Policy Triggers
Policy Triggers Configuration
To access Policy Triggers configuration, go to Threat Detection > Policy Triggers.
What are Policy Triggers?
Data Security Essentials Policy Triggers run regularly against the Data Security Essentials database to detect unexpected user behavior. For example, they can notify administrators when:
- A user downloads a large number of files.
- Secure or sensitive information is accessed.
- Suspicious activities, such as ransomware attacks, are detected.
When a Policy Trigger runs, it searches the database for specified user activities and alerts administrators via email. All matching triggers appear in the Threat Detection list.
For Policy Triggers to function correctly, a Data Security Audit policy must be set up to monitor your NAS device and store user activities in the database.
Defining or Editing a Policy Trigger
A Policy Trigger includes the following main parameters:
- Properties
- Actions
- Schedule
- Notifications
To define a new Policy Trigger or edit an existing one, follow these steps:
- Access the Data Security Essentials Policy Triggers list.
- Click Create Trigger to set up a new trigger, or select an existing trigger (built-in or custom) from the list in the left panel to edit or enable it.
- In the Properties tab, define the trigger properties.
- In the Actions tab, set the actions to be taken when the trigger conditions are met.
- In the Schedule tab, choose if and when the trigger should run on a set schedule.
- In the Notification tab, configure how and where notifications will be sent.
- Save changes before selecting another Policy Trigger; otherwise your updates are lost. You can close the editor at any time.
Properties
In the Properties tab, specify the following settings:
- Policy Trigger Name and Description: Define a unique name and description for custom policies.
- Event Types: Select the operations the Policy Trigger should monitor. You can choose to monitor all operations or select specific ones.
- Time Period Options: Set the time period the trigger looks back over each time it runs (for example, the last hour). Only operations that occurred within that period are counted.
- Other criteria: Optionally narrow the match with additional operation details such as file extension, the user who performed the operation, client machine name or IP, path, or file size. These fields are described in the table below; all populated fields must match.
Additional criteria information
Field | Description | Example |
---|---|---|
Minimum Operation Count | The minimum number of matching operations, within the time period, required before the Policy Trigger notifies the administrator. Lower values alert sooner but produce more false positives. | E.g., 1000 for serial deletes |
Minimum File Size | The minimum size a file must have for an operation on it to count toward the trigger. Operations on smaller files are ignored. | E.g., 10 MB for audio files |
Extensions | The file extension the Policy Trigger monitors; only operations on files with that extension match. One extension per trigger; wildcards (* and ?) are supported, so "mp?" matches both mp3 and mp4. | E.g., *.mp3 (or *.exe, but not both in one trigger) |
File or Directory Name | A file or directory name to match. One name per trigger; wildcards are supported, so "*Sales*" matches every file or folder whose name contains Sales. | E.g., *Project_name* to audit the folders of one project |
Path | The path the Policy Trigger monitors; only operations on files or directories under that path match. One path per trigger; wildcards are supported. | E.g., \Compliance\Legal\Legal_hold |
User | The full name of the user the Policy Trigger monitors. Leave this field blank to match operations by all users. Logon/account names and group names are not accepted, only full names. Wildcards (* and ?) are supported. | E.g., "Mark *" matches every user whose full name begins with Mark |
Client System Name or IP | The computer name or IP address the Policy Trigger monitors. Leave this field blank to monitor access from all computers. One computer name or one IP per trigger; wildcards are supported. | E.g., 10.20.2.* matches 10.20.2.0 through 10.20.2.255 |
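The criteria above combine as an AND across the populated fields, with the operation count threshold applied inside the time period. The Python below is an added example (not Data Security Essentials code) that evaluates a trigger of this shape against a handful of constructed audit records. It assumes glob-style wildcards (* and ?) with case-insensitive matching, that Path matches the directory an object lives in or any directory below it, and that Minimum Operation Count is counted per user; the record layout, event names and sample data are all assumptions for illustration.

```python
"""Added example: evaluate a Policy-Trigger-style rule over audit records.

Illustrative code, not the product's implementation. Assumptions: wildcards
are glob-style (* and ?), matching is case-insensitive, Path matches the
directory an object lives in (or any directory below it), and Minimum
Operation Count is applied per user within the time period.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Set


@dataclass
class AuditEvent:
    time: datetime
    event_type: str      # "Read", "Write", "Delete", "Rename", "Create", ...
    user: str            # full name, the form the User criterion matches on
    client: str          # client system name or IP
    path: str            # full NAS path, backslash separated
    size_bytes: int = 0


@dataclass
class PolicyTrigger:
    name: str
    lookback: timedelta                       # Time Period
    event_types: Optional[Set[str]] = None    # None = all operations
    min_operation_count: int = 1
    min_file_size: int = 0                    # bytes
    extension: Optional[str] = None           # one glob, "mp?" or "*.exe"
    name_pattern: Optional[str] = None        # glob on file or directory name
    path: Optional[str] = None                # glob on the containing directory
    user: Optional[str] = None                # glob on full name, "Mark *"
    client: Optional[str] = None              # glob on host or IP, "10.20.2.*"


def _glob(pattern: Optional[str], value: str) -> bool:
    """A blank criterion matches everything; otherwise case-insensitive glob."""
    return pattern is None or fnmatchcase(value.lower(), pattern.lower())


def matches(t: PolicyTrigger, ev: AuditEvent, run_time: datetime) -> bool:
    """Every populated criterion must hold (AND) and the event must be in window."""
    if not (run_time - t.lookback <= ev.time <= run_time):
        return False
    if t.event_types is not None and ev.event_type not in t.event_types:
        return False
    if ev.size_bytes < t.min_file_size:
        return False
    directory, _, name = ev.path.rpartition("\\")
    ext = name.rpartition(".")[2] if "." in name else ""
    # Accept "*.mp3", ".mp3" or "mp?" as the extension criterion.
    ext_pattern = t.extension.lstrip("*.") if t.extension else None
    in_path = (t.path is None or _glob(t.path, directory)
               or _glob(t.path + "\\*", directory))
    return (_glob(ext_pattern, ext) and _glob(t.name_pattern, name) and in_path
            and _glob(t.user, ev.user) and _glob(t.client, ev.client))


def evaluate(t: PolicyTrigger, events: List[AuditEvent],
             run_time: datetime) -> Dict[str, int]:
    """Count matching operations per user; return users at or above the threshold."""
    counts: Dict[str, int] = {}
    for ev in events:
        if matches(t, ev, run_time):
            counts[ev.user] = counts.get(ev.user, 0) + 1
    return {u: n for u, n in counts.items() if n >= t.min_operation_count}


# Constructed sample data (not real audit records).
RUN_AT = datetime(2024, 3, 4, 8, 0)
SAMPLE_EVENTS = [
    AuditEvent(RUN_AT - timedelta(minutes=m), "Delete", "Mark Jones", "10.20.2.15",
               f"\\Finance\\Reports\\q{m}.xlsx", 4096)
    for m in (5, 10, 15, 20, 25)
] + [
    AuditEvent(RUN_AT - timedelta(minutes=2), "Read", "Mark Jones", "10.20.2.15",
               "\\Finance\\Reports\\budget.xlsx", 4096),
    AuditEvent(RUN_AT - timedelta(hours=3), "Delete", "Mark Jones", "10.20.2.15",
               "\\Finance\\Reports\\stale.xlsx", 4096),      # outside the window
    AuditEvent(RUN_AT - timedelta(minutes=10), "Delete", "Anna Lee", "10.20.3.7",
               "\\Finance\\Reports\\old.xlsx", 4096),
]

# A "Serial Deletes"-style trigger: 3 or more deletes by one user in the last hour.
SERIAL_DELETES = PolicyTrigger("Serial Deletes", timedelta(hours=1), {"Delete"},
                               min_operation_count=3)
# Every operation by any user whose full name begins with "Mark ", from any client.
MARK_ALL_OPS = PolicyTrigger("Mark activity", timedelta(hours=1), user="Mark *")
# Spreadsheet deletes under the Reports path coming from the 10.20.3.x subnet.
REPORTS_FROM_SUBNET = PolicyTrigger("Reports from 10.20.3.x", timedelta(hours=1),
                                    {"Delete"}, extension="*.xls?",
                                    path="\\Finance\\Reports", client="10.20.3.*")

if __name__ == "__main__":
    for trig in (SERIAL_DELETES, MARK_ALL_OPS, REPORTS_FROM_SUBNET):
        print(trig.name, evaluate(trig, SAMPLE_EVENTS, RUN_AT))
```

The three-hour-old delete is dropped by the window check, the single delete by Anna Lee stays under the Serial Deletes threshold, and only the subnet-scoped trigger reports her; that is the behaviour to expect when the Minimum Operation Count and the client/path criteria are combined.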
Actions
In the Actions tab, specify which actions to take when a Policy Trigger violation is detected. Multiple actions can be selected:
- Disable User Account: Disables the user's Active Directory account when a match is detected.
- Requirement: The DSES service account must have administrator or Account Operators rights in the domain. Account Operators is the narrower of the two and is the better fit for least privilege.
- Log User Off Workstation: Logs the user off their workstation when a match is detected.
- Requirement: The DSES service account must be a member of the local Administrators group on the user's workstation.
Both actions take effect immediately, so tune the trigger's thresholds and run it with notifications only before enabling them; a false positive disables or logs off a legitimate user.
Schedule
In the Schedule tab, select whether the Policy Trigger runs once or recurrently, and set its start time.
For a recurring Policy Trigger, also select how often it runs; the minimum interval is 5 minutes. Each run notifies the administrator about any behavior matching the trigger that occurred during the trigger's time period (set in the Properties tab), so keep the time period at least as long as the interval or activity between runs is missed.
Notifications
In the Notifications tab, specify the email accounts that receive notifications when the Policy Trigger runs. To add one, open the Add Email Target panel, enter the target name and email address, complete the Notification Type section, and click Add.
Save Changes
You must click Save Changes before selecting another Policy Trigger from the list; otherwise, your changes are lost. You can close the editor at any time.
Default Policy Triggers
Data Security Essentials includes a set of default Policy Triggers that serve as examples of how to use these features effectively. Users can edit these default Policy Triggers to suit their specific needs. Additionally, Data Security Essentials provides three ransomware indicators, which are Policy Triggers specifically designed to enhance ransomware protection.
Policy Trigger | Description |
---|---|
After Hours Access | Discovers operations performed after hours. It runs daily (default 8 am) and analyzes the previous 14 hours, i.e. from 6 pm the day before. For best results, schedule it to run at the start of each working day. |
Disgruntled Employee | Detects whether a user has deleted a large number of files within the last hour. |
Financial Qtr Rpts | Used for financial quarterly reports to discover modifications in the financial reports directory by any user within the last quarter. |
HIPAA Auditing | Identifies suspicious activity in folders containing health information, ensuring HIPAA compliance. Requires specifying the path where HIPAA documents are stored (e.g., vol\docvol\HIPAA ). |
Large File Audit | Notifies when a user creates any file larger than 500MB in a specific directory. |
Ownership Change Audit | Alerts when a user takes ownership of a file or changes its owner. |
Permission Change Audit | Notifies when a user changes the security settings of a file or directory. |
Ransomware Indicator 1 | Detects behavior consistent with creating new versions of files while deleting originals. |
Ransomware Indicator 2 | Identifies activity involving data reading followed by bulk renaming of files. |
Ransomware Indicator 3 | Monitors for activity where data is read and then overwritten on the same files. |
Ransomware Extension | Flags files with extensions commonly associated with ransomware. |
Serial Deletes | Detects if a user has deleted multiple files within the last hour. |
Serial Downloads | Identifies if a user has downloaded many files within the last hour. |
Serial Edits | Tracks if a user has edited numerous files within the last hour. |
Wikileaks | Monitors for behavior similar to Wikileaks incidents, detecting if a user has performed numerous file copies/downloads within the last 30 minutes. |
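Ransomware Indicators 2 and 3 above are sequence rules rather than plain counts: a read of a file followed by a rename (or an overwrite) of the same file by the same user, across many files in a short window. The Python below is an added example of that correlation, not the product's detection logic; it assumes each audit record carries a time, user, operation and path, and that "bulk" means at least `threshold` distinct files per user within the time period. The sample events and the `Op` record layout are constructed for illustration.

```python
"""Added example: read-then-rename / read-then-overwrite correlation.

Illustrative only, not Data Security Essentials code. Assumes each audit
record carries time, user, operation and path, and that "bulk" means at
least `threshold` distinct files per user within the time period.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, NamedTuple, Set, Tuple


class Op(NamedTuple):
    time: datetime
    user: str
    kind: str            # "Read", "Write", "Rename", "Delete", "Create"
    path: str
    new_path: str = ""   # destination for Rename


def read_then(events: Iterable[Op], followed_by: str, lookback: timedelta,
              run_time: datetime, threshold: int) -> Dict[str, int]:
    """Per user, count distinct files that were Read and later hit by
    `followed_by` ("Rename" for indicator 2, "Write" for indicator 3) on the
    same path inside the window. Report users at or above `threshold`."""
    seen_read: Set[Tuple[str, str]] = set()
    hits: Dict[str, Set[str]] = defaultdict(set)
    for ev in sorted(events, key=lambda e: e.time):   # order matters for sequences
        if not (run_time - lookback <= ev.time <= run_time):
            continue
        key = (ev.user, ev.path.lower())
        if ev.kind == "Read":
            seen_read.add(key)
        elif ev.kind == followed_by and key in seen_read:
            hits[ev.user].add(ev.path.lower())
    return {u: len(paths) for u, paths in hits.items() if len(paths) >= threshold}


# Constructed sample: one account reads six documents and renames each one a
# second later (encryptor-like), while another user edits a single memo.
T0 = datetime(2024, 3, 4, 13, 0)
SAMPLE = []
for i in range(6):
    p = f"\\Share\\Docs\\file{i}.docx"
    SAMPLE.append(Op(T0 + timedelta(seconds=2 * i), "Dana Cole", "Read", p))
    SAMPLE.append(Op(T0 + timedelta(seconds=2 * i + 1), "Dana Cole", "Rename",
                     p, p + ".locked"))
SAMPLE += [
    Op(T0 + timedelta(minutes=1), "Anna Lee", "Read", "\\Share\\Docs\\memo.docx"),
    Op(T0 + timedelta(minutes=3), "Anna Lee", "Write", "\\Share\\Docs\\memo.docx"),
    # A rename with no preceding read of that file is not correlated.
    Op(T0 + timedelta(minutes=4), "Anna Lee", "Rename", "\\Share\\Docs\\draft.docx",
       "\\Share\\Docs\\final.docx"),
]
RUN_AT = T0 + timedelta(minutes=30)
WINDOW = timedelta(hours=1)


def indicator_2(events=SAMPLE, run_time=RUN_AT, threshold=5) -> Dict[str, int]:
    """Read followed by bulk rename of the same files."""
    return read_then(events, "Rename", WINDOW, run_time, threshold)


def indicator_3(events=SAMPLE, run_time=RUN_AT, threshold=5) -> Dict[str, int]:
    """Read followed by overwrite of the same files."""
    return read_then(events, "Write", WINDOW, run_time, threshold)


if __name__ == "__main__":
    print("Indicator 2:", indicator_2())   # {'Dana Cole': 6}
    print("Indicator 3:", indicator_3())   # {}
```

Keying on (user, path) is what separates this from a plain Serial Edits count: Anna Lee's unrelated rename of draft.docx is ignored because she never read that file, while Dana Cole's six read-then-rename pairs cross the threshold. The same per-user threshold keeps a single legitimate edit (indicator 3 at the default threshold) silent.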