Enable alerts for data deletion (file server)
Background / Value
To capture security incidents efficiently, ARM focuses on user-initiated file server events. If these occur in unusually high numbers within a short period of time, ARM proactively informs those responsible.
Data deletions: A user account deletes very many files in a short period of time.
Related features
Enable alerts for file server directories
Enable alerts for suspected data theft (file server)
Enable alerts for suspected ransomware cases (file server)
Step-by-step process
- Choose Resources.
- Expand the "file server".
- Already configured alerts are displayed with a bell symbol.
- Right-click on a resource and select "Create alert" in the context menu to create a new alert.
- Right-click a resource and select Manage alerts in the context menu to customize or delete existing alerts.
- Give the alert configuration a name.
- Click Event.
- Define which events trigger an alert. For data deletions typically: Directory deleted and File deleted.
- Optional: Click Blacklist user.
Optional: Use the blacklist to define which users do not trigger an alert.
Each alert configuration has its own blacklist configuration.
You can only add users, not groups.
- Use the search function to find the users you want.
- Use double-click or drag-and-drop to add users to the blacklist.
- Use the "Delete" key to remove users from the blacklist.
- Click "Apply" to save the changes.
- Optional: Click Blacklist directories.
Optional: Use the blacklist to define which directories are not monitored.
- Use the filter function to find the desired directories. When you filter, the tree view changes to a result list of the directory paths.
- Use double-click or drag-and-drop to add directories to the blacklist.
- Use the Delete key to remove directories from the blacklist.
- Enable or disable monitoring of subdirectories.
- Click Apply to save the changes.
- Click Threshold.
- Enable threshold: activate the option.
- Define how many events within a period trigger the alert.
- Choose Actions. Here you specify which actions are executed when an alert is triggered. You must activate at least one action.
- Activate the email option if an email should be sent when the alert is triggered.
The content of the emails can be customized. This is analogous to the recertification emails.
- Enable this option to write the alert to the Windows Event Log. The selected category is used as the event category.
- Enable the execution of a script. To activate this option, a script configuration for alerts must be stored.
- Enable this option to send the event to a syslog server. Syslog servers must be configured in the ARM configuration application under Server > Syslog. This option is especially useful if you are using a SIEM system.
- Choose a category. It is used when writing to the Windows Event Log and for the email subject.
- You must specify a reason for changing an alert configuration in order to save it.
- Click Create.
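The threshold logic these steps configure, as an added example in Python that is not ARM's own code: a sliding-window count of delete events per user that honours the user blacklist, the directory blacklist and the subdirectory toggle. The server name fs01, the paths and the events are constructed for the demo.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Event names that count as data deletion (the "Directory deleted" / "File deleted" choice).
DELETE_EVENTS = {"File deleted", "Directory deleted"}

def in_blacklisted_dir(path, dir_blacklist, include_subdirs):
    """True if path lies in a blacklisted directory; with include_subdirs also any level below it."""
    p = PureWindowsPath(path)
    for b in map(PureWindowsPath, dir_blacklist):
        if p.parent == b or (include_subdirs and b in p.parents):
            return True
    return False

def find_deletion_alerts(events, threshold, period, user_blacklist=(), dir_blacklist=(), include_subdirs=True):
    """Sliding-window threshold: alert when one user reaches `threshold` deletions within `period`.
    events: (timestamp, user, event_name, path) tuples sorted by timestamp.
    Returns (user, first_ts, last_ts) per triggered burst; the window resets after each alert."""
    windows, alerts = defaultdict(deque), []
    for ts, user, name, path in events:
        if name not in DELETE_EVENTS or user in user_blacklist:
            continue  # not a deletion, or the user is blacklisted for this alert
        if in_blacklisted_dir(path, dir_blacklist, include_subdirs):
            continue  # directory excluded from monitoring
        q = windows[user]
        q.append(ts)
        while ts - q[0] > period:  # drop events older than the period
            q.popleft()
        if len(q) >= threshold:
            alerts.append((user, q[0], ts))
            q.clear()  # one alert per burst; a new burst must reach the threshold again
    return alerts

def sample_events():
    """Constructed sample events (hypothetical server fs01, not real audit data)."""
    t0 = datetime(2024, 1, 15, 9, 0, 0)
    mk = lambda sec, user, name, path: (t0 + timedelta(seconds=sec), user, name, path)
    ev = [mk(10 * i, "alice", "File deleted", rf"\\fs01\share\projects\doc{i}.docx") for i in range(5)]
    ev += [mk(i, "backup_svc", "File deleted", rf"\\fs01\share\projects\old{i}.bak") for i in range(10)]
    ev += [mk(i, "carol", "File deleted", rf"\\fs01\share\temp\scratch\tmp{i}.txt") for i in range(6)]
    ev += [mk(300 * i, "dave", "Directory deleted", rf"\\fs01\share\projects\dir{i}") for i in range(3)]
    return sorted(ev, key=lambda e: e[0])

def demo(include_subdirs=True):
    """Threshold 5 within 60 s; backup_svc blacklisted; the temp directory excluded from monitoring."""
    return find_deletion_alerts(sample_events(), threshold=5, period=timedelta(seconds=60),
                                user_blacklist={"backup_svc"}, dir_blacklist=[r"\\fs01\share\temp"],
                                include_subdirs=include_subdirs)
```

With subdirectory monitoring disabled, carol's deletions in the scratch subdirectory are no longer excluded and she triggers an alert as well, which is why the toggle in the directory blacklist matters.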