Proofpoint | ObserveIT On-Premises Insider Threat Management

Creating and Editing Alert Rules

The topics in this section describe how to create new or edit existing alert rules. For information about duplicating existing alert rules, see Duplicating Rules.

Creating or editing an alert rule requires the following steps:

  1. Specify the alert rule details. For instructions, see Defining Rule Details.

  2. Configure the alert rule assignment. For instructions, see Configuring Alert Rule Assignments.

  3. Configure a detection policy for the rule that will trigger the alert. For instructions, see Configuring a Detection Policy for Alert Rules.

  4. Define additional actions to be taken when the alert is triggered. For instructions, see Defining Actions for Alert Rules.

Before you begin to create or edit alert rules, it is recommended that you read the topic Understanding the Logic for Defining Rule Conditions, which describes the expected behavior of the system when defining a detection policy.

Creating a New Alert Rule

To create a new alert rule

  1. In the Alert & Prevent Rules tab, click the New Alert Rule button.

    The Create Alert Rule page opens without any defined content, enabling you to define the parameters and conditions required for your alert rule.

  2. Continue with the steps described in the subsequent topics:
    1. Defining Rule Details

    2. Configuring Alert Rule Assignments

    3. Configuring a Detection Policy for Alert Rules

    4. Defining Actions for Alert Rules

Editing a System Rule

The ObserveIT installation package includes a library of alert rules that can be applied on Windows and Unix/Linux machines. You can use these System rules to match the security needs of your organization.

Editing a System rule has limited capabilities; an indication of this is presented when opening the Edit Alert Rule page. For example:

The following fields cannot be edited for a System rule:

  • Rule name

  • Category

  • OS type

  • DETECTION POLICY details are read-only

You can modify all the other fields/sections, including Status, Description, Risk Level, Notification Policy, Alert Frequency, RULE ASSIGNMENT, and ACTION.

If you want to make changes to some of the read-only System rule fields, it is recommended that you duplicate the rule (see Duplicating Rules). When clicking the Duplicate hyperlink, if the System rule was Active, you will be asked whether or not to Inactivate the original rule before making a copy of it. If you opt to Inactivate the original rule, the newly-copied rule will remain Active.

Saving the New/Edited Alert Rule

When you have finished creating or editing your alert rule, click Save to save your settings.

Note the following:

  • If the status of the rule is Inactive, a message will be displayed warning you that an alert cannot be triggered as the rule is not Active. You can still continue with the Save operation.

  • If the rule is Active, and the rule is assigned to a specific list of users but no user list was selected (see Configuring Alert Rule Assignments), you will not be able to save the rule as Active. In this case, you must inactivate the rule or assign it to a user list.

The newly configured alert rule is displayed in the Alert & Prevent Rules page. See Viewing Rules.

version 7.13.1