Email - Did What

This topic describes how to define alert rule conditions using the options available in the Email group category in the Did what? section of the Create Alert Rule page. (For more about the Did what? section, see Defining the "Did What?" Conditions.)

You can set up alert rules to help prevent exfiltration by email.

When Email Monitoring and File Activity Monitoring and are enabled in the System Policy settings, you can configure alerts for:

  • Sent email using an email client: An alert is triggered when an email is sent using an email client.

  • Exfiltrated file by sending it via email: An alert is triggered when an attached file is sent via email.

  • Exfiltrated file by attaching it to an email client: An alert is triggered when a file is attached to an email.

  • Saved file from an email client: An alert is triggered when a file attachment from an email is saved.

In some options, you can enter multiple values separated by commas either directly or by clicking the […] icon to open a popup in which you can enter the values. Alternatively, when Lists are supported, you can choose to select a predefined List instead of entering a set of values. By hovering over the values field, two icons appear that enable you to switch between the Values and List modes: or . When List mode is selected, a drop-down list shows all the predefined Public and Private lists that are authorized for this Console User. You can edit the list contents, if required. For details, see Editing Lists.

Related Topics:

Email Monitoring Policies

Email Clients Monitoring and Visibility

Email Activity Report Configuration