Terminology

An event is anything that occurs in an application.

An activity is a monitored File Access Manager event, such as the execution or modification of a file on a file system, enriched with security attributes (such as details of the executing user from the Active Directory).

The system sends an alert when an activity violates a File Access Manager real-time rule. File Access Manager can issue alerts within the system or send them to other systems, such as SIEM for monitoring.

Note: Each Collector Installation guide contains specific installation and configuration instructions.

The Activity Monitor is a software module that monitors and collects events from an application. Each application type has a specific activity monitor. Most File Access Manager Activity Monitors work in an agentless architecture, and can monitor and capture events without having to install anything on the application itself.

The Event Manager is a service, installed by the File Access Manager Server Installer, which:
- Pulls events from RabbitMQ.
- Uses Data Enrichment Connectors (DECs) to enrich events with security attributes.
- Evaluates discard and alert rules.
- Saves events to Elasticsearch.

Note: The previous name for a DEC was Whitebox Policy Connector (WPC).

The Data Enrichment Connector (DEC) is a software module that facilitates communication between File Access Manager and an organizational/security system. File Access Manager enables the definition of multiple DECs and uses them to enrich monitored activities with information retrieved from various organizational systems, such as Human Resources or Security Infrastructure.

File Access Manager offers DECs for many commonly used systems including:
- Active Directory
- SailPoint IdentityIQ
- LDAP
- SQL DB