Proofpoint | ObserveIT On-Premises Insider Threat Management

Defining Rule Details

When creating or editing alert or Linux prevent rules, you must first define the details of the rule.

This topic describes how to define the details for alert and prevent rules, including the alert frequency.

To define details for a new alert rule

  • In the Alert & Prevent Rules tab, click the New Alert Rule button.

    The Create Alert Rule page opens in which you can define the required details of the alert rule.

To define details for a new Linux prevent rule

  • In the Alert & Prevent Rules tab, click the New Linux Prevent Rule button.

    The Create Linux Prevent Rule page opens in which you can define the required details of the Linux prevent rule.

To edit the details of an existing alert or prevent rule

  • In the list of rules in the Manage Alert & Prevent Rules page (see Viewing Rules), select a rule that you want to edit.

    The Edit Alert/Linux Prevent Rule dialog box opens, showing the details of the selected rule, some of which you can edit.

System rules have limited editing capabilities. For details, see Creating and Editing Alert Rules.

In the Alert/Linux Prevent Rule Details area of the Create/Edit Alert/Linux Prevent Rule page, specify or edit the following details:

Field Description

Name

The name of the rule. For example: "Suspicious Unix activity after working hours".

Note: When editing a System rule, you cannot change the rule name.

Description

A description for the rule that explains its meaning or motivation.

For example: "Warn about irregular access to database servers and suspicious activity over the weekend."

Category

The category to which the rule is associated. The rule can also be UNCATEGORIZED.

To change the category, click the Change hyperlink. A dialog box opens enabling you to select a different category. For details, see Managing Rules Categories.

Note: When editing a System rule, you cannot change its category.

OS Type

Select the operating system(s) for which you want to create or edit the rule: Windows/Mac, Unix, or Both (Windows/Mac and Unix).

Note: The OS Type parameter that you define affects the "Did What?" condition options that are available, and also the actions that you can configure to be taken when an alert is generated.

Note: If you are creating or editing a prevention rule, the only available OS type is Unix.

Note: When editing a System rule, you cannot change its OS Type.

Notification Policy

Select a notification policy that defines who should receive email notifications when an alert from this rule is triggered, and how often. For example: "Daily digest for Division Managers".

To define the policy, click the icon. For details, see Defining Notification Policies for Alerts.

There is no default notification policy. New rules are created with no policy, which means that newly generated alerts will not trigger any email.

Status

Select the status of the alert rule: Active or Inactive (no alert will be triggered for this rule).

Risk level

Select the risk level of the alert rule: Critical, High, Medium, or Low.

The default risk level for new rules is Medium.

The risk level of newly generated alerts is the risk level of the rule that triggered the alert (that is, this parameter).

Alert frequency

Select one of the following options to control how frequently the alert will be triggered:

  • Each time: (default) Allow alerts to be generated each time the defined criteria are met. For example, you might select this option to generate an alert each time that an unauthorized user accesses a specific sensitive file (such as regedit.exe) during a session. The user risk score can be significantly affected by using this option.

    When Each time is the selected alert frequency, the alerts mechanism intelligently avoids generating alerts for every mouse click or keystroke in the same window. This also applies if you change focus to another window and then revert back to the window for which an alert was already generated.

  • Once per session: Prevents alerts from being generated more than once per user session. For example, you might select this option if you do not want to be alerted every time the user browses an illegal website, but only once during a session.
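The two frequency settings decide how many alerts one session produces, which in turn drives analyst workload and the user risk score. The following Python model is an added illustration and is not ObserveIT's code; the product's actual suppression logic is not published, so the behaviour modelled here (an alert key of session plus window for "Each time", a key of session alone for "Once per session") is an assumption drawn only from the description above. The event stream is constructed sample data.

```python
"""Model of the "Each time" and "Once per session" alert frequencies.

Added illustration, not ObserveIT's implementation. Assumption: under
"Each time", repeated matches in a window that already raised an alert in
the same session are suppressed, even after focus leaves and returns to
that window; under "Once per session", a session raises at most one alert.
"""
from dataclasses import dataclass, field
from enum import Enum


class AlertFrequency(Enum):
    EACH_TIME = "each_time"
    ONCE_PER_SESSION = "once_per_session"


@dataclass(frozen=True)
class Event:
    """One recorded user action (constructed sample, not a real capture)."""
    session_id: str
    window_id: str      # application window in which the action happened
    matches_rule: bool  # whether the rule's "Did What?" conditions matched


@dataclass
class AlertThrottle:
    """Decides, per matching event, whether an alert is generated."""
    frequency: AlertFrequency
    _alerted_sessions: set = field(default_factory=set)  # session ids
    _alerted_windows: set = field(default_factory=set)   # (session, window)

    def process(self, ev: Event) -> bool:
        if not ev.matches_rule:
            return False
        if self.frequency is AlertFrequency.ONCE_PER_SESSION:
            # First match in the session alerts; everything after is suppressed.
            if ev.session_id in self._alerted_sessions:
                return False
            self._alerted_sessions.add(ev.session_id)
            return True
        # EACH_TIME: every matching event alerts unless this session already
        # alerted for the same window. Because the key is (session, window),
        # switching to another window and back does not produce a new alert.
        key = (ev.session_id, ev.window_id)
        if key in self._alerted_windows:
            return False
        self._alerted_windows.add(key)
        return True


def alerted_indices(frequency: AlertFrequency, events) -> list:
    """Return the indices of events that generate an alert."""
    throttle = AlertThrottle(frequency)
    return [i for i, ev in enumerate(events) if throttle.process(ev)]


# Constructed sample stream: two sessions, the first with repeated matches in
# window w1, a match in w2, then a return to w1.
SAMPLE_EVENTS = [
    Event("s1", "w1", True),   # 0: first match in s1/w1 -> alert
    Event("s1", "w1", True),   # 1: repeat in same window -> suppressed
    Event("s1", "w2", True),   # 2: new window -> alert under Each time only
    Event("s1", "w1", True),   # 3: focus back to w1 -> still suppressed
    Event("s1", "w2", False),  # 4: no match -> nothing
    Event("s2", "w1", True),   # 5: new session -> alert
]

if __name__ == "__main__":
    for freq in AlertFrequency:
        hits = alerted_indices(freq, SAMPLE_EVENTS)
        print(f"{freq.value}: {len(hits)} alert(s) at events {hits}")
```

Running the sample shows the volume difference the page warns about: "Each time" raises three alerts across the two sessions, "Once per session" raises two, and in neither mode does returning to an already-alerted window add another.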

version 7.12.2