client IP, Host Name, or Server Name | Can be used to disable network access in the source machine of the file change that triggered the alert. |
| triggerShutdown.bat | Shuts down computers or servers. | Client IP, Host Name, or Server Name | Can be used to shut down the source machine of the alert-triggering file action. In case of a ransomware attack or data breach, the Server Name argument can be used to stop the spread of the incident by shutting down the affected server. |
For example, if you want to disable a user who is mass deleting files, the alert configuration will look similar to this:
Threshold limit: 50 Events in = 1 Minute(s) by = Same User
Script file path: C:\Program Files (x86)\ManageEngine\DataSecurity Plus\bin\alertScripts/disableuser.bat
Arguments: User SID
Tip: Scripts are by far the most underrated response strategy. You can run scripts to shut down servers, stop user sessions, disable accounts, isolate servers from the network, and much more. Do you require assistance in customizing a script? Contact our support team.
You can disable an alert to temporarily stop it from being triggered. To disable an alert:
- Select File Audit from the application drop-down menu.
- Go to Configuration > General Settings > Alert Configuration.
- If you want to disable a server-specific alert, select that server in the Server Specific Alerts tab. Otherwise, stay in the Global Alerts tab.
- From the table, select the checkbox next to the alert(s) you wish to disable.
- Click the disable icon at the top of the table.
The selected alert(s) will be disabled.
To delete an alert permanently:
- Select File Audit from the application drop-down menu.
- Go to Configuration > General Settings > Alert Configuration.
- Select the tab corresponding to the type of alert you wish to delete.
- From the table, select the checkbox next to the alert(s) you wish to delete.
- Click the delete icon at the top of the table.
- Click OK to confirm the action.
The selected alert(s) will be deleted.
For more information on configuring alerts in DataSecurity Plus, refer to this guide.