GAT for Enterprise
GAT for Education
Popular Search security officergatdelegated auditor
View Categories

Allow non-admin users to review Shield Alerts and Site Access Events

Table of Contents

GAT Shield extension allows the Admins to monitor the user behavior while browsing on the Google Chrome browser.

The Admin can set up multiple DLP Alerts rules.

Based on those alerts then the Admin can be notified via Alert notification when the users have done something against the Alert rule.

All the Shield alerts that are triggered can be viewed in the Shield > Shield Alerts module.

Delegated auditor – reviewer #

The Alerts rules that are triggered could be too many for one Admin to review.

To help the Admin, a Delegated Auditor ( reviewer ) can be created.

This will allow a person to be added to use GAT Shield and view and review all the Alerts that are being generated.

Create delegated auditor in GAT Shield #

Delegated auditors feature allows users, who don’t have to be administrators, to access GAT Shield’s auditing capabilities. You can configure auditors to view data for only specific users, groups or organization units.

An Admin can create the delegated auditor (reviewer) and give them access to view and manage the Shield Alerts

To configure Delegated Auditor role, navigate to GAT Shield > Configuration > Delegated Auditors > + New Auditor

GAT Shield panel showing Delegated Auditors module and the + New Auditor button that allows creating a new GAT Shield Auditor.

When selecting the + New Auditor button, a new wizard window will be displayed.

Fill in the details for creating the Auditor.

  • Auditor (1) – enter the user email who will audit the Alerts
    • Scope type – define the scope type as User if you want to delegate the role to only one user, alternatively as Groups or Org. Unit to delegate the role to more people at once
    • User – if the scope type is defined as User, Under the Users field select the domain user that you wish to delegate the role to (alternatively, Groups or OUs depending on the earliest selection under Scope type)
  • Scope (2) – select into what users the Auditor will have access over, to view their Alerts
    • Scope type – select All users to monitor all domain users without any exceptions
  • Expiration (3) – define the date until which the role will be valid
    • Valid indefinitely – the role will be assigned indefinitely or until manually removed by the administrator
    • Expiration date – select the date until which the role will be active
  • Access (4) – select and enable the areas to which the auditor will have access:
    • Site Access Control Events – enable this module to allow auditors to audit events triggered by Site Access Control rules
    • Alert Notifications – enable this module to allow auditors to audit notifications triggered by Shield Alert Rules

GAT Shield New Auditor wizard window showing the fields that must be configured: 1. Auditor Scope Type selected as single User. This user will have the Delegated Auditor role assigned to them. 2. Scope of All users that allows auditing every user of the domain. 3. Expiration date set to the exact time in the future ( Valid indefinitely option available as an alternative). 4. Access area to which the Auditor gains access to for audit purposes.

Once all the configuration is ready, clicking the Create button creates the Delegated Auditor role with access permissions tailored to the needs defined by the administrator.

New Auditor wizard window showing the Create button to finalize the delegated auditor setup process.

Once a Delegated Role is created, administrators can review it in the GAT Shield > Delegated Auditors module, which displays a table with the roles created. This table shows the email addresses of the auditors, the scope they have access to, the expiration date, and whether the role is active or inactive (expired).

Delegated Auditors table showing all delegated auditors created, their access scope, role expiration date, and Active or Inactive status.

Delegated auditor (Reviewer) #

When the Delegated auditor is created they can log in to the tool and view and audit all the Shield Alerts Notifications and Site Access Events.

The Reviewers can log in from the Google Apps button by clicking on the GAT+ button.

Google Workspace Marketplace panel showing how to find and open GAT+ apps. 1. Click the “9 dots” in one of the Google services. 2. Scroll down to third-party apps where the GAT+ logo appears.

When login into GAT Shield they can view the sections allowed.

GAT Shield icon showing the product logo. Click on the logo to access GAT Shield product.

When login into GAT Shield they can view the sections allowed.

Site Access Control > Events section:

GAT Shield Delegated Auditor dashboard showing access to Site Access Control Events section (1) and a table with all existing/triggered events in a table (2). The event triggers table displays the email address of the users who triggered the event, the Action as blocked, the Rule Name, the Site, and the Alert triggered Date.

Site Access Control Events audit #

The Reviewer (delegated auditor) can also review the Site Access Events rules that are being triggered.

Those are all webpages that are blocked for the users via Site Access Control, created by the Admins of the domain

  • User – view who the site is being blocked for
  • Action – Blocked
  • Rule name
  • Website – view the website URL
  • Date – view went the site was blocked

Alerts > Notifications:

GAT Shield Delegated Auditor dashboard showing access to Alerts Notifications section (1) and a table with all existing/triggered alerts in a table (2). The alert notifications table displays the Rule name, Alert Type, email address of the users who triggered the alert, the trigger of the alert, the Acknowledged column, the Severity column, and the Alert notification Created date.

Shield Alerts Notifications audit #

The Auditor (Reviewer) can view all the Shield alerts notifications (1) that are triggered by the end-users displayed under the Alert Notifications table (2).

Audit all Shield Alerts Notifications:

  • Rule name – view the rule name for the Alert
  • Rule type – the type of rule created
  • User – view who is the user who triggers the alert
  • Trigger – view the trigger word or sentence that the user has typed
  • Acknowledged – indicator showing whether the alert was acknowledged by the auditor or not
  • Severity – severity of the alert rule defined by an admin when creating the alert rule itself
  • Created – the timestamp when the alert was created

Each alert can be reviewed in detail, acknowledged or its severity can be changed by hovering over the left side of each alert metadata displayed in the table (3) and clicking the appropriate button.

GAT Shield Delegated Auditor dashboard showing access to Alerts Notifications section (1) and a table with all existing/triggered alerts in a table (2). The alert notifications table has the options for each record in the table to quickly Acknowledge the alert, increase or reset Severity of the alert triggered and/or see the alert notification information in detail. To display the quick actions button, hover over the left side of each record and you will see 3 buttons to: Acknowledge, change Severity, view Details (3).

Actions on Shield Alerts #

An Alert Notification Auditor can perform the following actions:

  • Acknowledge – the auditor can Acknowledge  the alert – marking it as “acknowledged” – meaning is checked and acknowledged
  • Update Severity – either increase or reset severity level, acknowledge the seriousness of the alert  based on an impact it may have on your domain
  • See the alert notification Details – view details for the Alert notification triggered.

Alert notification action buttons: Acknowledge button, increase or reset Severity button, view more Details button.

When Details are selected, a new window will be displayed with all the additional details for the Alert rule

  • Acknowledge – on the top left side you can acknowledge the Alert
  • Update Severity – Marks this alert as either High or Low. This will be used by an algorithm later on.
  • Review Next alert – move on to the next alert

Alert Notifications Details window displaying Acknowledge button, Severity button and Next alert button to be able to move on and review the next alert notification.

  • Report false positive – notify about false-positive alert – click on 3 dots (1) and Report false positive (2)

Alert Notifications Details window displaying Report false positive option. To report false positive alert, click on 3 dots next to "Next alert" button (1), click on Report false positive button displayed to create the report.

A new window will appear where you can add an appropriate support message to explain why the alert was identified as a false positive (1). To send the message, click Send (2).

The Report False Positive dialog box is displayed, where you can type a Support team message to inform the appropriate team about generated a false positive alert.

View all the additional data reported for the Alert rule, such as:

  • Rule name – The alert name given when configuring it
  • Type – the type of the alert selected when setting up the alert
  • User – the email address od the user who triggered the alert
  • Created date – the date then when alert was generated
  • Trigger – the action that triggered the alert
  • Acknowledge – identify whether the alert was acknowledged or not
  • Users org. unit – the OR unit of the user that triggered the alert
  • Severity – The heaviness of the alert triggered define during the alert setup
  • Alert Context – defines why the alert was triggered and see its evidence such as tab title, URL and entered text

Alert Notifications Details window displaying all relevant information about the triggered alert, such as: Rule name, Type, User who triggered the alert, alert notification Created date, Trigger of the alert, Alert Context, Tab title, URL on which the alert was triggered and the Entered text.

FAQ #

Q: Does the Delegated Auditor see other sections on GAT Shield?

A: Delegated Auditor can only see the GAT Shield sections that were granted to them by the Administrator when configuring the Delegated Auditor role.

Q: Can the Delegated Auditor role be automatically deactivated?

A: Yes, the Delegated Auditor role can be configured to deactivate or expire automatically by providing expiration details when an administrator configures the role.

GAT Shield
Did you find this article helpful?

Audit. Manage. Protect.

Google Workspace Marketplace badge

PRODUCT

USE CASES

COMPANY

© Copyright 2010 – 2024 | All Rights Reserved | Powered by General Audit Tool

Twitter Youtube Linkedin

LIVE EVENT

Join Us for a Training Session

For customers and current trials.

View the calendar & register

This website uses cookies to ensure you get the best experience on our website

Accept all