
Overview

To monitor alert definitions, you can use the data search to access the devo.audit.alert.definition data table. All alert definitions are registered in this table upon creation, as well as any subsequent changes they undergo.
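Because every definition change lands in the audit table, a practitioner usually wants a small diff routine that turns the stream of saved versions into a list of what changed, when, and by whom; a threshold raised by orders of magnitude or an alert switched off by a user other than its owner is exactly the kind of event that quietly blinds a detection. The following is an added illustration, not Devo code: the audit rows, their field names (alert, ts, user, query, threshold, active) and the query text are all constructed and do not reflect the real schema of devo.audit.alert.definition.

```python
from typing import Dict, List

# Constructed audit records with hypothetical field names; one record per
# saved version of an alert definition. Not the real Devo schema.
AUDIT_ROWS: List[Dict] = [
    {"alert": "ssh_bruteforce", "ts": "2024-03-01T09:00:00Z", "user": "ana",
     "query": "failed logins grouped every 5m by source (constructed)",
     "threshold": 20, "active": True},
    {"alert": "ssh_bruteforce", "ts": "2024-03-05T18:42:00Z", "user": "bob",
     "query": "failed logins grouped every 5m by source (constructed)",
     "threshold": 20000, "active": True},
    {"alert": "ssh_bruteforce", "ts": "2024-03-06T02:10:00Z", "user": "bob",
     "query": "failed logins grouped every 5m by source (constructed)",
     "threshold": 20000, "active": False},
    {"alert": "admin_login", "ts": "2024-03-02T11:00:00Z", "user": "ana",
     "query": "admin logins outside business hours (constructed)",
     "threshold": 1, "active": True},
]

# Fields whose change is worth reporting; everything else is ignored.
TRACKED_FIELDS = ("query", "threshold", "active")


def version_history(rows: List[Dict]) -> Dict[str, List[Dict]]:
    """Group audit rows per alert name, ordered by save time."""
    by_alert: Dict[str, List[Dict]] = {}
    for row in sorted(rows, key=lambda r: r["ts"]):
        by_alert.setdefault(row["alert"], []).append(row)
    return by_alert


def definition_changes(rows: List[Dict]) -> List[Dict]:
    """Diff consecutive versions of each alert and return one entry per changed field."""
    changes = []
    for name, versions in version_history(rows).items():
        for prev, cur in zip(versions, versions[1:]):
            for field in TRACKED_FIELDS:
                if prev[field] != cur[field]:
                    changes.append({
                        "alert": name,
                        "ts": cur["ts"],
                        "user": cur["user"],
                        "field": field,
                        "before": prev[field],
                        "after": cur[field],
                    })
    return changes


def changes_by_non_owner(rows: List[Dict]) -> List[Dict]:
    """Changes made by someone other than the user who created the alert."""
    owners = {name: vs[0]["user"] for name, vs in version_history(rows).items()}
    return [c for c in definition_changes(rows) if c["user"] != owners[c["alert"]]]


if __name__ == "__main__":
    for change in definition_changes(AUDIT_ROWS):
        print(f'{change["ts"]} {change["alert"]}: {change["field"]} '
              f'{change["before"]!r} -> {change["after"]!r} (by {change["user"]})')
```

Run against a real export you would replace AUDIT_ROWS with rows read from the audit table and map its actual column names onto the three tracked fields; the diff logic itself does not change.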

To manage alert definitions, users with the necessary administrative permissions can perform the tasks shown below with existing alerts. All of these tasks are carried out in the Available Alerts tab of the Administration → Alert Configuration area.

What permissions do I need?

To access the Administration → Alert Configuration area you need to have a role with the Manage version of the Alert configuration permission. If you only have the View version of this permission, you will not be able to perform any task here (more info about permissions here).

Additionally, you need to have alerts assigned (see Assign resources to a role). You will only see alert definitions for the alerts assigned to you, and only with the interaction level specified for them. In other words, the permission grants theoretical access to alerts, while assigning a specific alert grants the actual access.

Filter alerts

Since the number of existing alerts in a domain is potentially high, the process of filtering alerts provides a quick way of finding them and is, therefore, an instrumental step prior to any other task. There are three different methods with different scopes:

Top filter: whole structure

The top filter is a global method somewhat similar to the Data Search finder in the sense that the lists are hierarchical. The box on the left represents the categories, the box on the right represents the subcategories, and the list below shows the alerts that correspond to the selected category-subcategory combination.

  • Selecting a category in the box on the left will cause a cascade filtering to show only the category, its subcategories and the alerts inside those subcategories.

  • Selecting a subcategory will cause further cascading to show only the alerts inside that subcategory. If it is selected without selecting a category before, the filtering is performed in both directions of the hierarchy to show only the parent category and the child alerts.

  • Clicking the Unselect button that appears next to the Categories and Subcategories headers upon selection will reset the filters up to that level. This means Categories will show everything again while Subcategories will show everything inside the selected category.

Delete categories

As alerts are created and deleted over time, it's possible that a subcategory no longer contains any alerts. When this happens, Devo lets you know by displaying a Delete button when you hover over the subcategory.

General filter: alert list

The general filter is one of the methods to filter directly on the alert list displayed. Write the desired string in the Contains text search box and click the magnifying glass next to it to show only those alerts that contain that string in any of their fields (category, subcategory, name, owner, etc.). Click the circled X that appears once a filtering criterion has been entered to remove it.

Column filter: specific column of the alert list

The column filter on each column header is one of the methods to filter directly on the alert list displayed, on a specific column. Click on the desired column filter and write the desired string. The alerts will be filtered as you type, showing only those that contain such a string in that specific column. To remove the filtering criteria, just delete the string.


You can also click a value on the list and that value will be used as filtering criteria (clicking a value on the Category or Subcategory columns is the same as using the top filter, while clicking a value on the Name or Owner columns is the same as using the column filter).

These methods are independent but can be used in combination for a more concise approach. However, be aware that each reset option only reaches the scope of its corresponding method, in other words, they can reset only the filters they are capable of applying.

Assign a sending policy to an alert

Once you've created a sending policy (visit Manage sending policies to know how), it is available to be assigned to alerts in this area. Find the desired alert and click the paper airplane icon that appears under the Active Policies column.

The Sending Policy window opens for you to specify the Alert notification method and Assigned policies (see the options explained in the table below). Click Apply when you finish.

Alert notification method

Policy based: if you select this option, the notification procedure will be based on existing sending policies.

No notification: if you select this option, no user will be notified when an alert is triggered. This simply means that the alert will not be notified, not that it is not triggered or registered (they will be listed in the Alerts History area and the siem.logtrust.alert.info table).

Default method: if you select this option, only the default sending policy will be used for the notification procedure. This is the default option when you create an alert.

Assigned policies

If you select the policy-based option, you must check one or more checkboxes corresponding to the sending policies you want to assign.

The names of the chosen policies appear under the Policy column. If you choose not to send notifications, a hyphen (-) appears instead so that you can easily recognize alerts that will not be notified.

Edit alert definition and query

You can modify an alert in the Edit Alert Definition window, which you can open by clicking the ellipsis menu and selecting Edit, as shown in the picture below. Once you have made the necessary changes, click Save to apply them.

In this window, you can modify Summary, Description, and Priority, as well as the Query that sets the alert conditions or some of the parameters inherent to the triggering method (see table below). However, you cannot change the name, category, subcategory, or triggering method itself.

Changing triggering parameters

These are the parameters you may or may not edit for each triggering method:

Parameter                                   | Trigger method                    | Editable
--------------------------------------------|-----------------------------------|---------
Include all fields                          | Each                              |
Period                                      | Several, Low                      |
Threshold                                   | Several, Low, Gradient, Deviation |
Keys (Keep counter for each value in field) | Several                           |
Threshold type (Absolute/Percentage)        | Gradient, Deviation               |
Aggregation fields (Add a numeric field)    | Gradient, Deviation               |
Run every                                   | Rolling                           |
Check last                                  | Rolling                           |

Changing the query

To change the alert query, simply make the necessary changes in the Query area. Here you can modify the operations performed as well as the source table.

Alternatively, you can open the alert query in the search window to make the necessary changes there by clicking the Edit in search window button above the query. When you finish, select Options menu → Set query change in alert (or the button on the toolbar) to go back to the Edit Alert Definition window.

Alerts & Timezones

Alerts run according to the timezone of the user who created them. If that user changes their timezone, the alert definition must be manually updated so that the underlying timezone changes as well.

This is especially relevant for alerts with queries that contain time-based groupings.
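To see why a time-based grouping depends on the timezone, the following added example (not Devo code; the event timestamps are constructed) buckets the same five events into calendar days as seen from three fixed UTC offsets and checks a per-day threshold against each. The same data produces different day counts, so an alert that fires on "N events in a day" can trigger on a different day, or not at all, once the underlying timezone changes.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: five event timestamps in UTC, straddling midnight.
EVENTS_UTC = [
    datetime(2024, 3, 10, 22, 15, tzinfo=timezone.utc),
    datetime(2024, 3, 10, 23, 40, tzinfo=timezone.utc),
    datetime(2024, 3, 11, 0, 5, tzinfo=timezone.utc),
    datetime(2024, 3, 11, 1, 30, tzinfo=timezone.utc),
    datetime(2024, 3, 11, 2, 10, tzinfo=timezone.utc),
]


def fixed_offset(hours: int) -> timezone:
    """Timezone with a fixed UTC offset (no DST), e.g. fixed_offset(-5)."""
    return timezone(timedelta(hours=hours))


def count_per_day(events, tz) -> Counter:
    """Group events into calendar-day buckets as seen from timezone tz."""
    return Counter(e.astimezone(tz).date().isoformat() for e in events)


def days_over_threshold(events, tz, threshold: int) -> list:
    """Days on which the per-day event count reaches the threshold."""
    return sorted(day for day, n in count_per_day(events, tz).items() if n >= threshold)


if __name__ == "__main__":
    for label, tz in (("UTC", fixed_offset(0)), ("UTC-5", fixed_offset(-5)), ("UTC+9", fixed_offset(9))):
        print(label, dict(count_per_day(EVENTS_UTC, tz)),
              "fires on:", days_over_threshold(EVENTS_UTC, tz, 3))
```

Under UTC the events split 2/3 across the two days and only 11 March reaches a threshold of 3; under UTC-5 all five fall on 10 March, and under UTC+9 all five fall on 11 March.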

Activate or deactivate an alert

If you want to stop an alert temporarily so that you can start it again in the future, you can deactivate it.

To activate or deactivate an alert, find the desired alert (you can use the filters explained in the section above) and then simply use the ON/OFF slider at the end of the row.

Active defined alerts limit

You can have up to 300 alert definitions activated in your domain. You will not be able to activate an alert once that limit is reached. To activate it, deactivate or delete other alerts to free up slots.

If you need to adjust this limit, contact Devo support.

Clone an alert

You can clone an alert definition to quickly edit its details or assign it a different sending policy.

To clone an alert, you need to find the alert in question (you can use the filters explained in the section above), click the ellipsis at the end of the alert row, and select Clone. Then, edit the alert parameters in the Clone Alert Definition window and click Clone.

In this window, you can change everything except the category, query and triggering method. Even though the triggering method cannot be changed, some of its parameters can be modified (see edit section above). If you want to modify the query, simply finish the cloning and then edit it.

Once cloned, it is activated by default.

Delete an alert

You can delete an alert when you find it no longer useful to your domain users. This has no impact on the query whose data has been feeding the alert.

To delete an alert, you need to find the alert in question (you can use the filters explained in the section above) and click the ellipsis at the end of the alert row. Select Delete and then Yes in the warning message that appears.

Remember that you can deactivate an alert if you think it might be useful in the future and you only need to stop it temporarily.
