Overview
Alerts highlight risky file activity in your organization, such as when important data is moved to untrusted locations. This article describes the Manage Rules section of the Incydr console, where you view and update the rule criteria that trigger alert notifications.
For information about individual alerts generated based on these rules, see Review Alerts reference. For more details about rule criteria, see Create and manage alert rules.
Manage Rules
Use the Manage Rules screen to view, create, edit, duplicate, and delete the alert rules that trigger alert notifications.
To add or edit alert rules:
- Sign in to the Incydr console.
- Select Alerts > Manage Rules.
Item | Name | Description
---|---|---
a | Risk settings | Click to open the risk settings, where you can set the score of each risk indicator. Scores are used to calculate the severity of each file event. For more information, see the Risk settings reference.
b | Create rule | Creates a new rule that you can use to alert you when important data may be leaving your company.
c | Recommended rules | Creates a new rule from a pre-configured template that has recommended settings. Click one of the rule names to start creating a rule from that template, or click View all recommendations to view all of the recommended rules. You can change and customize the settings to match your specific needs.
d | Rule name | Name entered for the rule when it was created.
e | Created | Date the rule was created.
f | Column sort | Hover over any column header to see the sort option. Click the up arrow to sort results by this column in ascending order. Click the down arrow to sort in descending order.
g | Last modified | Date the rule was last changed.
h | Enable | Click to enable or disable rules.
i | Actions | Click to make a copy of an existing rule or to delete a rule.
j | View | Click to view an alert rule's settings. For more information on editing rule settings, see Create and manage alert rules.
k | Rows per page | Select the number of rules to display on each page.
l | Pagination | Click the right and left arrows to scroll through pages of rules.
Recommended rule templates
Incydr includes a number of pre-configured, recommended rule templates. You can quickly create rules from these templates, modifying the default settings to match your needs and environment.
To start creating a rule from a template:
- If the template you want appears in the Recommended rules list, click its name.
- Otherwise, click View all recommendations to view all recommended rule templates and then click the rule name.
When the Step 1 of 3 panel opens for that template, use it to customize the rule for your unique needs and environment. Each recommended rule template uses alert rule settings to identify the specific file activity to alert on.
Alert rule settings
To create an alert rule, you select rule settings that match the activity you want to be alerted about. You can mix and match settings as needed to target specific activity your organization has identified as carrying the most risk.
For more information about a setting, follow these links:
- Risk severity
- Filename keywords
- File categories
- User behavior
- File volume
- Destination
- Source
- Classification and sensitivity labels
- Personally identifiable information (PII)
- Custom file content risk indicators
- Preventative controls
- Individual users
- Watchlists
After adding settings to a rule, complete the rule by naming it, giving it a description, and identifying the users you want to notify when Incydr detects activity matching the rule's criteria.
View rule
For any alert rule listed in the Manage Rules table, click View to view details about that rule. You can then change the rule's name and description, and add or edit its settings.
Rule details vary. Specific rules may display different details than those shown in the example below.
Item | Name | Description
---|---|---
a | Rule name and description | The name and description entered when the rule was created. Rule names must be unique.
b | Actions menu | Click
c | Rule settings | The settings for this rule. The options selected for each setting are also listed. Alerts automatically include all destinations for activity. For this reason, Any destination is listed for Destination even when no Destination setting has been added to the rule. If you have selected specific destinations that filter the detection of matching activity, those destinations are listed instead. "No users defined" error message: this error appears when the rule has the Individual users setting but no users have been added to that setting. You can either add users to the Individual users setting or remove the setting entirely. If you remove the setting, you can instead add the Watchlists setting to the rule to monitor the activity of higher-risk users on a watchlist.
d | Add setting | Click to add a new setting to the rule and select its options.
e | Edit | Click the edit icon to update the criteria for any item.
f | View activity that matches this rule criteria | Click to view file events from the past 30 days that match these rule settings. Review the results to confirm that the rule identifies the activity for which you want to generate an alert.
g | Actions | If your product plan includes Instructor, shows the lesson that is automatically sent via email or Slack to users when their risky activity triggers the alert rule. Click Edit to change the lesson. To avoid lesson "fatigue," lessons are automatically sent to users only once every 30 days, even if they repeat the risky activity within that timeframe.
h | Notifications | The email addresses of the users who are automatically notified when activity that matches the rule is detected. Click Edit to change the addresses. If you do not enter any email addresses, no emails are sent, but the alert details are still visible in the Review Alerts table.