Visited URL - Did What

This topic describes how to define alert rule conditions using the options available in the Visited URL group category in the Did what? section of the Create Alert Rule page. (For more about the Did what? section, see Defining the "Did What?" Conditions.)

This option is available only for alert type rules on Windows operating systems.

The Visited URL options enable you to generate an alert when a user visits a particular website, webpage, area of a website, or any Website category that belongs to a list of predefined categories that employees are forbidden to browse or require monitoring. Possible hacking attempts or data theft can be prevented by generating an alert if a user accesses sensitive or prohibited websites or webpages.

In Windows Explorer, the full path of a file that is currently in view is recorded as a URL. You can generate alerts on this metadata using the Visited URL options.

When defining the values by which to evaluate the condition of an alert rule, you can enter multiple values separated by commas either directly or by clicking the […] icon to open a popup in which you can enter the value. When Lists are supported, you can choose to select a predefined List instead of entering a set of values. You can use Lists to define values for the Site, URL Prefix, and Any part of URL options. The operator for the condition also depends on whether you are defining values or Lists; for example, "contains" in "Values mode" would be "contains value from the list" in List mode. For more information, see Understanding the Logic for Defining Rule Conditions.

For general information about defining Did What? conditions, see Defining the "Did What?" Conditions.

For URL prefix and any part of a URL, use “*facebook.com*” and not “*www.facebook.com*” or “http://www.facebook.com” or “http://facebook.com”. Starting with Google Chrome 69, Google has changed the displayed URL in the Address Bar. It now hides everything in front of a site’s actual domain name by default. This includes the scheme (for example "HTTP", "HTTPS:") and trivial subdomains (for example " "WWW" and "M") from steady state.

 

The Visited URL group includes the following options for configuring conditions:

Option

Description & Usage

Example Conditions

Site

URL domain or host name of the Website that was visited.

Use this option to be alerted when the user visits a specific Website, regardless of which pages were opened in the site or how many pages were viewed.

Track users accessing unauthorized or inappropriate sites (during work hours), such as browsing social media sites:

"Visited URL: Site contains facebook, twitter, linkedIn"

URL prefix

The first part of the visited Website from the beginning of the URL until the end of the matched text.

Use this option to generate an alert when a user visits a specific area of a website, according to the URL prefix that you define.

Generate an alert when a user visits the Admin Users page of ObserveIT (a sensitive area of the ObserveIT Web application):

"Visited URL: URL prefix contains /ObserveIT/AdminUser"

Any part of URL

Any part of the visited Website URL that matches the text.

Use this option to generate an alert when a user visits a website URL containing the specified keyword (or string).

Generate an alert when a user attempts to access Salesforce reports which may contain sensitive customer data. The keyword "reports" in the browser’s window title limits the scope of alerts to the reports pages of the Salesforce website:

"Visited URL: Any part of URL contains salesforce.com"

and

"Ran Application: Window title contains reports"

Website Category

Use this option to generate an alert when a user browses a Website that belongs to a predefined list of categories that require monitoring.

The ObserveIT Website Categorization module automatically detects categories of Websites that end users are browsing, enabling alerts to be generated on browsing categories such as Gaming, Adults, Infected or Malicious Websites, Phishing Websites, and more. Using URL Filtering technology, ObserveIT can automatically categorize any visited website and trigger alerts when users browse these counter-productive websites, or websites that are not allowed by policy or are suspicious for specific individuals.

A drop-down list includes all (42) predefined Website categories provided by ObserveIT.

For example:

"Visited URL categorized: Website Category is Gambling, Illegal Drugs"

Website Category (detailed)

ObserveIT's Website Categorization module supports direct access to the NetSTAR cloud service.

Use this option to generate an alert when a user browses a Website that belongs to any of the native categories defined in the NetSTAR cloud service.

A drop-down list includes all the native categories available in the NetSTAR cloud service.

For example:

"Visited URL categorized: Website Category (detailed) is Adult Search/Links, Career Advancement"

Example Scenarios

The following scenarios provide some examples of how and when alerts are triggered using some of the Visited URL group of conditions.

For purposes of these scenarios, the scope of the alert rule frequency is defined as "Once per session", which means that an alert will be generated only on the first occurrence of every unique match of the rule in each session.

Alert Rule

Condition Example

Description

User Activity

Alert Generated?

Trigger an alert the first time in a session that a user "browses social media sites during working hours".

"Visited URL: Site contains facebook, twitter"

Generate an alert every time the URL domain contains "facebook" or "twitter".

1. User logs in to Facebook: enters the URL: "www.facebook.com/login?..."

YES

2. User goes to a friend's page: enters the URL: "www.facebook.com/friend?...."

NO alert is generated, because the "Site" rule refers only to the domain part of the URL: "www.facebook.com"

3. User logs in to Twitter: "www.twitter.com/login..."

YES

Trigger an alert every first time in a session a user enters the User Administration area of the ObserveIT Web Console.

"Visited URL: URL prefix contains AdminUsersView

1. Generate an alert every first time the URL prefix contains "AdminUsersView".

1. User opens the browser: "http://111.222.333.444:4884/ObserveIT/AdminUsersView.aspx?GroupIndex=3&TabIndex=1&lang=en"

YES

2. User opens a new browser: "http://111.222.333.444:4884/ObserveIT/AdminUsersView.aspx?GroupIndex=2&TabIndex=1&lang=en"

NO alert is generated, because this is not a new occurrence of the "URL prefix" rule.

 

3. User goes to: "http://111.222.333.555:5994/ObserveIT/AdminUsersView/users.aspx?GroupIndex=2&TabIndex=1&lang=en"

YES
Matches the text URL prefix "/ObserveIT/AdminUsersView" but the site is different than the first site opened in the session.

 

Trigger an alert every time in a session that a user accesses, opens a new page, or searches for LinkedIn".

"Visited URL: Any part of URL contains linkedIn"

Generate an alert every time "any part of URL" contains "linkedIn".

1. User logs in to LinkedIn: enters the URL
"https://www.linkedin.com/nhome/"

YES

2. User goes to their profile:
"https://www.linkedin.com/profile/view?id=88888&trk=nav_responsive_tab_profile"

YES

3. User searches Google for "linkedin"
"https://www.google.co.il/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#ie=UTF-8&q=linkedin&sourceid=chrome-psyapi2"

YES

See Also