8MATE FS Logga: Set alerts to file activity

<< Display table of contents >>

Navigation:  Start > Release Notes > 9.0 > Security Monitoring >

8MATE FS Logga: Set alerts to file activity

In order to capture security incidents efficiently, 8MAN takes the user-initiated file server events into view. If these occur in unusually high numbers and additionally in a short period of time, 8MAN proactively informs all responsible persons.

The following possible security incidents are indicated by 8MAN:

Data theft: A user account reads unusually many files in a short period of time ("file read")

Sabotage: A user account deletes very many files in a short period of time ("file delete")

Ransomware attack: The combination of file creation and deletion results from a user account ("file create" & "file delete")


You configure the following events as triggers for alerts:

File read

File written

Directory created

File created

Directory moved/renamed

File moved/renamed

Directory deleted

File deleted

Permission (ACL) changed


Define thresholds based on the frequency of the events as well as the time intervals. Service accounts, administrator accounts and special directories can be excluded via a blacklist from the alert function.


Automatically run a script after an alert

If a file server or Active Directory alert is triggered, 8MAN can then execute a script. This is for example relevant in the following scenario:

A user account is added to the monitored administrator group. An alert is triggered immediately, and the linked script immediately removes the user account from the group. This means that the administrator group is permanently protected from manipulation.


Prioritize alerts

In version 9, you prioritize the alerts according to the categories in the Windows Event Log. In addition, categorized alert emails are sent.



Enable alerts for file server directories

Activate alerts for suspected cases of data theft (file server)

Enable alerts for data erasure (file server)

Activate alerts for suspicious cases on Ransomware (file server)

Run a script after an alert