Managing Alerts
The Alerts page enables administrators to view and manage activity alerts in the Web Console. If it is configured as the default user page, the Alerts page opens when the user logs on to the Web Console. See Creating and Managing Local Console Users.
You can print the Alerts list and/or export it to Excel. Alerts can be deleted ONLY by ObserveIT Administrators.
Important: Alerts are triggered by alert rules which define the conditions that could signify suspicious user activity on ObserveIT monitored endpoints. ObserveIT administrators can create and manage alert rules from the Alert & Prevent Rules page (by selecting Configuration > Alert & Prevent Rules in the ITM On-Prem Web Console). For details, see Managing Rules.
To open the Alerts page
- In the ITM On-Prem Web Console, click Management Console, then Alerts.
The Alerts page opens in List view (the default mode), displaying the alerts that were triggered within the default time period and that match the current filter criteria: alert status, risk level, rule type, OS type, and any other selected filters.
The number of alerts on the page out of the total number of alerts is displayed. By default, the page shows up to 20 alerts; you can change the default by selecting 50 or 100 from the Items per page drop-down list above the table.
Alert Viewing Modes
You can view alerts in different modes. To switch between modes, click the required icon in the area.
- List view: In this view, you can see at a glance all the alerts that match the specified filter criteria.
- Details view: In this view, you can see for each alert exactly Who? Did What? On Which Computer? When? and From Which client?
- Gallery view: The Gallery view provides a slideshow of the screenshots for each alert alongside the alert's details. By viewing alerts in this mode, you can clearly see the user's environment and the context of exactly what the user was doing when an alert was triggered.
Click the icon next to an alert to open Ongoing Alerts Tuning where you can perform several quick alert tuning actions.
Activity Alert Tasks
The tasks you can perform on alerts include:
- Filtering Alerts: Display the alerts according to your own specified criteria.
- Viewing a List of Alerts: View the alerts that were generated during a specified time period and according to specified criteria.
- Viewing Alert Details (Who? Did What?...): View exactly Who? Did What? On Which Computer? From Which Client? When? for each alert.
- Ongoing Alerts Tuning: Quickly tune alerts for more accurate detection.
- Viewing Alerts in Gallery Mode: Browse through the screenshots of each alert while the full details are shown next to each screenshot.
- Changing the Status of Alerts: Change the status of selected alerts according to the administrator's assessment.
- Adding Comments to Alerts: Add comments to alerts to provide feedback.
- Flagging Alerts for Follow-Up: Highlight alerts that require more attention by flagging them.
- Exporting and Printing the Alerts List: Print the Alerts list and/or export it to Excel.
- Exporting Alerts to a PDF File: Export alert metadata to a PDF file in order to share information on risky user activity.
- Deleting Alerts: Delete alerts that are no longer required.
- Receiving Alert Notifications by Email: Receive email notifications so that you can quickly identify alerts and respond accordingly.
- Viewing Sessions with Alerts: View recorded sessions that contain alerts (marked with alert indications) in the Endpoint Diary, User Diary, and/or Search lists.
- Viewing Alerts in the Session's Video: Replay videos of sessions with alerts in the Session Player.
- Searching for Sessions by Alert ID: From the Alerts Details view, click an Alert ID link to open the Search page filtered to the session associated with that alert ID, in order to view additional information about the session and the context of the activity that caused the alert.