
Alert definitions settings

Alert definition window explained

[Image: Alert definitions settings window]

Name

Required

This should be a descriptive title for this alert that clearly indicates its purpose. It will appear in the triggered alerts page in the Alert name column, and in the e-mail subject when delivered via e-mail.

The name must be unique within the domain (case-insensitive; special characters are allowed). To enforce this, the field includes a validation check that tells you if the intended name is already taken.

[Image: Alert name validation check]

Subcategory

Required

Alerts created by Devo users are always created under the My Alerts category. This is the subcategory you will use to group this alert.

Select one from the dropdown menu, using the search box if needed. If the desired subcategory does not exist, you can create a new one: type the desired name and click the field below it, or press Enter on your keyboard.

Summary

A short message used to identify the alert condition. This text is displayed in the triggered alerts page, found in the Summary column.

You can include the field values associated with the alert in the Summary using the case-sensitive variable $fieldName. Only fields strictly related to the alert are valid, and they depend on the trigger method used. See each Alert trigger method for the accepted fields.

Mandatory in certain cases

Even though it is not mandatory, it is highly recommended, since it determines whether the alert integrates and dispatches correctly through certain delivery methods:

  • PagerDuty: if empty, the alert will not be notified when triggered.

Description

The full description of the alert condition. In the triggered alerts page, this is the information displayed when you use the drop-down control to expand the Summary.

You can include the field values associated with the alert in the Description using the case-sensitive variable $fieldName. Only fields strictly related to the alert are valid, and they depend on the trigger method used. See each Alert trigger method for the accepted fields.

Mandatory in certain cases

Even though it is not mandatory, it is highly recommended, since it determines whether the alert integrates and dispatches correctly through certain delivery methods:

  • Email: this text will appear in the email body.

  • Jira: if empty, you will get an error message when the alert is triggered.

  • PagerDuty: if empty, the alert will not be notified when triggered.
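The Name, Summary and Description rules above (unique name per domain compared case-insensitively, $fieldName placeholders limited to the trigger method's fields, and non-empty text where Jira or PagerDuty need it) can be checked before an alert is saved. The following pre-flight linter is an added example, not Devo's own code; the trigger-method field list and the sample alert are constructed for the demo, and the real accepted fields come from each Alert trigger method.

```python
import re
from string import Template

# Delivery methods that, per the settings above, need a non-empty Summary or
# Description to notify successfully (Email just puts the Description in the body).
NEEDS_SUMMARY = {"pagerduty"}
NEEDS_DESCRIPTION = {"jira", "pagerduty"}
PLACEHOLDER_RE = re.compile(r"\$(\w+)")  # $fieldName references in Summary/Description


def name_is_taken(name, existing_names):
    """Alert names are unique per domain, compared case-insensitively."""
    return name.strip().casefold() in {n.strip().casefold() for n in existing_names}


def unknown_fields(text, allowed_fields):
    """$fieldName placeholders that the chosen trigger method does not provide."""
    return sorted(set(PLACEHOLDER_RE.findall(text)) - set(allowed_fields))


def render(text, field_values):
    """Fill $fieldName placeholders with the triggered alert's values (case-sensitive)."""
    return Template(text).safe_substitute(field_values)


def lint_alert(defn, existing_names, allowed_fields, delivery_methods):
    """Return the problems that would make the alert error or fail to notify silently."""
    problems = []
    name = defn.get("name", "")
    if not name.strip():
        problems.append("name: required")
    elif name_is_taken(name, existing_names):
        problems.append("name: already taken in this domain (case-insensitive)")
    summary, description = defn.get("summary", ""), defn.get("description", "")
    for label, text in (("summary", summary), ("description", description)):
        bad = unknown_fields(text, allowed_fields)
        if bad:
            problems.append(f"{label}: fields not valid for this trigger method {bad}")
    methods = {m.casefold() for m in delivery_methods}
    if not summary.strip() and methods & NEEDS_SUMMARY:
        problems.append("summary: empty, PagerDuty will not be notified")
    if not description.strip() and methods & NEEDS_DESCRIPTION:
        problems.append("description: empty, Jira will error and PagerDuty will not notify")
    return problems


# Constructed sample; the field list is hypothetical, not a real trigger method's.
SAMPLE_FIELDS = ["srcIp", "count"]
SAMPLE_EXISTING = ["Brute force SSH"]
SAMPLE_ALERT = {"name": "brute force ssh", "summary": "$count failures from $srcIp",
                "description": ""}


def lint_sample():
    return lint_alert(SAMPLE_ALERT, SAMPLE_EXISTING, SAMPLE_FIELDS, ["Email", "Jira"])
```

Running `lint_sample()` on the constructed alert reports the clashing name and the empty Description that Jira would reject.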

Priority

Required

Indicates the priority assigned to this type of alert. Choose from five levels: Very Low, Low, Medium, High, and Very high.

Timezone

Required

This field sets the timezone used to adapt the query that monitors the alert conditions. The timezone selected by default is taken from your user session, but you can select a different one from the dropdown.

Type (Trigger method)

Required

In the lower part of the window, you will see the methods you can use, according to the transformations you applied in the query:

Sending policies

Required

  • None: no notification will be sent when an alert is triggered but triggered alerts will still be listed in the Alerts overview area and the siem.logtrust.alert.info table.

  • Default: only the default sending policy will be used for the notification process. Selecting this option will show the default policy details for reference, including the schedule, delivery method, and anti-flooding policy.

  • Existing policies: the notification procedure will be based on existing sending policies. Selecting this option will show a dropdown you can use to select the desired policies. Click the X on the right of the field to remove all selected policies or click the X next to each of them to remove them individually.

There is an option at the top right of the sending policies section to open the Alert configuration area in a different browser tab, where you can check the details of the existing policies. Learn more about sending policies in this article.

Trigger methods explained
