Enable alerts for data deletion (file server)

One symptom of data theft is when a user account reads an unusually large number of files in a short timespan. To capture security incidents, ARM focuses on user-initiated file server events. If these occur in unusually high numbers and additionally in a short period of time, ARM proactively informs all responsible parties.

Create an alert

1. Log in to the Access Rights Manager application.

2. Click Resources in the toolbar.

3. Expand File server. Configured alerts display with a bell symbol.

   

4. Choose an action:

   • Right-click a resource and select Create alert to create a new alert.

   • Right-click a resources and select Manage alerts to customize or delete existing alerts.

5. Under Alert Name, enter a name for this alert configuration.

   

6. Select Event.

   

7. Select the events that trigger an alert.

   For data deletions, select Directory deleted and File deleted.

   

8. (Optional) Create a blacklist that defines all users who are not considered for the alert. Otherwise, go to the next step.

   Each alert configuration has its own blacklist configuration.
   You can only add users, not groups.

   1. Click Blacklist Users.

      

   2. Use the Search function to find the target users.

      

   3. Double-click or drag the directory to the blacklist.

      

   4. Click Apply.

9. (Optional) Create a blacklist that defines all directories that are not considered for the alert. Otherwise, go to the next step.

   1. Click Blacklist Directories.

      

   2. Use the filter function to find the target directories. When you filter, the tree view changes to a result list of the directory paths.

      

   3. Double-click or drag the directory to the blacklist.

      

   4. Click to enable or disable monitoring the subdirectories. To remove a directory from the blacklist, select the directory and press Delete.

   5. Click Apply.

10. Select Threshold.

    

11. Activate the thresholds

    

    1. Set Turn threshold on to On.

    2. Set Caused by the same initiator to Yes.

    3. Define the required number of events to trigger the alert.

    4. Define the period of time (number of seconds) to limit monitoring.

       Your selections display at the bottom of the Threshold window. Your threshold is set.

12. Click Actions.

    

13. Select at least one action that executes when an alert is triggered.

    1. If an email should be sent when an alert is triggered, select the Send email checkbox and complete the fields.

       

       The content of the emails can be customized. This is analogous to the recertification emails.

    2. To write the alert to the Windows Event Log using this categorization, select the Write to Windows event log checkbox.

       

       This option is useful if you are using a security information and event management (SIEM) tool that monitors the Windows Event Log.

    3. To execute a script, select the Execute script checkbox. To activate this option, a script configuration for alerts must be stored.

       

    4. To write the event to a syslog server, select the Write to SysLog checkbox.

       

       The syslog server must be configured in the ARM Configuration application. See Set the syslog servers for instructions.

14. Under Category, click the drop-down menu and select a category used when writing to the Windows Event Log and selecting the email subject.

    This option is useful if you are using a security information and event management (SIEM) tool.

    

15. (Required) Enter a reason for the alert configuration.

    

16. Click Create.

See the following sections for more information.

• Enable alerts for file server directories

• Enable alerts for suspected data theft (file server)

• Enable alerts for suspected cases on ransomware (file server)

• Manage alerts