Help Center

Quick Start

File Auditing

File Analysis

Data Risk Assessment

Endpoint DLP

Cloud Protection

Administrative settings

General settings

Release notes

Troubleshooting

Guides

Third-party software Contact us

Alert configuration

Alerts help stakeholders and administrative users stay on top of critical events in the organization's file storage environment. ManageEngine DataSecurity Plus allows you to create and manage web console and email notifications.

For precise control over alert configuration, DataSecurity Plus supports two types of alerts:

  • Global alert profiles, which can be configured for all or a combination of servers.
  • Server-specific alert profiles, which are configured individually for specific servers.

Together, these help IT technicians detect access anomalies efficiently while still preventing alert fatigue. Alerts can be created and modified only by administrative technician accounts.

Further, responses can also be automated along with a triggered alert to mitigate the potential damage caused by an incident. These will also be discussed on this page.

Creating and editing alerts

A) Global alerts

Upon installation of DataSecurity Plus, several built-in global alerts will be automatically activated. These alerts can be configured for events across all configured servers and domains. For more information on them, refer to this page.

Creating global alerts

To create a global alert:

  • Select File Audit from the application drop-down.
  • Go to Configuration > General Settings > Alert Configuration.
  • Ensure you are in the Global Alerts tab and click Add Global Alerts in the top-right corner of the tab.
  • Enter a suitable name and description for the alert profile.
  • Click the + icon next to the Selected Servers field and choose the servers that you wish to apply this profile to.
  • To apply this profile to any new servers that might be added to DataSecurity Plus in the future, check the box next to Apply profile to new servers.
  • Classify the alert with an appropriate severity level.
  • If you want to configure a threshold-based alert, i.e., to trigger an alert when the number of events occurring within a given duration exceeds a specified value:
    • Check the Threshold limit box.
    • Configure the number of events from a source beyond which the alert should be triggered. For example, 1700 Events = in 2 Minutes = by Same User.

    Otherwise, skip this step.

  • To automate a response action when the alert is triggered, provide the path to a script file in the Script file path field. You can choose from the built-in scripts or create your own. All script files, including custom-created ones, should be located in the <installation_directory>/bin/alertscripts folder for DataSecurity Plus to execute them.
  • Under Arguments, choose additional parameters to be used by the script file.
  • To send an email notification to a stakeholder:
    • Check the Email Notifications box and click the edit icon to open the Email Settings popup.
    • To notify the owner of the file or the user who triggered the alert, click Add and select the respective option in the drop down.
    • Assign a Priority level to the email.
    • Personalize the email by providing a Subject and Message. By using the Add option next to each, you can include alert details such as the name of the user, the client, IP, and more.
    • If necessary, you can limit the number of emails that will be sent to each recipient by configuring an appropriate value in the Send a maximum of section. For example, if you have configured a threshold-based alert for 10,000 access events in one minute, and you set this field as Send a maximum of =1 email(s) in = 1 Hour(s), after the initial alert, one email will be sent every subsequent hour if the unusual access trend continues.
    • Click Save.
  • In the Criteria section, you will have two tabs to narrow down the events that trigger an alert:
    • Use the Include section to select the entities you want to create an alert for.
    • Select the Exclude tab to exempt alerting for trusted entities.
  • Click Save to create the new alert.
Note: Exclude filters will be given precedence over Include filters.

Modifying global alerts

To modify an existing global alert:

  • Select File Audit from the application drop-down.
  • Go to Configuration > General Settings > Alert Configuration.
  • Ensure you are in the Global Alerts tab.
  • From the table's Actions column, click the edit icon next to the alert you want to update.
  • Update the required details.
  • Click Save, then click OK.

B) Server-specific alerts

When earlier installations (prior to build 6060) are updated to the latest build, existing custom alerts will be moved to the Server Specific Alerts tab. When a server is selected in the Server Name field of the tab, the two tables will show the list of alerts specific to that server as well as the global alerts that have been applied in the server.

Creating server-specific alerts

To create a server-specific alert:

  • Select File Audit from the application drop-down.
  • Go to Configuration > General Settings > Alert Configuration.
  • Click the Server Specific Alerts tab.
  • In the Server Name field choose the server in which you want to customize the alert.
  • Click Add Server Alerts in the top-right corner of the tab.
  • Enter a suitable name and description for the alert profile.
  • Classify the alert with an appropriate severity level.
  • If you want to configure a threshold-based alert, i.e., to trigger an alert when the number of events occurring within a given duration exceeds a specified value:
    • Check the Threshold limit box.
    • Configure the number of events from a source beyond which the alert should be triggered. For example, 1000 Events = in 1 Minute(s) = by Any Source.

    Otherwise, skip this step.

  • To automate a response action when the alert is triggered, provide the path to a script file in the Script file path field. You can choose from the built-in scripts or create your own. All script files should be located in the <installation_directory>/bin/alertscripts folder for DataSecurity Plus to execute them.
  • Under Arguments, choose additional parameters to be used by the script file.
  • To send an email notification to a stakeholder:
    • Check the Email Notifications box and click the edit icon to open the Email Settings popup.
    • Provide the email addresses that you wish to send the alert email to. Separate the addresses with commas. Ensure that there are no spaces in the email addresses.
    • To notify the owner of the file or the user who triggered the alert, click Add and select the respective option in the drop down.
    • Assign a Priority level to the email.
    • Personalize the email by providing a Subject and Message. By using the Add option next to each, you can include alert details such as the name of the user, the client, IP, and more.
    • If necessary, you can limit the number of emails that will be sent to each recipient by configuring an appropriate value in the Send a maximum of section. For example, if you have configured a threshold-based alert for 10,000 access events in one minute, and you set this field as Send a maximum of =1 email(s) in = 1 Hour(s), after the initial alert, one email will be sent every subsequent hour if the unusual access trend continues.
    • Click Save.
  • In the Criteria section, you will have two tabs to narrow down the events that trigger an alert:
    • Use the Include section to select the entities you want to create an alert for.
    • Select the Exclude tab to exempt alerting for trusted entities.
  • Click Save to create the new alert.
Note: Exclude filters will be given precedence over Include filters.

Modifying server-specific alerts

To modify an existing global alert:

  • Select File Audit from the application drop-down.
  • Go to Configuration > General Settings > Alert Configuration.
  • Click the Server Specific Alerts tab.
  • From the table's Actions column, click the edit icon next to the alert you want to update.
  • Update the required details.
  • Click Save, then click OK.

Automated alert responses

Users can instruct the File Audit module to execute a response action when an alert is triggered. For this, a desired script file must be linked in the Script file path field while configuring alerts. These can be PowerShell, VBScript, executables, and batch files, but must be present within the <installation_directory>/bin/alertscripts folder.

These automated, versatile responses help you perform remedial actions the instant a security incident is detected, reducing the damage that is caused.

To target these commands at specific entities in your network, configure one or more Arguments to provide the necessary input in the commands. The selected parameters will be replaced in the command by the corresponding value from the alert event. The below arguments can be used:

Argument What it refers to Example (How these will be displayed in the alert notification)
Username The sAMAccountName of the user who performed the action. Sebastian
User SID The SID of the account that generated the event. S-1-5-21-1798521379-1002
Server Name The name of the file server where the file is located. DSPDEMO, FS01, etc.
Local Path The location of the file or folder in which the action was performed. C:\Program Files (x86)\ManageEngine\DataSecurity Plus\file.txt
Process Name The name and full path of the process that carried out the file action. The Process Name will be collected only for file actions generated locally in the file server. C:\Windows\System32\cmd.exe
Old Share Path The old location/UNC path of a shared file in the network, before the action was performed in it. If the action is neither Move nor Rename, the Old Share Path and New Share Path will be the same. \\DSPDEMO\Shared\Org\Guidelines.html
New Share Path The new location/UNC path of a shared file in a network. When a Move or Rename action triggers an alert, the New Share Path shows the new location of the file after the completion of the action. \\DSPDEMO\Alternate\Guidelines.html
Client IP The IP address of the client machine where the file action was generated. It may be either IPv4 or IPv6. fe80::70c2:7c81:c35f:29c7%12, 192.168.0.33
Host Name The name of the client host machine where the file action was generated. dspdemo
Sample email notification

The DataSecurity Plus installation package contains some built-in scripts for commonly used response actions. Some of these are:

Script file name Script action Applicable arguments Sample use case
disableADaccount.ps1 Disables AD accounts. User SID Can be used to disable the source user account of the file change that triggered the alert.
disableNetwork.ps1 Disables network access in machines. Client IP, Host Name, or Server Name Can be used to disable network access in the source machine of the file change that triggered the alert.
triggerShutdown.bat Shuts down computers or servers. Client IP, Host Name, or Server Name Can be used to shut down the source machine of the alert-triggering file action. In case of a ransomware attack or data breach, the Server Name argument can be used to stop the spread of the incident by shutting down the affected server.

For example, if you want to disable a user who is mass deleting files, the alert configuration will look similar to this:

Threshold limit: 50 Events in = 1 Minute(s) by = Same User

Script file path: C:\Program Files (x86)\ManageEngine\DataSecurity Plus\bin\alertScripts/disableuser.bat

Arguments: User SID

Tip: Scripts are by far the most underrated response strategy. You can run scripts to shut down servers, stop user sessions, disable accounts, isolate servers from the network, and much more. Do you require assistance in customizing a script? Contact our support team.

You can disable an alert to temporarily stop it from being triggered. To disable an alert:

  • Select File Audit from the application drop-down menu.
  • Go to Configuration > General Settings > Alert Configuration.
  • If you want to disable a server-specific alert, select that server in the Server Specific Alerts tab. Otherwise, stay in the Global Alerts tab.
  • From the table, select the checkbox next to the alert(s) you wish to disable.
  • Click the disable icon at the top of the table.

The selected alert(s) will be disabled.

To delete an alert permanently:

  • Select File Audit from the application drop-down menu.
  • Go to Configuration > General Settings > Alert Configuration.
  • Select the tab corresponding to the type of alert you wish to delete.
  • From the table, select the checkbox next to the alert(s) you wish to delete.
  • Click the delete icon at the top of the table.
  • Click OK to confirm the action.

The selected alert(s) will be deleted.

For more information on configuring alerts in DataSecurity Plus, refer to this guide.

Topics in this page:

Don't see what you're looking for?

  • Visit our community

    Post your questions in the forum.

     

  • Request additional resources

    Send us your requirements.

     

© 2022 Zoho Corporation Pvt. Ltd. All rights reserved.