FAAM Alerting

Hello everyone, hope the week is going well for all. My question is about FAAM and alerts.

Has anyone set up FAAM-related alerts? Example: I have a laptop and I copy a network share directory to the desktop of said laptop; it's a fairly large amount of data and is a few folders deep. OR I find out my boss is going to let me go, so I delete all my personal files from my network home directory. How would I set up an alert for those types of scenarios, or similar?

Thanks in advance and have a great day.
Randy

Hey Randy,

You would set up FAAM on the file server, since FAAM is for network shares only. Then, as far as building a detection on those events, you could create a Custom Detection rule that says, for example, alert me if I see X number of unique files being accessed in Y minutes.

An example Custom Detection Rule might look something like this:

[Screenshot: example Custom Detection Rule, 2024-11-21]

This says for any user, when the access type is observed as Delete, and there are 1000 unique file names accessed in 10 minutes, create an Investigation.

David
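
To make the rule in the post above concrete, here is an added example (not FAAM's own rule engine, and not code from the original thread) that runs the same logic over constructed file-access events: group events by user, count the distinct file names with access type Delete inside a trailing 10-minute window, and open an investigation when that count reaches 1000. The log format (tab-separated timestamp, user, access type, path) and the user names are invented for the example.

```python
"""Sliding-window 'unique files deleted per user' detector over constructed events.
Illustrates the rule described in the thread (Delete, 1000 unique file names,
10 minutes). This is an added example, not FAAM's implementation."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # "in 10 minutes"
THRESHOLD = 1000                 # "1000 unique file names"
ACCESS_TYPE = "Delete"           # "access type is observed as Delete"


def parse_event(line):
    """Parse one constructed log line: ISO timestamp, user, access type, path (tab-separated)."""
    ts, user, access, path = line.rstrip("\n").split("\t", 3)
    return datetime.fromisoformat(ts), user, access, path


class UniqueFilesDetector:
    """Group events by user (the 'key') and count distinct paths in the trailing window."""

    def __init__(self, window=WINDOW, threshold=THRESHOLD, access_type=ACCESS_TYPE):
        self.window = window
        self.threshold = threshold
        self.access_type = access_type
        self._recent = defaultdict(deque)                     # user -> deque[(ts, path)]
        self._paths = defaultdict(lambda: defaultdict(int))   # user -> path -> hits in window

    def _expire(self, user, now):
        """Drop events older than the window so the count is per-window, not lifetime."""
        recent, paths = self._recent[user], self._paths[user]
        while recent and now - recent[0][0] > self.window:
            _, old_path = recent.popleft()
            paths[old_path] -= 1
            if paths[old_path] == 0:
                del paths[old_path]

    def feed(self, ts, user, access, path):
        """Feed one event (events must arrive in time order). Returns an investigation
        dict when the distinct-path count crosses the threshold, otherwise None."""
        if access != self.access_type:
            return None
        self._expire(user, ts)
        self._recent[user].append((ts, path))
        paths = self._paths[user]
        paths[path] += 1
        # Fire only at the crossing: one burst opens one investigation, not one per delete.
        if len(paths) == self.threshold:
            return {
                "user": user,
                "access_type": access,
                "unique_files": len(paths),
                "window_start": self._recent[user][0][0],
                "window_end": ts,
            }
        return None


def run_detector(lines, **kwargs):
    """Sort log lines by time, feed them through the detector, collect investigations."""
    det = UniqueFilesDetector(**kwargs)
    events = sorted(parse_event(line) for line in lines)
    return [hit for hit in (det.feed(*ev) for ev in events) if hit]


def build_sample_log():
    """Constructed events (not real FAAM output) covering cases the rule should and should not catch."""
    base = datetime(2024, 11, 21, 12, 0, 0)
    lines = []
    # randy: 1200 distinct files deleted in 8 minutes -> should open an investigation
    for i in range(1200):
        ts = base + timedelta(milliseconds=400 * i)
        lines.append(f"{ts.isoformat()}\trandy\tDelete\t\\\\fs01\\home\\randy\\doc{i}.txt")
    # bob: 1200 distinct deletes spread over an hour (~200 per 10-minute window) -> no
    for i in range(1200):
        ts = base + timedelta(seconds=3 * i)
        lines.append(f"{ts.isoformat()}\tbob\tDelete\t\\\\fs01\\home\\bob\\old{i}.log")
    # alice: 2000 deletes of the same file in 5 minutes -> only one unique name -> no
    for i in range(2000):
        ts = base + timedelta(milliseconds=150 * i)
        lines.append(f"{ts.isoformat()}\talice\tDelete\t\\\\fs01\\home\\alice\\scratch.tmp")
    # carol: 1200 distinct files read in 8 minutes -> wrong access type -> no
    for i in range(1200):
        ts = base + timedelta(milliseconds=400 * i)
        lines.append(f"{ts.isoformat()}\tcarol\tRead\t\\\\fs01\\share\\reports\\q{i}.xlsx")
    return lines


if __name__ == "__main__":
    for hit in run_detector(build_sample_log()):
        print(hit)
```

Two things the sample shows that the screenshot alone does not: "unique" means alice's 2000 deletes of one file never count past 1, and the window is trailing, so bob's slow steady deletion stays under the bar even though his lifetime total exceeds it. Lowering `threshold` (e.g. to 200) catches bob as well, which is the usual tuning trade-off between catching slow-and-low deletion and paging on routine cleanup jobs.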

David, this worked awesome. :+1:
Thanks so much it is greatly appreciated.

Randy

Hi @david_smith1,
Can I ask you to better explain what the two entries indicate:

  • “Group matched data from specific key”
  • “Detect on unique values in a specific key”

and then also the differences between:

  • “This rule will detect only one on match”
  • “This rule will detect on every match after”
  • “This rule will detect on every match between”

I have read the documentation several times, but it is not very clear; some descriptive examples would be very useful.

Thanks

Hi Dome,

Within the product there is a helpful tooltip guide that explains this pretty well.

See the blue link to the right.