Proofpoint | ObserveIT On-Premises Insider Threat Management

Defining the "On Which Computer?" Conditions

In the On Which Computer? section of the Create Alert/Prevent Rule page, you can define (or edit) the specific computers/servers, or groups of computers/servers, on which the suspicious activity occurred.

The On Which Computer? condition can be configured for both alert and prevent rules.

To define the "On Which Computer" conditions

  1. Open the On Which Computer section by clicking or the Edit icon.

  2. To define the specific computers/servers, or groups of computers/servers, on which the action occurred, select the required field and the relevant operator, and specify the value(s) for each condition that you want to define, as described in the table below.

    When defining the values by which to evaluate the condition of an alert rule, you can:

    • Enter multiple values separated by commas, either directly or by clicking the […] icon to open a popup in which you can enter the values.

    • Create and maintain a List. Where Lists are supported, you can select a predefined List instead of entering a set of values. You can use Lists to define values for all of the following options.

    The operator for the condition also depends on whether you are defining values or Lists; for example, "contains" in Values mode becomes "contains value from the list" in List mode. For details, see Understanding the Logic for Defining Rule Conditions.

Options for Defining the "On Which Computer?" Conditions

Field                          Example Values
Computer domain\name           LOCAL\DB, DomainA\FIN
ObserveIT server group name    Windows, GroupA, Unix
Computer IP address            10.1.100.100, 10.1.200.61
OS name                        Windows 2016 R2, Ubuntu, Solaris 11
Agent version number           5.6.9, 5.7.3

The operator available for each field depends on whether you are defining values or a List (for example, "contains" in Values mode versus "contains value from the list" in List mode); see Understanding the Logic for Defining Rule Conditions.

Note: When alert rules are based on IP address ranges, you can specify the range in the Computer IP address field using CIDR notation: aaa.bbb.ccc.ddd/N, where N is an integer between 0 and 32.
For example: 192.158.2.0/24

You can click the Check CIDR syntax link to check whether your format is permitted.
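The following is an added example, not code from the ObserveIT product or its documentation. It shows what the CIDR syntax check and the Computer IP address condition described above amount to: each comma-separated value must be a single IPv4 address or an aaa.bbb.ccc.ddd/N range with N between 0 and 32, and an endpoint matches the rule when its address falls inside any of them. The condition string is constructed from the example values above; how the product itself evaluates the condition is an assumption.

```python
import ipaddress

# Constructed sample value for the "Computer IP address" field: single
# addresses and one CIDR range, comma-separated as the rule editor expects.
CONDITION_VALUES = "10.1.100.100, 10.1.200.61, 192.158.2.0/24"


def check_cidr_syntax(value: str) -> bool:
    """Return True if value is a single IPv4 address or an IPv4 CIDR range
    whose prefix length N lies between 0 and 32, False otherwise."""
    value = value.strip()
    try:
        if "/" in value:
            # strict=False tolerates host bits set inside the range
            # (e.g. 192.158.2.1/24); the product's own check is an assumption.
            ipaddress.IPv4Network(value, strict=False)
        else:
            ipaddress.IPv4Address(value)
        return True
    except ValueError:
        # Covers a bad prefix such as /33 and typos such as "192.158.2,0/24",
        # where a comma was typed instead of a dot.
        return False


def parse_condition(values: str) -> list:
    """Split the condition value on commas and convert every entry into an
    IPv4Network; a bare address becomes a /32 so all entries compare alike."""
    networks = []
    for item in values.split(","):
        item = item.strip()
        if not item:
            continue
        if not check_cidr_syntax(item):
            raise ValueError(f"not a permitted IP address or CIDR range: {item!r}")
        networks.append(ipaddress.IPv4Network(item, strict=False))
    return networks


def computer_matches(computer_ip: str, values: str) -> bool:
    """Evaluate the condition for one endpoint: does its IP address fall
    inside any address or range listed in the rule?"""
    addr = ipaddress.IPv4Address(computer_ip)
    return any(addr in net for net in parse_condition(values))
```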

version 7.12.2