SSN Detection Alert with GAT Shield

To set up an alert rule in GAT Shield for Social Security Number detection:

Within GAT Shield you will find a template rule for detecting Social Security Numbers on any website your users visit, or when they type one into a webpage themselves.

1. In the Configuration area, under Alert Rules, click on ‘Add a template rule’ and choose US SSN entered.

2. Take the following actions:

  • Check the box to activate the rule.
  • Select the users, groups or Org Unit you want this rule to be applied to. If you leave the Scope blank, all users with the GAT Shield extension will be covered.
  • (Optional) Show a warning message or take no end user action.
  • (Optional) Report matched Text – sends you the text they typed, attached to the email you receive.
  • (Optional) Check the box ‘Report Screen Capture’ to take a screenshot of the page.
  • (Optional) Check the box ‘Report Webcam Capture’ to take a webcam picture of the user behind the device.

3. Click on Save.

The regex inside this template matches any valid SSN and, by default, has a weight of 1. If other keywords occur on the same page, they each have their own weight. If the total weight is equal to or above 3, the rule will be fired.
You can also add your own keywords, or edit the regex to exclude numbers such as local area codes (for example 345, 214, 526, 732).

The regex option we have is:
\b(?!000)(?!666)([0-6]\d{2}|7([0-356]\d|7[012]))[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}\b

You can edit this to exclude your local codes:
\b(?!000)(?!345)(?!214)(?!526)(?!732)(?!666)([0-6]\d{2}|7([0-356]\d|7[012]))[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}\b

Once you select the scope you would like to cover the rule will be active and alerts will be sent to an Admin every time the rule is violated.

Example of an email received by a super admin.

Chrome ‘Device Usage’ Alerts in GAT Shield

Do you want to track down a missing device? Do you know the serial number? Or know the last person using it? If yes, you can use the GAT Shield Device Usage alert to get notified.

How to Configure this Alert.

1. Launch the GAT Shield tool.

2. Enter the Alert Rules section.

3. Select Device Usage from the ‘Add a rule’ drop-down menu.

4. Give the rule a meaningful name. Check the box to activate the rule. Now, enter the user’s email address and/or serial number. If both are entered, whichever is detected first when the rule is triggered on the device takes precedence.

5. Check the box Report Screen Capture to take a screenshot of the page they were browsing at the time the rule is fired.

6. Optionally, you can take a webcam picture of the person behind the device.

7. There is an option to display a message to the user if you turn ON End user action.

Once the alert is triggered an email is sent to the G Suite Super Admin.


When GAT Shield receives a signal that the device is active, the admin will receive an email with a screenshot of the page opened and a map showing where the device is located.
The Device Usage rule is switched to disabled once it has fired, to prevent multiple alerts for the same user or device.

Prevent MP3 files and other file types from being downloaded

Using the real-time alert rules within GAT Shield an admin can set up a rule to prevent certain file types from being downloaded to a user’s device.

To set up a download rule, go to the Configuration section of GAT Shield and enter the Alert Rules section.

Click on the Add a rule button, and select File download.

Once the menu appears, do the following:

  • Give the rule a meaningful name. In my case, I will prevent mp3 and mp4 files from being downloaded. An admin can add many more extensions, such as ‘mov’, ‘zip’, ‘pdf’ and so on.
  • Make sure to enable ‘Active’ so that the rule is active once the rule setup is complete.
  • I entered mp3;mp4, using a semicolon to separate the two file extensions. A semicolon is not necessary if only one file type is being covered.
  • Tick the boxes next to "active" and "cancel/delete download".
  • You can also block files based on their file size: anything equal to or above the value you enter. For example, I can enter 20 MB. That means any mp3 or mp4 equal to or greater than 20 MB will be blocked from being downloaded; smaller files won’t.
  • Cancel/delete download is enabled because we want this rule to block and prevent downloads. If left unchecked, the rule would only notify you and not take any action.
  • Site exclusions are useful if you have some educational sites where downloading mp3 or mp4 files is allowed.
  • Now we need to indicate which users will be covered by this rule. I have used the OU option, selected the root user OU /, and also included sub org units. This means my entire domain is covered by this rule (well, actually, the users who have Shield deployed on their accounts). You can indicate a sub-OU like /Students and enable the option to cover its sub-OUs if you wish.
  • You can also take actions like shutting the webpage down or showing a custom warning message to the students.
  • The last 3 options allow you to report the file name, capture the screen the user was on, and take a picture of the user using the webcam of the device (if the Shield Companion app is deployed as well).

All alerts will be sent to you via email and you can also find them in the Shield Alerts section.

See Who Violated Your Domain’s Usage Rules with GAT Shield

In the Shield Alerts section of GAT Shield, you can view all the instances where your users have violated any Alert Rules.

To learn how to create an Alert Rule, you can watch our video covering the topic.

In the Alerts Explorer, you can view a list of all the times a rule was violated.

You can see data such as the rule name, the rule type, page info if it was a URL visit, how long ago the rule was violated, the user who violated the rule, and whether the status of the alert is still open or has been acknowledged by an Admin.

Clicking the check mark will change the status indicator to a green Acknowledged status.

This is so you can let other Administrators on your domain know the alert was investigated.

By clicking the eye icon you can get all the details of that alert, as well as the admin who acknowledged it.

Device information such as the rule violator’s Shield UUID, OS, IP details and location information is also available in this area.

How to Report and Remove Files Downloaded by Users Using GAT Shield

GAT Shield’s Alert Rules allow admins to stop and report unsafe downloads by users on your domain.

Here’s the video how-to:

To do this, select the ‘Alert Rules’ section. First, we’ll add a rule for downloads. Then, we’ll name the rule EXE and PNG blocked. In the file extension box, we’ll put EXE and PNG separated with a semicolon. Checking the ‘cancel/delete download’ box will prevent a download from happening, and if the file has already been downloaded, it will be deleted. We can then apply these rules to a User, Group, or OU. You can also exclude a User, Group or OU from this rule. In the end user action, you can pick what will happen if a user violates this rule. You can check ‘report file name’, ‘screen capture’ and ‘webcam capture’ to see who downloaded the file and what their screen and webcam were capturing at the time of the download. You can also whitelist certain web pages where the rule will not apply.

If you uncheck the ‘cancel/delete download’ box but have any reports checked, you will only receive a report; the download will not be interrupted.

That concludes this GAT Shield how-to. Thanks for watching.

Stopping LGBTQ Offensive Language in Schools

Since it’s Pride Month, we’ve decided to share with you a few ways you can protect your LGBTQ students in school. The featured video shows you how you can use GAT Shield to spot LGBTQ offensive language in schools:

The past few years have seen significant progress in tackling LGBTQ offensive language in schools. This is to a large degree due to the rising number of schools combating LGBTQ bullying by launching awareness campaigns. It is no secret that the use of homophobic language has a negative impact on LGBTQ students. At the very least, it can impact the affected student’s happiness at school, their grades, and their social life. At its worst, it can affect the student’s mental health and wellbeing. Continued use of homophobic language can quickly escalate into more serious homophobic bullying. That’s why school officials of all levels need to be trained on how to successfully challenge homophobic language in the classroom. Awareness campaigns on their own need to be supplemented with continued strategic action year-round in order to achieve the greatest level of success possible.

To help teachers and admins like you take continued action in protecting students from the LGBTQ community in schools, we have compiled a short list of 3 things you and your colleagues can do to raise awareness and support the LGBTQ community.

#1 Create a school policy that clearly states homophobic language is wrong and will not be tolerated and ensure it is promoted. Something as simple as a new policy implementation can set a strong authoritative tone throughout the school’s community. Guidelines should clearly lay out how any member of the school can go about reporting hateful language to the relevant bodies. Remember to regularly remind both staff and students of the policy so that it remains top of mind more often than not.

#2 Train staff how to deal with homophobic language in the school. It has been reported that many teachers fail to address homophobic bullying of students simply because they do not know how to reprimand or combat such behaviour. Training school staff of all levels will both help staff members gain the confidence needed to tackle the problem and do it more effectively and efficiently.

#3 Use explaining language. Banning certain words and phrases may seem like the simplest most straightforward solution but we need to consider the demographic we are trying to influence. Many kids will want to rebel in the face of direct prohibitions. The best way to deal with such behaviour is by explaining to these kids just why certain words and phrases are hurtful to members of the LGBTQ community and are therefore banned. You might be surprised at how many students will respond to this approach.

If you would like further in-depth reading about tackling homophobic language in schools then you should check out this pdf. Now that we’ve addressed a few simple yet powerful strategies schools can implement to raise awareness about LGBTQ offensive language, here is what you can do with GAT Shield to take this one step further.

GAT Shield is a powerful audit, reporting and security tool for the Chrome environment. It helps protect your users by monitoring all activity and providing real-time DLP on all sites, in all locations and at all times.

But in this post, we’ll be focusing on a specific GAT Shield feature called ‘Alerts’.

It is different from GAT+ in that Shield sends an alert to a designated G Suite admin the moment a blacklisted word is typed.

This is one way of catching prohibited language used in your students’ G Suite and Chrome environment. In the Configuration section of GAT Shield, we provide a multitude of real-time alerts which you can put into place.

We created a new one for this awareness month.

The rule is called the “Homophobic Language Detected” template which you can modify to add locally used homophobic words your users type.

Using these alerts, the admin is notified immediately every time users type homophobic words. Other keywords, which may already be on the site, are also scanned and identified.

This powerful functionality allows you not only to report but also to take action. Some of those actions may be to show a warning message to your users, or to shut down the webpage. You can also capture a screenshot of the webpage and capture the user behind the device who typed in the homophobic word.

Alert Rule Scoring in GAT Shield

The Alert rule scoring is summed up as follows:
The regular expression word (weight of ‘1’) AND any other keyword or keywords (whose weight you can assign when adding the keywords) must equal or exceed the ‘Alert Threshold’ value (which you can also assign). This is how you adjust alert test sensitivity.
The rule is set with an alert threshold of 3.
For this alert rule to fire, the regular expression MUST be matched at least once; this gives a score of 1.
With a score of 1 the alert is not triggered, because the threshold is 3. GAT Shield scans the rest of the text or waits until more text is typed.
If it sees Bank, another 1 is added to the score. If it sees Prize Money, another 1 is added. Now the score has reached the threshold and the alert is triggered.
It could also have been triggered by just the credit card number and the word Draw; this would have scored 4.
If the words Draw, Bank and Money all appeared but no credit card number, then the alert would not have triggered.
Note: GAT Shield reads all text in the computer screen buffers, including text (which may contain trigger words) that does not appear visible because it may be out of scroll or the web page developer has it hidden.
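
The SSN template regex and the scoring rule above can be tried offline before a rule is rolled out. The following is an added example, not GAT Shield's own code: the keyword weights are assumed so that the totals match the figures in the text (Draw = 3), the SSN regex stands in for the credit card regex, and the sample inputs are constructed.

```javascript
// Added example: a model of the scoring described on this page, not GAT Shield's code.
// SSN template regex exactly as the page gives it.
const SSN_TEMPLATE =
  /\b(?!000)(?!666)([0-6]\d{2}|7([0-356]\d|7[012]))[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}\b/;

// Insert (?!NNN) guards after the opening \b, as the page does for local codes.
function excludePrefixes(regex, prefixes) {
  for (const p of prefixes) {
    if (!/^\d{3}$/.test(p)) throw new Error(`not a 3-digit prefix: ${p}`);
  }
  const guards = prefixes.map((p) => `(?!${p})`).join("");
  return new RegExp(regex.source.replace(/^\\b/, () => "\\b" + guards), regex.flags);
}

// Assumptions: the regex contributes 1 however often it matches, each keyword
// counts once, and keyword matching is a case-insensitive substring test.
function scoreText(text, rule) {
  const regexHit = rule.regex.test(text);
  const lower = text.toLowerCase();
  const matched = Object.keys(rule.keywords).filter((k) => lower.includes(k.toLowerCase()));
  const score = (regexHit ? 1 : 0) + matched.reduce((s, k) => s + rule.keywords[k], 0);
  // The regex is mandatory: keywords alone never fire the rule.
  return { score, regexHit, matched, fired: regexHit && score >= rule.threshold };
}

// Constructed rule: weights chosen to reproduce the page's totals (Draw = 3).
const rule = {
  regex: excludePrefixes(SSN_TEMPLATE, ["345", "214", "526", "732"]),
  keywords: { Bank: 1, "Prize Money": 1, Draw: 3 },
  threshold: 3,
};

// Constructed sample inputs; 123-45-6789 is a made-up number.
const samples = [
  "ref 123-45-6789",
  "123-45-6789 Bank, Prize Money",
  "123 45 6789 Draw",
  "Draw, Bank, Prize Money",
  "345-12-3456 Bank, Prize Money",
];
for (const s of samples) {
  const r = scoreText(s, rule);
  console.log(`${r.fired ? "FIRE" : "----"} score=${r.score} regex=${r.regexHit} :: ${s}`);
}
```

The last sample shows the effect of the exclusion: the keywords still score 2, but the excluded 345 prefix means the regex never matches, so the rule cannot fire.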

Export and Import GAT Shield Alert Rules for G Suite

Share Alert rules between G Suite domains. It is easy to share cool or sophisticated alert rules from your domain to another. Just send the second Admin the rule JSON export file. Here’s how:

In GAT Shield, under Alert rules it is possible to create a large number of very different and sophisticated rules for G Suite. GAT has made it easy for G Suite Admins to share these rules.

Beside each rule, an Admin can click on the download button to download the JSON description of the rule. This is a simple text file.

The json file looks like this …

[
  {
    "id": "59c68ff0463d7e0cf1ccfd0e",
    "name": "Block visits to Games site",
    "type": "visit",
    "active": true,
    "unique": false,
    "regex": "games",
    "alertAction": "warn",
    "alertActionMsg": "'$text' violated '$name' rule.",
    "alertNotify": true,
    "alertThreshold": 0,
    "reportMatch": true,
    "reportScreen": true,
    "reportVideo": false,
    "created": 1506185200217,
    "modified": 1521733041871,
    "createdBy": "robert@generalaudittool.com",
    "modifiedBy": "robert@generalaudittool.com",
    "ruleRecipients": [],
    "ruleOrgRecipients": [],
    "alertRecipients": [
      "robert@generalaudittool.com"
    ],
    "_id": "59c68ff0463d7e0cf1ccfd0e"
  }
]

The Admin can then send that file to another Admin on a different domain. The second Admin can change references to the old domain and insert his address and domain into the file in the same locations. The rule can then be uploaded into the new domain with the rule ‘Upload’ button and selecting the modified json file.

Once the rule is uploaded it can be further edited and refined by the Admin on the new domain.

In this way, rules can be shared easily between different Admins and Domains.
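
The step of changing references to the old domain can be scripted and checked, so that no alert (with its matched text or screenshot) is still addressed to the sending domain after upload. This is an added example, not GAT Labs code: the function names and the new admin address admin@example.edu are hypothetical, and the export is a constructed subset of the fields shown above.

```javascript
// Added example, not GAT Labs code: retarget an exported rule to a new domain.
// Constructed export, trimmed to a subset of the fields shown on the page.
const exported = JSON.stringify([{
  id: "59c68ff0463d7e0cf1ccfd0e",
  name: "Block visits to Games site",
  type: "visit", active: true, regex: "games",
  alertActionMsg: "'$text' violated '$name' rule.",
  reportMatch: true, reportScreen: true, reportVideo: false,
  createdBy: "robert@generalaudittool.com",
  modifiedBy: "robert@generalaudittool.com",
  ruleRecipients: [], ruleOrgRecipients: [],
  alertRecipients: ["robert@generalaudittool.com"],
}]);

const EMAIL = /^[^@\s]+@([^@\s]+)$/;

// Visit every string in the rule file, including array items.
function walkStrings(node, path, fn) {
  for (const [key, value] of Object.entries(node)) {
    const here = `${path}.${key}`;
    if (typeof value === "string") fn(value, here, (v) => { node[key] = v; });
    else if (value && typeof value === "object") walkStrings(value, here, fn);
  }
}

// Replace every address at oldDomain with newAdmin; report what was changed.
function retargetRules(json, oldDomain, newAdmin) {
  const rules = JSON.parse(json);
  const changed = [];
  walkStrings(rules, "$", (value, path, set) => {
    const m = EMAIL.exec(value);
    if (m && m[1].toLowerCase() === oldDomain.toLowerCase()) { set(newAdmin); changed.push(path); }
  });
  return { rules, changed };
}

// Pre-upload check: addresses outside ownDomain would still receive alerts,
// matched text or screenshots, or be recorded as the rule's author.
function foreignAddresses(rules, ownDomain) {
  const found = [];
  walkStrings(rules, "$", (value, path) => {
    const m = EMAIL.exec(value);
    if (m && m[1].toLowerCase() !== ownDomain.toLowerCase()) found.push(`${path}=${value}`);
  });
  return found;
}

const out = retargetRules(exported, "generalaudittool.com", "admin@example.edu");
console.log("rewritten:", out.changed);
console.log("still foreign:", foreignAddresses(out.rules, "example.edu"));
```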

GAT Shield Alert Type: Document Inspection

GAT Shield has added a new alert type: Document inspection. Existing alerts monitor what the users type, now we can read documents they open. This new alert will read Google Docs and Sheets as well as Microsoft docs and sheets opened in previews and identify content to be alerted on, even if that content is not appearing on screen. The user must open the document for the alert to work. IT WILL NOT inspect documents at rest.
