Alerts Report Configuration

This topic describes the metadata that you can select to be included in an Alerts type report (see Report Types).

ITM On-Prem (ObserveIT) enables you to create customized reports that provide summary information about alerts on monitored Windows, Mac, or Unix-based endpoints.

For detailed instructions on the steps required to create a report, see Creating a Custom Report.

Following are some examples of reports you might want to create:

  • Alerts that were generated on the detection of user actions to copy files or insert USB storage devices with the intent to exfiltrate data (for details, see Detecting Data Loss in ObserveIT).

  • Alerts based on specific (user-defined) interactions with sensitive application (In-App) elements.

  • Alerts on Windows or Unix machines that were deleted during the last year, grouped by risk level. For each alert, you can choose to display the alert date, user identity, alert rule name, endpoint name, and so on.

  • All critical alerts that occurred during the last month on Windows or Unix machines, grouped by User Identity. For each alert, you can choose to display the alert date, rule name, application name, website name, top-level command, endpoint name, and so on.

  • All critical alerts on Windows or Unix machines that were marked as Ignored during the last week, grouped by User Identity. For each alert, you can choose to display the alert date, rule name, endpoint name, and so on.

When creating an Alerts type report, you can choose which of the following columns to include. All of them belong to the Alerts column type:

  • Alert Date: Date (from the local endpoint clock) the alert was triggered. Selected by default.

  • Alert Date (server time): Date (from the ITM On-Prem server clock) the alert was triggered. The endpoint clock is set by the monitored machine, so prefer this column when building an incident timeline or correlating alerts with logs from other systems.

  • Interacted Application: Name of the application with which the user interacted (as shown in the Windows Task Manager).

  • Alert Rule Name: Name of the alert rule. Selected by default.

  • Risk Level: Severity of the alert (Critical, High, Medium, or Low). Selected by default.

  • Status: Current status of the alert (New, Reviewing, Issue, or Non-Issue).

  • Marked as Flagged: Whether the alert is flagged for further attention.

  • Play Video (Alert Point): Video playback starting from the point of the alert.

  • Alert Detail: Details of the alert.

  • User Text Feedback: Text feedback that the user entered when receiving a warning notification or blocking message action.

  • Action Type: Action that was taken when the alert was triggered. Available action types are: No Action, Warning Notification, Blocking Message, Log Off, Close Application, Start Video Recording, Prevent Execution, and Start Standard Recording.

    The following operators let you select, from the list of predefined action types, which ones are included in or excluded from your report:

      • inc. in defined list
      • exc. from defined list

    Select the check boxes of one or more actions that you want to include in (or exclude from) your report, or [Select all] to view alerts with all types of actions.

  • Viewing Status: Status of the alert on the Agent (New, Received, Displayed, Recording, or Expired).

    The same two operators apply, selecting which of the predefined viewing statuses are included in or excluded from your report:

      • inc. in defined list
      • exc. from defined list

    Select the check boxes of one or more statuses, or [Select all] to view alerts with all viewing statuses.
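Expressed in code, as an added example that is not ObserveIT's own API or query language: the report definitions listed earlier on this page and the two list operators (inc. in defined list, exc. from defined list), applied to constructed alert records. Attribute names mirror the column names on this page; the `os_family` field, the sample rows, the report-run instant and the 30-day window are assumptions made for the example. The last sample row has a skewed endpoint clock, so the same "last month" report returns a different result depending on which Alert Date column the window is evaluated on.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class Alert:
    """One alert row; attribute names mirror the report columns on this page."""
    alert_date: datetime         # Alert Date (endpoint-local clock)
    alert_date_server: datetime  # Alert Date (server time)
    user_identity: str
    alert_rule_name: str
    risk_level: str              # Critical, High, Medium, Low
    status: str                  # New, Reviewing, Issue, Non-Issue
    action_type: str             # e.g. Warning Notification, Blocking Message
    viewing_status: str          # New, Received, Displayed, Recording, Expired
    endpoint_name: str
    os_family: str               # assumed field: Windows, Mac or Unix


# Assumed instant at which the report is run.
REPORT_TIME = datetime(2024, 6, 30, 12, 0, tzinfo=UTC)

# Constructed sample data (not an ObserveIT export). The last row simulates an
# endpoint whose local clock is about three months slow: its server-side
# timestamp falls inside the "last month" window, its endpoint-local one does not.
ALERTS = [
    Alert(datetime(2024, 6, 28, 9, 15, tzinfo=UTC), datetime(2024, 6, 28, 9, 15, tzinfo=UTC),
          "alice", "USB storage device inserted", "Critical", "New",
          "Warning Notification", "Displayed", "WS-0101", "Windows"),
    Alert(datetime(2024, 6, 20, 14, 2, tzinfo=UTC), datetime(2024, 6, 20, 14, 2, tzinfo=UTC),
          "alice", "Large file copy to removable media", "Critical", "Reviewing",
          "Blocking Message", "Displayed", "WS-0101", "Windows"),
    Alert(datetime(2024, 6, 25, 22, 40, tzinfo=UTC), datetime(2024, 6, 25, 22, 41, tzinfo=UTC),
          "bob", "sudo to root outside change window", "Critical", "New",
          "No Action", "Expired", "db-prod-02", "Unix"),
    Alert(datetime(2024, 6, 26, 8, 0, tzinfo=UTC), datetime(2024, 6, 26, 8, 0, tzinfo=UTC),
          "carol", "Screenshot of HR application", "High", "New",
          "No Action", "Received", "MBP-17", "Mac"),
    Alert(datetime(2024, 4, 1, 3, 3, tzinfo=UTC), datetime(2024, 6, 29, 3, 3, tzinfo=UTC),
          "dave", "Prevented execution of unapproved tool", "Critical", "Issue",
          "Prevent Execution", "Displayed", "WS-0250", "Windows"),
]


def inc_in_defined_list(field, allowed):
    """'inc. in defined list': keep rows whose field value is in the list."""
    allowed = frozenset(allowed)
    return lambda a: getattr(a, field) in allowed


def exc_from_defined_list(field, excluded):
    """'exc. from defined list': drop rows whose field value is in the list."""
    excluded = frozenset(excluded)
    return lambda a: getattr(a, field) not in excluded


def run_report(alerts, *, date_field, since, filters, group_by, columns):
    """Apply the time window and all filters, then group rows and project columns."""
    report = defaultdict(list)
    for a in alerts:
        if getattr(a, date_field) < since:
            continue
        if not all(f(a) for f in filters):
            continue
        report[getattr(a, group_by)].append({c: getattr(a, c) for c in columns})
    return dict(report)


def critical_last_month(alerts, date_field="alert_date_server"):
    """Page example: critical alerts in the last month on Windows or Unix, grouped by user."""
    return run_report(
        alerts,
        date_field=date_field,
        since=REPORT_TIME - timedelta(days=30),
        filters=[
            inc_in_defined_list("risk_level", ["Critical"]),
            inc_in_defined_list("os_family", ["Windows", "Unix"]),
            # drop alerts whose notification expired before the agent showed it
            exc_from_defined_list("viewing_status", ["Expired"]),
        ],
        group_by="user_identity",
        columns=["alert_date", "alert_rule_name", "endpoint_name", "action_type"],
    )


if __name__ == "__main__":
    for clock in ("alert_date_server", "alert_date"):
        print(f"--- window evaluated on {clock} ---")
        for user, rows in sorted(critical_last_month(ALERTS, clock).items()):
            print(f"{user}: {[r['alert_rule_name'] for r in rows]}")
```

Run stand-alone, the script prints the report twice. Evaluated on server time it groups two alerts under alice and one under dave; evaluated on the endpoint-local Alert Date, dave's alert drops out of the window entirely, which is why the server-time column is the safer basis for any time-bounded report. bob's alert is excluded in both runs by the "exc. from defined list" operator on Viewing Status, and carol's by the Critical-only filter on Risk Level.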