Enable alerts for data deletion (file server)

Background / Value

To capture security incidents efficiently, 8MAN focuses on user-initiated file server events. If one account produces such events in unusually high numbers within a short period of time, 8MAN proactively notifies the responsible parties.

Data deletion: a single user account deletes a large number of files within a short period of time.

Additional Services

Enable alerts for file server directories

Enable alerts for suspected data theft (file server)

Enable alerts for suspected ransomware (file server)

Run a script after an alert

Manage alerts

Step by step process

[Screenshot C014-01 EN: Alerts for specific directories]

1. Choose Resources.

2. Expand the file server.

3. Resources that already have an alert configured are marked with a bell icon.

4. Right-click a resource and select "Create alert" from the context menu to create a new alert.

5. Right-click a resource and select "Manage alerts" from the context menu to change or delete existing alerts.


[Screenshot C018-01 EN: Alert for data deletions]

1. Give the alert configuration a name.

2. Choose "Event".

3. Define which events trigger the alert. For data deletions these are typically "directory deleted" and "file deleted".

4. Optional: click "Blacklist user".


[Screenshot C014-03 EN: Alerts for specific directories]

Optional:

Use the blacklist to define which users do not trigger the alert.

Each alert configuration has its own blacklist.

You can only add users, not groups. A blacklisted account never triggers this alert, so keep the list short (for example, a service account that runs scheduled clean-up jobs) and review it whenever such accounts change hands.

1. Use the search function to find the users you want.

2. Double-click or drag and drop users to add them to the blacklist.

3. Press the "Delete" key to remove users from the blacklist.

4. Click "Apply" to save the changes.


[Screenshot C014-04 EN: Alerts for specific directories]

Optional: select "Blacklist directories".


[Screenshot C014-05 EN: Alerts for specific directories]

Optional:

Use the blacklist to define which directories are not monitored. Deletions in a blacklisted directory never count towards the alert, so treat every entry as a deliberate blind spot.

1. Use the filter function to find the desired directories. While a filter is active, the tree view changes to a result list of directory paths.

2. Double-click or drag and drop directories to add them to the blacklist.

3. Press the "Delete" key to remove directories from the blacklist.

4. Enable or disable monitoring of the subdirectories of a blacklisted directory.

5. Click "Apply" to save the changes.


[Screenshot C015-02 EN: Alert for suspected data theft]

1. Select "Threshold".

2. Enable the threshold.

3. Activate the option.

4. Define how many events within which period trigger the alert. Set the values against the normal deletion rate of the monitored shares: a threshold that is too low floods the responsible parties with alerts for routine clean-ups, one that is too high lets a short mass deletion go unnoticed.
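The user blacklist, directory blacklist and threshold described above combine into one rule: count the selected deletion events per account, ignore blacklisted accounts and excluded directories, and raise the alert when the count within the period reaches the threshold. The following Python script is an added example that emulates that rule over constructed sample events; it is not 8MAN code, and the account names, share paths, event records, threshold and period are all assumptions made for the illustration.

```python
"""Sliding-window emulation of an 8MAN-style data-deletion alert.

Added example, not 8MAN code: the event records, blacklists and
threshold values are constructed for illustration; how 8MAN stores or
evaluates them internally is not documented on this page.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Event types that count towards the alert, matching the selection
# "file deleted" and "directory deleted" in the alert configuration.
TRIGGER_EVENTS = {"file deleted", "directory deleted"}


@dataclass(frozen=True)
class FsEvent:
    time: datetime
    user: str    # account in DOMAIN\name form (constructed)
    event: str   # e.g. "file deleted"
    path: str    # UNC path of the affected file or directory


@dataclass(frozen=True)
class AlertConfig:
    name: str
    threshold: int            # this many counted events ...
    period: timedelta         # ... within this period raise the alert
    blacklist_users: frozenset = frozenset()  # accounts that never trigger it
    blacklist_dirs: tuple = ()                # directories not monitored
    exclude_subdirs: bool = True              # exclusion also covers subdirectories


def in_blacklisted_dir(path, blacklist_dirs, exclude_subdirs=True):
    """True if the object sits directly in a blacklisted directory or,
    with exclude_subdirs, anywhere below one. PureWindowsPath compares
    case-insensitively, as NTFS paths do."""
    p = PureWindowsPath(path)
    for d in blacklist_dirs:
        bd = PureWindowsPath(d)
        if p.parent == bd:
            return True
        if exclude_subdirs and bd in p.parents:
            return True
    return False


def evaluate(events, cfg):
    """Replay events in time order; return one (user, time, count) alert
    per burst in which a user's counted events reach cfg.threshold
    within cfg.period. The window is cleared after an alert so a long
    burst yields one alert rather than one per additional event."""
    blocked = {u.lower() for u in cfg.blacklist_users}
    windows = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e.time):
        if ev.event not in TRIGGER_EVENTS or ev.user.lower() in blocked:
            continue
        if in_blacklisted_dir(ev.path, cfg.blacklist_dirs, cfg.exclude_subdirs):
            continue
        window = windows[ev.user]
        window.append(ev.time)
        while ev.time - window[0] > cfg.period:   # drop events older than the period
            window.popleft()
        if len(window) >= cfg.threshold:
            alerts.append((ev.user, ev.time, len(window)))
            window.clear()
    return alerts


# Constructed sample configuration and events (assumed names and paths).
SAMPLE_BASE = datetime(2024, 3, 1, 9, 0, 0)
SAMPLE_CONFIG = AlertConfig(
    name="Mass deletion on FS01",
    threshold=5,
    period=timedelta(minutes=5),
    blacklist_users=frozenset({r"CORP\svc-cleanup"}),
    blacklist_dirs=(r"\\fs01\share\tmp",),
)


def _burst(user, event, path_fmt, n, step_s):
    """n events of one type by one user, step_s seconds apart."""
    return [FsEvent(SAMPLE_BASE + timedelta(seconds=i * step_s), user, event, path_fmt.format(i))
            for i in range(n)]


# One real burst, one blacklisted service account, one user working in an
# excluded scratch directory plus two ordinary deletions, and a read event.
SAMPLE_EVENTS = (
    _burst(r"CORP\jdoe", "file deleted", r"\\fs01\projects\q1\report{}.docx", 6, 10)
    + _burst(r"CORP\svc-cleanup", "file deleted", r"\\fs01\projects\old\backup{}.bak", 10, 5)
    + _burst(r"CORP\asmith", "file deleted", r"\\fs01\share\tmp\sub\scratch{}.tmp", 8, 7)
    + _burst(r"CORP\asmith", "file deleted", r"\\fs01\share\docs\note{}.txt", 2, 60)
    + [FsEvent(SAMPLE_BASE, r"CORP\jdoe", "file read", r"\\fs01\projects\q1\plan.xlsx")]
)


def run_sample():
    return evaluate(SAMPLE_EVENTS, SAMPLE_CONFIG)


if __name__ == "__main__":
    for user, when, count in run_sample():
        print(f"ALERT {SAMPLE_CONFIG.name}: {user} deleted {count} objects by {when:%H:%M:%S}")
```

Running the script reports a single alert for CORP\jdoe at the fifth deletion. The service account's deletions are skipped because it is blacklisted, and the eight deletions under \\fs01\share\tmp are skipped because that directory is excluded together with its subdirectories; with exclude_subdirs set to False only objects directly in the directory would be ignored. Clearing the window after an alert is a design choice of this example, giving one alert per burst instead of one per further deletion.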


[Screenshot C014-06 EN: Alerts for specific directories]

1. Choose "Actions". Here you specify which actions are executed when the alert is triggered. You must activate at least one action (arrows in the screenshot).

2. Activate the option if an email should be sent when the alert is triggered. The content of the emails can be customized in the same way as the recertification emails.

3. Activate the option to write the alert to the Windows Event Log. The category of the alert configuration is used for the event. This option is especially useful if you forward the event log to a SIEM system, where the deletion alert can be correlated with other sources.

4. Enable the execution of a script. To activate this option, a script configuration for alerts must already be stored.


[Screenshot C014-07 EN: Alerts for specific directories]

Choose a category.

The category is used when writing to the Windows Event Log and as part of the email subject.


[Screenshot C014-08 EN: Alerts for specific directories]

1. You must specify a reason for the alert configuration in order to save it.

2. Click "Apply".