Table of Contents
Configuration Settings Options Available in GAT Shield for Alert Rules #
In this post, we will be outlining all of the available settings options when creating Alert Rules within the Shield Console.
Creating an Alert Rule #
As a Google Workspace Super Admin and enter the GAT Shield console. Navigate to Configuration and then Alert Rules.
Clicking on Add a rule will show all the different alert types.
Setting Options Available within Alert Rules #
Name and Type
- Device
- Device user/owner mismatch
- Download
- Page content inspection
- IP address
- Location
- Search
- Upload
- Visit
The following settings options can be found in the different types of Alert Rules.
- Action – When the alert rule is triggered, we will execute the selected action on the user’s device. Only tabs that trigger the rule will be closed or redirected if these actions are selected.
- Show warning
- Close
- Close without warning
- Redirect
- Redirect without warning
- No action
- Warning message -Users will see this message when the alert rule is triggered. To customize the Warning message, you can use the following variables
- $name will be replaced with the rule name
- $text will be replaced with the matching text when a Page content inspection alert rule is triggered
- You can edit the message to suit your needs. For example, you could add a contact person’s details for further assistance, or you can remove any bits of information you prefer not to share with users.
- Default Severity – When the Alert Rule is triggered, a notification is created. The severity of the notification indicates its level of importance. “Default Severity” is the value assigned to all notifications generated by this rule.
- Unspecified
- Low
- High
Scope #
Select the scope of users for whom the rule will be applied
Scope type #
You can select the scope to be multiple email addresses, multiple Google Groups, or members of an Org Unit.
Rule exclusions #
- Excluded addresses – Enter the account and OU
- Excluded websites and URLs – The rule will not be checked on the following websites, URLs. The entered value should not start with “http://” or “https://” and should not end with a slash.
- Active only on selected websites, URLs – The rule will be only checked on the following websites, URLs. The entered value should not start with “http://” or “https://” and should not end with a slash.
Time restriction #
Select when the rule should be active. By default, when no time restriction is added, the rule will always be active. To change it, select days and time ranges when the rule will be active.
Configuration #
The configuration for each of the alert rules might be different depending on the action to be taken.
- Device – the device has no configuration, as only a notification is sent when a specific device is used
- Device user/owner mismatch – has no configuration as a notification when someone uses someone else’s device.
- Download – The configuration mode has a File extension and Size to be chosen. Select file extension or size, or combined, as well as minimum file size, and an action to cancel the download
- Page content inspection – Scan page content and user input, or Scan page content and user input.
- Field to enter trigger expression.
- Button to enable and enter regex mode
- Enable or disable case-sensitive
- Regex exclusion -Alert won’t be triggered if any of these words is found on the page.
- Page keywords – Enter page keywords to reduce alert sensitivity. Keywords stop the rule from being triggered unless the combined keywords’ weight on the page meets the threshold. The weight of a keyword contributes to the score only once, even if the word occurs many times on the page.
- IP address – Select different modes, to report when a match list item or report when not on the list
- IP addresses list – Enter IP and network addresses. Network addresses must end with CIDR.
- Examples:
- 192.168.0.17 – a host address
-
192.168.0.0/24 – a network address
- Location – Select a location from the map displayed. The alert will be triggered when a Shield device is used outside the selected area
- Search – Enter search parameters,
- List of phrases
- Regular expression
- Regular expressions and phrases
- Search phrases list – Enter the list of phrases that will trigger this alert.
- Upload – Select file extension for upload rule.
- Leave this list empty to trigger on any upload. Otherwise, the alert rule will be triggered if the uploaded file has any of these extensions.
- Minimum file size – Minimum file size to trigger the alert.
- Leave this list empty to trigger on any upload. Otherwise, the alert rule will be triggered if the uploaded file has any of these extensions.
- Visit – Select mode for the Search alert
- Report pages matching expression
- Report similar URLs
- Trigger expression – enter trigger expression
Notifications #
In the Notification sections, fill in the notification settings.
- Alert recipients – Enter the recipients for the alert
- Notification interval – Enter the interval between alerts that will not be sent
- Full alert context – Save website and file information and include them in notifications
- Screen capture –
- Do not send
- Send in the notification email
- Send in the notification email and save to the rule creator’s Drive
- Send in the notification email, save to the rule creator’s Drive and share with other alert recipients
- Webcam capture –
- Do not sent
- Send in the notification email
- Send in the notification email and save to the rule creator’s Drive
- Send in the notification email, save to the rule creator’s Drive and share with other alert recipients
