Creating alert definitions
What permissions do I need?
In order to define new alerts, you need to have a role with the Manage version of the Alert configuration permission, as well as Manage rights for My Alerts or any other subcategory of assigned alerts (more info about permissions here).
Additionally, as you need to access data searches to create alerts, you need the permission required for that, the Finders permission (visit Run a search using a finder to know more).
How do I create new alerts?
Alerts are tasks that continually monitor active queries to look for and report on specific events or conditions. Therefore, alerts are created from within the Data Search area where queries are made.
Open the required data table and perform the operations and filters necessary to identify the alert condition.
Then, select New Alert Definition on the toolbar
Specify the settings you need for your alert in the Alert definition window. You can find the different fields described here.
Click Create to save the alert.
The new alert is automatically associated with the default sending policy. You can choose a different one in the Administration → Alert Configuration area, which you can access directly by clicking the Configure Alerts button on the confirmation message (see the instructions in Assign a sending policy to an alert definition).
Active alert definitions limit
Newly created domains can have up to 10 alert definitions activated while domains with a full subscription can have up to 300.
When you create a new alert that exceeds that limit, it will be automatically deactivated upon creation. To activate it, you can either deactivate other alerts or delete them to free up some slots.
If you need to adjust this limit, contact Devo support.
Alert definition window
This is where you must specify the information to configure your alert as precisely as possible to create the alert as you require it. Find the different fields and settings explained in the articles below.
Create an alert based on triggered alerts
Once alerts are triggered by the occurrence of the conditions specified during the creation process, they will be registered in a table called siem.logtrust.alert.info
. By querying the data in this table, you can access the complete history of alerts and therefore create an alert based on other alerts.
You just need to follow the procedure explained above: perform the necessary operations as you would do in any other table to prepare the data and then use the new alert definition menu to specify the settings.
For example, you may want to be notified when a set of related alerts all occur within a short period of time or if a single alert triggers more than n times in a single hour.
Can I create alerts with all queries?
You can create alerts with a variety of queries and tables, however, there are some restrictions.
Restriction 1: blocked queries
You cannot create an alert on a query that has been blocked or added to your aliased finder. The New Alert Definition button will not appear in the toolbar and you will see the Incognito Mode button. Click it and select to clone the query in order to be able to create the alert.
Restriction 2: injected tables
You must not create alerts on tables that have been injected with data from another table (my.app tables) as they will not work as expected.
Restriction 3: lookup tables
You cannot create alerts on tables that contain lookup data (my.lookuplist tables) as the New Alert Definition button will not appear in the toolbar.
Restriction 4: subqueries
You cannot create alerts using queries that contain subqueries. If you try, the alert definition window will show a warning at the bottom, and clicking the create button will have no effect.
The only exception to this rule is the each-type alert, which allows the use of subqueries with specific limitations. For more details on these restrictions and all the features of this type of alerts, please visit this article.