Configuring a Detection Policy for Alert Rules
This topic describes how to configure a detection policy when creating (or editing) an alert rule. When the conditions of the detection policy are met, an alert is triggered.
The core part of creating rules is defining the criteria (Who?, Did What?, On Which Computer?, When?, From Which Client?) that when met, will trigger an alert. A detection policy comprises the criteria that you configure for your rule. By specifying where, when, and by whom an activity is performed, you can define the scope of the activity and limit the number of generated alerts.
All the conditions, except for specific Did What? activities, can be used in both Windows and Unix environments. Each condition has its own set of parameters for which you can choose from a list of available options (fields and operators) and specify input values.
The options available for defining the conditions of a detection policy and the resulting actions that you can take when an alert is generated, depend on the operating system(s) you select for creating/editing the rule. For example, on Unix systems, only the Logged-In and Executed Command options are available and Blocking Messages cannot be configured. If you selected Both (Windows and Unix machines) on which to create/edit the rule, the only available Did What? option is Logged-In, and no actions can be applied.
When defining conditions against which to test alert rules, you can choose between entering comma-separated values or using a predefined List. See Understanding Lists in ObserveIT.
For each rule, you can configure a detection policy that answers the following questions:
-
Who? - Who was logged in to the session when the alert was triggered?
-
Did what? - What was the user doing when the alert was triggered?
-
On which computer? - On which computer was the user logged in?
-
When? - At what time was the alert triggered?
-
From which client? - Which client computer was being used when the alert was triggered?
Configuring a detection policy for an alert rule is done in the DETECTION POLICY area of the Create Alert Rule page.
Before you begin, it is recommended that you read the topic Understanding the Logic for Defining Rule Conditions, which describes the expected behavior of the system when defining a detection policy.
To create a detection policy for a new alert rule
-
In the Alert & Prevent Rules tab, click the New Alert Rule button.
The Create Alert Rule page opens in which you can define the conditions for your detection policy.
You cannot edit the detection policy of an alert rule that is a System rule from the ITM On-Prem (ObserveIT) Insider Threat Library. In this case, the conditions of the detection policy are read-only. For details, see Editing a System Rule in the topic Creating and Editing Alert Rules.
The following conditions enable you to configure a detection policy for triggering alerts:
Condition |
Description |
For details, see... |
---|---|---|
"Who?" |
Who is the user on which the alert will be generated? |
|
"Did What?" |
What actions did the user do? |
|
"On Which Computer? |
Name of the computer on which the action occurred. |
|
"When?" |
What day/date/time did the action occur. |
|
"From Which Client?" |
Name of the client domain\name or client IP address. |