Monitoring Alerts

The Alerts feature provides ObserveIT with a proactive, real-time detection, deterrence and prevention mechanism. Alerts are user-defined notifications which are generated when suspicious login events or user activity occurs during a session. When alerts are triggered, textual notifications can be displayed warning users about potential security violations so that they can take remedial action. In some cases, users can be "denied access" and hence prevented from continuing with their current activity.

Customized reports can provide summary information about alerts on all monitored Windows, Mac, or Unix-based endpoints (for details, see Alert Report Configuration).

By highlighting and reporting suspicious user activity events in real time, administrators and IT security personnel can respond quickly and effectively to any deliberate or inadvertent threats to system integrity, IT security, regulatory compliance, or company policy. ObserveIT's Insider Threat Intelligence detects behavioral irregularities and alerts IT security staff in real time using the User Risk Dashboard, which provides a user-centric view of risky users in the system. For example, from the dashboard, security administrators can view and investigate alerts for risky users who violated company policy or security rules, quickly identifying users with the highest number of policy violations and those whose behavior did not improve over time.

ObserveIT administrators can configure fully customizable and flexible alert and prevention rules which define the conditions in which user actions will cause alerts to be generated.

The ObserveIT installation package includes an extensive library of out-of-the-box alert rules that Business users or Administrators can use to detect risky user activity on Windows or Unix/Linux machines. For details, please refer to the ObserveIT Insider Threat Library.

ObserveIT administrators can view and manage alerts from the Alerts tab in the ObserveIT Web Console. Generated alerts are also highlighted in the User Diary, Endpoint Diary, and Search pages, as well as in the session's Video Player. ObserveIT administrators can create and manage rules from the Alert & Prevent Rules page in the ObserveIT Web Console (by selecting Configuration > Alert & Prevent Rules). After defining a rule, the administrator can configure an alert notification policy for users who will receive email notification about the alert. An alert notification policy defines which alerts are sent to which email addresses and at what frequency (for example, as every alert happens, as a digest once every x minutes, or as a daily digest).

Alerts can also be easily integrated into an organization’s existing SIEM system. For details, see Integrating Alerts in SIEM Products.

Risky Activity Alert Examples

Following are some examples of risky user activities that might trigger alerts:

  • Logging in locally or remotely to unauthorized servers, by unauthorized users, or from unauthorized clients

  • Sending sensitive documents to a local/network printer during irregular hours

  • Copying files or folders that are either sensitive or located in a sensitive location during irregular hours

  • Connecting a USB storage device (or mobile phone) in order to copy sensitive information

  • Using Cloud storage backup or large file-sending sites that are not allowed by company policy

  • Storing passwords in files that can be easily detected by password harvesting tools

  • Clicking links within emails that open Phishing websites

  • Browsing contaminating websites with high potential security risk

  • Browsing websites with unauthorized content (gambling, adult content, etc.)

  • Being non-productive by wasting time on Social Networks, Chat, Gaming, Shopping sites, and so on

  • Searching the Internet for information on malicious software, such as steganography tools (for hiding text-based information within images)

  • Accessing the Darknet using TOR browsers

  • Performing unauthorized activities on servers, such as running webmail or Instant Messaging services

  • Running malicious tools such as password cracking, port scanning, or hacking tools, or non-standard SETUID programs on Linux/Unix

  • Hiding information and covering tracks by running secured/encrypted email clients, clearing browsing history, zipping files with passwords, or tampering with audit log files

  • Attempting to gain higher user privileges (for example, via the su or sudo commands, running an application as Administrator)

  • Performing copyright infringement by browsing copyright-violating websites or by running P2P tools

  • Changing the root password as a regular user, or searching for directories with WRITE/EXECUTE permissions in preparation for an attack (on Linux/Unix)

  • Performing IT sabotage by deleting local users or files in sensitive directories (on Linux/Unix)

  • Creating backdoors by adding users/groups for later misuse

  • Installing questionable or unauthorized software such as hacking/spoofing tools on either desktops or sensitive servers

  • Accessing sensitive administration tools or configurations, such as Registry Editor, Microsoft Management Console, PowerShell, Firewall settings, etc.

Example of an Alert Management Process

  1. An ObserveIT administrator defines a rule that will trigger an alert when suspicious activity occurs (for example, a suspicious command, window, or text appears in a command line or on the screen). The rule is configured to present a Blocking Message that will be displayed to the end user indicating a potential violation of a security policy.

  2. An alert is triggered.

  3. An ObserveIT user or administrator receives an email notification about the alert.

  4. Via a link in the email, the user opens the alert in the Web Console's Alerts page for further investigation.

  5. The user can view the alert details in list, full details, or slideshow mode. Any text feedback provided by the end user following warning notifications or blocking messages is also displayed. Users can also search for the alert by its ID.

  6. The user can click the Video icon next to the alert to launch the ObserveIT Session Player, which replays all the slides of the session in which the alert occurred.

  7. If required, after reviewing the slide(s) that triggered the alert, the user can navigate back to the alert in the Alerts page and flag it for follow-up.
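The first two steps of this process, together with the notification policy described earlier (one email per alert, a digest every x minutes, or a daily digest), as an added illustration that is not ObserveIT's own code: hypothetical rules modelled on the risky activities listed above are matched against constructed session events (command lines and window titles), each match becomes a numbered alert with its blocking flag, and the alerts are then batched according to the chosen notification frequency.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta

# name, regex applied to the captured command line or window title, "unix"/"windows",
# and whether a blocking message (True) or only a warning (False) is shown to the user.
Rule = namedtuple("Rule", "name pattern platform block", defaults=(False,))

# Hypothetical rules modelled on the risky activities above (not ObserveIT's rule library).
RULES = [
    Rule("Privilege escalation via su/sudo", r"^(sudo|su)\b", "unix"),
    Rule("Root password change attempt", r"^passwd\s+root\b", "unix", True),
    Rule("Search for world-writable directories", r"^find\b.*-perm\b.*-o[+=]?w", "unix"),
    Rule("Registry Editor opened", r"^Registry Editor", "windows"),
]

def evaluate(events, rules=RULES):
    """One alert per (event, matching rule), numbered sequentially like searchable alert IDs."""
    alerts = []
    for ev in events:
        for r in rules:
            if r.platform == ev["platform"] and re.search(r.pattern, ev["text"]):
                alerts.append({"id": len(alerts) + 1, "rule": r.name, "user": ev["user"],
                               "endpoint": ev["endpoint"], "time": ev["time"],
                               "blocked": r.block, "evidence": ev["text"]})
    return alerts

def digest(alerts, every_minutes=None):
    """Batch per policy: None = one email per alert; N = one digest per N-minute window of the day (1440 = daily)."""
    if every_minutes is None:
        return [[a] for a in alerts]
    batches = {}
    for a in sorted(alerts, key=lambda a: a["time"]):
        midnight = a["time"].replace(hour=0, minute=0, second=0, microsecond=0)
        key = (midnight, (a["time"] - midnight) // timedelta(minutes=every_minutes))
        batches.setdefault(key, []).append(a)
    return list(batches.values())

# Constructed sample events: command lines / window titles captured in two sessions.
T0 = datetime(2024, 3, 1, 2, 10)  # irregular hours; constructed timestamp
def event(user, endpoint, platform, minutes, text):
    return {"user": user, "endpoint": endpoint, "platform": platform,
            "time": T0 + timedelta(minutes=minutes), "text": text}
EVENTS = [
    event("jdoe", "srv-db01", "unix", 0, "sudo -i"),
    event("jdoe", "srv-db01", "unix", 2, "find / -perm -o+w -type d"),
    event("jdoe", "srv-db01", "unix", 35, "passwd root"),
    event("asmith", "ws-042", "windows", 420, "Registry Editor"),
    event("asmith", "ws-042", "windows", 421, "Notepad"),
]
```

With a 30-minute digest policy the two early alerts on srv-db01 arrive in one email, the root password attempt in the next, and the Windows alert in a third; the Notepad window matches no rule and produces nothing.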

Viewing and Managing Alerts

The following sections describe how to view and manage activity alerts:

  • Managing Alerts: describes how to view alerts in different modes in the Web Console, filter alerts according to specified criteria, flag alerts for follow-up, add comments to alerts, print alerts, export alerts to PDF files, delete alerts, and receive alert notification emails.

  • Viewing Alert Indications in the Web Console: describes how to view sessions that have alerts, view alerts in recorded session videos (in the Session Player), and search for sessions according to an alert ID.

  • Integrating Alerts in SIEM Products: describes how to integrate alerts into your organization's existing SIEM system.

For details of how to view and manage alert rules, see Managing Rules in the Configuration Guide.