Skip to main content
Skip table of contents

Alert Rules


Alert rules allow you to determine what events on the computers being investigated will be considered and detected as an alert, and therefore trigger the alert resulting in an alert event. Each alert must have at least one rule.

Each alert rule consists of the following (specified in the 3 fields in the Rules section, respectively):

 a parameter.

 a comparison operator.

 a value (to which the parameter will be compared).


Table of Contents


1. Parameters


The following parameter types can be selected to use for rules:

Parameter

Description

Example Value

Parameters applied to all Clients

Username

The value is the name of the user whose activity is to be monitored.

Select this parameter type for the alert to be triggered whenever the specified user logs in to a Client computer.

For Windows or macOS users, a domain name (or computer name for local Windows users) can also be used (i.e. specified before the username), by entering the value of the username in the following format:

 For a Windows username: <domain name or computer name>\<username>

 For a macOS user: <domain name>\<username>


If secondary user authentication is enabled and the secondary user login username matches the username alert parameter, the alert is triggered.

For example:

The alert rule is defined as Username Like John, and the user logs in to (a Windows or Linux computer) as “Guest” and then enters “John” as the secondary login username. The alert is then triggered, and first record in the session of this user “(Guest (John))” is indicated as an alert event (e.g. in the Metadata grid in the Session Viewer).

John

Parameters applied to Windows, macOS, and Linux (for X Window System only) Clients

Application

The value is the name of the application opened on the Client computers being investigated.

Select this parameter type for the alert to be triggered whenever the specified value is identified as the name of an application opened.

skype.exe

Title

The value is the name that appears in the title of a window.

Select this parameter type for the alert to be triggered whenever the specified value is identified in any window title on the screen.

My document

Parameters applied to Windows and macOS Clients only

Keystrokes

The value is the keystrokes entered by the user.

Select this parameter type for the alert to be triggered whenever the specified value is entered.

download

URL

The value is the URL entered in the browser address bar or visited by the user.

Select this parameter type for the alert to be triggered whenever the specified value is identified as the URL.

NOTE: The URL monitoring option must be enabled for the Client.

facebook.com

Clipboard Copy

The value is the clipboard value copied or cut by the user.

Select this parameter type for the alert to be triggered whenever the specified value is copied or cut. Enter an asterisk (*) in the value field if you want to detect any copying or cutting action.

confidential

Clipboard Paste

The value is the clipboard value pasted by the user.

Select this parameter type for the alert to be triggered whenever the specified value is pasted. Enter an asterisk (*) in the value field if you want to detect any pasting action.

confidential
File Upload

The value is the filename of the file uploaded by the user.

Select this parameter type for the alert to be triggered whenever a file with the specified filename is uploaded.

NOTE: This feature is only available with an activated serial key for the Enterprise Edition of Ekran System.

NOTE: For Windows Clients, custom alerts can also be added to be triggered on file upload/download by combining multiple rules using the other alert rule parameter types, similar to, for example, the default alert on detecting file download from an Internet browser, which uses the following combination of four rules:

In this example, if any of the 3 browser applications (defined in the first 3 rules) are used, and a window is opened containing the word “Save” in its title (as defined in the fourth rule), then the alert will be triggered.

See also Examples of Alert Rules.

*

*.exe

*.app

c:\TopSecret\*.* [currently only available for Windows Clients]

User Belonging to Domain Group

The value is the name of the domain group.

The comparison operator is the Active Directory domain name (instead of the usual comparison operators: Equals, like, Not equals, or Not like).

Select this parameter type for an alert to be triggered whenever the users of the specified domain group start to use (i.e. log in to) the Client computers.

Support

Parameters applied to Linux Clients only (both SSH and X Window System sessions)

Command

The value is the command entered in the Linux terminal.

Select this parameter type for the alert to be triggered whenever the specified command is entered.

sudo

Parameter

The value is the Linux command entered.

Select this parameter type for the alert to be triggered whenever the user enters a command along with the specified parameters.

ImportantDocument

Parameters applied to Active Directory Groups (for Windows only)

Computer Belonging to Domain Group

The value is the name of the domain group.

Select this parameter type for the alert to be triggered on the Client computers belonging to this group.

NOTE: Alerts containing this parameter need to be assigned to the All Clients group to function correctly.

Accounting


2. Comparison Operators


For all alert rule parameters except for parameters that belong to Active Directory groups, you can select the following comparison operators to use for rules:

Comparison Operator

Description

Example

ValueFoundNot Found

Equals

The result found is an exact match to the defined value.

Jon

Jon

Jonnie

Like

The result found contains the defined value.

Jon

Jonnie, Jonathan

Johan

Not equals

The result found does not match the defined value.

Jon

Oliver, Jonnie

Jon

Not like

The result found does not contain the defined value.

Jon

Oliver, Johan

Jonnie, Jon, Jonathan


3. Examples of Using Multiple Rules in an Alert


Rules defined with Windows and Linux parameters do not influence one another. Therefore, you can define multiple rules for both Windows and Linux Clients in a single alert, and the alert will work correctly.

For example:


Parameter

Comparison Operator

Value

Rule 1

Command

Equals

su

Logical OperatorOR

Rule 2

URL

Like

facebook.com

Result

The alert will be triggered by a user entering the “su” command in the Linux terminal, or by visiting the facebook.com website on a computer running the Windows operating system.


Where multiple rules are defined with the same parameter using the OR logical operator in a single alert using Like or Equals comparison operators, the alert will be triggered if the conditions of at least one of the rules are met (i.e. using OR logic).

For example:


Parameter

Comparison Operator

Value

Rule 1

Application

Equals

skype.exe

Logical OperatorOR

Rule 2

Application

Equals

winword.exe

Result

The alert will be triggered by any user opening either the Skype or Microsoft Word applications.


Where multiple rules are defined with different parameters using the AND logical operator in a single alert using Like or Equals comparison operators, the alert will only be triggered if the conditions of all the rules are met (i.e. using AND logic).

For example:


Parameter

Comparison Operator

Value

Rule 1

Application

Equals

skype.exe

Logical OperatorAND

Rule 2

Username

Like

Nancy

Result

The alert will be triggered by the user Nancy opening the Skype application.


Where multiple rules are defined with one parameter using the OR logical operator and another rule is defined with a different parameter using the AND logical operator in a single alert using the Like or Equals comparison operators, the alert will be triggered if any of the conditions are met of any rule defined with the first parameter (using the OR logical operator), and the conditions are met for the rule defined with the different parameter (using the AND logical operator).

For example:


Parameter

Comparison Operator

Value

Rule 1

Application

Equals

skype.exe

Logical OperatorOR

Rule 2

Application

Equals

winword.exe

Logical OperatorAND

Rule 3

Username

Equals

Nancy

Result

The alert will by triggered by the user Nancy opening either Skype or Microsoft Word.


Where multiple rules are defined with the same parameter using the AND logical operator in a single alert using the Not equals or Not like comparison operators, the alert will be triggered if the conditions are met for all of the rules defined.

For example:


Parameter

Comparison Operator

Value

Rule 1

Application

Not equals

skype.exe

Logical OperatorAND

Rule 2

Application

Not equals

winword.exe

Result

The alert will be triggered by any user opening any application except Skype and Microsoft Word.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.