Understanding the Logic for Defining Rule Conditions

An alert or Linux prevent rule comprises conditions that define the criteria/logic for triggering an alert.

This topic describes the logic behind the rule conditions and the expected behavior of the system when defining a detection policy. You should read this topic before you attempt to create or edit alert or Linux prevent rules.

About Conditions

Each condition is evaluated as part of the rule. Each condition comprises:

  • Field (that is being tested). For example: "Server name".
  • Operator. For example: "is", "is not", "contains", and so on.
    Note: Depending on the mode (see Values Mode versus List Mode below), the operator for the condition may differ. For example, "contains" in Values mode becomes "contains value from the list" in List mode.
  • Value(s) (to test against). For example: "SRV, DB, LAP".

Values Mode versus List Mode

When defining the values by which a condition of an alert rule is evaluated, you can enter multiple values separated by commas, either directly or by clicking the […] icon to open a popup in which you can enter the values. When Lists are supported (see Understanding Lists in ObserveIT), you can select a predefined List instead of entering a set of values. When you hover over the values field, two icons appear that enable you to switch between the modes:

Values mode

List mode

When List mode is selected, a drop-down list shows all the predefined Public and Private lists that are authorized for this Console User and that match the condition. You can select the required List, or click the Edit List hyperlink to edit the properties of the selected List. Only General type lists are supported.

Rules for Configuring Alert Conditions

For each of the "Who-Did What-....." sections, you can configure a number of alert conditions.

To define an additional condition, click the icon.

To delete a condition, click the adjacent icon.

You can sort the order of your conditions by clicking the icon.

The "Who-Did What-....." sections always relate to each other with the "AND" logic. For example:

  • Who? User is John
  • AND
  • Did what? Ran application Regedit
  • AND
  • On which computer? Computer is DBSVR1
  • AND
  • When? Day is Sunday

You can choose whether all conditions within a "Who-Did What-....." section must match (by using the "AND" logic), or whether any one of the conditions may apply (by using the "OR" logic). You cannot mix "AND" and "OR" conditions within the same criteria section. To switch between "AND" and "OR", simply click on the text.

A negative condition, for example, "Window title does not contain x, y, z", means that the Window title does not contain "x", nor "y", nor "z".

The system triggers a new alert if any of the matched condition values differ from those of previously triggered alerts. For example, when the condition "User ran application Regedit, SQL Manager, or CMD" is defined, an alert is triggered if the user runs "Regedit" or "CMD".
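The following is an added example, not ObserveIT's own code, that implements the condition logic described on this page: sections combined with AND, AND or OR within a section, negative conditions that exclude every listed value, List mode versus Values mode, and a new alert only when the matched values differ from an earlier alert. The dictionary shapes for rules, Lists and activity events are assumptions made for the example.

```python
# Added example, not ObserveIT's own code; rule/event dict shapes are assumptions.
LISTS = {"Admin tools": ["Regedit", "SQL Manager", "CMD"]}  # constructed List

def condition_values(cond):
    # List mode takes values from a predefined List; Values mode uses inline values
    return LISTS[cond["list"]] if "list" in cond else cond["values"]

def match_condition(cond, event):
    actual = str(event.get(cond["field"], "")).lower()
    values = [v.lower() for v in condition_values(cond)]
    op = cond["op"]
    if op == "is":
        return actual in values
    if op == "is not":  # negative condition: actual equals none of the values
        return actual not in values
    if op == "contains":
        return any(v in actual for v in values)
    if op == "does not contain":  # contains neither x, nor y, nor z
        return not any(v in actual for v in values)
    raise ValueError(f"unknown operator: {op}")

def match_section(section, event):
    # Within a section all conditions (AND) or any condition (OR) must hold, never mixed.
    results = [match_condition(c, event) for c in section["conditions"]]
    return all(results) if section["logic"] == "AND" else any(results)

def match_rule(rule, event):
    # The Who / Did what / On which computer / When sections are always ANDed.
    return all(match_section(s, event) for s in rule["sections"])

def evaluate(rule, events):
    # Raise a new alert only when the matched values differ from an earlier alert.
    fields = [c["field"] for s in rule["sections"] for c in s["conditions"]]
    alerts, seen = [], set()
    for ev in events:
        if match_rule(rule, ev):
            key = tuple(str(ev.get(f, "")) for f in fields)
            if key not in seen:
                seen.add(key)
                alerts.append(ev)
    return alerts

# Constructed rule mirroring the page's example, with one List-mode condition.
RULE = {"sections": [
    {"logic": "AND", "conditions": [{"field": "user", "op": "is", "values": ["John"]}]},
    {"logic": "AND", "conditions": [
        {"field": "application", "op": "is", "list": "Admin tools"},
        {"field": "window_title", "op": "does not contain", "values": ["test", "demo"]}]},
    {"logic": "AND", "conditions": [{"field": "computer", "op": "is", "values": ["DBSVR1"]}]},
]}
```

Feeding `evaluate(RULE, events)` a stream of constructed activity events returns one alert per distinct combination of matched values, so a repeat of the same user, application, title and computer does not raise a second alert.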