Introduction #
GAT Shield provides an extensive way to alert admins and delegated auditors on certain behaviors in their domain and web activity.
By deploying the extension to the web browser, Shield is able to monitor the browser, report back and take action on any alerts configured by the admin/auditor.
Alert Rules #
Navigate to Shield > Configuration > Alert Rules > Add a rule
Pick any of the Rules available
- File download
- Page content inspection
- Google docs inspection
- Visit
- Search
- Device usage
- Location
- IP Address
- Active ID
- Denoted user/last user mismatch
Alternatively, you can Add from a template.
Alert Rule Types #
File download #
This alert allows admins/auditors to capture any file download activity.
To set up the rule configure the options below:
- Alert rule name – Alert rule name.
- Active – Toggle to activate/deactivate rule.
- File extensions – The type of file extensions to monitor. ( DOC and DOCX, HTML and HTM, PDF, XLS and XLSX etc ).
- File size – Minimum number of sizes to detect ( Bytes, Kilobytes, Megabytes, Gigabytes ).
- Cancel/delete download – Toggle to cancel/delete download.
- Report file name – Include file name and meme type in the alert.
- Time restriction – If enabled, the local user timezone will be used for checking. Otherwise, the timezone from General Configuration will be used.
- Notification interval – Time interval in minutes after which the notification about subsequent rule violations by the user will be sent. If empty, the default value will be used.
- Monitor on the following sites only – Monitor an exclusive list of sites.
- Site exclusions – Exclude certain sites from the rule.
- Scope – Users’ email or Org. unit to be monitored.
- Scope exclusions – Users’ email or Org. unit to be excluded from the rule.
- End-user action
- Display warning message.
- Display a warning message and close the browsing tab.
- Display warning message and redirect.
- Close the browser tab without a message.
- Redirect without a message.
- None.
- Warning message – warning message to display.
- Alert recipients – Recipients for the alert in place.
- Screen capture – Screenshot of the screen where the alert triggered.
- Webcam capture – the capture of the webcam on the device (access must be pre-configured in the admin console).
Page Content Inspection #
This alert allows admins/auditors to trigger an alert on any words specified in the rule for any webpage.
To set up the rule configure the options below:
- Alert rule name – Alert rule name.
- Active – Toggle to activate/deactivate rule.
- Page content inspection Regex – enter words to trigger in a regex format.
- Distinct uppercase and lowercase letters – toggle to activate.
- Scan and alert on entire page – toggle to activate scan on user input AND user visit/load pages. By default, this option is unchecked and scans only on user input (typing).
- Regex word exclusions – words to exclude in a regex format.
- Page Keywords – Add words to trigger on any webpage.
- Alert trigger threshold – The minimum amount of words to trigger an alert.
- Time restriction – If enabled, the local user timezone will be used for checking. Otherwise, the timezone from General Configuration will be used.
- Notification interval – Time interval in minutes after which the notification about subsequent rule violations by the user will be sent. If empty, the default value will be used.
- Report matched text – Include the triggered text in the notification.
- Monitor on the following sites only
- Site exclusions -Sites to be excluded from the rule.
- Scope – Users’ email or Org. unit to be monitored.
- Scope exclusions – Users’ email or Org. unit to be excluded from the rule.
- End-user action,
- Display warning message.
- Display a warning message and close the browsing tab.
- Display warning message and redirect.
- Close the browser tab without a message.
- Redirect without a message.
- None.
- warning message – warning message to display
- Alert recipients – Recipients for the alert in place. This can be a user or group email.
- Screen capture – Screenshot of the screen where the alert triggered.
- Webcam capture – the capture of the webcam on the device (access must be pre-configured in the admin console).
Google Docs Inspection #
This alert allows admins/auditors to trigger an alert on any words specified in the rule for any Google document.
To set up the rule configure the options below:
- Alert rule name – Alert rule name.
- Active – Toggle to activate/deactivate rule.
- Google docs content inspection Regex – enter words to trigger in a regex format.
- Distinct uppercase and lowercase letters – toggle to activate.
- Regex word exclusions – words to exclude in a regex format.
- Page Keywords – Add words to trigger on any webpage.
- Alert trigger threshold – The minimum amount of words to trigger an alert.
- Time restriction – If enabled, the local user timezone will be used for checking. Otherwise, the timezone from General Configuration will be used.
- Notification interval – Time interval in minutes after which the notification about subsequent rule violations by the user will be sent. If empty, the default value will be used.
- Report matched text – Include the triggered text in the notification.
- Monitor on the following sites only
- Site exclusions -Sites to be excluded from the rule.
- Scope – Users’ email or Org. unit to be monitored.
- Scope exclusions – Users’ email or Org. unit to be excluded from the rule.
- End-user action,
- Display warning message.
- Display a warning message and close the browsing tab.
- Display warning message and redirect.
- Close the browser tab without a message.
- Redirect without a message.
- None.
- warning message – warning message to display
- Alert recipients – Recipients for the alert in place.
- Screen capture – Screenshot of the screen where the alert triggered.
- Webcam capture – the capture of the webcam on the device (access must be pre-configured in the admin console).
Visit #
This alert allows admins/auditors to trigger an alert on any websites visited that are configured in the alert rule.
To set up the rule configure the options below,
- Alert rule name – Alert rule name.
- Active – Toggle to activate/disactivate rule.
- Check page URL proximity – Toggle to activate a trigger when any site visited is not matched with the site list. (for authenticity)
- Page URL regex -enter page URLs to trigger in a regex format.
- Report site name – Toggle to send the site name in the trigger notification.
- Time restriction – If enabled, the local user timezone will be used for checking. Otherwise, the timezone from General Configuration will be used.
- Notification interval – Time interval in minutes after which the notification about subsequent rule violations by the user will be sent. If empty, the default value will be used.
- Scope – Users’ email or Org. unit to be monitored.
- Scope exclusions – Users’ email or Org. unit to be excluded from the rule.
- End-user action,
- Display warning message.
- Display a warning message and close the browsing tab.
- Display warning message and redirect.
- Close the browser tab without a message.
- Redirect without a message.
- None.
- warning message – warning message to display
- Alert recipients – Recipients for the alert in place. This can be a user or group email.
- Screen capture – Screenshot of the screen where the alert triggered.
- Webcam capture – the capture of the webcam on the device (access must be pre-configured in the admin console).
Search #
This alert allows admins/auditors to trigger an alert on any search words input on any webpage.
To set up the rule configure the options below,
- Alert rule name – Alert rule name.
- Active – Toggle to activate/disactivate rule.
- Search term – Enter search words to trigger.
- Search term regex -enter search words to trigger in a regex format.
- Distinct uppercase and lowercase letters – toggle to activate.
- Report site name – Toggle to send the site name in the trigger notification.
- Time restriction – If enabled, the local user timezone will be used for checking. Otherwise, the timezone from General Configuration will be used.
- Notification interval – Time interval in minutes after which the notification about subsequent rule violations by the user will be sent. If empty, the default value will be used.
- Monitor on the following sites only
- Site exclusions -Sites to be excluded from the rule.
- Scope – Users’ email or Org. unit to be monitored.
- Scope exclusions – Users’ email or Org. unit to be excluded from the rule.
- End-user action,
- Display warning message.
- Display a warning message and close the browsing tab.
- Display warning message and redirect.
- Close the browser tab without a message.
- Redirect without a message.
- None.
- Warning message – warning message to display
- Alert recipients – Recipients for the alert in place. This can be a user or group email.
- Screen capture – Screenshot of the screen where the alert triggered.
- Webcam capture – the capture of the webcam on the device (access must be pre-configured in the Admin console).
Device Usage #
This alert allows admins/auditors to receive an alert if a device appears to be active again, particularly useful for missing devices.
To set up the rule configure the options below,
- Alert rule name – Alert rule name.
- Active – Toggle to activate/disactivate rule.
- User OR device – Users or devices to cover with this rule.
- Notification interval – Time interval in minutes after which the notification about subsequent rule violations by the user will be sent. If empty, the default value will be used.
- End-user action,
- Display warning message.
- Display a warning message and close the browsing tab.
- Display warning message and redirect.
- Close the browser tab without a message.
- Redirect without a message.
- None.
- Warning message – warning message to display
- Alert recipients – Recipients for the alert in place. This can be a user or group email.
- Screen capture – Screenshot of the screen where the alert triggered.
- Webcam capture – The capture of the webcam on the device. (access must be preconfigured in the admin console).
Location #
This alert allows admins/auditors to trigger an alert if users are outside a specified location.
To set up the rule configure the options below:
- Alert rule name – Alert rule name.
- Active – Toggle to activate/deactivate rule.
- Location Bounds – select an area on the map that will define the non-triggerable location.
- Time restriction – If enabled, the local user timezone will be used for checking. Otherwise, the timezone from General Configuration will be used.
- Notification interval – Time interval in minutes after which the notification about subsequent rule violations by the user will be sent. If empty, the default value will be used.
- Scope – Users’ email or Org. unit to be monitored.
- Scope exclusions – Users’ email or Org. unit to be excluded from the rule.
- End-user action,
- Display warning message.
- Display a warning message and close the browsing tab.
- Display warning message and redirect.
- Close the browser tab without a message.
- Redirect without a message.
- None.
- Warning message – warning message to display
- Alert recipients – Recipients for the alert in place. This can be a user or group email.
- Screen capture – Screenshot of the screen where the alert triggered.
- Webcam capture – the capture of the webcam on the device. (access must be preconfigured in the admin console).
IP Address #
This alert allows admins/auditors to trigger an alert if users either match the specified IP addresses or mismatch.
To set up the rule configure the options below:
- Alert rule name – Alert rule name.
- Active – Toggle to activate/deactivate rule.
- IP Addresses – IP addresses to be considered in the rule.
- Mode – Toggle for a match or no match mode.
- Time restriction – If enabled, the local user timezone will be used for checking. Otherwise, the timezone from General Configuration will be used.
- Notification interval – Time interval in minutes after which the notification about subsequent rule violations by the user will be sent. If empty, the default value will be used.
- Scope – Users’ email or Org. unit to be monitored.
- Scope exclusions – Users’ email or Org. unit to be excluded from the rule.
- End-user action,
- Display warning message.
- Display a warning message and close the browsing tab.
- Display warning message and redirect.
- Close the browser tab without a message.
- Redirect without a message.
- None.
- Warning message – warning message to display
- Alert recipients – Recipients for the alert in place. This can be a user or group email.
- Screen capture – Screenshot of the screen where the alert triggered.
- Webcam capture – the capture of the webcam on the device. (access must be preconfigured in the admin console).
Active ID #
This alert allows admins/auditors to trigger an alert if users do not match their active ID verification. Active ID continuously checks if the designated user is using the device at hand.
To set up the rule configure the options below:
- Alert rule name – Alert rule name.
- Active – Toggle to activate/deactivate rule.
- Prediction threshold – Set threshold value for minimum breach trigger.
- Report site name – Toggle to send the site name in the trigger notification.
- End-user log out of the action,
- None.
- Soft logout.
- Hard logout.
- Time restriction – If enabled, the local user timezone will be used for checking. Otherwise, the timezone from General Configuration will be used.
- Notification interval – Time interval in minutes after which the notification about subsequent rule violations by the user will be sent. If empty, the default value will be used.
- Scope – Users’ email or Org. unit to be monitored.
- Scope exclusions – Users’ email or Org. unit to be excluded from the rule.
- warning message – warning message to display
- Alert recipients – Recipients for the alert in place. This can be a user or group email.
- Screen capture – Screenshot of the screen where the alert triggered.
- Webcam capture – the capture of the webcam on the device. (access must be preconfigured in the admin console).
Denoted User/Last USer Mismatch #
This alert rule allows admins/auditors to trigger an alert whenever someone who is not the denoted user of the device is using the device.
This feature uses a variety of information gathered from Shield to determine if the identity of the denoted user and the user actually using the device at hand match (particularly Chromebooks assigned to a certain user).