
Alert Rules in Shield

Introduction

GAT Shield provides an extensive way to alert admins and delegated auditors on certain behaviors in their domain and web activity.

By deploying the extension to the web browser, Shield is able to monitor the browser, report back and take action on any alerts configured by the admin/auditor.

Alert Rules

Navigate to Shield > Configuration > Alert Rules > Add a rule.

There are a number of different types of alerts available:

  • File download
  • Page content inspection
  • Google docs inspection
  • Visit
  • Search
  • Device usage
  • Location
  • IP Address
  • Active ID
  • Denoted user/last user mismatch
  • Upload Alert

Alternatively, you can Add from a template.

Most of the options are the same for every alert rule, though some have a few minor differences, depending on the Type of rule you select.

The screenshot depicts the 'Alerts' section in GAT Shield, specifically the 'Rules' sub-section, and shows an arrow pointing to a dropdown menu arrow. The dropdown menu reveals the 'from template' option, with an arrow suggesting that this option should be selected to 'Create a new alert rule from a template'.

Alert Rule Types

File download

This alert allows the Admin to get alerted about specific file download activity, with the option to cancel the download if desired.

The screenshot shows the first option after 'From template' is selected. It depicts a dropdown menu under the Type section. The 'Type' is set to 'File download'. There is a second dropdown, lower down on the page, with the 'Template' heading. The template is set to Executable download.

To set up the rule, configure the options below. The alert rule wizard will guide you through the process step by step; here’s what all the options mean. If you get stuck, you can click the (i) info button for more information on a specific heading.

The first modal in the wizard is the same for all alert rules.

The screenshot depicts the first modal in the wizard for setting up an alert rule with GAT Shield. One arrow points to the Action dropdown menu, indicating that the admin must choose an action. A second arrow points to the default severity option, indicating that the user must choose the severity. There is a 'Next' button at the bottom left corner of the modal to move on to the next section of the alert rule creation modal. There is an 'x' button in the top right corner if the user wants to exit the alert rule configuration wizard.

Here you can specify:

  • Alert rule name – You can change the name of the alert rule
  • Action
    • Show warning – Displays a warning message to the end user that violated the rule
    • Close – Displays a warning message and closes the browsing tab.
    • Close without warning – Closes the browser tab without a message.
    • Redirect – The end user that violated the rule will be redirected to another web page of your choosing. They will also receive a popup notification about what happened.
    • Redirect without warning – The end user that violated the rule will be redirected to another web page of your choosing.
    • None – The end user will not be made aware that they are in violation of your alert rule.
  • Default severity – Choose ‘High’, ‘Low’, or choose not to specify. This will be shown on the alert notification and also in the email if you choose to send one later.
  • File extensions – Enter the type of file that you want to be alerted on by giving the ‘dot’ extension name (exe, doc, docx, html, htpm, PDF, XLS, XLSX, etc.). Click the
  • File size – Minimum file size to detect (Bytes, Kilobytes, Megabytes, Gigabytes).
  • Cancel/delete download – Toggle to cancel/delete download.
  • Report file name – Include file name and MIME type in the alert.
  • Time restriction – If enabled, the local user timezone will be used for checking. Otherwise, the timezone from General Configuration will be used.
  • Notification interval – Time interval in minutes after which the notification about subsequent rule violations by the user will be sent. If empty, the default value will be used.
  • Monitor on the following sites only – Monitor an exclusive list of sites.
  • Site exclusions – Exclude certain sites from the rule.
  • Scope – Users’ email or Org. unit to be monitored.
  • Scope exclusions – Users’ email or Org. unit to be excluded from the rule.
  • Warning message – warning message to display.
  • Alert recipients – Recipients for the alert in place.
  • Screen capture – Screenshot of the screen where the alert triggered.
  • Webcam capture – the capture of the webcam on the device (access must be pre-configured in the admin console).

Page Content Inspection

This alert allows admins/auditors to trigger an alert on any words specified in the rule for any webpage.

To set up the rule, configure the options below:

  • Alert rule name – Alert rule name.
  • Active – Toggle to activate/deactivate rule.
  • Page content inspection Regex – enter words to trigger in a regex format.
  • Distinct uppercase and lowercase letters – toggle to activate.
  • Scan and alert on entire page – toggle to activate scan on user input AND user visit/load pages. By default, this option is unchecked and scans only on user input (typing).
  • Regex word exclusions – words to exclude in a regex format.
  • Page Keywords – Add words to trigger on any webpage.
  • Alert trigger threshold – The minimum number of words to trigger an alert.
  • Time restriction – If enabled, the local user timezone will be used for checking. Otherwise, the timezone from General Configuration will be used.
  • Notification interval – Time interval in minutes after which the notification about subsequent rule violations by the user will be sent. If empty, the default value will be used.
  • Report matched text – Include the triggered text in the notification.
  • Monitor on the following sites only
  • Site exclusions – Sites to be excluded from the rule.
  • Scope – Users’ email or Org. unit to be monitored.
  • Scope exclusions – Users’ email or Org. unit to be excluded from the rule.
  • End-user action:
    • Display warning message.
    • Display a warning message and close the browsing tab.
    • Display warning message and redirect.
    • Close the browser tab without a message.
    • Redirect without a message.
    • None.
  • Warning message – warning message to display.
  • Alert recipients – Recipients for the alert in place. This can be a user or group email.
  • Screen capture – Screenshot of the screen where the alert triggered.
  • Webcam capture – the capture of the webcam on the device (access must be pre-configured in the admin console).
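A Page Content Inspection rule can be dry-run against sample text before it is activated, to see how the regex, the exclusions, the case toggle and the threshold interact. The following is an added example, not GAT Shield code; the way the options are combined here (each regex hit counts as one word, excluded hits are dropped, the rule fires at the threshold) is an assumption, and the rule and page text are constructed.

```javascript
// Added example, not GAT Shield code. Assumed semantics: every trigger-regex
// hit is one "word"; hits matching the exclusion regex are dropped; the rule
// fires once the remaining hits reach the alert trigger threshold.
function dryRunContentRule(rule, pageText) {
  // "Distinct uppercase and lowercase letters" off => case-insensitive match.
  const trigger = new RegExp(rule.triggerRegex, rule.caseSensitive ? "g" : "gi");
  const exclude = rule.exclusionRegex
    ? new RegExp(rule.exclusionRegex, rule.caseSensitive ? "" : "i")
    : null;

  const matched = [];
  for (const m of pageText.matchAll(trigger)) {
    if (m[0] === "") continue;                   // skip empty matches (e.g. "a*")
    if (exclude && exclude.test(m[0])) continue; // excluded word, not counted
    matched.push(m[0]);
  }
  return { matched, fires: matched.length >= rule.threshold };
}

// Constructed rule and page text for the dry run.
const SAMPLE_RULE = {
  triggerRegex: "\\b(?:confidential|secret)\\w*",
  exclusionRegex: "^(?:secretary|confidentiality)$",
  caseSensitive: false,
  threshold: 2,
};
const SAMPLE_PAGE =
  "The secretary signed the confidentiality notice. " +
  "This file is CONFIDENTIAL and holds a Secret key.";

// Same rule evaluated with the case toggle off and on.
function compareCaseModes() {
  return {
    insensitive: dryRunContentRule(SAMPLE_RULE, SAMPLE_PAGE),
    sensitive: dryRunContentRule({ ...SAMPLE_RULE, caseSensitive: true }, SAMPLE_PAGE),
  };
}
console.log(JSON.stringify(compareCaseModes(), null, 2));
```

With the case toggle on, the same lowercase pattern no longer counts "CONFIDENTIAL" or "Secret", so the rule stays silent on this text.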

Visit

This alert allows admins/auditors to trigger an alert on any websites visited that are configured in the alert rule.

To set up the rule, configure the options below:

  • Alert rule name – Alert rule name.
  • Active – Toggle to activate/deactivate rule.
  • Check page URL proximity – Toggle to activate a trigger when any site visited is not matched with the site list (for authenticity).
  • Page URL regex – Enter page URLs to trigger in a regex format.
  • Report site name – Toggle to send the site name in the trigger notification.
  • Time restriction – If enabled, the local user timezone will be used for checking. Otherwise, the timezone from General Configuration will be used.
  • Notification interval – Time interval in minutes after which the notification about subsequent rule violations by the user will be sent. If empty, the default value will be used.
  • Scope – Users’ email or Org. unit to be monitored.
  • Scope exclusions – Users’ email or Org. unit to be excluded from the rule.
  • End-user action:
    • Display warning message.
    • Display a warning message and close the browsing tab.
    • Display warning message and redirect.
    • Close the browser tab without a message.
    • Redirect without a message.
    • None.
  • Warning message – warning message to display.
  • Alert recipients – Recipients for the alert in place. This can be a user or group email.
  • Screen capture – Screenshot of the screen where the alert triggered.
  • Webcam capture – the capture of the webcam on the device (access must be pre-configured in the admin console).
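A candidate Page URL regex can be checked against URLs that should and should not raise a Visit alert before the rule is saved. The following is an added example, not GAT Shield code; it assumes the pattern is searched anywhere in the full URL string, which this page does not state, and the URLs and patterns are constructed using reserved .example and .test names.

```javascript
// Added example, not GAT Shield code. Assumption: the rule's pattern is
// searched anywhere in the full URL string, case-insensitively.
function auditUrlRegex(pattern, cases) {
  const re = new RegExp(pattern, "i");
  const falsePositives = []; // alerts raised for URLs that should be ignored
  const misses = [];         // URLs that should alert but do not
  for (const { url, shouldTrigger } of cases) {
    const hit = re.test(url);
    if (hit && !shouldTrigger) falsePositives.push(url);
    if (!hit && shouldTrigger) misses.push(url);
  }
  return { falsePositives, misses };
}

// Constructed cases: the rule is meant to cover files.example and its subdomains.
const CASES = [
  { url: "https://files.example/share/abc", shouldTrigger: true },
  { url: "https://cdn.files.example/x.zip", shouldTrigger: true },
  { url: "https://filesXexample.test/", shouldTrigger: false },          // "." matched any char
  { url: "https://news.test/?ref=files.example", shouldTrigger: false }, // name only in query
  { url: "https://files.example.evil.test/", shouldTrigger: false },     // different host
];

// Unescaped dot, no anchoring: matches far more than the intended host.
const LOOSE = "files.example";
// Escaped dots, anchored to scheme and host, optional subdomain and port.
const ANCHORED = "^https?://(?:[^/?#]+\\.)?files\\.example(?::\\d+)?(?:[/?#]|$)";

function compareUrlPatterns() {
  return {
    loose: auditUrlRegex(LOOSE, CASES),
    anchored: auditUrlRegex(ANCHORED, CASES),
  };
}
console.log(JSON.stringify(compareUrlPatterns(), null, 2));
```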

Search

This alert allows admins/auditors to trigger an alert on any search words input on any webpage.

To set up the rule, configure the options below:

  • Alert rule name – Alert rule name.
  • Active – Toggle to activate/deactivate rule.
  • Search term – Enter search words to trigger.
  • Search term regex – Enter search words to trigger in a regex format.
  • Distinct uppercase and lowercase letters – toggle to activate.
  • Report site name – Toggle to send the site name in the trigger notification.
  • Time restriction – If enabled, the local user timezone will be used for checking. Otherwise, the timezone from General Configuration will be used.
  • Notification interval – Time interval in minutes after which the notification about subsequent rule violations by the user will be sent. If empty, the default value will be used.
  • Monitor on the following sites only
  • Site exclusions – Sites to be excluded from the rule.
  • Scope – Users’ email or Org. unit to be monitored.
  • Scope exclusions – Users’ email or Org. unit to be excluded from the rule.
  • End-user action:
    • Display warning message.
    • Display a warning message and close the browsing tab.
    • Display warning message and redirect.
    • Close the browser tab without a message.
    • Redirect without a message.
    • None.
  • Warning message – warning message to display
  • Alert recipients – Recipients for the alert in place. This can be a user or group email.
  • Screen capture – Screenshot of the screen where the alert triggered.
  • Webcam capture – the capture of the webcam on the device (access must be pre-configured in the Admin console).

Device Usage

This alert allows admins/auditors to receive an alert if a device appears to be active again, particularly useful for missing devices.

To set up the rule, configure the options below:

  • Alert rule name – Alert rule name.
  • Active – Toggle to activate/deactivate rule.
  • User OR device – Users or devices to cover with this rule.
  • Notification interval – Time interval in minutes after which the notification about subsequent rule violations by the user will be sent. If empty, the default value will be used.
  • End-user action:
    • Display warning message.
    • Display a warning message and close the browsing tab.
    • Display warning message and redirect.
    • Close the browser tab without a message.
    • Redirect without a message.
    • None.
  • Warning message – warning message to display
  • Alert recipients – Recipients for the alert in place. This can be a user or group email.
  • Screen capture – Screenshot of the screen where the alert triggered.
  • Webcam capture – The capture of the webcam on the device. (access must be preconfigured in the admin console).

Location

This alert allows admins/auditors to trigger an alert if users are outside a specified location.

To set up the rule, configure the options below:

  • Alert rule name – Alert rule name.
  • Active – Toggle to activate/deactivate rule.
  • Location Bounds – select an area on the map that will define the non-triggerable location.
  • Time restriction – If enabled, the local user timezone will be used for checking. Otherwise, the timezone from General Configuration will be used.
  • Notification interval – Time interval in minutes after which the notification about subsequent rule violations by the user will be sent. If empty, the default value will be used.
  • Scope – Users’ email or Org. unit to be monitored.
  • Scope exclusions – Users’ email or Org. unit to be excluded from the rule.
  • End-user action:
    • Display warning message.
    • Display a warning message and close the browsing tab.
    • Display warning message and redirect.
    • Close the browser tab without a message.
    • Redirect without a message.
    • None.
  • Warning message – warning message to display
  • Alert recipients – Recipients for the alert in place. This can be a user or group email.
  • Screen capture – Screenshot of the screen where the alert triggered.
  • Webcam capture – the capture of the webcam on the device. (access must be preconfigured in the admin console).

IP Address

This alert allows admins/auditors to trigger an alert if users either match or do not match the specified IP addresses.

To set up the rule, configure the options below:

  • Alert rule name – Alert rule name.
  • Active – Toggle to activate/deactivate rule.
  • IP Addresses – IP addresses to be considered in the rule.
  • Mode – Toggle for a match or no match mode.
  • Time restriction – If enabled, the local user timezone will be used for checking. Otherwise, the timezone from General Configuration will be used.
  • Notification interval – Time interval in minutes after which the notification about subsequent rule violations by the user will be sent. If empty, the default value will be used.
  • Scope – Users’ email or Org. unit to be monitored.
  • Scope exclusions – Users’ email or Org. unit to be excluded from the rule.
  • End-user action:
    • Display warning message.
    • Display a warning message and close the browsing tab.
    • Display warning message and redirect.
    • Close the browser tab without a message.
    • Redirect without a message.
    • None.
  • Warning message – warning message to display
  • Alert recipients – Recipients for the alert in place. This can be a user or group email.
  • Screen capture – Screenshot of the screen where the alert triggered.
  • Webcam capture – the capture of the webcam on the device. (access must be preconfigured in the admin console).

Active ID

This alert allows admins/auditors to trigger an alert if users do not match their active ID verification. Active ID continuously checks if the designated user is using the device at hand.

To set up the rule, configure the options below:

  • Alert rule name – Alert rule name.
  • Active – Toggle to activate/deactivate rule.
  • Prediction threshold – Set threshold value for minimum breach trigger.
  • Report site name – Toggle to send the site name in the trigger notification.
  • End-user logout action:
    • None.
    • Soft logout.
    • Hard logout.
  • Time restriction – If enabled, the local user timezone will be used for checking. Otherwise, the timezone from General Configuration will be used.
  • Notification interval – Time interval in minutes after which the notification about subsequent rule violations by the user will be sent. If empty, the default value will be used.
  • Scope – Users’ email or Org. unit to be monitored.
  • Scope exclusions – Users’ email or Org. unit to be excluded from the rule.
  • Warning message – warning message to display.
  • Alert recipients – Recipients for the alert in place. This can be a user or group email.
  • Screen capture – Screenshot of the screen where the alert triggered.
  • Webcam capture – the capture of the webcam on the device. (access must be preconfigured in the admin console).

Denoted User/Last User Mismatch

This alert rule allows admins/auditors to trigger an alert whenever someone who is not the denoted user of the device is using the device.

This feature uses a variety of information gathered from Shield to determine whether the identity of the denoted user and the user actually using the device at hand match (particularly for Chromebooks assigned to a certain user).
