Configuring Alert Rule Assignments

This topic describes how to assign alert rules to Users Lists in order to improve the operational efficiency of alert rules. For further details, see Implementing Lists in ObserveIT.

The alert rules in the ITM On-Prem (ObserveIT) Insider Threat Library are already assigned to Users Lists.

After defining/editing an alert rule's details (see Defining Rule Details), you can configure assignments for the rule in the RULE ASSIGNMENT area of the Create/Edit Alert Rule page.

If you are creating a new alert rule, the Create Alert Rule page shows no initial assignment to any Users List.

If you are editing a rule, the Edit Alert Rule page displays the current user assignment for the alert rule. In this example, the alert rule is assigned to the Admin Users list with a Critical Risk Level.

Clicking the List name hyperlink (in this case, Admin Users) opens the Edit List page, in which you can view and edit the List's contents (for details, see Editing Lists). If the List is Private and the current Console user is not authorized to view or edit the List's contents, the following message is displayed: "This is a private List that you are not authorized to view or edit."

To assign the alert rule to all users

  • Select the option to enforce the rule on All users.

To assign the rule to a specific list of users

  • Select the option to enforce the rule on The Below user list.

  • The rule will be assigned to the currently displayed Users list(s) with the specified Risk Level(s).

To add/change the alert rule assignment

  1. Click the Add User List button.

  2. In the popup window, select the required Users Lists, and assign a risk level (Critical, High, Medium, or Low) to each List.

  3. Click Add.

    The new assignment for the alert rule will be displayed in the Create/Edit Alert Rule page.
