If this rule triggers
The "If this rule triggers" parameter applies to all protocols.
This parameter specifies the following additional actions to be performed when the rule triggers:
Send Alert - Specifies that an alert is sent whenever the rule triggers.
DeviceLock sends alerts on the basis of alert settings. These settings specify where and how the alerts should be sent. Before enabling alerts for a specific white list rule, alert settings must be configured in the service options (see Alerts).
Log Event - Specifies that an event is logged in the Audit Log whenever the rule triggers.
Shadow Copy - Specifies that a shadow copy of data is created whenever the rule triggers.
When alerts, audit and/or shadowing are enabled or disabled in a white list rule, the rule setting takes precedence over the respective setting for the protocol.
Example: If audit is enabled for a particular protocol and disabled in a rule for that protocol, the triggering of the rule does not cause audit events. If audit is enabled in the rule, then the triggering of the rule causes audit events, even if audit is disabled at the protocol level.
The rule can also inherit the alert, audit and/or shadowing setting from the protocol level. This is the default option, represented by the indeterminate state of the respective check boxes (neither checked nor cleared). The state of each check box can be changed individually.
Example: When a rule inherits the audit setting from the protocol level, the triggering of the rule causes audit events only if audit is enabled for the protocol controlled by that rule.
The Audit Log Viewer displays the following information about any event generated by a white list rule:
Type - Success
Date/Time - The date and time the connection was started, in the following format: dd.mm.yyyy hh:mm:ss. Example: 05.06.2012 14:54:46
Source - The type of the protocol involved.
Action - The user’s activity type: either Incoming Connection or Outgoing Connection.
Name - Contains no information.
Information - The IP address with the port number and the fully qualified domain name (FQDN) of the remote host. Example:
Remote host: 192.168.100.10:99 (mycomputer.mygroup.mydomain.com)
Reason - The cause of the event: White List: “<rule_name>”
User - The name of the user associated with this event, in the following format: <domain_name>\<user_name>.
PID - The identifier of the process associated with this event. Example: 4420
Process - The fully qualified path to the process executable file. Example: C:\Program Files\AppFolder\AppName.exe
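The field layouts listed above can be normalized for triage or SIEM ingestion. The following Python parser is an added example, not DeviceLock code: it assumes each event is already available as a dict keyed by the Audit Log Viewer column names, and the function name, the protocol value, the rule name and the user name in the sample are hypothetical.

```python
import re
from datetime import datetime
from ipaddress import ip_address

# Layouts of the Information and Reason fields as documented above.
REMOTE_RE = re.compile(r'^Remote host:\s*(?P<ip>\S+):(?P<port>\d+)\s*\((?P<fqdn>[^)]*)\)$')
REASON_RE = re.compile(r'^White List:\s*["\u201c](?P<rule>.*)["\u201d]$')
DIRECTIONS = {"Incoming Connection": "in", "Outgoing Connection": "out"}


def parse_whitelist_event(row):
    """Normalize one white list audit event; ValueError/KeyError on malformed input."""
    remote = REMOTE_RE.match(row["Information"].strip())
    reason = REASON_RE.match(row["Reason"].strip())
    if not remote or not reason:
        raise ValueError("not a white list event in the documented layout")
    if row["Action"] not in DIRECTIONS:
        raise ValueError("unexpected Action value")
    port = int(remote["port"])
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    domain, sep, user = row["User"].partition("\\")
    if not sep:
        raise ValueError("User is not in <domain_name>\\<user_name> form")
    return {
        "time": datetime.strptime(row["Date/Time"], "%d.%m.%Y %H:%M:%S"),
        "protocol": row["Source"],
        "direction": DIRECTIONS[row["Action"]],
        "remote_ip": str(ip_address(remote["ip"])),  # rejects malformed addresses
        "remote_port": port,
        "remote_fqdn": remote["fqdn"],
        "rule": reason["rule"],
        "domain": domain,
        "user": user,
        "pid": int(row["PID"]),
        "process": row["Process"],
    }


# Constructed sample row: values reuse the examples above; the protocol,
# rule name and user name are made up for illustration.
SAMPLE = {
    "Date/Time": "05.06.2012 14:54:46", "Source": "HTTP",
    "Action": "Outgoing Connection",
    "Information": "Remote host: 192.168.100.10:99 (mycomputer.mygroup.mydomain.com)",
    "Reason": "White List: \u201cIntranet portal\u201d",
    "User": "MYDOMAIN\\jsmith", "PID": "4420",
    "Process": r"C:\Program Files\AppFolder\AppName.exe",
}
```

Because the Reason field carries the rule name, grouping the parsed records by rule shows which white list entries are actually letting traffic through.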