Viewing Details of Rules
This topic describes how you can view the details of all the currently configured alert and prevention rules according to the criteria that you specify.
The Alert & Prevent Rules page displays a table showing the rules for all categories; the number of rules currently included are displayed in parenthesis next to each category. All categories are displayed; even those with no associated rules. See also Managing Rule Categories.
When the Alert & Prevent Rules page first opens, the categories in the table might be closed, which means that the rules are not displayed. In order to expand a category to display its rules, click the icon.
You can open all the rules in all categories at once by clicking the Expand All icon. Note that if the total number of rules for all expanded categories exceeds a predefined number, you cannot open them all at once.
When the rules are displayed, you can click the icon next to the rule's name in order to see details of the conditions that define the rule (Who? Did What? On Which Computer? When? From Which Client?). For more information about the conditions that define a rule, see Configuring a Detection Policy for Alert Rules.
You can show the full details for all rules within the open categories by clicking the Show Full Details icon above the table.
If the value of any of the alert rule conditions was defined by a predefined List (see Understanding Lists in ObserveIT), clicking the List name hyperlink (see Sensitive Files in the above screenshot example) opens the Edit List page in which you can view and edit the List contents. For more information, see Editing Lists.
For each rule in the table, the following information is displayed:
-
Rule name: A unique name that describes the rule.
-
Status: Active or Inactive. When a rule is inactive, new alerts are not generated but old alerts are fully accessible in the Alerts page. The default status for new rules is 'Inactive".
-
Updated on: Date the rule was created or last updated.
-
Updated by: Name of the Console User that last updated or created the rule.
-
OS type: Operating system for which the rule was defined - Windows, Mac, or Unix.
-
Assigned: User List to which the rule is assigned. If the rule is assigned to more than one user list, a hyperlink displays the number of lists. Clicking the link opens a popup in which you can see the assigned user lists with an indication of their risk level.
The rules within each category can be sorted by Rule name, Status, Updated on, Updated by, and OS Type fields.