Basic Tuning

To get started tuning alerts, do the following:

  1. Validate the prerequisites
    • Website Categorization module is installed successfully (if required)

    • LDAP Settings are defined to utilize Active Directory users/groups.

      Select Configuration > User Management > LDAP Settings.

    • SMTP Settings are defined to receive email notifications on Alerts.

      Select Configuration > Settings > SMTP Settings.

  2. Populate User Lists with User Login Names and Active Directory Groups

    Select Configuration > Alerts > Lists, and add Users and Groups to the following lists:

    • Privileged Users
    • Developers & DevOps
    • Remote Vendors

    After adding a user or group to one of the above lists, remember to exclude it from the Everyday Users Group. This way no user or group is associated with more than one list.

  3. Populate the General Lists with items that correspond to the alert rule that will trigger

    Select Configuration > Lists, and add relevant Items to the following lists:

    • Sensitive files: keywords (e.g., “.pdf”, “salary”, “revenues.xlsx”) within file names that identify files whose exfiltration (printing, sending out by email, copying/pasting, viewing, copying text from them) should trigger an alert.
    • Sensitive folders: keywords within folder names that identify folders sensitive to viewing or to exfiltration via copying/pasting.
    • Keywords in file names to trigger alert on uploading: keywords to be searched for in uploaded file names (including extensions).
    • Keywords to be monitored upon copying them to clipboard: keywords to be monitored in case they are copied to the clipboard.
    • Sensitive keywords to be detected in Subject of outgoing emails: sensitive keywords in the Subject field of an email that trigger an alert.
    • Unauthorized black-listed websites: site names that are not allowed and unauthorized for browsing within the organization (e.g., “youtube”, “<competitor-name>.com”).
    • Sensitive Windows servers: names of sensitive Windows servers in your organization (e.g., production servers).
    • Sensitive Windows desktops: names of sensitive Windows desktops in your organization (e.g., the laptops of executives).

  4. Clean up the Alerts screen - Remove pre-tuning triggered Alerts

    After completing the above tuning, it is recommended that you clean the Alerts screen by deleting all the old alerts (select all Alerts on all pages and click the Delete icon), so that you start receiving only post-tuning alerts.

  5. Let ITM On-Prem (ObserveIT) run and review high-risk users in the User Risk Dashboard

    Let the system run for at least a week. As a starting point, we recommend reviewing the high-risk users that appear at the top of the User Risk Dashboard. To view all alerts of a high-risk user, in the User Risk Dashboard screen, click the Investigate button next to the relevant high-risk user.

    • You can fine-tune false-positive Alerts from the Tuning popup by clicking the Tuning icon. The Ongoing Alerts Tuning Options allow you to easily exclude users or Active Directory Groups from a specific Alert rule.

    • Alternatively, you can open an Alert rule directly from the Tuning popup for full editing capabilities by clicking Open this Alert Rule for editing.

    • Delete (or change the status of) already triggered false-positive Alerts.

    • Fine-tune Lists from the Configuration > Alerts > Lists screen in order to add/remove list items from Lists or add/exclude users and Active Directory Groups from specific User Lists.
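    The two list rules from steps 2 and 3 (no user or group in more than one User List, and keyword lists matched against file names) can be sanity-checked offline before the lists are entered in the console. The following is an added example, not ObserveIT code; the list names are the page's, the members, keywords and file events are constructed samples, and it assumes case-insensitive substring matching of keywords against file names.

```python
# Added example: offline check of alert-tuning lists (not ObserveIT's own code).

# Constructed sample of the User Lists from step 2. "bob" has been added to
# Developers & DevOps but not yet excluded from Everyday Users.
USER_LISTS = {
    "Privileged Users": {"alice", "DOMAIN\\Domain Admins"},
    "Developers & DevOps": {"bob", "DOMAIN\\DevOps"},
    "Remote Vendors": {"vendor01"},
    "Everyday Users": {"carol", "bob", "DOMAIN\\All Staff"},
}

# Constructed sample of the "Sensitive files" General List from step 3.
SENSITIVE_FILE_KEYWORDS = [".pdf", "salary", "revenues.xlsx"]

# Constructed file-activity events: (login name, file name).
EVENTS = [
    ("alice", "Q3_Salary_Report.pdf"),
    ("carol", "notes.txt"),
    ("bob", "revenues.xlsx"),
]


def find_overlaps(user_lists):
    """Return {member: [list names]} for every member present in more than one
    User List; the procedure requires each member to belong to exactly one."""
    membership = {}
    for list_name, members in user_lists.items():
        for member in members:
            membership.setdefault(member.lower(), set()).add(list_name)
    return {m: sorted(names) for m, names in membership.items() if len(names) > 1}


def matching_keywords(file_name, keywords):
    """Keywords that would hit this file name (assumed: case-insensitive
    substring match, so ".pdf" matches any PDF and "salary" matches any
    file name containing that word)."""
    lowered = file_name.lower()
    return [k for k in keywords if k.lower() in lowered]


def review_file_events(events, keywords):
    """Return (user, file_name, hits) for each event that would raise a
    sensitive-file alert; use it to spot keywords that are too broad."""
    results = []
    for user, file_name in events:
        hits = matching_keywords(file_name, keywords)
        if hits:
            results.append((user, file_name, hits))
    return results
```

A non-empty result from find_overlaps lists exactly the members that still need to be excluded from Everyday Users; a keyword that matches most of the sample events is a candidate for narrowing before alerts are cleaned up in step 4.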