GAT for Enterprise
GAT for Education
Popular Search security officergatdelegated auditor
View Categories

Alert Rules in Shield

Table of Contents

Introduction #

GAT Shield provides an extensive way to alert admins and delegated auditors to certain behaviors in their domain and web activity.

By deploying the extension to the web browser, Shield is able to monitor the browser, report back, and take action on any alerts configured by the admin/auditor.

Alert Rules #

Navigate to Shield > Configuration > Alert Rules > Add a rule 

There are a number of different types of alerts available. Click the option below to skip to the specific configuration for the type of alert rule you are setting.

  • Device
  • Device user/owner mismatch
  • Download
  • Page content inspection
  • IP address
  • Location
  • Search
  • Upload
  • Visit

Alternatively, you can  Add from a template.

Most of the options are the same for every alert rule, though some have a few minor differences, depending on the Type of rule you select.

The screenshot depicts the 'Alerts' section in GAT Shield, specifically the 'Rules' sub-section and shows an arrow pointing to a dropdown menu arrow. The dropdown menu reveals the 'from template' option with an arrow suggesting that this option should be selected to 'Create a new alert rule from a template.

Alert Rule Types #

File download #

This alert allows the Admin to get alerted about specific file download activity, with the option to cancel the download if desired.

The screenshot shows the first option after 'From template' is selected. It depicts the a drop downmenu under the Type section. The 'Type' is set to 'File download'. There is a second dropdown, lower down on the page with the 'Template' heading. The template is set to Executable download.

To set up the rule, configure the options below. The alert rule wizard will guide you through the process step by step. Here’s what all the options mean. If you get stuck, you can click the (i) info button for more information on a specific heading.

The first modal in the wizard is the same for all alert rules.

The screenshot depicts, the first modal in the wizard for setting up an alert rule with GAT Shield. It has one arrow pointing to the Action dropdown menu, indicating that the admin must choose an action. It ha second arrow pointing to the default severity option, indicating that the user must choose the severity. There is a 'Next' button at the bottom left corner of the modal to move onto the next section of the alert rule creation modal. There is an 'x' button in the top right corner if the user wants to exit the alert rule configuration wizard.

Here you can specify:

  • Alert rule name – You can change the name of the alert rule
  • Action
    • Show warning – Displays a warning message to the end user who violated the rule
    • Close – Displays a warning message and closes the browsing tab.
    • Close without warning – Close the browser tab without a message.
    • Redirect – The end user who violated the rule will be redirected to another web page of your choosing. They will also receive a pop-up notification about what happened
    • Redirect without warning – The end user who violated the rule will be redirected to another web page of your choosing.
    • None – The end user will not be made aware that they are in violation of your alert rule
  • Default severity – Choose ‘High’, ‘Low’, or choose not to specify, this will be shown on the alert notification and also the email if you choose to send one later

When you are finished, click Continue, and the next page of the modal will be shown.

The second part of the modal is also the same for every type of alert rule. This is when you define the scope of users to be included in the alert rule.

The screenshot shows the 2nd section of the rule creation wizard modal, the Scope section. This allows you to decide which accounts the rule should run on. There is an annotated arrow, pointing to the first field at the top of the modal. The field has 'All users' selected, and it's a dropdown menu that allows you to narrow the scope. There is some annotated text on the page. It says 'Select all users, an OU or group of users, or a select few individual users' The midsection of the 'Scope' section of the modal has a 'Rule Exclusions' heading. Under the heading it reads 'Excluded addresses' with fields for 'Account' and 'OU'. The annotated test reads 'You may exclude some accounts, within the selected scope, from triggering the rule'. The 'selected scope' is what was configured at the top of the modal.

Here you can specify:

  • Scope – Account, group, or OU to run the alert on
  • Rule Exclusions 
    • Excluded addresses – Exclude certain accounts from having the rule on them
    • Excluded websites, URLs – Exclude certain sites from the rule.
    • Active only on selected websites, URLs– Alert only when a user breaks the rule on some of the websites listed.
  • Time Restrictions – Run the rule during specific days and times only
  • Time Zone slider – If enabled, the local user’s timezone will be used for checking if they are within the time restriction. Otherwise, the timezone from the General configuration will be used.

Now, select which users from your domain the rule should run on, and exclude any user you would prefer that the rule not run on.

By default, the rule will be active while the users within the scope are on any website on the internet.

You have the option to decide if this rule should run on a particular set of sites only, or if you would like to exclude the rule from triggering while the users are on a particular site. You can come back to this section and amend the site exclusions later, if you find your rule is triggering on a site that you feel is not worthy of this alert.

You also have the option to run this rule within certain times of day only. Configure the time restrictions if you feel it is necessary. By default, if you choose not to set the time restrictions, the rule will run all the time.

When you are finished, click ‘Continue’ in the bottom right corner of the modal.

The image depicts the time restrictions part of the alert rule creation modal, this is still within the scope section. It is below the scope selection itself, and also below the Rule Exclusions section, which is minimised. The time restriction is set for Monday 09:00 to 18:00, below that is Tuesday 09:00 to 18:00 and below that is Wednesday 09:00 to 18:00, and below that in the centre is a the '+ Add: Time Restriction' button, to allow you to include more days and times. The whole 'Time restrictions' section is highlighted with an orange border around it, indicating it is the main focus of the picture. Each time restriction has a red trash can icon button beside it, indicated that each time restriction can be deleted individually. Down at the bottom of the time restrictions section and inline with the '+ Add: Time Restriction' button, to the right of it, there is another red trash can button with the red text reading 'Remove all', indicating that all the time restrictions can be removed at once. Below the time restrictions section and outside of the orange border, there is another section called Time zone' which has a single switch labelled 'Use local time zone'. At the very bottom, to the right hand side, is the blue oval shaped 'Continue' button to continue on to the next part of the wizard.

The configuration section will be different depending on he type of alert rule you selected. Click below to find the one you choose

  • Device
  • Device user/owner mismatch
  • Download
  • Page content inspection
  • IP address
  • Location
  • Search
  • Upload
  • Visit

Download #

First, select one of the ‘Mode’ options; the options available to change will differ, depending on your choice.

Here you can specify:

  • Mode – Choose to have the alert trigger when
    • A particular type of file is downloaded
    • A file is over a particular size
    • A file is both of a certain type and is greater than the defined size
  • File extension – The type of file that you want to be alerted on by giving the ‘dot’ extension name – exe, doc, docx, html, PDF, XLS, XLSX etc ). Just enter the file extension without the dot beforehand
  • File size – Minimum sizes of the file download, before the alert will trigger – you select your own unit type
  • Cancel/delete download – Decide if, in addition to the alert being triggered, if the download itself should be cancelled for the user.

First, select one of the ‘Mode’ options; the options to select will differ, depending on your choice.

If your mode includes ‘File extensions’, you can add as many different file extensions as you wish; just click the ‘Add extensions’ button to add more. Don’t put them all in one field, or it won’t work. You can use the trash can icon to remove a file extension if you make a mistake and need to delete a field.

If your mode includes File Size, you will see the option to select the minimum size of file that is downloaded is, before the alert will trigger. You may choose what units you write the number in from the dropdown menu.

If the cancel download option is selected, the file will be removed automatically by GAT Shield, and the user will never have the file stored locally on their machine.

An example of the alert rule triggering, from the end users perspective, with the notification set to be shown to the user, and the cancel download slider enabled, is shown below.

 

Page Content Inspection #

The Page Content Inspection alert notifies the admin if a user visits a page that contains certain words or phrases. The admin can also use a regular expression (regex) to detect a string of a certain format, so this alert can also be used to detect Personally Identifiable Information on a webpage such as a Social Security Number, a medical record, a credit card number, or anything else you can think of, where the string has a specific format (ask the GAT Team for help if you have a specific type of format that you want to match.

Here you can specify:

  • Mode – 
    • Scan page content and user input – The alert triggers when the target word/phrase/string simply appears on a webpage that the user visits
    • Scan only user input – A less aggressive mode, where the alert will only trigger when the target word/phrase/string appears on a page, and the user is also typing something on that same page.

To set up the rule, configure the options below:

  • Alert rule name – Alert rule name.
  • Active – Toggle to activate/deactivate the rule.
  • Page content inspection Regex – enter words to trigger in a regex format.
  • Distinct uppercase and lowercase letters – toggle to activate.
  • Scan and alert on entire page – toggle to activate scan on user input AND user visit/load pages. By default, this option is unchecked and scans only on user input (typing).
  • Regex word exclusions – words to exclude in a regex format.
  • Page Keywords – Add words to trigger on any webpage.
  • Alert trigger threshold – The minimum number of words to trigger an alert.
  • Time restriction – If enabled, the local user’s timezone will be used for checking. Otherwise, the timezone from General Configuration will be used.
  • Notification interval – Time interval in minutes after which the notification about subsequent rule violations by the user will be sent. If empty, the default value will be used.
  • Report matched text – Include the triggered text in the notification.
  • Monitor on the following sites only 
  • Site exclusions -Sites to be excluded from the rule.
  • Scope – Users’ email or Org. unit to be monitored.
  • Scope exclusions – Users’ email or Org. unit to be excluded from the rule.
  • End-user action,
    • Display a warning message.
    • Display a warning message and close the browsing tab.
    • Display a warning message and redirect.
    • Close the browser tab without a message.
    • Redirect without a message.
    • None.
  • warning message – warning message to display
  • Alert recipients – Recipients for the alert in place. This can be a user or group email.
  • Screen capture – Screenshot of the screen where the alert triggered.
  • Webcam capture – the capture of the webcam on the device (access must be pre-configured in the admin console).

Visit #

This alert allows admins/auditors to trigger an alert on any websites visited that are configured in the alert rule.

To set up the rule configure the options below,

  • Alert rule name – Alert rule name.
  • Active – Toggle to activate/disactivate rule.
  • Check page URL proximity – Toggle to activate a trigger when any site visited is not matched with the site list. (for authenticity)
  • Page URL regex -enter page URLs to trigger in a regex format.
  • Report site name – Toggle to send the site name in the trigger notification.
  • Time restriction – If enabled, the local user timezone will be used for checking. Otherwise, the timezone from General Configuration will be used.
  • Notification interval – Time interval in minutes after which the notification about subsequent rule violations by the user will be sent. If empty, the default value will be used.
  • Scope – Users’ email or Org. unit to be monitored.
  • Scope exclusions – Users’ email or Org. unit to be excluded from the rule.
  • End-user action,
    • Display warning message.
    • Display a warning message and close the browsing tab.
    • Display warning message and redirect.
    • Close the browser tab without a message.
    • Redirect without a message.
    • None.
  • warning message – warning message to display
  • Alert recipients – Recipients for the alert in place. This can be a user or group email.
  • Screen capture – Screenshot of the screen where the alert triggered.
  • Webcam capture – the capture of the webcam on the device (access must be pre-configured in the admin console).

Search #

This alert allows admins/auditors to trigger an alert on any search words input on any webpage.

To set up the rule configure the options below,

  • Alert rule name – Alert rule name.
  • Active – Toggle to activate/disactivate rule.
  • Search term – Enter search words to trigger.
  • Search term regex -enter search words to trigger in a regex format.
  • Distinct uppercase and lowercase letters – toggle to activate.
  • Report site name – Toggle to send the site name in the trigger notification.
  • Time restriction – If enabled, the local user timezone will be used for checking. Otherwise, the timezone from General Configuration will be used.
  • Notification interval – Time interval in minutes after which the notification about subsequent rule violations by the user will be sent. If empty, the default value will be used.
  • Monitor on the following sites only 
  • Site exclusions -Sites to be excluded from the rule.
  • Scope – Users’ email or Org. unit to be monitored.
  • Scope exclusions – Users’ email or Org. unit to be excluded from the rule.
  • End-user action,
    • Display warning message.
    • Display a warning message and close the browsing tab.
    • Display warning message and redirect.
    • Close the browser tab without a message.
    • Redirect without a message.
    • None.
  • Warning message – warning message to display
  • Alert recipients – Recipients for the alert in place. This can be a user or group email.
  • Screen capture – Screenshot of the screen where the alert triggered.
  • Webcam capture – the capture of the webcam on the device (access must be pre-configured in the Admin console).

Device Usage #

This alert allows admins/auditors to receive an alert if a device appears to be active again, particularly useful for missing devices.

To set up the rule configure the options below,

  • Alert rule name – Alert rule name.
  • Active – Toggle to activate/disactivate rule.
  • User OR device – Users or devices to cover with this rule.
  • Notification interval – Time interval in minutes after which the notification about subsequent rule violations by the user will be sent. If empty, the default value will be used.
  • End-user action,
    • Display warning message.
    • Display a warning message and close the browsing tab.
    • Display warning message and redirect.
    • Close the browser tab without a message.
    • Redirect without a message.
    • None.
  • Warning message – warning message to display
  • Alert recipients – Recipients for the alert in place. This can be a user or group email.
  • Screen capture – Screenshot of the screen where the alert triggered.
  • Webcam capture – The capture of the webcam on the device. (access must be preconfigured in the admin console).

Location #

This alert allows admins/auditors to trigger an alert if users are outside a specified location.

To set up the rule configure the options below:

  • Alert rule name – Alert rule name.
  • Active – Toggle to activate/deactivate rule.
  • Location Bounds – select an area on the map that will define the non-triggerable location.
  • Time restriction – If enabled, the local user timezone will be used for checking. Otherwise, the timezone from General Configuration will be used.
  • Notification interval – Time interval in minutes after which the notification about subsequent rule violations by the user will be sent. If empty, the default value will be used.
  • Scope – Users’ email or Org. unit to be monitored.
  • Scope exclusions – Users’ email or Org. unit to be excluded from the rule.
  • End-user action,
    • Display warning message.
    • Display a warning message and close the browsing tab.
    • Display warning message and redirect.
    • Close the browser tab without a message.
    • Redirect without a message.
    • None.
  • Warning message – warning message to display
  • Alert recipients – Recipients for the alert in place. This can be a user or group email.
  • Screen capture – Screenshot of the screen where the alert triggered.
  • Webcam capture – the capture of the webcam on the device. (access must be preconfigured in the admin console).

IP Address #

This alert allows admins/auditors to trigger an alert if users either match the specified IP addresses or mismatch.

To set up the rule, configure the options below:

  • Alert rule name – Alert rule name.
  • Active – Toggle to activate/deactivate rule.
  • IP Addresses – IP addresses to be considered in the rule.
  • Mode – Toggle for a match or no-match mode.
  • Time restriction – If enabled, the local user timezone will be used for checking. Otherwise, the timezone from General Configuration will be used.
  • Notification interval – Time interval in minutes after which the notification about subsequent rule violations by the user will be sent. If empty, the default value will be used.
  • Scope – Users’ email or Org. unit to be monitored.
  • Scope exclusions – Users’ email or Org. unit to be excluded from the rule.
  • End-user action,
    • Display a warning message.
    • Display a warning message and close the browsing tab.
    • Display warning message and redirect.
    • Close the browser tab without a message.
    • Redirect without a message.
    • None.
  • Warning message – warning message to display
  • Alert recipients – Recipients for the alert in place. This can be a user or group email.
  • Screen capture – Screenshot of the screen where the alert triggered.
  • Webcam capture – the capture of the webcam on the device. (access must be preconfigured in the admin console).

Denoted User/Last User Mismatch #

This alert rule allows admins/auditors to trigger an alert whenever someone who is not the designated user of the device is using the device.

This feature uses a variety of information gathered from Shield to determine if the identity of the denoted user and the user actually using the device at hand match  (particularly Chromebooks assigned to a certain user).

  • Notification interval – Time interval in minutes after which the notification about subsequent rule violations by the user will be sent. If empty, the default value will be used.
  • Site exclusions – Exclude certain sites from the rule.
  • Scope exclusions – Users’ email or Org. unit to be excluded from the rule.
  • Warning message – warning message to display.
  • Alert recipients – Recipients for the alert in place.
  • Screen capture – Screenshot of the screen where the alert triggered.
  • Webcam capture – the capture of the webcam on the device (access must be pre-configured in the admin console).
GAT Shield
Did you find this article helpful?

Audit. Manage. Protect.

Google Workspace Marketplace badge

PRODUCT

USE CASES

COMPANY

© Copyright 2010 – 2024 | All Rights Reserved | Powered by General Audit Tool

Twitter Youtube Linkedin

LIVE EVENT

Join Us for a Training Session

For customers and current trials.

View the calendar & register

This website uses cookies to ensure you get the best experience on our website

Accept all