Viewing Rules and Their Assignments

In the Alert & Prevent Rules page, you can view all currently configured alert and prevention rules. All Categories and current List assignments for alert rules are displayed.

You can navigate to this page via ConfigurationAlerts > Alert & Prevent Rules. For a list of tasks and actions you can perform on the rules displayed in this page, see Tasks and Actions You Can Perform on Rules.

Rules are displayed according to the selection made in the Manage rules assigned to drop-down list at the top of the page. The options in the list enable you to Show all rules, view rules assigned to All Users, a specific Users type List (for example, Everyday Users), or None (when no specific Users list is selected). See Assigning Rules to User Lists.

The Alert & Prevent Rules page displays a table showing the rules for all categories; the number of rules currently included are displayed in parenthesis next to each category.

  • You can expand/collapse a category in order to display/hide its rules by clicking the and icons.
  • You can open or close all the rules in all categories at once by clicking the Expand All Categories or Collapse All Categories icons. Note that if the total number of rules for all expanded categories exceeds a predefined number, you cannot open them all at once.
  • You can show or hide the full details for all rules within the open categories by clicking the Show All Details or Hide All Details icons.

For each rule in the list, the following information is displayed according to the currently "filtered" details:

Click to display the details of a specific rule. See Viewing Details of Rules.

Vertical colored bar

Indicates the risk level of the alert rule:

  • Dark red - Critical
  • Red - High
  • Orange - Medium
  • Gray - Low

Icon

Indicates the action performed on the alert or prevent rule when an alert is triggered:

  • Warning Notification (Windows, Mac, or Unix/Linux Agents)
  • Blocking Message (Windows or Mac Agents)
  • Prevent Execution (Linux Agents only)
  • Start Video Recording (Windows or Mac Agents)
  • Standard-Mode Recording (Unix/Linux Agents)
  • Log Off (Windows, Mac, or Unix/Linux Agents)
  • Close Application (Windows or Mac Agents)

Rule Name

A unique name that describes the rule. For example: "Audit log tampering detected".

Status

Active or Inactive. When a rule is inactive, new alerts are not generated but old alerts are fully accessible in the Alerts page. The default status for new rules is 'Inactive".

Updated on

Date the rule was created or last updated.

Updated by

Name of the Console User that last updated or created the rule (or System if the rule was configured in the ITM On-Prem (ObserveIT) Insider Threat Library).

OS Type

Operating system for which the rule was defined - Windows, Unix, or Both (Windows and Unix).

Assigned

Users List to which the rule is assigned. If the rule is assigned to more than one users list, a hyperlink displays the number of lists. Clicking the link opens a popup in which you can see the assigned users lists with an indication of their risk level. For example:

If you are viewing rules for "All Users" (as selected in the Manage rules assigned to list), All will be displayed.

The rules within each category can be sorted by Rule Name, Status, Updated on, Updated by, and OS Type fields.