Used Keyboard (Keylogging) Did What
This topic describes how to define alert rule conditions using the options available in the Used Keyboard (Key-logging) group category in the Did what? section of the Create Alert Rule page. (For more about the Did what? section, see Defining the "Did What?" Conditions.)
This option is used to trigger alerts for
Typed Text
Use this option to be alerted when the user:
- Types blacklisted commands (within CMD, Powershell, Putty, or Terminal), blacklisted phrases in an email, or sensitive words while browsing social media websites.
Following are some scenarios of when captured typed text data might generate an alert:
-
When a user types within CMD or PowerShell windows the command "netstat" that is included in a list of blacklisted commands specified in the List Network Sniffing.
-
When a user types sensitive words such as the company name while browsing within websites categorized as Instant Messaging, Chats or a Social Media Site. Sensitive keywords are specified in a list.
You can define alert rule conditions based on keywords that contain a single special character (for example, "%"), or words that contain special characters (note that you must specify the entire word; for example, "*resources"). You can also alert for phrases using quotation marks (for example, "john smith").
Defining Alerts for Typed Text
To define the typed text that will be included in the alert rule
-
From the Typed Text (Key Logging) option, select Typed text.
The available operator is contain which means that alerts will also be generated on typed words that include the specified keywords.
-
Enter the required values. You can enter multiple values separated by commas either directly or by clicking the […] icon to open a popup in which you can enter the values. You can also use a list, Implementing Lists in ObserveIT.
Pressed Special/Combination Keys
This option is available for alert type rules on Windows and Mac-based operating systems.
Use this option to be alerted when the user:
-
Presses one of the special keys, which are PrtScr, Backspace, Insert, Enter, Clear, Return, Delete, End, Esc, Home, Page Up, Page Down, Tab and F1 to F12.
-
Presses any combination keys, which are Alt, Ctrl, Shift and Win with other keys (Windows) and Cmd, Control, Option, and Shift with other keys (Mac).
Following are some scenarios of when captured special/combination key data might generate an alert:
-
PrtScrn key is defined as one of the special keys triggering an alert and a user presses the key to capture an image.
-
Alt and p are defined as a key combination trigger an alert and a user presses these key to print.
Defining Alerts for Special Keys and Key Combinations
To define the special keys and key combinations that will be included in the alert rule:
-
From the Used Keyboard (Key `logging) option, select Pressed special key/combination.
-
Enter the required values. You can enter multiple values separated by commas either directly or by clicking the […] icon to open a popup in which you can enter the values.
-Or-
Use the modifier or special key buttons to a select the value from the drop-down lists.
-Or-
Use a list in which such special keys or key combinations are already defined. For more about lists, see Creating Lists.