
Manage defined alerts

Devo users with the necessary administrative permissions can perform the tasks shown below with existing alerts. All of these tasks are carried out in the Available Alerts tab of the Administration → Alert Configuration area (see Configuring alerts to see the permissions needed).

Filter alerts

Since the number of existing alerts in a domain is potentially high, the process of filtering alerts provides a quick way of finding them and is, therefore, an instrumental step prior to any other task. There are three different methods with different scopes:

  • Top filter: affects the whole structure (categories, subcategories and the alert list).

  • General filter: affects the alert list displayed.

  • Column filter: affects only a specific column of the alert list displayed.

You can also click a value on the list to use it as a filtering criterion. Clicking a value in the Category or Subcategory columns is equivalent to using the top filter, while clicking a value in the Name or Owner columns is equivalent to using the column filter.

These methods are independent but can be combined to narrow the result further. However, be aware that each reset option only reaches the scope of its corresponding method; in other words, it can only reset the filters that method is capable of applying.

The top filter is a global method somewhat similar to the Data Search finder in the sense that the lists are hierarchical. The box on the left represents the categories, the box on the right represents the subcategories, and the list below shows the alerts that correspond to the selected category-subcategory combination.

  • Selecting a category in the box on the left applies a cascading filter that shows only that category, its subcategories and the alerts inside those subcategories.

  • Selecting a subcategory will cause further cascading to show only the alerts inside that subcategory. If it is selected without selecting a category before, the filtering is performed in both directions of the hierarchy to show only the parent category and the child alerts.

  • Clicking All Categories/Subcategories will reset the filters up to that level. This means All Categories will show everything again while All Subcategories will show everything inside the selected category. These options will be disabled until a selection is made on the corresponding box.

Delete categories

As alerts are created and deleted over time, it's possible that a subcategory no longer contains any alerts. When this happens, Devo lets you know by displaying a Delete button when you hover over the subcategory.

The general filter is one of the methods to filter directly on the alert list displayed. Type the desired string and click Filter to show only those alerts that contain that string in any of their fields (category, subcategory, name, owner, etc.). Click Clear Filter to remove the filtering criteria.

The column filter on each column header is one of the methods to filter directly on the alert list displayed, restricted to a specific column. Click the desired column filter and type the desired string. The alerts are filtered as you type, showing only those that contain that string in that specific column. To remove the filtering criteria, just delete the string.

Assign a sending policy to an alert

Once you've created a sending policy (visit Manage sending policies to learn how), it is available to be assigned to alerts in this area. Find the desired alert and click the paper airplane icon that appears under the Active Policies column.

The Sending Policy window opens for you to specify the Alert notification method and Assigned policies (see the options explained in the table below). Click Apply when you finish.

Alert notification method

Policy based: if you select this option, the notification procedure will be based on existing sending policies.

No notification: if you select this option, no user will be notified when an alert is triggered. This simply means that the alert will not be notified, not that it is not triggered or registered (they will be listed in the Alerts History area and the siem.logtrust.alert.info table).

Default method: if you select this option, only the default sending policy will be used for the notification procedure. This is the default option when you create an alert.

Assigned policies

If you select the policy-based option, you must check one or more checkboxes corresponding to the sending policies you want to assign.

The names of the chosen policies appear under the Policy column. If you choose not to send notifications, a hyphen (-) appears instead so that you can easily recognize alerts that will not be notified.

Edit alert definition and query

You can modify an alert in the Edit Alert Definition window, which you can open by clicking the ellipsis menu and selecting Edit as shown in the picture below. Once you have made the necessary changes, click Update to apply them.

In this window, you can modify Summary, Description, and Priority, as well as the Query that sets the alert definition parameters. However, you cannot change the trigger method.

Whether the specific parameters of each trigger method can be edited is shown in the following table:

Parameter                                      | Trigger method                      | Editable
-----------------------------------------------|-------------------------------------|---------
Period                                         | Several, Low                        | ✓
Threshold                                      | Several, Low, Gradient, Deviation   | ✓
Keys (Keep counter for each value in column)   | Several                             | ✘
Threshold type (Absolute/Percentage)           | Gradient, Deviation                 | ✓
Aggregation columns (Add a numeric column)     | Gradient, Deviation                 | ✘
Run every                                      | Rolling                             | ✓
Check last                                     | Rolling                             | ✓

To change the alert query, simply make the necessary changes in the Query area. Here you can modify the operations performed as well as the source table.

Alternatively, you can open the alert query in the search window to make the necessary changes there by clicking the Edit in Data Search window button above the query. When you finish, select Additional Tools → Set query change in alert (or the button on the toolbar) to go back to the Edit Alert Definition window.

Alerts & Timezones

Alerts run according to the timezone of the user who created them. If that user changes their timezone, the alert definition must be updated manually so that the underlying timezone changes as well.

This is especially relevant for alerts with queries that contain time-based groupings.

Activate or deactivate an alert

If you want to stop an alert temporarily so that you can start it again in the future, you can deactivate it.

To activate or deactivate an alert, find the desired alert (you can use the filters explained in the section above) and then simply use the ON/OFF slider at the end of the row.

Active defined alerts limit

You can have up to 300 alert definitions activated in your domain. You will not be able to activate an alert that would exceed that limit. To activate it, you must first deactivate or delete some other alerts to free up slots.

If you need to adjust this limit, contact Devo support.

Clone an alert

You can clone an alert definition to quickly edit its details or assign it a different sending policy.

You need to find the alert in question (you can use the filters explained in the section above) and click the ellipsis at the end of the alert row. Then, select Clone, and the Clone Alert Definition window will open. Edit the alert details and parameters, then click Clone. If you want to modify the alert query, you can do so after cloning it (see Edit alert definition and query section above).

Once cloned, it is activated by default.

Delete an alert

You can delete an alert when you find it no longer useful to your domain users. This has no impact on the query whose data has been feeding the alert.

To delete an alert, you need to find the alert in question (you can use the filters explained in the section above) and click the ellipsis at the end of the alert row. Select Delete and then Yes in the warning message that appears.

Remember that you can deactivate an alert if you think it might be useful in the future and you only need to stop it temporarily.
