Version: 1.1.0

Policy Triggers

Policy Triggers Configuration

To access Policy Triggers configuration, go to Threat Detection > Policy Triggers.

What are Policy Triggers?

Data Security Essentials Policy Triggers run regularly against the Data Security Essentials database to detect unexpected user behavior. For example, they can notify administrators when:

  • A user downloads a large number of files.
  • Secure or sensitive information is accessed.
  • Suspicious activities, such as ransomware attacks, are detected.

When a Policy Trigger runs, it searches the database for specified user activities and alerts administrators via email. All matching triggers appear in the Threat Detection list.

note

For Policy Triggers to function correctly, a Data Security Audit policy must be set up to monitor your NAS device and store user activities in the database.

Defining or Editing a Policy Trigger

A Policy Trigger includes the following main parameters:

  • Properties
  • Actions
  • Schedule
  • Notifications

To define a new Policy Trigger or edit an existing one, follow these steps:

  1. Access the Data Security Essentials Policy Triggers list.
  2. Click Create Trigger to set up a new trigger, or select a built-in trigger from the list in the left panel to enable and edit it.
  3. In the Properties tab, define the trigger properties.
  4. In the Actions tab, set the actions to be taken when the trigger conditions are met.
  5. In the Schedule tab, choose if and when the trigger should run on a set schedule.
  6. In the Notification tab, configure how and where notifications will be sent.
  7. Save changes before selecting another Policy Trigger to avoid losing any updates. You can also choose to close at any time.

info

Saving changes is required to retain your updates before moving to another Policy Trigger in the list.

Properties

In the Properties tab, specify the following settings:

  • Policy Trigger Name and Description: Define a unique name and description for custom policies.
  • Event Types: Select the operations the Policy Trigger should monitor. You can choose to monitor all operations or select specific ones.
  • Time Period Options: Set the scanning period to narrow down the data scope.
  • Other criteria: Narrow the match further by operation details such as file extension, the user who performed the operation, the client machine name or IP, the path, or the file size. These fields are described below.

Additional criteria information

  • Minimum Operation Count: The minimum number of operations that must match before the Policy Trigger notifies the user. Example: 1000 for serial deletes.
  • Minimum File Size: The minimum file size for an operation to count toward the Policy Trigger. Example: 10MB for audio files.
  • Extension: The file extension the Policy Trigger monitors; only operations on files with that extension are considered. Only one extension is allowed. Wildcards are supported (e.g., "mp?"). Example: *.mp3 or *.exe.
  • File or Directory Name: A file or directory name to match. Only one name is allowed. Wildcards are supported (e.g., "Sales" matches every file or folder whose name contains "Sales"). Example: *Project_name* to audit the relevant folders.
  • Path: The path the Policy Trigger monitors; only operations on files or directories that reside under that path are considered. Only one path is supported per Policy Trigger. Wildcards are supported. Example: \Compliance\Legal\Legal_hold.
  • User: The full name of the user the Policy Trigger monitors. Leave this field blank to search operations performed by all users. Account names and group names are not accepted; only full names are. Wildcards (* and ?) are supported. Example: "Mark *" matches every user whose full name begins with "Mark ".
  • Client System Name or IP: The computer name or IP the Policy Trigger monitors. Leave this field blank to monitor access from all computers. Only one computer name or one IP is accepted. Wildcards are supported. Example: 10.20.2.* matches every address from 10.20.2.0 through 10.20.2.255.
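To make the criteria concrete, here is an added example (illustrative code, not Data Security Essentials code) that evaluates a trigger's Properties against a handful of constructed audit events the way a scheduled run would: only events inside the look-back period count, every non-blank field must match, and the Minimum Operation Count is applied per user. The event layout, the case-insensitive wildcard matching, the subtree reading of Path and the per-user counting are assumptions of this example; the product's own matching rules are whatever the fields above describe.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Set


@dataclass
class AuditEvent:
    """One stored audit record (assumed layout, not the product's schema)."""
    time: datetime
    operation: str   # "read", "create", "delete", ...
    user: str        # full name, which is what the User field expects
    client: str      # client computer name or IP
    path: str        # directory containing the file
    name: str        # file or directory name
    size: int        # bytes


@dataclass
class PolicyTrigger:
    """The Properties-tab criteria; a blank string or None means 'any'."""
    name: str
    event_types: Optional[Set[str]] = None   # None == all operations
    period: timedelta = timedelta(hours=1)   # Time Period Option (look-back)
    min_count: int = 1                       # Minimum Operation Count
    min_size: int = 0                        # Minimum File Size, in bytes
    extension: str = ""                      # e.g. "*.mp3" or "mp?"
    file_or_dir_name: str = ""               # e.g. "*Project_name*"
    path: str = ""                           # e.g. r"\Compliance\Legal\Legal_hold"
    user: str = ""                           # e.g. "Mark *"
    client: str = ""                         # e.g. "10.20.2.*"


def _wild(pattern: str, value: str, contains: bool = False) -> bool:
    """Blank pattern matches anything; '*' and '?' are wildcards. With
    contains=True a pattern without wildcards matches as a substring, as
    the page says "Sales" does for File or Directory Name (assumed)."""
    if not pattern:
        return True
    if contains and not any(c in pattern for c in "*?"):
        pattern = f"*{pattern}*"
    return fnmatchcase(value.lower(), pattern.lower())


def _path_match(pattern: str, path: str) -> bool:
    """A path without wildcards covers itself and everything beneath it
    (assumed reading of 'reside on the specified path')."""
    if not pattern:
        return True
    pattern = pattern.replace("/", "\\").rstrip("\\").lower()
    path = path.replace("/", "\\").rstrip("\\").lower()
    if any(c in pattern for c in "*?"):
        return fnmatchcase(path, pattern)
    return path == pattern or path.startswith(pattern + "\\")


def matches(t: PolicyTrigger, e: AuditEvent) -> bool:
    """True when one event satisfies every criterion of the trigger."""
    ext = e.name.rsplit(".", 1)[1] if "." in e.name else ""
    return (
        (t.event_types is None or e.operation in t.event_types)
        and e.size >= t.min_size
        and _wild(t.extension.lstrip("*").lstrip("."), ext)   # "*.mp3" -> "mp3"
        and _wild(t.file_or_dir_name, e.name, contains=True)
        and _path_match(t.path, e.path)
        and _wild(t.user, e.user)
        and _wild(t.client, e.client)
    )


def run_trigger(t: PolicyTrigger, events: List[AuditEvent],
                run_time: datetime) -> Dict[str, List[AuditEvent]]:
    """One scheduled run: look back `period` from run_time, keep matching
    events, report each user with at least min_count of them. Counting per
    user is this example's assumption; the per-account Actions imply it."""
    start = run_time - t.period
    per_user: Dict[str, List[AuditEvent]] = {}
    for e in events:
        if start <= e.time <= run_time and matches(t, e):
            per_user.setdefault(e.user, []).append(e)
    return {u: evs for u, evs in per_user.items() if len(evs) >= t.min_count}


MB = 1024 * 1024
RUN_TIME = datetime(2024, 5, 6, 9, 0)


def _ev(h, m, op, user, client, path, name, size=4096):
    return AuditEvent(datetime(2024, 5, 6, h, m), op, user, client, path, name, size)


# Constructed sample: five deletes by one user inside the hour, plus noise.
EVENTS = [
    *[_ev(8, 5 + i, "delete", "Mark Ellis", "10.20.2.17", r"\Shares\Sales", f"q{i}.xlsx") for i in range(5)],
    _ev(7, 30, "delete", "Mark Ellis", "10.20.2.17", r"\Shares\Sales", "old.xlsx"),  # before the look-back
    _ev(8, 10, "delete", "Mark Ellis", "10.30.1.4", r"\Shares\Sales", "q9.xlsx"),    # other subnet
    _ev(8, 21, "delete", "Jane Doe", "10.20.2.5", r"\Shares\Sales", "tmp.xlsx"),     # one delete only
    _ev(8, 30, "create", "Jane Doe", "10.20.2.5", r"\Shares\Media\raw", "take1.mp4", 800 * MB),
    _ev(8, 31, "create", "Jane Doe", "10.20.2.5", r"\Shares\Media\raw", "notes.txt", 2 * MB),
]

SERIAL_DELETES = PolicyTrigger("Serial Deletes", event_types={"delete"}, min_count=5,
                               user="Mark *", client="10.20.2.*")
LARGE_MEDIA = PolicyTrigger("Large File Audit", event_types={"create"}, min_size=500 * MB,
                            extension="mp?", path=r"\Shares\Media")

if __name__ == "__main__":
    for trig in (SERIAL_DELETES, LARGE_MEDIA):
        for user, hits in run_trigger(trig, EVENTS, RUN_TIME).items():
            print(f"{trig.name}: {user} matched {len(hits)} operation(s)")
```

Two details worth noticing when you translate this back to the product's fields: the delete at 07:30 is dropped only because the look-back is one hour, so a longer Time Period Option would count it, and the single delete by the second user never reaches the Minimum Operation Count even though it matches every other field.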

Actions

In the Actions tab, you can specify which actions should be taken if a Policy Trigger violation is detected. Multiple actions can be selected if desired:

  • Disable User Account: Disables the user’s Active Directory account if a match is detected.
    • Requirement: The DSES service account must have administrator or account operator permissions in the domain.
  • Log User Off Workstation: Logs the user off their workstation if a match is detected.
    • Requirement: The DSES service account must belong to the local Administrators group on the user's workstation.

Both actions are taken automatically against the account identified by the match, so confirm that a trigger's criteria are no broader than intended before enabling them: an over-broad trigger disables or logs off legitimate users, and the service account that holds these permissions should be protected as a privileged account.

Schedule

In the Schedule tab, select whether the Policy Trigger runs once or recurrently, and set its start time.

If the Policy Trigger is recurring, select how often it should run. Each run notifies the administrator about any behavior matching the Policy Trigger that occurred during the time period set in the Properties tab. The minimum recurrence interval is 5 minutes. Choose a time period at least as long as the interval between runs, otherwise activity that falls between two runs is never examined; the default After Hours Access trigger, for example, runs daily at 8 am and looks back 14 hours.

Notifications

In the Notifications tab, specify the email accounts that should receive notifications when the Policy Trigger runs. To add an email account, use the Add Email Target panel, where you’ll enter the target name and email address, then complete the Notification Type section before clicking Add.

Save Changes

You must Save Changes before selecting another Policy Trigger from the existing Policy Triggers list; otherwise, you will lose your changes. You may choose to close at any time.

Default Policy Triggers

Data Security Essentials includes a set of default Policy Triggers that serve as examples of how to use these features effectively. Users can edit these default Policy Triggers to suit their specific needs. Additionally, Data Security Essentials provides three ransomware indicators, which are Policy Triggers specifically designed to enhance ransomware protection.

  • After Hours Access: Discovers operations done after hours. It runs daily (default 8 am) and analyzes the past 14 hours. For best results, set it to run at the start of each working day.
  • Disgruntled Employee: Detects whether a user has deleted a large number of files within the last hour.
  • Financial Qtr Rpts: Used for financial quarterly reports; discovers modifications in the financial reports directory by any user within the last quarter.
  • HIPAA Auditing: Identifies suspicious activity in folders containing health information, supporting HIPAA compliance. Requires specifying the path where HIPAA documents are stored (e.g., vol\docvol\HIPAA).
  • Large File Audit: Notifies when a user creates any file larger than 500MB in a specific directory.
  • Ownership Change Audit: Alerts when a user takes ownership of a file or changes its owner.
  • Permission Change Audit: Notifies when a user changes the security settings of a file or directory.
  • Ransomware Indicator 1: Detects behavior consistent with creating new versions of files while deleting the originals.
  • Ransomware Indicator 2: Identifies activity in which data is read and then files are renamed in bulk.
  • Ransomware Indicator 3: Monitors for activity in which data is read and then overwritten on the same files.
  • Ransomware Extension: Flags files with extensions commonly associated with ransomware.
  • Serial Deletes: Detects whether a user has deleted multiple files within the last hour.
  • Serial Downloads: Identifies whether a user has downloaded many files within the last hour.
  • Serial Edits: Tracks whether a user has edited numerous files within the last hour.
  • Wikileaks: Monitors for behavior similar to the Wikileaks incidents, detecting whether a user has performed numerous file copies/downloads within the last 30 minutes.
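The three ransomware indicators describe sequences of operations rather than counts of a single operation, which is what distinguishes them from the threshold triggers above. The following added example (illustrative detection logic, not the product's implementation) correlates each user's read, write, create, delete and rename events over constructed sample data and raises an indicator once three distinct files show the same pattern inside a ten-minute window. The pairing of a created file with a deleted original by name prefix (a.docx followed by a.docx.locked), the window and the threshold are assumptions of the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set


@dataclass
class FileEvent:
    """Minimal audit record for this example (assumed layout)."""
    time: datetime
    user: str
    op: str      # "read", "write", "create", "delete", "rename"
    name: str    # file name before the operation


def ransomware_indicators(events: List[FileEvent],
                          window: timedelta = timedelta(minutes=10),
                          threshold: int = 3) -> Dict[str, Set[str]]:
    """Per user, collect the files whose operations follow one of the three
    indicator patterns within `window`, and report an indicator once at
    least `threshold` distinct files show it."""
    reads = defaultdict(dict)     # user -> {name: last read time}
    created = defaultdict(dict)   # user -> {name: create time}
    deleted = defaultdict(dict)   # user -> {name: delete time}
    hits = defaultdict(lambda: defaultdict(set))  # user -> indicator -> files

    def recent(then: datetime, now: datetime) -> bool:
        return now - then <= window

    for ev in sorted(events, key=lambda e: e.time):
        u, now = ev.user, ev.time
        if ev.op == "read":
            reads[u][ev.name] = now
        elif ev.op == "rename" and ev.name in reads[u] and recent(reads[u][ev.name], now):
            hits[u]["Ransomware Indicator 2"].add(ev.name)   # read, then renamed
        elif ev.op == "write" and ev.name in reads[u] and recent(reads[u][ev.name], now):
            hits[u]["Ransomware Indicator 3"].add(ev.name)   # read, then overwritten
        elif ev.op == "create":
            created[u][ev.name] = now
            # New file whose name extends a recently deleted original (assumed pairing).
            for orig, t in deleted[u].items():
                if recent(t, now) and ev.name != orig and ev.name.startswith(orig):
                    hits[u]["Ransomware Indicator 1"].add(orig)
        elif ev.op == "delete":
            deleted[u][ev.name] = now
            # Original deleted after its "new version" was created.
            for new, t in created[u].items():
                if recent(t, now) and new != ev.name and new.startswith(ev.name):
                    hits[u]["Ransomware Indicator 1"].add(ev.name)

    return {u: {ind for ind, files in inds.items() if len(files) >= threshold}
            for u, inds in hits.items()
            if any(len(files) >= threshold for files in inds.values())}


T0 = datetime(2024, 5, 6, 2, 0)


def _ev(minute: int, user: str, op: str, name: str) -> FileEvent:
    return FileEvent(T0 + timedelta(minutes=minute), user, op, name)


# Constructed sample: two ransomware-like sessions and one ordinary editor.
SAMPLE_EVENTS = (
    # Ransom Bot reads three files, overwrites them (Indicator 3), then drops
    # encrypted copies and deletes the originals (Indicator 1).
    [_ev(i, "Ransom Bot", "read", f"{n}.docx") for i, n in enumerate("abc")]
    + [_ev(3 + i, "Ransom Bot", "write", f"{n}.docx") for i, n in enumerate("abc")]
    + [_ev(6 + i, "Ransom Bot", "create", f"{n}.docx.locked") for i, n in enumerate("abc")]
    + [_ev(9 + i, "Ransom Bot", "delete", f"{n}.docx") for i, n in enumerate("abc")]
    # Eve Example reads three files and then renames each of them (Indicator 2).
    + [_ev(i, "Eve Example", "read", f"{n}.xlsx") for i, n in enumerate("xyz")]
    + [_ev(3 + i, "Eve Example", "rename", f"{n}.xlsx") for i, n in enumerate("xyz")]
    # Jane Doe edits one document and renames an unread draft: below threshold.
    + [_ev(0, "Jane Doe", "read", "report.docx"), _ev(1, "Jane Doe", "write", "report.docx"),
       _ev(2, "Jane Doe", "rename", "draft.docx")]
)

if __name__ == "__main__":
    for user, indicators in ransomware_indicators(SAMPLE_EVENTS).items():
        print(f"{user}: {', '.join(sorted(indicators))}")
```

The threshold and window are the knobs that trade false positives for latency: a lower threshold flags the session after fewer files but also catches an editor doing a normal save-as cycle, as the single read-then-write by the third user shows. Note that the same session would also satisfy the count-based Serial Deletes and Serial Edits triggers above, which is why the default set includes both kinds.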