Alert Rules
Alert rules allow you to determine which events on the computers being investigated will be considered an alert. Each alert must have at least one rule.
Each rule consists of a parameter, a comparison operator, and the value to which the parameter will be compared.
Parameters
The following parameters can be selected to use for rules:
| Parameter | Description | Example |
|---|---|---|
| Parameters applied to all Clients | | |
| Username | The name of the user whose work is to be monitored. Select this parameter type for the alert to be triggered whenever a specified user uses a Client computer. If secondary user authentication is enabled and the secondary user login matches the user name alert parameter, the Client marks the corresponding events as an alert. For example: the alert parameter is Username LIKE “John”. The user logs in to Windows as “Guest” and then enters “John” as the secondary login. The first record in the session of this user “(Guest (John))” is marked as an alert. | John |
| Parameters applied to Windows, macOS, and Linux (for X Window System) Clients | | |
| Application | The name of the application opened on a computer being investigated. Select this parameter type for the alert to be triggered whenever the specified value is identified as the name of an opened application. | skype.exe |
| Title | The name that appears in the title of a window. Select this parameter type for the alert to be triggered whenever the specified value is identified in any window title on the screen. | My document |
| Parameters applied to Windows and macOS Clients | | |
| URL | The URL entered in the browser address bar or visited by the user. Select this parameter type for the alert to be triggered whenever the specified value is identified as the URL. NOTE: The URL monitoring option must be enabled for the Client. | facebook.com |
| Clipboard Copy | The clipboard value copied or cut by the user. Select this parameter type for the alert to be triggered whenever the specified value is copied or cut. Enter an asterisk (*) in the value field if you want to detect any copying or cutting action. | * |
| File Upload | The filename of the file uploaded by the user. Select this parameter type for the alert to be triggered whenever a file with the specified filename is uploaded. NOTE: The File Upload parameter type is not available by default. To use it, the File Monitoring feature needs to be activated by sending a request to our Support team at: [email protected]. The File Monitoring feature is also only available if you have an activated serial key for the Enterprise Edition of Ekran System. NOTE: For Windows Clients, custom alerts can also be added to be triggered on file upload/download by combining multiple rules that use the other alert rule parameter types, similar to the default alert on detecting a file download from an Internet browser, which uses the following combination of four rules: In this example, if any of the 3 browser applications (defined in the first 3 rules) is used, and a window is opened containing the word “Save” in its title (as defined in the fourth rule), then the alert will be triggered. See also Examples of Alert Rules. | *, *.exe, *.app, c:\TopSecret\*.* (currently only available for Windows Clients) |
| Parameters applied to Windows Clients | | |
| Keystrokes | The keystrokes entered by the user. Select this parameter type for the alert to be triggered whenever the specified value is entered. | download |
| Clipboard Paste | The clipboard value pasted by the user. Select this parameter type for the alert to be triggered whenever the specified value is pasted. Enter an asterisk (*) in the value field if you want to detect any pasting action. | C21H23 |
| Parameters applied to Linux Clients (both SSH and X Window System sessions) | | |
| Command | The command entered in the Linux terminal. Select this parameter type for the alert to be triggered whenever the specified command is entered. | sudo |
| Parameter | The parameter of the Linux command entered. Select this parameter type for the alert to be triggered whenever the user enters a command along with the specified parameters. | ImportantDocument |
| Parameters of Active Directory Groups | | |
| Computer Belonging to Domain Group | The name of the domain group. Select this parameter type for the alert to be triggered on the Client computers belonging to this group. NOTE: Alerts containing this parameter need to be assigned to the All Clients group to work properly. | Accounting |
| User Belonging to Domain Group | The name of the domain group. Select this parameter type for an alert to be triggered whenever the users of the specified domain group start to use the Client computers. | Support |
Comparison Operators
For all rule parameters except for parameters that belong to Active Directory groups, you can select the following comparison operators to use for rules:
| Comparison Operator | Description | Example: Value | Example: Found | Example: Not Found |
|---|---|---|---|---|
| Equals | The result found is an exact match to the defined value. | Jon | Jon | Jonnie |
| Like | The result found includes the defined value. | Jon | Jonnie, Jonathan | Johan |
| Not equals | The result found does not match the defined value. | Jon | Oliver, Jonnie | Jon |
| Not like | The result found does not include the defined value. | Jon | Oliver, Johan | Jonnie, Jon, Jonathan |
Rules defined for Windows and Linux parameters do not influence one another. Therefore, you can define rules for both Windows and Linux Clients in a single alert, and the alert will work correctly.
For example:
| | Parameter | Operator | Value |
|---|---|---|---|
| Rule 1 | Command | Equals | su |
| Rule 2 | URL | Like | facebook.com |
| Result | The alert will be triggered by a user entering the “su” command in the Linux terminal, or by visiting the facebook.com website on a computer running the Windows operating system. | | |
Where multiple rules are defined for the same parameter within one alert using Like or Equals operators, the alert will be triggered if the conditions of at least one of the rules are met.
For example:
| | Parameter | Operator | Value |
|---|---|---|---|
| Rule 1 | Application | Equals | skype.exe |
| Rule 2 | Application | Equals | winword.exe |
| Result | The alert will be triggered by a user opening either the Skype or the Microsoft Word application. | | |
Where rules are defined for different parameters within one alert using Like or Equals operators, the alert will only be triggered if the conditions of all the rules are met.
For example:
| | Parameter | Operator | Value |
|---|---|---|---|
| Rule 1 | Application | Equals | skype.exe |
| Rule 2 | Username | Like | Nancy |
| Result | The alert will be triggered by the user Nancy opening the Skype application. | | |
Where multiple rules are defined for one parameter and one rule is defined for another parameter, all using the Like or Equals operators, the alert will be triggered if the condition of any rule defined for the first parameter is met and the condition of the rule defined for the other parameter is also met.
For example:
| | Parameter | Operator | Value |
|---|---|---|---|
| Rule 1 | Application | Equals | skype.exe |
| Rule 2 | Application | Equals | winword.exe |
| Rule 3 | Username | Equals | Nancy |
| Result | The alert will be triggered by the user Nancy opening either Skype or Microsoft Word. | | |
Where there are multiple rules defined for one parameter using the Not equals or Not like operators, the alert will be triggered if the result found does not match or include any of the defined values.
For example:
| | Parameter | Operator | Value |
|---|---|---|---|
| Rule 1 | Application | Not equals | skype.exe |
| Rule 2 | Application | Not equals | winword.exe |
| Result | The alert will be triggered by a user opening any application except Skype and Microsoft Word. | | |
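The following added example (not Ekran System code) is a small evaluator that reproduces the comparison operators and the rule-combination semantics described above, so each of the example alerts can be checked against constructed events. It assumes a simple event shape (a dict with a platform name plus one found value per parameter), case-sensitive matching, and that the bare asterisk wildcard behaves for every parameter as the page describes for the clipboard.

```python
from collections import defaultdict

# Platforms each parameter applies to, per the Parameters table on this page.
ALL = {"Windows", "macOS", "Linux"}
PLATFORMS = {
    "Username": ALL, "Application": ALL, "Title": ALL,
    "URL": {"Windows", "macOS"}, "Clipboard Copy": {"Windows", "macOS"},
    "File Upload": {"Windows", "macOS"},
    "Keystrokes": {"Windows"}, "Clipboard Paste": {"Windows"},
    "Command": {"Linux"}, "Parameter": {"Linux"},
}
POSITIVE = ("Equals", "Like")
OPERATORS = {  # the Comparison Operators table, as predicates on a found value
    "Equals": lambda value, found: found == value,
    "Like": lambda value, found: value in found,
    "Not equals": lambda value, found: found != value,
    "Not like": lambda value, found: value not in found,
}

def match(operator, value, found):
    """Apply one operator. A bare '*' matches anything (the page's clipboard
    wildcard; assumed here to behave the same for every parameter)."""
    if operator in POSITIVE and value == "*":
        return True
    return OPERATORS[operator](value, found)

def alert_triggered(rules, event):
    """rules: list of (parameter, operator, value); event: dict with 'platform'
    plus parameter -> found value (a constructed shape, not Ekran's own).
    Same parameter + Equals/Like: any rule may match (OR). Different parameters:
    all must hold (AND). Same parameter + Not equals/Not like: none may match.
    Rules whose parameter does not exist on the event's platform are skipped."""
    by_param = defaultdict(list)
    for param, op, value in rules:
        if event["platform"] in PLATFORMS[param]:
            by_param[param].append((op, value))
    if not by_param:  # nothing in this alert applies to this platform
        return False
    for param, param_rules in by_param.items():
        found = event.get(param)
        if found is None:  # rule applies but the event carries no such value
            return False
        positive = [r for r in param_rules if r[0] in POSITIVE]
        negative = [r for r in param_rules if r[0] not in POSITIVE]
        if positive and not any(match(op, v, found) for op, v in positive):
            return False
        if not all(match(op, v, found) for op, v in negative):
            return False
    return True
```

Skipping rules that do not apply to the event's platform is what lets the Linux “su” rule and the Windows facebook.com rule share one alert without the cross-parameter AND suppressing both.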