How to configure alerts in DataSecurity Plus

Configure alerts and responses in DataSecurity Plus by following the module-specific instructions below. For further assistance, please email us at support@datasecurityplus.com.

Alerts and responses in File Audit

Customize the default alerts or configure new alerts in File Audit by following the steps below:

To define an Alert Profile, navigate to File Audit > Configuration > Settings > Alert Configuration. Alternatively, you can click the New Alert Profile button in the Alerts tab.

Alert details
  1. Check the box to enable a Threshold Limit.
  2. Select the minimum number of events after which the alert should be triggered, and specify the interval within which that many events have to occur.
  3. Choose the threshold source: whether matching events are counted per user, per process, or regardless of source.
Alert criteria

Specify the events that will trigger the new alert by applying filters in the Criteria section. You can define the criteria using the Include or Exclude options.

In the Include tab:

  1. Select the parameter for which you need to set the alert condition from the drop-down. Example: Action
  2. Select the operator from the middle drop-down. Depending on the parameter you choose, the operator will be auto-populated. Example: In
  3. Provide the value for the parameter based on which the alert will be triggered. Example: Rename

Use the + option to add more inclusion criteria.

Similarly, you can trigger an alert by defining the exclusion criteria in the Exclude tab.

Events from the users, file paths, or other entities configured here are ignored when the alert is evaluated.

Alert responses

When an alert is triggered, you can:

  • Enable email notifications: Be notified via email as soon as an alert is triggered. Specify the maximum number of emails sent to your inbox to avoid email fatigue.
  • Customize script responses: Create scripts and define argument parameters to initiate responses as soon as an alert is triggered or choose from default scripts located in <installation_directory>ManageEngine\DataSecurity Plus\bin\scripts.

Note: If you're defining multiple inclusion criteria, all the conditions must be satisfied for an alert to be triggered.

Exclusion criteria override inclusion criteria. For instance, if you specify a particular File Name under the Exclude tab, file access events are monitored for all other files and that file is left out.

Setting email responses in File Audit Alert Configuration

In the email settings in the Alert Profile, you can customize the following:

Recipient

Emails can be sent to:

  1. Any specific email address.
  2. Owners: The creator of the file.
  3. Callers: The user whose actions have triggered the alert.
Priority

The priority flagged in the email can be set to:

  1. Normal.
  2. High.
Subject

The subject of the email can be set to:

  1. Any customized text.
  2. Alert information variables provided in the drop-down. (Click Add to view the drop-down.)
Message

The message can include:

  1. Any customized text.
  2. Alert information variables. (Click Add to view the alert information variables.)
Email limit

You can restrict the number of alert emails by defining the maximum number of emails for the desired time interval.

Alerts and responses in File Analysis

Customize the default alerts or configure new alerts in File Analysis by following the steps below:

To define an Alert Profile, navigate to File Analysis > Configuration > Settings > Alert Configuration.

Alert details

Define the Alert Name, Alert Description, and Severity.

Alert sources

There are two sources from which alerts can be generated:

  1. File Metadata: For alerts focused on file security and other file properties.
  2. Disk Usage: For alerts focused on file storage and drive size growth.
Alert criteria

Specify the events that will trigger the new alert by applying filters in the Criteria section. You can define the criteria using the Include or Exclude options.

In the Include tab:

  1. Select the parameter for which you need to set the alert condition from the drop-down. Example: Drive Letter
  2. Select the operator from the middle drop-down. Depending on the parameter you choose, the operator will be auto-populated. Example: Does not equal
  3. Provide the value for the parameter based on which the alert will be triggered. Example: C:\

Use the + option to add more inclusion criteria.

Similarly, you can trigger an alert by defining the exclusion criteria in the Exclude tab.

Events involving the file names, file paths, or other entities configured here are ignored when the alert is evaluated.

Alert responses

In the Response tab, configure the follow-up actions that will be initiated immediately after an alert is triggered. Check the boxes to enable the options before configuring them. You can:

  1. Enable email notifications: Be notified via email as soon as an alert is triggered. Specify the maximum number of emails sent to your inbox to avoid email fatigue.
  2. Customize script responses: Create scripts and define argument parameters to initiate responses as soon as an alert is triggered.
  3. Move or delete folders or files: Move files or folders to a specific location or delete them at your discretion.

Note: If you're defining multiple inclusion criteria, all the conditions must be satisfied for an alert to be triggered.

Exclusion criteria override inclusion criteria. For instance, if you specify a particular File Name under the Exclude tab, file access events are monitored for all other files and that file is left out.

Alerts and responses in Data Risk Assessment

Create alerts based on policies, file owners, and other criteria using the steps below:

To define an Alert Profile, navigate to Risk Analysis > Discovery Policy Configuration > Alert Profile.

Alert details

Define the Alert Name, Alert Source, Description, and Severity.

Alert criteria
  1. In the Include tab, set the desired criteria with the drop-downs. Example: Policy, Equals, and GDPR in the respective drop-down filters.
  2. To receive an alert only when two or more criteria are all met, select the AND function.
  3. To receive an alert when at least one of two or more criteria is met, select the OR function.
Alert responses

In the Response tab, configure the follow-up actions that will be initiated immediately after an alert is triggered. Check the boxes to enable the options before configuring them. You can:

  1. Enable email notifications: Be notified via email as soon as an alert is triggered. Specify the maximum number of emails sent to your inbox to avoid email fatigue.
  2. Customize script response: Create scripts and define argument parameters to initiate responses as soon as an alert is triggered.

Alerts and responses in Endpoint DLP

Customize the default alerts to track users' endpoint activity by following the steps below.

To customize an Alert Profile, navigate to Endpoint DLP > Configuration > Audit/Alert Profiles > Alert Configuration.

Alert selection

Click the Alert Profile tabs to view the available alerts.

Alert details

The Alert Name, Alert Source, Description, and Severity are predefined.

Alert Profiles

Alert Profiles in Endpoint DLP vary based on the source of the alerts. Refer to the individual profile details mentioned below. To modify the alerts, click the edit icon next to the individual alert.

Alert criteria

Specify the events that will trigger the new alert by applying filters in the Criteria section. You can define the criteria using the Include or Exclude options.

In the Include tab:

  1. Select the parameter for which you need to set the alert condition from the drop-down.
  2. Select the operator from the middle drop-down. Depending on the parameter you choose, the operator will be auto-populated.
  3. Provide the value for the parameter based on which the alert will be triggered.

Use the + option to add more inclusion criteria.

Similarly, you can trigger an alert by defining the exclusion criteria in the Exclude tab.

Events from the users, file paths, or other entities configured here are ignored when the alert is evaluated on the endpoint. Follow the steps below to customize the alert sources and responses available in the Endpoint DLP module.

File Integrity Monitor

These alerts can be used to track sensitive file changes, user activity, or indicators of ransomware attacks.

Define alert responses as required in the Response section. You can choose to dispatch email notifications and/or execute scripts.

Example:
Include: Action, In, Modify
Exclude: Computer Account, In, AdminPC
Threshold: 10 Events, 1 Minute, Any Source
Response: Enable email notification

Removable Storage

These alerts are triggered by file events on USB drives.

Define alert responses as required in the Response section. You can choose to dispatch email notifications, execute scripts, block all USB devices from being used in the source machine, or block the USB device that triggered the alert.

Example:
Include: Action, In, File Copied
Exclude: User Object, In, John
Threshold: 50 Events, in 2 Minutes, by Same User
Response: Block all external storage devices

Print

These alerts monitor print requests.

Define alert responses as required in the Response section. You can choose to dispatch email notifications and/or execute scripts.

Example:
Include: Action, In, File Copied
Exclude: User Object, In, John
Threshold: 30 Events, in 30 Minutes, by Same User
Response: Enable Script

Clipboard

This alert detects critical file copy and paste events.

Define alert responses as required in the Response section. You can choose to dispatch email notifications, execute scripts, or move or delete the files.

Example:
Include: Action, In, File Copied
Exclude: User Object, In, John
Threshold: 30 Events, in 2 Minutes, by Same User
Response: Enable Move/Delete

Email Client

These alerts monitor outgoing emails for potential data leaks.

Define alert responses as required in the Response section. You can choose the User prompt in Active Responses to warn users about policy violations, and/or choose from the Passive Responses, which include dispatching email notifications and executing scripts.

Example:
Include: User Object, In, Mel
Exclude: User Object, In, John
Threshold: 5 Events, in 2 Minutes, by Same User
Response: Enable User prompt, Block

Web

This alert is triggered on the potential upload or download of critical files.

Define alert responses as required in the Response section. You can choose to dispatch email notifications and/or execute scripts.

Example:
Include: Process Name, Contains, Chrome.exe
Exclude: User Object, In, John
Threshold: 20 Events, in 2 Minutes, by Same User
Response: Enable email notification

File Share

This alert is triggered when access anomalies are detected in shares.

Define alert responses as required in the Response section. You can choose to dispatch email notifications and/or execute scripts.

Example:
Include: Action, In, File Extension Change
Exclude: User Object, In, None
Threshold: 10 Events, in 1 Minute, by Same User
Response: Enable email notification

Alert responses

In the Response tab of each Alert Profile, configure the follow-up actions that will be initiated immediately after an alert is triggered. Check the boxes to enable the options before configuring them. You can:

  1. Enable email notifications: Be notified via email as soon as an alert is triggered. Specify the maximum number of emails sent to your inbox to avoid email fatigue.
  2. Customize script responses: Create scripts and define argument parameters to initiate responses as soon as an alert is triggered.
  3. Block USBs (only available in the Removable Storage Alert Profiles).
  4. Move or delete files (only available in the Clipboard Alert Profiles).
  5. Send a prompt to and/or block users from sending emails with files classified as restricted or sensitive (only available in the Email Client Alert Profiles).

Note: If you're defining multiple inclusion criteria, all the conditions must be satisfied for an alert to be triggered.

Exclusion criteria override inclusion criteria. For instance, if you specify a particular File Name under the Exclude tab, file access events are monitored for all other files and that file is left out.
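The three rules that every module above shares (all inclusion rows must match, a single matching exclusion row discards the event, and the threshold counts matching events per source inside a sliding interval) are easiest to check against concrete events. The PowerShell below is an added example written for this page, not DataSecurity Plus code and not its internal API: the event field names, operator names, helper functions and sample events are all assumptions. It models the Removable Storage profile shown above (Include: Action, In, File Copied; Exclude: User Object, In, John; 50 events in 2 minutes by the same user) and goes slightly beyond the page by also supporting the OR (Any) include mode described for Data Risk Assessment.

```powershell
# Added example for this page: a model of how Include/Exclude criteria and a
# threshold are applied to a stream of events. Not DataSecurity Plus code; the
# field names, operator names and helper names are assumptions for illustration.

# Profile modelled on the Removable Storage example (Include, Exclude, Threshold).
$AlertProfile = @{
    IncludeMatch = 'All'      # 'All' = AND (the default); 'Any' = the OR function in Data Risk Assessment
    Include      = @(
        @{ Parameter = 'Action';     Operator = 'In'; Value = @('File Copied') }
    )
    Exclude      = @(
        @{ Parameter = 'UserObject'; Operator = 'In'; Value = @('John') }
    )
    Threshold    = @{ Events = 50; Minutes = 2; Source = 'SameUser' }   # or 'AnySource'
}

function Test-Criterion {
    param([hashtable]$Record, [hashtable]$Criterion)
    $actual = $Record[$Criterion.Parameter]
    switch ($Criterion.Operator) {
        'In'           { return ($Criterion.Value -contains $actual) }
        'Equals'       { return ($actual -eq $Criterion.Value) }
        'DoesNotEqual' { return ($actual -ne $Criterion.Value) }
        'Contains'     { return ("$actual" -like "*$($Criterion.Value)*") }
        default        { throw "Unsupported operator: $($Criterion.Operator)" }
    }
}

function Test-RecordMatch {
    param([hashtable]$Record, [hashtable]$Spec)
    # Exclusion overrides inclusion: one matching Exclude row discards the event.
    foreach ($c in $Spec.Exclude) {
        if (Test-Criterion $Record $c) { return $false }
    }
    $hits = @($Spec.Include | Where-Object { Test-Criterion $Record $_ }).Count
    if ($Spec.IncludeMatch -eq 'Any') { return ($hits -gt 0) }
    return ($hits -eq $Spec.Include.Count)        # 'All': every Include row must match
}

function Get-TriggeredAlerts {
    param([hashtable[]]$Records, [hashtable]$Spec)
    $window  = [TimeSpan]::FromMinutes($Spec.Threshold.Minutes)
    $buckets = @{}                                # threshold source -> timestamps of matching events
    $alerts  = New-Object System.Collections.Generic.List[object]
    foreach ($r in ($Records | Sort-Object { $_.Time })) {
        if (-not (Test-RecordMatch $r $Spec)) { continue }
        $key = if ($Spec.Threshold.Source -eq 'SameUser') { $r.UserObject } else { '*' }
        if (-not $buckets.ContainsKey($key)) {
            $buckets[$key] = New-Object System.Collections.Generic.List[datetime]
        }
        $buckets[$key].Add($r.Time)
        # Sliding window: forget matching events older than the interval.
        while ($buckets[$key][0] -lt ($r.Time - $window)) { $buckets[$key].RemoveAt(0) }
        if ($buckets[$key].Count -ge $Spec.Threshold.Events) {
            $alerts.Add([pscustomobject]@{ Source = $key; TriggeredAt = $r.Time; Events = $buckets[$key].Count })
            $buckets[$key].Clear()                # one burst raises one alert, then counting restarts
        }
    }
    return $alerts
}

# Constructed sample events (not real audit data): timestamps two seconds apart.
$t0 = Get-Date '2024-01-01 09:00:00'
$records = @()
foreach ($i in 0..59) { $records += @{ Time = $t0.AddSeconds(2 * $i); Action = 'File Copied'; UserObject = 'John' } }  # excluded user
foreach ($i in 0..54) { $records += @{ Time = $t0.AddSeconds(2 * $i); Action = 'File Copied'; UserObject = 'Mel'  } }  # 55 copies in 108 s
foreach ($i in 0..19) { $records += @{ Time = $t0.AddSeconds(2 * $i); Action = 'File Read';   UserObject = 'Mel'  } }  # action not included

Get-TriggeredAlerts -Records $records -Spec $AlertProfile | Format-Table
```

Run it in any PowerShell session; it needs no product components. John's sixty copies never reach the threshold counter because the Exclude row discards them first, Mel's File Read events fail the Include row, and only Mel's File Copied burst is counted against the 50-in-2-minutes limit. Switching Threshold.Source to 'AnySource' pools all matching events into one counter, which is what "Any Source" in the File Integrity Monitor example above does.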

How to set default or custom script responses

DataSecurity Plus supports script response actions to be executed immediately when an alert is triggered. Default scripts are available for use in the following location: <installation_directory>ManageEngine\DataSecurity Plus\bin\scripts.

You can also write custom scripts to suit your requirements. To register a script:

  1. Specify the application (interpreter) that will execute the script, for example Powershell.exe or cscript.
  2. Include the full path of the script file.
  3. Choose the parameters to pass to the script from the Arguments drop-down.

Note: Select the parameters in the Arguments drop-down in the order the script expects them; they are passed positionally. For instance:

Step 1: Specify the script file path.

Step 2: Choose the first argument.

Step 3: Choose the second argument.

PowerShell script example

Powershell.exe -file "D:\DataSecurityPlus scripts\trigger-shutdown.ps1"

Argument 1: Client IP

VBScript example

cscript "D:\DataSecurityPlus scripts\trigger-shutdown.vbs"

Argument 1: Client IP

Note: If you want to add more arguments while configuring custom scripts, select the arguments consecutively as indicated above.
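As an added example of a custom script response (written for this page, not one of the default scripts shipped with the product), the PowerShell below would be registered as Powershell.exe -ExecutionPolicy Bypass -File "D:\DataSecurityPlus scripts\block-client.ps1" with Argument 1 set to Client IP. Instead of shutting a machine down, it validates the argument and then blocks inbound traffic from that client with a Windows Firewall rule, which cuts the client off from the server's shares while the alert is investigated. The script name, log path and rule-name prefix are assumptions; New-NetFirewallRule, Get-NetFirewallRule and Remove-NetFirewallRule are the standard NetSecurity cmdlets on Windows Server 2012 and later.

```powershell
# block-client.ps1 -- added example of a custom script response for this page.
# Not one of the default scripts shipped with DataSecurity Plus; the file name,
# log path and rule-name prefix are assumptions.
#
# Registered in the Alert Profile as:
#   Powershell.exe -ExecutionPolicy Bypass -File "D:\DataSecurityPlus scripts\block-client.ps1"
#   Argument 1: Client IP
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true, Position = 0)]
    [string]$ClientIP
)

$LogPath    = 'D:\DataSecurityPlus scripts\response.log'   # assumed location
$RulePrefix = 'DSP-Alert-Block-'                            # assumed naming convention

function Write-ResponseLog {
    param([string]$Message)
    Add-Content -Path $LogPath -Value ('{0:u} {1}' -f (Get-Date), $Message)
}

# The argument arrives positionally from the alert engine; treat it as untrusted
# input and reject anything that is not a literal IP address before using it.
$parsed = $null
if (-not [System.Net.IPAddress]::TryParse($ClientIP, [ref]$parsed)) {
    Write-ResponseLog "Rejected Client IP argument that is not an IP address: '$ClientIP'"
    exit 2
}
$ip = $parsed.IPAddressToString

# Never block loopback or the unspecified address: that would isolate the server itself.
if ([System.Net.IPAddress]::IsLoopback($parsed) -or
    $parsed.Equals([System.Net.IPAddress]::Any) -or
    $parsed.Equals([System.Net.IPAddress]::IPv6Any)) {
    Write-ResponseLog "Refused to block local or unspecified address $ip"
    exit 3
}

# Idempotent: repeated alerts for the same client must not pile up duplicate rules.
$ruleName = "$RulePrefix$ip"
if (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue) {
    Write-ResponseLog "Rule '$ruleName' already exists; no change"
    exit 0
}

# Block all inbound traffic from the client, in every firewall profile.
New-NetFirewallRule -DisplayName $ruleName `
                    -Description 'Created by DataSecurity Plus alert response' `
                    -Direction Inbound -RemoteAddress $ip -Action Block -Profile Any | Out-Null
Write-ResponseLog "Blocked inbound traffic from $ip (rule '$ruleName')"
exit 0
```

Creating firewall rules requires that the account DataSecurity Plus runs under has administrative rights on the server, and the exit codes above are only visible in the response log, so check that file when testing the profile. When the incident is closed, lift the block with Remove-NetFirewallRule -DisplayName 'DSP-Alert-Block-<ip>'.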
