Defining Actions for Alert Rules

After defining a detection policy for your alert rules, in the Action area of the Create/Edit Alert Rule page, you can specify the actions that will be taken when an alert is triggered.

ITM On-Prem (ObserveIT) preventive actions enable security and compliance officers to stop users from breaching security or violating company policies.

  1. On Windows, Mac, or Unix endpoints, users can be forcibly logged off from machines they are not authorized to access, or to stop them from continuing with risky or malicious activity. See Forcing Log Off.

  2. On Windows or Mac endpoints, applications or Web browsers that users should not be running can be forcibly closed, including "triggering" applications (for example, when users browse forbidden websites or website categories, or execute potentially harmful SQL commands). See Forcing Application Closure.

ITM On-Prem (ObserveIT) security administrators can configure user warning notifications and blocking messages to notify end users in real time about any out-of-policy behavior, so that they can take remedial action. On Windows and Mac endpoints, users can acknowledge a message, add a comment explaining their actions, and open a link to view the company policy. If required, you can also choose to start recording screenshots of the user activity from the point at which the alert was generated. For details on how configured warning notifications and blocking messages appear to the end user, see How Warning Notification and Blocking Messages Appear to the End User.

Notes:

  • When the Agent is online, user messages will be displayed to the user a couple of seconds after an out-of-policy action is detected. See Defining Settings for Rules.

  • If the Agent is in offline mode, no messages can be displayed to the user. In this case, the Application Server keeps a queue of messages which will be sent once the Agent is online again. Messages are discarded if they are older than 1 minute. If both Warning Notifications and Blocking Messages are waiting to be displayed on the Agent side, only the Blocking Messages will be displayed (one after the other).

  • If a Secondary Authentication dialog box needs to be displayed (for example, in the case of session timeout) while a Warning Notification or Blocking Message is currently displayed on the screen, it will be displayed only after the Warning Notification or Blocking Message is closed.
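The offline-queue behavior in the notes above (messages older than 1 minute are discarded; if both warning notifications and blocking messages are waiting, only the blocking messages are shown, one after the other) is modeled below as an added example. This is not ObserveIT code; the message kinds, the sample queue, and the assumption that age is measured from the time a message was queued on the Application Server are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List

WARNING = "Warning Notification"
BLOCKING = "Blocking Message"
MAX_AGE_SECONDS = 60  # page: queued messages older than 1 minute are discarded


@dataclass(frozen=True)
class QueuedMessage:
    kind: str          # WARNING or BLOCKING
    text: str
    queued_at: float   # seconds, on the same clock as `now` (assumption)


def messages_to_display(queue: List[QueuedMessage], now: float) -> List[QueuedMessage]:
    """Model of what the Agent displays once it comes back online.

    1. Drop anything older than MAX_AGE_SECONDS.
    2. If any blocking message survives, show only the blocking messages,
       in queue order; warnings are suppressed.
    3. Otherwise show the surviving warnings, in queue order.
    """
    fresh = [m for m in queue if now - m.queued_at <= MAX_AGE_SECONDS]
    blocking = [m for m in fresh if m.kind == BLOCKING]
    return blocking if blocking else fresh


# Constructed sample: the Agent went offline at t=0 and reconnects at t=90.
SAMPLE_QUEUE = [
    QueuedMessage(WARNING, "Warning: removable storage is prohibited", 10.0),   # 80 s old: discarded
    QueuedMessage(WARNING, "Warning: shared account use detected", 45.0),       # 45 s old: kept
    QueuedMessage(BLOCKING, "Blocked: access to unapproved file-sharing site", 50.0),
    QueuedMessage(BLOCKING, "Blocked: privilege escalation outside change window", 80.0),
]

if __name__ == "__main__":
    for m in messages_to_display(SAMPLE_QUEUE, now=90.0):
        print(m.kind, "->", m.text)
```

With the sample queue the 80-second-old warning is dropped, and because two blocking messages are still fresh the remaining warning is never shown. Running the same queue at a later reconnect time (for example `now=200.0`) yields nothing at all, which is the case to remember when investigating why a user reports never having seen a notification after a long disconnect.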

Configured actions identified by specific icons are displayed throughout the ITM On-Prem Web Console and the User Risk Dashboard.

Available actions for an alert rule on Windows or Mac endpoints

Available actions for an alert rule on Unix endpoints

When Both (Windows and Unix) is the selected OS Type in the alert rule details, no action can be applied. The following message is displayed:

The following actions can be taken when an alert is triggered. Each action is listed below with its description:

No Action

Available for Windows, Mac, and Unix endpoints.

This is the default action that is automatically selected when creating a new rule.

When this option is selected, the text "No action has been defined yet" is displayed.

When no conditions are defined in the "Did What?" category, no other action can be selected.

Warning Notification

Available for Windows, Mac, and Unix endpoints.

This action is not available if the "Did What?" category is set to "Logged In". If you switch from "Logged In" to a different "Did What?" category, this action then becomes available for selection.

For details, see Warning Notifications.

Blocking Message

Available for Windows and Mac endpoints.

This action is not available if the "Did What?" category is set to "Logged In". If you switch from "Logged In" to a different "Did What?" category, this action then becomes available for selection.

For details, see Blocking Messages.

Start Video Recording

Available for Windows and Mac endpoints. This action can be selected on its own or combined with "Warning Notification" and/or "Blocking Message" actions.

This action is not available if the "Did What?" category is set to "Logged In". If you switch from "Logged In" to a different "Did What?" category, this action then becomes available for selection.

For details, see Starting Video Recording.

Start Standard Rec.

Available only for Unix operating systems. This action can be selected on its own or combined with the "Warning Notification" action.

This action is not available if the "Did What?" category is set to "Logged In". If you switch from "Logged In" to a different "Did What?" category, this action then becomes available for selection.

For details, see Start Standard Recording.

Log Off

Available for Windows, Mac, and Unix endpoints.

This action is available for all the "Did What?" categories including "Logged In". The OS Type in the alert rule details must be Windows or Unix (i.e., it cannot be Both).

For details, see Forcing Log Off.

Close Application

Available for Windows and Mac endpoints.

This action is similar to the Prevent Execution action which can be performed on Linux endpoints (see Configuring the Prevent Execution Action).

The Close Application action is not available if the "Did What?" category is set to "Logged In". If you switch from "Logged In" to a different "Did What?" category, this action then becomes available for selection.

For details, see Forcing Application Closure.

When switching between actions, if any details were already defined but not yet saved, a warning message is displayed asking if you are sure you want to switch actions and discard all the current settings. Upon clicking No, the currently selected action is maintained.
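The per-action availability rules listed above (endpoint OS, the "Logged In" restriction, the "Both" OS Type restriction, and which actions may be combined) are encoded below as an added validator, useful for reviewing exported rule definitions before they are loaded into the console. This is example code, not part of ITM On-Prem; the function name, its arguments, and the assumption that actions not explicitly described as combinable are mutually exclusive are all constructed here.

```python
from typing import Iterable, List, Optional

NO_ACTION = "No Action"
WARNING = "Warning Notification"
BLOCKING = "Blocking Message"
START_VIDEO = "Start Video Recording"
START_STANDARD = "Start Standard Rec."
LOG_OFF = "Log Off"
CLOSE_APP = "Close Application"

WINDOWS, MAC, UNIX, BOTH = "Windows", "Mac", "Unix", "Both"

# Endpoint OS on which each action is available, per the action list.
SUPPORTED_OS = {
    NO_ACTION: {WINDOWS, MAC, UNIX},
    WARNING: {WINDOWS, MAC, UNIX},
    BLOCKING: {WINDOWS, MAC},
    START_VIDEO: {WINDOWS, MAC},
    START_STANDARD: {UNIX},
    LOG_OFF: {WINDOWS, MAC, UNIX},
    CLOSE_APP: {WINDOWS, MAC},
}

# Only these remain selectable when "Did What?" is "Logged In".
LOGGED_IN_ACTIONS = {NO_ACTION, LOG_OFF}

# Permitted multi-selections (primary action -> actions it may be combined
# with). Every other action is assumed to stand alone.
COMBINABLE_WITH = {
    START_VIDEO: {WARNING, BLOCKING},
    START_STANDARD: {WARNING},
}


def validate_actions(os_type: str, did_what: Optional[str],
                     actions: Iterable[str]) -> List[str]:
    """Return the rule violations for a selection (empty list = valid).

    os_type:  Windows | Mac | Unix | Both
    did_what: the selected "Did What?" category, or None if no condition
              has been defined yet
    actions:  the action names selected in the Action area
    """
    problems: List[str] = []
    selected = set(actions)
    unknown = sorted(selected - set(SUPPORTED_OS))
    if unknown:
        return [f"unknown action: {a}" for a in unknown]
    if not selected:
        return ["select at least one action (No Action is the default)"]
    if NO_ACTION in selected and len(selected) > 1:
        problems.append("No Action cannot be combined with other actions")
    real = selected - {NO_ACTION}
    if os_type == BOTH and real:
        problems.append("no action can be applied when OS Type is Both")
    if did_what is None and real:
        problems.append("no action can be selected until a 'Did What?' condition is defined")
    if did_what == "Logged In":
        for a in sorted(real - LOGGED_IN_ACTIONS):
            problems.append(f"{a} is not available when 'Did What?' is 'Logged In'")
    if os_type != BOTH:
        for a in sorted(real):
            if os_type not in SUPPORTED_OS[a]:
                problems.append(f"{a} is not available on {os_type} endpoints")
    if len(real) > 1:
        # Valid only if some primary action's combination rule covers the rest.
        combinable = any(real - {p} <= COMBINABLE_WITH[p]
                         for p in COMBINABLE_WITH if p in real)
        if not combinable:
            problems.append("these actions cannot be combined: " + ", ".join(sorted(real)))
    return problems


if __name__ == "__main__":
    for os_type, did_what, acts in [
        (WINDOWS, "Ran Application", {START_VIDEO, WARNING, BLOCKING}),
        (UNIX, "Ran Command", {BLOCKING}),
        (BOTH, "Logged In", {LOG_OFF}),
    ]:
        print(os_type, did_what, sorted(acts), "->", validate_actions(os_type, did_what, acts) or "OK")
```

A selection such as Start Video Recording plus both messages on Windows passes, while Blocking Message on a Unix rule, or Log Off on a rule whose OS Type is Both, is reported with the reason the console would refuse it.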