In ‘Alert configuration’, the ‘Main’ tab groups the different triggers of the Alert rule. This tab differs depending on the type of alert you want to define: additional criteria become available when defining a 'Mass access' alert.
'Single access' alert
First, you have to enter a name for the alert. This name will appear later in the ‘Alert’ hub tile.
The ‘Enabled’ switch enables or disables this alert.
Then you can define different filters, grouped by categories:
The What filters
- Access Status: specify if the alert will be for successful or unsuccessful access attempts, or both.
- Object type: specify if the alert will trigger for access on files and/or folders.
- Access type: specify the type of access events on which the alert will trigger:
  - (Select All): All types of access events will initiate the alert.
  - Delete: A user tried to delete a file/folder.
  - Ownership: A user tried to take ownership of the file/folder.
  - Permissions: A user tried to change the permissions on the file/folder.
  - Write: A user tried to modify a file.
  - Execute: A user tried to execute an executable file.
  - Read: A user tried to open a file in ‘Read’ mode.
  - System: An attempt to read or write the System Access Control List (SACL), i.e. the audit entries of the file/folder. (Pre-Vista only.)
  - Write attributes: A user tried to modify a file attribute (such as the Read-only or Hidden checkboxes).
  - Other: Composite events, where one event is a combination of several access events, e.g. Write and Read, or Delete and Read. (Windows Server 2003 only.)
Note that the event is generated for the attempted access, not only for successful ones: if a user tries to delete a file in a monitored folder and is refused, you will be alerted of a ‘Delete’ event with the status ‘Denied’.
The Who filters
- Domain: filter accesses for a specific Active Directory domain.
- Group: filter accesses for members of a specific Active Directory group.
- User: filter accesses generated by a specific Active Directory user.
An advanced syntax lets you include or exclude multiple users or groups in the Group and User fields; see 'Include or exclude users' below for details.
- Groups without users (e.g., a group of machines) are not allowed.
- Groups from sub-domains or parent domains are not supported.
- If the service has just (re)started, it needs some time to build the list of groups; during this interval (generally a matter of seconds), any selection will be refused.
The Source filters
- Client IP Address: specify the IP address of the machine from which the access has been performed (if the access is performed through the network).
- Client name: specify the name of the machine from which the access has been performed (if the access is performed through the network).
- Process: specify the name of the process generating the access attempt (if the file/folder is accessed locally).
'Mass access' alert
This type of alert notifies you of mass access events performed by the same user, and thus alerts on bulk file copying (a significant number of read accesses performed within a short period of time) and on bulk file deletion or movement.
This alert type offers the same criteria as those available when defining a 'Single access' alert, described previously. However, it adds a frequency criterion: how many times the same user performed the same type of access.
- Threshold: number of accesses fulfilling the criteria defined in this tab beyond which the alert is triggered, if reached within the defined time period.
- Time period: rolling time period during which the accesses matching the criteria defined in this tab are counted.
- Latency period: time period during which the alert is temporarily disabled once it has been triggered. Enter '0' to disable the latency period. Note that disabling the latency period means the alert will be triggered for each event exceeding the set threshold.
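To make the Threshold, Time period and Latency period interact concretely, here is an added example, not code from the product, that runs the same rolling-window logic over a constructed set of access events. It assumes the threshold is exceeded when the count is strictly greater than it, and that the latency silence is tracked per user; both are assumptions, not documented product behaviour.

```python
from collections import defaultdict, deque

# Constructed sample events (not product output):
# (timestamp in seconds, user, access type, access status)
EVENTS = [
    (0, "alice", "Read", "Granted"), (10, "alice", "Read", "Granted"),
    (20, "alice", "Read", "Granted"), (30, "alice", "Read", "Granted"),
    (40, "alice", "Read", "Granted"), (50, "alice", "Read", "Granted"),
    (55, "alice", "Read", "Granted"), (58, "alice", "Delete", "Denied"),
    (70, "bob", "Read", "Granted"), (75, "bob", "Read", "Granted"),
    (130, "alice", "Read", "Granted"), (200, "alice", "Read", "Granted"),
]


def mass_access_alerts(events, access_types, statuses, threshold, time_period, latency):
    """Return [(timestamp, user), ...] for every time the Mass access rule fires.

    For each user, accesses matching the What criteria (access type and status)
    are counted over a rolling window of `time_period` seconds; the rule fires
    when the count exceeds `threshold` (assumption: strictly greater).  Once it
    has fired, the rule is silenced for that user for `latency` seconds
    (assumption: latency is tracked per user).  latency == 0 disables the
    silence, so every further event beyond the threshold fires again.
    """
    windows = defaultdict(deque)   # user -> timestamps of matching accesses still in the window
    silenced_until = {}            # user -> time at which alerting resumes
    alerts = []
    for ts, user, atype, status in sorted(events):
        if atype not in access_types or status not in statuses:
            continue
        window = windows[user]
        window.append(ts)
        # drop accesses that have fallen out of the rolling time period
        while window and window[0] <= ts - time_period:
            window.popleft()
        if len(window) > threshold and ts >= silenced_until.get(user, ts):
            alerts.append((ts, user))
            silenced_until[user] = ts + latency
    return alerts


if __name__ == "__main__":
    # alice's 6th read within 60 s fires; the 7th is silenced by the 120 s latency
    print(mass_access_alerts(EVENTS, {"Read"}, {"Granted"}, 5, 60, 120))   # [(50, 'alice')]
    # with latency 0, every event beyond the threshold fires again
    print(mass_access_alerts(EVENTS, {"Read"}, {"Granted"}, 5, 60, 0))     # [(50, 'alice'), (55, 'alice')]
```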
Include or exclude users
User and Group filters can be used to include or exclude users from the results. To include more than one user or group, separate the entries with commas. To exclude a user or a group, enter a minus sign before the group name or the user name.
All accesses of Sales and Marketing group members will be displayed.
Accesses of Everyone except Marketing group members will be displayed.
Inclusion + exclusion example
All accesses of Sales group members will be displayed, except for users who are also members of the Managers group.
If there are no common members between the Sales and Managers groups, all Sales members are included. If all members of Sales are also members of Managers, no data will be displayed.