Managing Alert Rules
To access and manage alert rules, navigate to Compliance > Alert Rules.
Select an alert rule to edit it.
Editing an Alert Rule
To edit a rule:
Modify the relevant parameters in the General, Scope, Filters, Triggers, and Response sections of the Rule Criteria as needed.
Note
Administrators can define and customize response options using the administrative client.
Duplicating an Alert Rule
To duplicate an alert rule:
- Select Duplicate from the Actions menu on the alert rule you wish to duplicate.
- The Duplicate Alert Rule screen appears with all the definitions of the original rule pre-filled.
- Make any necessary changes.
Note
Duplicating a discard rule creates a new rule with the same definitions as the existing discard rule.
Deleting an Alert Rule
To delete an alert rule:
- Select Delete from the Actions menu on the alert rule you want to remove.
- A confirmation prompt appears asking if you are sure you want to delete the rule.
Scope
The Scope setting defines the targets an alert rule runs against.
- Scope Inclusion: Specify the application type, application, or specific business resource to which the alert rule applies.
- Scope Exclusion: Exclude specific application types, applications, or business resources from the rule's scope.
Note
If the same resource is selected for both inclusion and exclusion, the resource will be excluded, as exclusions always take precedence over inclusions.
- Resource Scope Selection: Users can choose whether the rule also applies to the subfolders of a selected business resource by checking the Including subfolders checkbox.
Example:
If the business resource "Sensitive folder" contains a subfolder named "Non-sensitive folder" and the user clears the Including subfolders checkbox, the rule applies only to the main resource, Sensitive folder, and not to the subfolder Non-sensitive folder.
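As an added example (not File Access Manager's own code), the following Python resolver implements the Scope rules described above: exclusions take precedence over inclusions, and the Including subfolders checkbox controls whether descendant folders of a selected resource are covered. The paths, the scope objects, and the decision to honour the checkbox on exclusion entries as well are assumptions of the example; it also guards against the common prefix-string trap, where "Sensitive folder2" would wrongly match "Sensitive folder".

```python
"""Illustrative scope resolver for alert rules: inclusion, exclusion
precedence and the "Including subfolders" flag.
Added example, not File Access Manager code."""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import List


@dataclass(frozen=True)
class ScopeEntry:
    """One business resource selected under Scope Inclusion or Scope Exclusion.

    include_subfolders mirrors the "Including subfolders" checkbox. Applying
    the flag to exclusion entries too is an assumption of this example.
    """
    resource: str
    include_subfolders: bool = True


@dataclass(frozen=True)
class Scope:
    inclusions: List[ScopeEntry]
    exclusions: List[ScopeEntry]


def _normalize(path: str) -> PurePosixPath:
    # Accept backslash separators so Windows-style share paths can be used.
    return PurePosixPath(path.replace("\\", "/"))


def _covers(entry: ScopeEntry, resource: str) -> bool:
    """True if `entry` selects `resource` (the folder an activity occurred in)."""
    base = _normalize(entry.resource)
    target = _normalize(resource)
    if target == base:
        return True
    # Descendant folders count only when the checkbox is selected. Comparing
    # path components (not string prefixes) keeps "Sensitive folder2" out.
    return entry.include_subfolders and base in target.parents


def in_scope(scope: Scope, resource: str) -> bool:
    """Decide whether a rule with `scope` applies to `resource`.

    Exclusions are evaluated first because they always take precedence
    over inclusions, as the Scope section states.
    """
    if any(_covers(e, resource) for e in scope.exclusions):
        return False
    return any(_covers(e, resource) for e in scope.inclusions)


# Constructed sample resources (hypothetical paths).
SENSITIVE = "/shares/Sensitive folder"
NON_SENSITIVE = "/shares/Sensitive folder/Non-sensitive folder"

# The page's example: checkbox cleared -> only the main resource is covered.
WITHOUT_SUBFOLDERS = Scope(
    inclusions=[ScopeEntry(SENSITIVE, include_subfolders=False)],
    exclusions=[],
)
# Same selection with the checkbox selected -> subfolders are covered too.
WITH_SUBFOLDERS = Scope(
    inclusions=[ScopeEntry(SENSITIVE, include_subfolders=True)],
    exclusions=[],
)
# Same resource in both lists -> the exclusion wins.
CONFLICTING = Scope(
    inclusions=[ScopeEntry(SENSITIVE)],
    exclusions=[ScopeEntry(SENSITIVE)],
)


if __name__ == "__main__":
    for name, scope in [("without subfolders", WITHOUT_SUBFOLDERS),
                        ("with subfolders", WITH_SUBFOLDERS),
                        ("conflicting", CONFLICTING)]:
        print(name, in_scope(scope, SENSITIVE), in_scope(scope, NON_SENSITIVE))
```

The resolver treats the resource an activity occurred in as a folder path; whether a rule on a single file inside a selected folder counts as the main resource or as a child is left to the product, so the example only distinguishes the folder itself from its subfolders.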
Filters
Note
If an application has a Data Enrichment Collector (DEC), that DEC's attributes are also displayed. If you select multiple applications of the same application type and they share a DEC, only the DEC attributes common to them are shown; if they share no DEC, only the attributes relevant to the selected application type are displayed.
Filter Criteria
Filter criteria allow users to define suspicious behavior based on specific parameters.
The available filter attributes depend on the Scope you select:
If no scope is selected, or if applications from different application types are chosen, only the following default attributes will be available:
- Action Type
- Category
- Domain
- Event Date
- Event Time
- Path
- User Name
If a specific application type or a single application is selected, or if multiple applications from the same application type are chosen, only the attributes relevant to the selected application type will be displayed.
Users can also load saved queries from Forensics > Activities Queries by selecting Load Query. This displays a list of all saved queries.
Query Behavior
When a query is loaded, all information in the Rule Criteria section (Scope and Filters) is replaced with the loaded query filters.
If a query cannot be loaded, an error message displays.
Queries Not Available
- Queries on alerts (only queries on activities can be loaded)
- Mismatched queries
- Queries involving users from multiple domains
Response
The Response section allows users to define the actions to take when an alert is triggered. For example, when a new permission is added to a sensitive resource, all Data Owners of that resource can be notified via email.
Response Options
A response may include one or more of the following actions:
- Email: Send notifications to specific email addresses, and/or to the Data Owners of the resource.
Note
The Data Owners option is available for Single Activity Alerts, but not for Threshold Alerts.
- Syslog: Send the alert information to a Syslog server.
- User Exit: Trigger a custom user-defined exit process.
Setting Up an Alert Response
- Create or edit a Response object in the Administrative Client.
- Select Advanced Settings to choose additional response options.
Note
The Administrative Client is required to define and customize response options.
Default Response
The File Access Manager Alert Response is applied automatically to every rule. It ensures the alert is retained in the database, and users cannot opt out of this response.
Resource-based Alert Rules
Data Owners can activate Resource-Based Alert Rules (pre-configured alert rules) from the Resource > Alerts screen.
Administrators can manage these Resource-Based rules created by Data Owners through the Compliance > Alert Rules section, where they can perform the following operations:
- View the rule
- Modify the rule’s name and description
- Change the rule’s status (activate or deactivate)
- Delete the rule