New to Alarms?
Start with our ActivTrak Alarms Overview! We've created out-of-the-box Alarms for the most common scenarios - no setup required. Once you're comfortable with how Alarms work, you can always come back to create your own custom configurations.
ActivTrak offers three Alarm types to address different monitoring needs:
- Activity Alarms track user behavior across applications and websites, alerting you when specific conditions are met. These Alarms help you monitor usage patterns, identify potential security risks, and ensure compliance with company policies.
- USB Alarms alert you when Users connect external storage devices to their computers. Monitoring and controlling USB device usage across your organization helps protect sensitive data and maintain security compliance.
- Security Audit Alarms alert you when changes are made to your ActivTrak account. These Alarms help you monitor administrative actions, maintain security compliance, and keep track of important account modifications.
Contents
- Common use cases
- Create a custom Alarm
- Best practices
- Viewing the Alarm Log
- Alarm testing and validation
- Learn more
Common use cases
- Monitor access to unauthorized websites or applications
- Track usage of sensitive applications
- Alert when Users spend excessive time on non-productive activities
- Detect potential data security risks
- Identify the usage of AI tools or other specific applications
- Detect unauthorized data transfers to external devices
- Monitor USB device connections in secure environments
- Maintain compliance with data security policies
- Create an audit trail of external device usage
- Monitor administrative User activity
- Track changes to User permissions or roles
- Get notified about agent installations or removals
- Detect when Users are added to or removed from Do Not Track lists
- Stay informed about data export actions
Create a custom Alarm
Access the Alarm Configuration page
- Navigate to the Alarm Configuration page via Notifications > Compliance Alarms > Alarm Configuration.
- Click the + Create New Alarm button in the top left corner.
Name your Alarm and select the type
- Enter a descriptive name for your Alarm.
- Select the Alarm type: Activity, USB or Security Audit.
Apply to specific Groups
Note: This step only applies to creating Activity Alarms.
Define who the Alarm will monitor in the Group Alarm panel:
- Global application: Set the Selected Groups to All Users and Computers
- Specific Groups: Select one or more Groups by clicking into the Selected Group box, or type directly into the box to search the available Groups
Configure Conditions
The setup steps for Conditions vary by Alarm type.
Important: The Conditions available in your account depend on the type of Alarm, the plan type and add-ons. We have summarized the availability of Conditions in the ActivTrak Alarm Overview page.
- Choose a matching rule.
| Match Any | Triggers if any single condition is met |
| Match All | Requires all conditions to be satisfied simultaneously |
- Add Condition(s) by clicking the Add Condition button.
- Use the dropdown menu to select the Field and the type of activity you want to monitor, such as website visits, application usage, or specific User actions.
Note: Depending on the Fields you select, you may need to switch from 'Match Any' to 'Match All'. A message will pop up if this change is required.
| Computer | The name of the device where the activity occurred |
| Description | Details about what the User was doing (like the title of a webpage or document) |
| Duration (seconds) | The length of time in seconds the activity lasted |
| Executable | The name of the program or application being used |
| Private IP Address | The internal network address assigned to the User's device |
| Logon Domain | The domain or computer name where the User signed in |
| Primary Domain | The main network domain the computer belongs to |
| Titlebar* | The text that appears at the top of a window or browser tab |
| URL* | The web address (like www.google.com) |
| User | The ActivTrak username |
*Available Conditions depend on the type of Alarm, the plan type and add-ons. See Conditions Availability for specific details about what's included with your setup.
- Select the Operator with the dropdown menu. The Operator is used to set the specific conditions that will trigger your alarm, such as "contains," "equal to," or "greater than."
| Contains | Triggers when the keyword appears anywhere in the activity ("Google" matches "www.Google.com" and "Google Drive") |
| Does Not Contain | Triggers when the keyword is nowhere in the activity ("Facebook" won't match activities that include "Facebook.com") |
| Ends with | Triggers when the activity ends with your keyword (".pdf" matches "report.pdf" but not "pdf-converter.exe") |
| Equal to | Triggers only when the activity matches your keyword exactly ("Google.com" won't match "www.Google.com") |
| Not Equal to | Triggers when the activity doesn't match your keyword exactly ("Google.com" will not match "www.Google.com" since they're not identical) |
| Starts with | Triggers when the activity begins with your keyword ("www" matches "www.Google.com" but not "Google.com") |
| Greater than | Triggers when the number exceeds your threshold (set to 600 seconds to catch activities lasting longer than 10 minutes) |
- Enter the Value, the keyword or the number that the Alarm is looking for in order to trigger. This can be the website name, username, keyword in a title bar or description, the time in seconds the User is active on a particular window, etc.
- Toggle on Case Sensitive if your matching needs to consider letter case.
- Click the Update button to add the Condition to your Alarm.
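A local model of the Activity Alarm Condition logic described above (matching rule, Operators, Case Sensitive), added here as an example and not ActivTrak's own code, for dry-running a rule against sample activity before it goes live. The activity records and rule values are constructed, and it assumes matching ignores letter case unless Case Sensitive is toggled on.

```python
# Added example: a local model of the Condition semantics on this page.
# Not ActivTrak code. Sample records and rule values are constructed.

TEXT_OPERATORS = {
    "Contains":         lambda actual, value: value in actual,
    "Does Not Contain": lambda actual, value: value not in actual,
    "Starts with":      lambda actual, value: actual.startswith(value),
    "Ends with":        lambda actual, value: actual.endswith(value),
    "Equal to":         lambda actual, value: actual == value,
    "Not Equal to":     lambda actual, value: actual != value,
}

def condition_met(activity, field, operator, value, case_sensitive=False):
    """Evaluate one Condition (Field, Operator, Value) against one activity."""
    actual = activity[field]
    if operator == "Greater than":            # numeric Fields such as Duration (seconds)
        return float(actual) > float(value)
    actual, value = str(actual), str(value)
    if not case_sensitive:                    # assumption: toggle off means case is ignored
        actual, value = actual.casefold(), value.casefold()
    return TEXT_OPERATORS[operator](actual, value)

def alarm_triggers(activity, conditions, match):
    """Match Any: one Condition is enough. Match All: every Condition must hold."""
    results = [condition_met(activity, *cond) for cond in conditions]
    return any(results) if match == "Match Any" else all(results)

def dry_run(activities, conditions, match):
    """Return the Titlebar of every sample activity the rule would flag."""
    return [a["Titlebar"] for a in activities if alarm_triggers(a, conditions, match)]

# Constructed sample activity, keyed by the Field names listed above.
ACTIVITIES = [
    {"User": "jdoe", "URL": "www.google.com", "Titlebar": "Google Drive", "Duration (seconds)": 720},
    {"User": "jdoe", "URL": "chat.example-ai.test", "Titlebar": "AI assistant", "Duration (seconds)": 45},
    {"User": "asmith", "URL": "", "Titlebar": "payroll.xlsx", "Duration (seconds)": 900},
]

# Narrow rule: a specific site AND a minimum dwell time.
AI_TOOL_RULE = [("URL", "Contains", "example-ai"), ("Duration (seconds)", "Greater than", 30)]
# Broad rule: a negative Operator combined with a duration threshold.
BROAD_RULE = [("URL", "Does Not Contain", "facebook"), ("Duration (seconds)", "Greater than", 600)]

if __name__ == "__main__":
    print(dry_run(ACTIVITIES, AI_TOOL_RULE, "Match All"))
    print(dry_run(ACTIVITIES, BROAD_RULE, "Match Any"))
    print(dry_run(ACTIVITIES, BROAD_RULE, "Match All"))
```

The broad rule shows why a negative Operator such as Does Not Contain under Match Any flags nearly every activity, while the same Conditions under Match All narrow to the long-running ones.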
USB Alarms use specific triggers related to external device connections.
- Toggle on the USB events you want to monitor. You can choose either option or both.
| USB Storage is Inserted | Triggers when a USB device is plugged in |
| USB Storage is Written | Triggers when data is written to a USB device |
- Add optional conditions by clicking the Add Condition button.
- Use the dropdown menu to select the Field and the type of activity you want to monitor, such as computer, primary domain, or User.
| Computer | The name of the device where the activity occurred |
| Logon Domain | The domain or computer name where the User signed in |
| Primary Domain | The main network domain the computer belongs to |
| User | The ActivTrak username |
- Select the Operator with the dropdown menu. The Operator is used to set the specific conditions that will trigger your alarm, such as "contains," "equal to," or "starts with."
| Contains | Triggers when the keyword appears anywhere in the activity ("Google" matches "www.Google.com" and "Google Drive") |
| Does Not Contain | Triggers when the keyword is nowhere in the activity ("Facebook" won't match activities that include "Facebook.com") |
| Ends with | Triggers when the activity ends with your keyword (".pdf" matches "report.pdf" but not "pdf-converter.exe") |
| Equal to | Triggers only when the activity matches your keyword exactly ("Google.com" won't match "www.Google.com") |
| Not Equal to | Triggers when the activity doesn't match your keyword exactly ("Google.com" will not match "www.Google.com" since they're not identical) |
| Starts with | Triggers when the activity begins with your keyword ("www" matches "www.Google.com" but not "Google.com") |
- Enter the Value, the keyword or the number that the Alarm is looking for in order to trigger. This can be a username, device, or domain.
- Toggle on Case Sensitive if your matching needs to consider letter case.
- Click the Update button to add the Condition to your Alarm.
Security Audit Alarms trigger based on specific events in your account.
- Choose a matching rule.
| Match Any | Triggers if any single condition is met |
| Match All | Requires all conditions to be satisfied simultaneously |
- Add Condition(s) by clicking the Add Condition button.
- Use the dropdown menu to select the Field and the type of activity you want to monitor, such as logins, exports, or specific configuration changes.
| ActivTrak ID | The associated email for the App Access user who performed the action (example@youremail.com) |
| Public IP Address | The internet address showing where the App Access user connected from |
| Description | Additional details about what took place during the event |
| Event | The type of activity that happened (like login, export, or configuration change). Tip: For a list of items you may wish to search for in the "Event" column of the Security Audit Log, see Commonly Logged Events. |
| Action Type | Whether the action created, deleted, or updated something |
| Action Data | Specific information about what was accessed or modified |
- Select the Operator with the dropdown menu. The Operator is used to set the specific conditions that will trigger your alarm, such as "contains," "equal to," or "starts with."
| Contains | Triggers when the keyword appears anywhere in the activity ("Google" matches "www.Google.com" and "Google Drive") |
| Does Not Contain | Triggers when the keyword is nowhere in the activity ("Facebook" won't match activities that include "Facebook.com") |
| Ends with | Triggers when the activity ends with your keyword (".pdf" matches "report.pdf" but not "pdf-converter.exe") |
| Equal to | Triggers only when the activity matches your keyword exactly ("Google.com" won't match "www.Google.com") |
| Not Equal to | Triggers when the activity doesn't match your keyword exactly ("Google.com" will match "www.Google.com" since they're not identical) |
| Starts with | Triggers when the activity begins with your keyword ("www" matches "www.Google.com" but not "Google.com") |
- Enter the Value or the keyword that the Alarm is looking for in order to trigger. This can be the App Access user's email address, a certain event, etc.
- Toggle on Case Sensitive if your matching needs to consider letter case.
- Click the Update button to add the Condition to your Alarm.
Configure Actions
You've set up what triggers your alarm. Now let's decide what it does when triggered. There are six main Actions that can be configured.
Important: The Actions available in your account depend on the type of Alarm, the plan type and add-ons. See Actions Availability for specific details about what's included with your setup.
Important: Available for Activity and USB Alarm Types, with Screen Details (Add-on) or Full Details selected
Automatically take a Screenshot when your alarm triggers, or capture multiple screenshots at intervals you set (with a minimum interval of 10 seconds).
- Toggle on "Capture screenshots when the alarm is triggered"
- Choose Single (captures one image when the Alarm triggers) or Multiple Screenshots (takes recurring screenshots at a set interval)
- For multiple screenshots, set capture frequency (minimum 10 seconds)
Screenshots will continue until the window or application changes, the User becomes inactive, or the maximum number of screenshots is reached (100 per activity).
Best Practices
- Consider privacy implications before enabling Screenshots
- Use Screenshots selectively for high-risk activities
- Inform Users about your organization's Screenshot policies
- Review Screenshots promptly when an Alarm triggers
- Set an appropriate Screenshot frequency to balance detail with storage limitations
Important: Available for Activity and USB Alarm Types, with Screen Details (Add-on) or Full Details selected
Pop-up Messages show notifications directly on the User's screen when your alarm triggers. You can write your own custom message or use our pre-filled text options. These can be useful for policy reminders when USB devices are connected, for example.
- Toggle on "Display pop-up message on the client"
- Enter the message text to display
- Use the pre-filled text options to make the message detailed (e.g., Time, User, URL). Consider crafting a clear, concise message that explains why the action triggered an Alarm, references relevant policies, and provides guidance on appropriate behavior.
Important: Available for all Alarm Types and all paid plans
Email Notifications allow the ActivTrak Admin to be alerted whenever the Alarm triggers. Similar to the Pop-up Messages, the fields can be prefilled, or the Admin can create a custom message. The To field can be populated with any user with App Access (Settings > Access > App Access).
- Toggle on "Send email notification when the alarm is triggered"
- Enter the recipient email address(es) in the To field
- Customize the Subject and Email Body with a custom message
- Use the pre-filled text options to make the message detailed (e.g., Time, User, URL)
Important: Available for all Alarm Types and all paid plans
External Notifications, also called Webhooks, enable administrators to integrate ActivTrak alarms with other applications, such as Slack or Microsoft Teams. Simply plug in the URL generated by the destination application, along with any additional parameters as needed.
- Toggle on "Send external notifications when alarm is triggered"
- Select Destination (Slack, Microsoft Teams, or custom webhook)
- Enter the Custom Webhook URL
- Select the information (e.g., Title, User, URL) that will be included in the notification
Benefits
- Centralize notifications in your existing communication tools
- Alert specific teams based on Alarm type
- Create a dedicated security or compliance channel
External Notification Log
When an Alarm sends an External Notification, its status is logged in the External Notifications Log via Notifications > Compliance Alarms > Alarm Webhooks. Check the State column to determine if triggered notifications are Pending, Delivered (successful payload delivery), or Failed (unsuccessful payload delivery). Click the blue eye icon next to a failed status to see the reason for the webhook failure.
Important: Available for Activity Alarm Type, with Screen Details (Add-on) or Full Details selected
Activating the Terminate action on an alarm instructs the agent to close the application that triggered the alarm. If a User were to open Facebook, for example, with this Alarm active, the browser would be closed immediately, including non-Facebook tabs the User may have been using.
- Toggle on "Terminate client application that triggered the alarm"
Important considerations
- Users will notice applications closing, but won't see a notification explaining why
- For discreet monitoring, consider using an Email Notification or an External Notification
- We recommend testing Alarms that use the Terminate action before widespread deployment
- Terminate works best with specific, narrowly defined conditions
Important: Available for Activity and USB Alarm Types, and all paid plans
Assigning a point value to certain alarms makes it easier for administrators to detect and quickly analyze certain behaviors.
- Toggle on "Enable risk level for this alarm"
- Select the risk level using the 1 (low) to 10 (high) scale
Save and activate
- Click the Create button at either the top or bottom of the page.
- Ensure the Alarm is active from the Alarm Configuration page (the toggle should be blue in the Status column on the left).
Best practices
- Start with broader conditions and refine as needed
- Test Alarms with limited user groups before deploying widely
- Review Alarm logs regularly to identify false positives
- Consider user experience when setting up pop-ups or termination actions
- Group related Alarms logically to simplify management
- Consider the volume of alerts that might be generated before implementing
- Use screenshots to understand the context around USB usage
- Combine with Activity Alarms to get a complete picture of potential data exfiltration
- Keep policy reminder messages clear and concise
- Review USB Alarm logs periodically to identify patterns
- Create separate Alarms for different departments with varying security requirements
- Create separate Alarms for different security event categories
- Limit email notifications to critical events to avoid alert fatigue
- Consider creating a dedicated Slack or Teams channel for security alerts
- Review Security Audit logs regularly, not just when Alarms trigger
- Set up Alarms for failed login attempts to detect potential unauthorized access
- Document your security Alarm strategy as part of your compliance procedures
Viewing the Alarm Log
You can access the full Alarm Log at any time:
- Navigate to Notifications > Compliance Alarms > Alarm Log
- Use filters to search for specific events, Users, or time periods
The log provides a comprehensive record of all administrative actions, even beyond those for which you've configured Alarms. It will closely resemble the Activity Log. It will display data such as whether the action was considered Productive or Unproductive, the name of the Alarm, when it was triggered, which machine was used, by which user, along with the duration of the activity, and other relevant fields.
Every alarm trigger creates its own log entry, which displays the type of alarm that triggered, the cause, and the subsequent actions taken. You can sort the Alarm Log by user, group, computer, or date. Use the boxes in the top left to customize which columns appear. Export your data as a CSV file or directly to Google Drive.
Alarm testing and validation
Before deploying Alarms widely, test them with a small group.
- Create a test Group with representative Users
- Apply new Alarms to this Group only
- Trigger the Alarm conditions deliberately
- Verify that the proper Actions (e.g., Notifications, Screenshots, Termination) are working as expected
- Deploy to a wider audience once validated