Creating a DAM access policy to monitor files on NAS and SharePoint

Use the comprehensive criteria and rule actions of Data Activity monitoring (DAM) access policy to monitor FAM for NAS and SP in deeper granularity. Set up alerts on a subset of users, audit all or a set of users, and optionally ignore a set of users or operations.

Before you begin

Create and install a FAM policy to filter FAM traffic that you want to monitor. For more information, see Creating file activity policies for network-attached storage (NAS) devices and Creating file activity policies for SharePoint.
Note: Set the FAM policy action to Audit Only.

About this task

Apply Data Activity Monitoring (DAM) access policy to NAS and SharePoint to achieve granular policy filtering.

Procedure

  1. Go to Protect > Security Policies > Policy Builder for Data.
  2. Create a policy by clicking the new icon.
  3. From the Name and properties pane of the Create New Policy window, set the policy type to Data security policy and define a policy name.
  4. Click the Rules pane to begin working with policy rules. Create a rule by clicking the new icon.
    1. From the Rule definition pane of the Create New Rule window, define a Rule name. Set the Rule type to Access.
    2. Click the Rule criteria pane. Use the menus to select individual parameters, define selection operators, and then specify values or groups to match.
      For FAM for NAS and SharePoint, use the following criteria:
      Session level criteria
      • Operating system user: The username of NAS or SharePoint. The database username is also the same.
      • Client IP address: The IP address that is used to connect to NAS or SharePoint.
      • Server IP address: The IP address where the NAS or SharePoint server is hosted.
      • Server host name: The hostname of the NAS or SharePoint host
      • Service name: To process FAM for NAS traffic, use NASFAM. For SharePoint, use SPFAM.
      SQL criteria
      1. Command
        Note: Commands are case-sensitive.
        For NAS, use the following commands:
        • Rename
        • Update
        • Create
        • Read
        • Delete
        • Access Rights Change
        For SharePoint, use the following commands:
        • CheckOut
        • CheckIn
        • View
        • Delete
        • Update
        • ProfileChange
        • ChildDelete
      2. Object
        • For NAS, provide the absolute path of the file name or directory name.
        • For SharePoint, provide the full URL to the SharePoint object.
      Attention:

      When both DAM and FAM for NAS and SP policies are installed to monitor NAS and SharePoint traffic, FAM rules are evaluated and triggered last, regardless of the order of the policies.

      Enable Continue to next rule for all DAM policy rules to ensure that the FAM rules are triggered.

    3. Click the Rule action pane to begin working with rule actions, then create a new rule action by clicking the new icon.
      For FAM for NAS and SharePoint, use the following actions:
      • ALERT PER MATCH
      • ALERT DAILY
      • ALERT ONLY
      • ALERT PER TIME GRANULARITY
      • LOG MASKED DETAILS
      • LOG FULL DETAILS
      • LOG FULL DETAILS WITH REPLACED VALUES
      • SKIP LOGGING
      • LOG ONLY
      Note: FAM for NAS and SharePoint does not support actions that are tracked per session or require S-TAP.
    4. After the rule is defined, click OK to return to the Rules pane.
      Continue working with rules as needed.
  5. After the policy and its rules are defined, click OK to save the policy and return to the Security Policies table.