Manage defined alerts
Devo users with the necessary administrative permissions can perform the tasks shown below on existing alerts. All of them are carried out in the Available Alerts tab of the Administration → Alert Configuration area (see Configuring alerts for the permissions required).
Filter alerts
Since a domain can contain a large number of alerts, filtering is the quickest way to locate the ones you need and is therefore the natural first step before any other task. There are three methods, each with a different scope:
Top filter: it affects the whole structure
General filter: it affects the alert list displayed
Column filter: it affects only a specific column on the alert list displayed.
You can also click a value on the list and that value will be used as filtering criteria (clicking a value on the Category or Subcategory columns is the same as using the top filter while clicking a value on the Name or Owner columns is the same as using the column filter).
These methods are independent but can be combined to narrow the list further. Be aware, however, that each reset option only clears the filters of its own method: resetting the column filter does not clear the top or general filter, and vice versa.
Assign a sending policy to an alert
Once you've created a sending policy (visit Manage sending policies to know how), it is available to be assigned to alerts in this area. Find the desired alert and click the paper airplane icon that appears under the Active Policies column.
The Sending Policy window opens for you to specify the Alert notification method and Assigned policies (see the options explained in the table below). Click Apply when you finish.
Setting | Option | Description
---|---|---
Alert notification method | Policy based | The notification procedure is based on the existing sending policies you assign below.
Alert notification method | No notification | No user is notified when the alert is triggered. The alert is still triggered and registered (it appears in the Alerts History area and in the siem.logtrust.alert.info table); only the notification is suppressed.
Alert notification method | Default method | Only the default sending policy is used for the notification procedure. This is the default option when you create an alert.
Assigned policies | Policy checkboxes | If you selected the policy-based option, check one or more of the listed sending policies to assign them to the alert.
The names of the chosen policies appear under the Policy column. If you choose not to send notifications, a hyphen (-) appears instead so that you can easily recognize alerts that will not be notified.
Edit alert definition and query
You can modify an alert in the Edit Alert Definition window, which you can open by clicking the ellipsis menu and selecting Edit as shown in the picture below. Once you have made the necessary changes, click Update to apply them.
In this window, you can modify Summary, Description, and Priority, as well as the Query that sets the alert definition parameters. However, you cannot change the trigger method.
Whether the specific parameters of each trigger method can be edited depends on the parameter:
Parameter | Trigger method | Editable |
---|---|---|
Period | Several, Low | ✓ |
Threshold | Several, Low, Gradient, Deviation | ✓ |
Keys (Keep counter for each value in column) | Several | ✘ |
Threshold type (Absolute/Percentage) | Gradient, Deviation | ✓ |
Aggregation columns (Add a numeric column) | Gradient, Deviation | ✘ |
Run every | Rolling | ✓ |
Check last | Rolling | ✓ |
To change the alert query, simply make the necessary changes in the Query area. Here you can modify the operations performed as well as the source table.
Alternatively, you can open the alert query in the search window to make the necessary changes there by clicking the Edit in Data Search window button above the query. When you finish, select Additional Tools → Set query change in alert (or the button on the toolbar) to go back to the Edit Alert Definition window.
Alerts & Timezones
Alerts run according to the timezone of the user who created them. If that user later changes their timezone, the alert definition must be updated manually so that the alert's underlying timezone changes as well.
This is especially relevant for alerts whose queries contain time-based groupings (for example, daily buckets), because the bucket boundaries, and therefore the counts compared against the threshold, depend on the timezone in which the grouping is evaluated.
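The following is an added illustration of the timezone caveat and is not Devo code: it simulates, in plain Python, what a threshold alert with a daily grouping would count for the same set of events when the grouping is evaluated in different timezones. The event timestamps are constructed for the example, and the counting logic is a simplified stand-in for the query engine, not a reproduction of how Devo evaluates queries.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events (UTC), not real alert data. Three fall late on
# 10 March and one falls just after midnight on 11 March, in UTC terms.
EVENTS_UTC = [
    datetime(2024, 3, 10, 22, 30, tzinfo=timezone.utc),
    datetime(2024, 3, 10, 23, 15, tzinfo=timezone.utc),
    datetime(2024, 3, 10, 23, 45, tzinfo=timezone.utc),
    datetime(2024, 3, 11, 0, 30, tzinfo=timezone.utc),
]

# Fixed-offset zones keep the example deterministic and dependency-free.
# For production code use zoneinfo.ZoneInfo, which also handles DST shifts.
UTC = timezone.utc
UTC_PLUS_1 = timezone(timedelta(hours=1))   # e.g. Madrid in winter
UTC_MINUS_4 = timezone(timedelta(hours=-4))  # e.g. New York in summer


def day_bucket(ts_utc, tz):
    """Return the calendar day (YYYY-MM-DD) the event falls in for zone tz.

    This mirrors a 'group every day' style grouping: the boundary is local
    midnight in tz, not midnight UTC.
    """
    return ts_utc.astimezone(tz).date().isoformat()


def count_per_day(events, tz):
    """Count events per local calendar day in zone tz."""
    counts = {}
    for ts in events:
        day = day_bucket(ts, tz)
        counts[day] = counts.get(day, 0) + 1
    return counts


def days_over_threshold(events, tz, threshold):
    """Days on which a 'count >= threshold' alert would fire, sorted."""
    return sorted(d for d, n in count_per_day(events, tz).items() if n >= threshold)


if __name__ == "__main__":
    for name, tz in (("UTC", UTC), ("UTC+01:00", UTC_PLUS_1), ("UTC-04:00", UTC_MINUS_4)):
        print(name, count_per_day(EVENTS_UTC, tz), "fires on:", days_over_threshold(EVENTS_UTC, tz, 3))
```

With a threshold of 3 events per day, the same four events make the alert fire on 10 March when evaluated in UTC, on 11 March when evaluated in UTC+01:00, and on 10 March (with a count of 4) in UTC-04:00. This is why an alert definition created under one timezone needs to be revisited when its owner's timezone changes.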
Activate or deactivate an alert
If you want to stop an alert temporarily so that you can start it again in the future, you can deactivate it.
To activate or deactivate an alert, find the desired alert (you can use the filters explained in the section above) and then use the ON/OFF slider at the end of the row.
Active defined alerts limit
You can have up to 300 active alert definitions in your domain. Activating an alert that would exceed this limit fails; to activate it, first deactivate or delete other alerts to free up slots.
If you need to adjust this limit, contact Devo support.
Clone an alert
You can clone an alert definition to quickly edit its details or assign it a different sending policy.
You need to find the alert in question (you can use the filters explained in the section above) and click the ellipsis at the end of the alert row. Then, select Clone, and the Clone Alert Definition window will open. Edit the alert details and parameters, then click Clone. If you want to modify the alert query, you can do so after cloning it (see Edit alert definition and query section above).
The cloned alert is active by default, so it counts toward the active alert limit described above; deactivate it if you only want to keep it as a draft.
Delete an alert
You can delete an alert when it is no longer useful to your domain users. Deleting an alert does not affect the source data or tables that its query reads.
To delete an alert, you need to find the alert in question (you can use the filters explained in the section above) and click the ellipsis at the end of the alert row. Select Delete and then Yes in the warning message that appears.
Remember that you can deactivate an alert if you think it might be useful in the future and you only need to stop it temporarily.