Implementing Lists in ObserveIT

ITM On-Prem (ObserveIT) allows the implementation of Lists which enable you to configure and operate alert rules more efficiently.

Using Lists enhances alert rule operations by enabling you to:

  • Assign alert rules to specific users or Active Directory groups. In this way, irrelevant "noise" is removed for the users to whom those alerts do not apply.

  • Apply the same List of users to different alert rules.

  • Speed up the configuration of a long list of items by assigning them to a List.

  • Easily locate and identify Lists for updating their content.

  • Integrate with external HR systems. You can populate the content of a user List by importing a file of users exported from an HR system.
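The HR-integration bullet above (and the Termination List described later on this page) implies a recurring job: take the HR export, keep only the accounts that belong on the list, and produce a file to import. The following script is an added example, not ObserveIT code; the HR column names, the 90-day window and the `DOMAIN\user` entry format are assumptions, and the actual file layout the Web Console import dialog expects is not specified on this page, so adjust `render_import_file` to match it. The sample export is constructed.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample HR export (not real data). Column names are assumed;
# real HR systems will differ.
HR_EXPORT = """\
employee_id,sam_account,domain,status,termination_date
1001,jdoe,CORP,Active,
1002,asmith,CORP,Terminated,2024-05-01
1003,bwong,CORP,Terminated,2024-06-20
1004,asmith,CORP,Terminated,2024-05-01
1005,,CORP,Terminated,2024-06-21
1006,cjones,corp,terminated,2023-01-15
1007,dlee,CORP,Terminated,2024-07-15
"""


def terminated_users(hr_csv, today, window_days=90):
    """Return sorted DOMAIN\\user entries for employees whose termination
    date is within the last `window_days` days or in the future (notice
    period). Rows without an account, with an unparsable date, or with a
    status other than Terminated are skipped; duplicates collapse and the
    domain is upper-cased so the same person cannot appear twice."""
    cutoff = today - timedelta(days=window_days)
    entries = set()
    for row in csv.DictReader(io.StringIO(hr_csv)):
        if row["status"].strip().lower() != "terminated":
            continue
        account = row["sam_account"].strip().lower()
        if not account:
            continue  # no AD account to match; nothing to import
        try:
            term = date.fromisoformat(row["termination_date"].strip())
        except ValueError:
            continue  # bad or missing date: do not guess
        if term < cutoff:
            continue  # outside the termination period we watch
        entries.add(f"{row['domain'].strip().upper()}\\{account}")
    return sorted(entries)


def list_delta(current, desired):
    """Compare the list as it exists now with the newly computed one and
    return (to_add, to_remove), so users whose window expired are dropped
    instead of accumulating on the list forever."""
    cur, des = set(current), set(desired)
    return sorted(des - cur), sorted(cur - des)


def render_import_file(entries):
    """One entry per line. Assumed format; match it to the Web Console's
    import dialog before use."""
    return "\n".join(entries) + "\n"


if __name__ == "__main__":
    today = date(2024, 7, 1)
    desired = terminated_users(HR_EXPORT, today)
    add, remove = list_delta(["CORP\\cjones", "CORP\\asmith"], desired)
    print("add:", add, "remove:", remove)
    print(render_import_file(desired), end="")
```

Run it on a schedule after each HR export; the delta tells you whether anything actually changed before you touch the list in the console.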

Each List has a content type and a visibility setting:

  • General: for free-text items. For example, "Keywords in sensitive file names" would contain keywords that identify sensitive file names or file extensions.

  • Users: for users and Active Directory groups, with an option to exclude specific ones.

  • Public lists: content can be viewed and edited by all Web Console users who have access to the ITM On-Prem (ObserveIT) configuration.

  • Private lists: content can be viewed, edited, or deleted only by the last Console User who set the list to Private. Even users with the Admin role cannot view or edit the content unless they were the one who made the list Private.

  • Note: The names of Private lists are visible to every Console User; only the content is hidden and disabled for editing.

System-Configured Lists

ITM On-Prem (ObserveIT) provides a comprehensive library of alert rules configured to handle Insider Threat. These alert rules are already assigned to the relevant system-configured user lists.

Following are the built-in ITM On-Prem (ObserveIT) system-configured lists of Users type:

  • Everyday Users: regular business users and groups who do not have privileged permissions. This list also includes users that operate from remote applications running on Unix/Linux machines.

  • Privileged Users: users and groups with high privileges, including all types of administrators. This list is populated with the users and groups that exist in any Active Directory deployment.

  • Remote Vendors: users and groups of remote vendors that provide 3rd party services to the organization. These users are considered high risk as they usually have access to sensitive information although they are not part of the organization.

  • Users in Watch-List: users whose actions are "being watched" for various reasons, such as alcoholism or financial debt issues, employees that are possibly looking for other jobs, and so on. These users are considered high risk from the point-of-view of insider threat.

  • Termination List: users whose employment has been terminated are considered high risk during their termination period. This list can be easily populated by importing CSV files created by an external HR system.

  • Executives: users and groups in executive positions that usually have access to highly sensitive information.

  • Developers & DevOps: users and groups of developers and DevOps that are part of the organization. These users require access to sensitive systems as part of their job (as opposed to Everyday Users).

Following are some examples of alert rules and their relevance to each user list:

  • Alert for large file/folder copy: a rule that triggers an alert when a user copies a large file or folder is relevant for users on the Termination List or in the Users in Watch-List, who might be trying to exfiltrate sensitive and confidential data from the company; for Everyday Users and Privileged Users, the same activity is not so risky.

  • Alert for privilege elevation: for example, a rule that triggers an alert when a user creates a local admin user (or an account with root permissions), since this is a potential security risk to the system. This rule is useful for Everyday Users and Remote Vendors, who should not normally be elevating privileges, but less relevant for Privileged Users, for whom this is routine work.

In the Alert & Prevent Rules page, you can view all the rules assigned to each user list. You can also assign rules from other user lists. For details, see Assigning Rules to User Lists.