ITM On-Prem (ObserveIT) Insider Threat Library

Insider Threat Intelligence

ITM On-Prem (ObserveIT) provides an extensive library of out-of-the-box detection scenarios that Business users and Administrators can use to detect insider threats on Windows, Mac, and Unix/Linux systems.

The ITM On-Prem (ObserveIT) Analytics Library Package contains over 300 rules that cover the most common scenarios of risky user activities that might generate alerts. These rules have built-in policy notifications that are designed to increase the security awareness of users, and reduce overall company risk.

To help you use the Alert Rules, ITM On-Prem (ObserveIT) has determined which Alert Rules (Windows/Mac) bring the highest value to customers. These “top” Alert Rules for Windows/Mac are now active by default. All other Windows/Mac rules are deactivated by default. (See List of Active Alert Rules.)

ObserveIT’s Library of alert rule scenarios is grouped by security Category to simplify navigation, operation, and maintenance. Rules can also be mapped to types of user groups, such as Privileged Users, Everyday Users, Remote Vendors, and so on, each with a specific risk level.

Each alert rule in the ITM On-Prem (ObserveIT) Insider Threat Library is associated with at least one Category. Categories apply to Windows, Mac, or Unix/Linux systems; some are relevant for all systems.

The Insider Threat Library is maintained by an ITM On-Prem (ObserveIT) Content Manager and released as a ZIP file to customers, providing them with the most up-to-date insider threat scenarios.

For detailed information about ObserveIT's Insider Threat Library, its categories, and the alert rules within each category, see Alert Rule Categories.

For information about fine-tuning rules, see ITL Tuning Guide Overview.