Messing with ITM On-Prem (ObserveIT) Components

The following out-of-the-box alert rules are assigned to the category: MESSING WITH OBSERVEIT COMPONENTS.

ALERT RULE

Description

Accessing ObserveIT libraries on Linux

An alert is triggered upon executing commands that involve ITM On-Prem (ObserveIT) libraries. Such activity can indicate an intent to determine whether one is being monitored, or to remove or damage the libraries in an attempt to hide activity.

Changing ObserveIT Image Security settings

An alert is triggered upon browsing to the web page in which Image Security settings can be changed on ITM On-Prem (ObserveIT) Application Server.

Changing ObserveIT Installation Security settings

An alert is triggered upon browsing to the web page in which Installation Security settings can be changed on ITM On-Prem (ObserveIT) Application Server.

Logging in to ObserveIT Web Console on an unauthorized machine

An alert is triggered upon attempting to browse to the ITM On-Prem (ObserveIT) Web Console login page in order to log in from a machine that is not on the list of machines authorized for this purpose.

Logging in to ObserveIT Web Console using a sensitive account

An alert is triggered upon logging in to the ITM On-Prem (ObserveIT) Web Console using an administrative or sensitive account. Such accounts are not supposed to be used by individuals for interactive logins. This operation can indicate an early intent to hide one's identity.

Looking for ObserveIT libraries using Terminal on Mac

An alert is triggered upon looking for ITM On-Prem (ObserveIT) libraries using commands within Terminal on Mac, potentially in order to stop being monitored by ObserveIT.

Looking for ObserveIT processes using Activity Monitor on Mac

An alert is triggered upon looking for ITM On-Prem (ObserveIT) processes within the Activity Monitor utility on Mac, potentially in order to kill them and stop being monitored by ObserveIT.

Looking for ObserveIT processes using Terminal on Mac

An alert is triggered upon looking for ITM On-Prem (ObserveIT) processes using commands within Terminal on Mac, potentially in order to kill them and stop being monitored by ObserveIT.

Trying to kill ObserveIT processes on Mac

An alert is triggered upon trying to kill one of the ITM On-Prem (ObserveIT) processes running on Mac, potentially in order to stop being monitored by ObserveIT.

Trying to kill ObserveIT processes on Unix or Linux

An alert is triggered upon trying to kill one of the ITM On-Prem (ObserveIT) processes running on Unix or Linux, potentially in order to stop being monitored by ObserveIT.

Trying to kill ObserveIT processes on Windows

An alert is triggered upon trying to kill one of the ITM On-Prem (ObserveIT) processes running on Windows, potentially in order to stop being monitored by ObserveIT.

Trying to stop ObserveIT service on Unix or Linux

An alert is triggered upon trying to execute a command that stops the ITM On-Prem (ObserveIT) service on Unix or Linux, potentially in order to stop being monitored by ObserveIT.

Trying to stop ObserveIT service on Unix or Linux using INIT

An alert is triggered upon trying to execute an INIT command that stops the ITM On-Prem (ObserveIT) service on Unix or Linux, potentially in order to stop being monitored by ObserveIT.