Configuring Alert Rules

Alert and prevent rules define the conditions under which an alert will be triggered. Alert and prevent rules help to:

  • Increase security awareness through user education and policy notifications

  • Prevent unauthorized and malicious activity via policy enforcement

  • Detect known patterns of risky behavior using the built-in Insider Threat Library rules

  • Provide dynamic forensic video for high risk activity

ITM On-Prem (ObserveIT) provides an extensive library of out-of-the-box detection scenarios that cover the most common risky user activities that might generate alerts. These rules have built-in policy notifications that are designed to increase the security awareness of users and reduce overall company risk. ObserveIT's library of alert rules can be applied on Windows and Unix/Linux machines. The rules are grouped by security Category to simplify navigation and management. Each alert rule in the ITM On-Prem (ObserveIT) Insider Threat Library is associated with exactly one Category. A rule that does not fit into any of the predefined categories can be associated with the built-in category named UNCATEGORIZED. For details, refer to Alert Rule Categories.

On Windows Desktop and Windows Server machines, alert rule scenarios might be relevant to all users or to specific user populations, such as administrators, external vendors, or regular business end users. On Unix and Linux machines, alert rule scenarios apply mainly to administrators and external vendors. Some scenarios are relevant to all users, while others apply only to specific user populations. With ObserveIT, you can easily assign each scenario to the relevant group of users (also known as Lists). The rules in the ITM On-Prem (ObserveIT) Insider Threat Library are already assigned to User Lists. For details, see Implementing Lists in ObserveIT.

Lists cannot be used for configuring and operating prevent rules; prevent rule configuration is based on specific content (Items) only.

For each rule, you can specify a detection policy that defines the conditions that trigger an alert, and specify additional actions to be taken when the alert is triggered. User warning notifications and blocking messages notify users in real time about any out-of-policy behavior, giving them a chance to reconsider before performing a negligent or malicious action. Users can acknowledge a message, add a comment explaining their actions, and follow a link to view the company policy. If required, the security administrator can also select an action that starts recording a user when a security violation is detected.

Prevent rules can be configured on Linux operating systems only. Video recording of user commands and terminal output can be activated on prevent rules.

After defining an alert or prevent rule, the administrator can configure a notification policy that defines who should be notified when the alert is generated, and how they will be notified. For details, see Defining Notification Policies for Alerts.

Managing and configuring alert and prevent rules is done from the Alert & Prevent Rules page in the ITM On-Prem Web Console. You can navigate to this page via Configuration > Alert & Prevent Rules.

From the Alert & Prevent Rules tab, you can: