Alert Rules

Alert rules allow you to determine which events on the computers being investigated are treated as alerts. Each alert must have at least one rule.

Each rule consists of a parameter, a comparison operator, and the value to which the parameter is compared.

Parameters

The following parameters can be selected for use in rules. Each entry below gives the parameter, its description, and an example value.

Parameters applied to all Clients

Username
The name of the user whose work is to be monitored. Select this parameter type for the alert to be triggered whenever the specified user uses a Client computer.
If secondary user authentication is enabled and the secondary user login matches the user name alert parameter, the Client marks the corresponding events as an alert. For example: the alert parameter is Username LIKE “John”. The user logs in to Windows as “Guest” and then enters “John” as the secondary login. The first record in the session of this user, “(Guest (John))”, is marked as an alert.
Example: John

Parameters applied to Windows, macOS, and Linux (for X Window System) Clients

Application
The name of the application opened on a computer being investigated. Select this parameter type for the alert to be triggered whenever the specified value is identified as the name of an opened application.
Example: skype.exe

Title
The name that appears in the title of a window. Select this parameter type for the alert to be triggered whenever the specified value is identified in any window title on the screen.
Example: My document

Parameters applied to Windows and macOS Clients

URL
The URL entered in the browser address bar or visited by the user. Select this parameter type for the alert to be triggered whenever the specified value is identified as the URL.
NOTE: The URL monitoring option must be enabled for the Client.
Example: facebook.com

Parameters applied to Windows Clients

Keystrokes
The keystrokes entered by the user. Select this parameter type for the alert to be triggered whenever the specified value is typed.
Example: download

Clipboard Copy
The clipboard value copied or cut by the user. Select this parameter type for the alert to be triggered whenever the specified value is copied or cut. Enter an asterisk (*) in the value field to detect any copying or cutting action.
Example: *

Clipboard Paste
The clipboard value pasted by the user. Select this parameter type for the alert to be triggered whenever the specified value is pasted. Enter an asterisk (*) in the value field to detect any pasting action.
Example: C21H23

File Upload
The filename of the file uploaded by the user. Select this parameter type for the alert to be triggered whenever a file with the specified filename is uploaded.
NOTE: The File Upload parameter type is not available by default. To use it, the File Monitoring feature needs to be activated by sending a request to our Support team at [email protected]. The File Monitoring feature is also only available if you have an activated serial key for the Enterprise Edition of Ekran System.
NOTE: Custom alerts can also be added to be triggered on file upload/download by combining multiple rules that use the other alert rule parameter types. The default alert on detecting a file download from an Internet browser, for example, uses a combination of four rules: if any of the three browser applications (defined in the first three rules) is used, and a window is opened whose title contains the word “Save” (as defined in the fourth rule), the alert is triggered.
See also Examples of Alert Rules.
Example: * or *.exe or c:\TopSecret\*.*

Parameters applied to Linux Clients (both SSH and X Window System sessions)

Command
The command entered in the Linux terminal. Select this parameter type for the alert to be triggered whenever the specified command is entered.
Example: sudo

Parameter
The parameter of the Linux command entered. Select this parameter type for the alert to be triggered whenever the user enters a command along with the specified parameters.
Example: ImportantDocument

Parameters of Active Directory Groups

Computer Belonging to a Domain Group
The name of the domain group. Select this parameter type for the alert to be triggered on the Client computers belonging to this group.
NOTE: Alerts containing this parameter need to be assigned to the All Clients group to work properly.
Example: Accounting

User Belonging to a Domain Group
The name of the domain group. Select this parameter type for an alert to be triggered whenever users of the specified domain group start using the Client computers.
Example: Support


Comparison Operators

For all rule parameters except those belonging to Active Directory groups, you can select the following comparison operators to use in rules. The Value column gives the defined value; the Found and Not Found columns give results that do and do not satisfy the rule:

| Comparison Operator | Description | Value | Found | Not Found |
|---|---|---|---|---|
| Equals | The result found is an exact match to the defined value. | Jon | Jon | Jonnie |
| Like | The result found includes the defined value. | Jon | Jonnie, Jonathan | Johan |
| Not equals | The result found does not match the defined value. | Jon | Oliver, Jonnie | Jon |
| Not like | The result found does not include the defined value. | Jon | Oliver, Johan | Jonnie, Jon, Jonathan |


Rules defined for Windows and Linux parameters do not influence one another. You can therefore define rules for both Windows and Linux Clients in a single alert, and the alert will work correctly.

For example:

| | Parameter | Operator | Value |
|---|---|---|---|
| Rule 1 | Command | Equals | su |
| Rule 2 | URL | Like | facebook.com |

Result: The alert will be triggered by a user entering the “su” command in the Linux terminal, or by visiting the facebook.com website on a computer running the Windows operating system.


Where multiple rules are defined for the same parameter within one alert using the Like or Equals operators, the alert will be triggered if the conditions of at least one of the rules are met.

For example:

| | Parameter | Operator | Value |
|---|---|---|---|
| Rule 1 | Application | Equals | skype.exe |
| Rule 2 | Application | Equals | winword.exe |

Result: The alert will be triggered by a user opening either the Skype or the Microsoft Word application.


Where rules are defined for different parameters within one alert using the Like or Equals operators, the alert will only be triggered if the conditions of all the rules are met.

For example:

| | Parameter | Operator | Value |
|---|---|---|---|
| Rule 1 | Application | Equals | skype.exe |
| Rule 2 | Username | Like | Nancy |

Result: The alert will be triggered by the user Nancy opening the Skype application.


Where multiple rules are defined for one parameter and one rule is defined for another parameter, all using the Like or Equals operators, the alert will be triggered if the conditions of any of the rules defined for the first parameter are met and the conditions of the rule defined for the other parameter are also met.

For example:

| | Parameter | Operator | Value |
|---|---|---|---|
| Rule 1 | Application | Equals | skype.exe |
| Rule 2 | Application | Equals | winword.exe |
| Rule 3 | Username | Equals | Nancy |

Result: The alert will be triggered by the user Nancy opening either Skype or Microsoft Word.


Where multiple rules are defined for one parameter using the Not equals or Not like operators, the alert will be triggered if the result found does not match or include any of the defined values.

For example:

| | Parameter | Operator | Value |
|---|---|---|---|
| Rule 1 | Application | Not equals | skype.exe |
| Rule 2 | Application | Not equals | winword.exe |

Result: The alert will be triggered by a user opening any application except Skype and Microsoft Word.
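The rule-combination logic described in the examples above (Equals/Like matching, Windows and Linux rules not influencing one another, same-parameter rules combined with "any", different parameters combined with "all", Not rules combined with "none"), written up as an added example for this page; it is not Ekran System's own code. It assumes comparisons are case-insensitive, does not model the asterisk and path wildcards, and treats an event with no recorded value for a parameter as not matching that parameter's rules.

```python
from collections import defaultdict
from dataclasses import dataclass

ALL = {"windows", "macos", "linux"}
PARAM_PLATFORMS = {  # which Clients each parameter applies to (Parameters list above)
    "Username": ALL, "Application": ALL, "Title": ALL, "URL": {"windows", "macos"},
    "Keystrokes": {"windows"}, "Clipboard Copy": {"windows"},
    "Clipboard Paste": {"windows"}, "File Upload": {"windows"},
    "Command": {"linux"}, "Parameter": {"linux"},
}
OPERATORS = {  # Comparison Operators table; case-insensitive comparison is an assumption
    "Equals": lambda found, value: found == value,
    "Like": lambda found, value: value in found,
    "Not equals": lambda found, value: found != value,
    "Not like": lambda found, value: value not in found,
}


@dataclass(frozen=True)
class Rule:
    parameter: str  # e.g. "Application"
    operator: str   # one of the OPERATORS keys
    value: str      # the value the parameter is compared to


def rule_matches(rule: Rule, found: str) -> bool:
    return OPERATORS[rule.operator](found.lower(), rule.value.lower())


def alert_triggered(rules, platform: str, event: dict) -> bool:
    """True if an event (parameter name -> recorded value) from a Client on
    the given platform satisfies the alert's rules as described on this page."""
    groups = defaultdict(list)
    for rule in rules:
        # Rules for parameters the platform lacks are skipped, so Windows and
        # Linux rules in one alert do not influence one another.
        if platform in PARAM_PLATFORMS[rule.parameter]:
            groups[rule.parameter].append(rule)
    if not groups:
        return False
    for parameter, group in groups.items():  # different parameters: all must hold
        if parameter not in event:
            return False  # assumption: nothing recorded for it, so no match
        found = event[parameter]
        positives = [r for r in group if not r.operator.startswith("Not")]
        negatives = [r for r in group if r.operator.startswith("Not")]
        # Same parameter: any Like/Equals rule may match; every Not rule must hold.
        if positives and not any(rule_matches(r, found) for r in positives):
            return False
        if not all(rule_matches(r, found) for r in negatives):
            return False
    return True
```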