Importing System Rules from the Insider Threat Library

ITM On-Prem (ObserveIT) allows you to import System Rules that were exported from the ITM On-Prem (ObserveIT) Insider Threat Library (ITL).

The export of System Rules from the ITM On-Prem (ObserveIT) Insider Threat Library (ITL) is managed by ObserveIT. System rules are exported with their List assignments; any changes that were made in List Items are included in the file to be imported.

The import wizard provides a preview screen enabling you to review the content of the file to be imported, and change the selection of files for import, if required.

To import system rules from the Insider Threat Library

  1. Click the Import button in the Alert & Prevent Rules page (see Importing Rules for details).

    A dialog box opens, asking if you want to back up all the rules in the system before continuing with the import process.

    • If you select Backup All Rules, all the existing rules will be exported to a file with their defined defaults.

    • If you select Continue Importing, the Import page opens directly.

    The Import page displays the 3 steps that comprise the import process:

    1. Choose the exported file for upload.

    2. Preview content of the file to be imported to your system.

    3. View confirmation that the import was successful.

  2. Click the Browse... button to locate the ZIP file containing the exported system rules that you want to import, and click the Upload File button.

    The exported ZIP file can be easily identified by the "ITL version number" prefix before the date and time; for example: "ITL 6.8.0.1 - 2016-12-18--10-37.zip".

    A preview screen opens, enabling you to review the content of the file to be imported, and change the selection of files for import, if required. For example:

    • If the uploaded ITL ZIP file contains rules that are identical to system rules that already exist, they will not be imported. The message <num> rules will be skipped and will not be imported is displayed in the preview screen on a black background, as shown in the above example.

    • If the uploaded ITL ZIP file contains existing system rules that have been modified, these will be automatically upgraded. The message <num> system rules already exist in the system and will be upgraded automatically is displayed in the preview screen on a yellow background, as shown in the above example. Note that the check boxes alongside these rules and their categories cannot be deselected.

    • If the uploaded ITL ZIP file contains new rules (system (ITL) or non-system) that do not already exist, these will be imported. The message <num> rule is new (deselect to skip) is displayed in the preview screen on a green background, as shown in the above example. Note that the check boxes alongside these rules can be selected or deselected.

    • If the uploaded ITL ZIP file includes system rules that were marked for removal, the following note is displayed at the bottom of the screen:
      Note: <num> system rules are obsolete and will be removed from your system.

  3. When you have finished previewing or making changes to the rule selection, click the Continue Importing Selected Rules <num> button.

    The number of rules displayed on the button is the count of selected new rules, both system and non-system.

    Upon successful completion of the file import process, a confirmation message is displayed showing the number of rules that were successfully imported, and the number of rules that were removed (if relevant).
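The following script is an added example, not ObserveIT code: it validates an export file name against the "ITL <version> - <date>--<time>.zip" pattern shown above and models the four preview buckets (skipped, upgraded, new, obsolete) so you can see what an import will do before running it. The rule records (name, definition, obsolete flag) and the sample data are constructed assumptions; the real ZIP layout is not documented on this page.

```python
"""Model of the ITL import preview (added example; rule layout is assumed)."""
import re
from datetime import datetime

# File-name convention from the procedure, e.g. "ITL 6.8.0.1 - 2016-12-18--10-37.zip"
ITL_ZIP_RE = re.compile(
    r"^ITL (?P<version>\d+(?:\.\d+)*) - (?P<stamp>\d{4}-\d{2}-\d{2}--\d{2}-\d{2})\.zip$"
)


def parse_itl_zip_name(filename):
    """Return (ITL version, export datetime) for a valid export name, else None."""
    match = ITL_ZIP_RE.match(filename)
    if not match:
        return None
    stamp = datetime.strptime(match.group("stamp"), "%Y-%m-%d--%H-%M")
    return match.group("version"), stamp


def preview_import(existing, incoming):
    """Sort incoming rules into the preview buckets described in the wizard.

    existing/incoming: lists of dicts {"name": str, "definition": str, "obsolete": bool}
    (assumed shape, not the product's real rule format).
    """
    current = {r["name"]: r["definition"] for r in existing}
    buckets = {"skipped": [], "upgraded": [], "new": [], "obsolete": []}
    for rule in incoming:
        name = rule["name"]
        if rule.get("obsolete"):
            if name in current:            # only rules you actually have get removed
                buckets["obsolete"].append(name)
        elif name not in current:          # new rule: selectable, counted on the button
            buckets["new"].append(name)
        elif current[name] == rule["definition"]:
            buckets["skipped"].append(name)  # identical: not imported
        else:
            buckets["upgraded"].append(name)  # modified system rule: forced upgrade
    return buckets


def selected_count(buckets, deselected=()):
    """Number shown on 'Continue Importing Selected Rules <num>': new rules still selected."""
    return len([n for n in buckets["new"] if n not in set(deselected)])


# Constructed sample data for a dry run.
EXISTING = [{"name": "A", "definition": "x"}, {"name": "B", "definition": "y"},
            {"name": "D", "definition": "z"}]
INCOMING = [{"name": "A", "definition": "x"}, {"name": "B", "definition": "y2"},
            {"name": "C", "definition": "w"}, {"name": "D", "definition": "z", "obsolete": True},
            {"name": "E", "definition": "q", "obsolete": True}]

if __name__ == "__main__":
    print(parse_itl_zip_name("ITL 6.8.0.1 - 2016-12-18--10-37.zip"))
    print(preview_import(EXISTING, INCOMING))
```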

The Alert & Prevent Rules page will be refreshed to display the newly imported rules.