Help Document

Alerts

The Alerts tab gives an overview of all the alerts raised based on the risk scores and detected anomalies.

[Screenshot: alerts]

These alerts are categorized based on their severity as critical, trouble, and attention. To view the alerts in each category, click on the required tab. For instance, clicking on Trouble Alerts will give you a list of all the alerts that indicate a moderate amount of risk in your environment.

Note: In this document, "Alert Profile" refers to the conditions set for an alert. "Alert" refers to an alert that has been triggered. An alert is triggered if the conditions set in the alert profile are met.

Enabling, disabling, and customizing alert profiles

To enable pre-built alert profiles or to add new ones, click on the Manage Profiles button in the top right corner of the Alerts tab. The Manage Profiles page will open.

[Screenshot: enabling-disabling-customizing-alert-profiles]

Enabling and disabling alert profiles

The Manage Profiles page gives an overview of the alert profiles that are currently enabled or disabled. The green-tick icon in the Actions column signifies that an alert profile has been enabled.

To enable, disable, or delete alert profiles:

  • Click on the green-tick of the required alert profile to disable it.
  • Click on the red-slash of the alert profile to enable it.
  • Click on the delete icon to delete the alert profile.

This page also lists all the alert profiles that are available, both default and user-created ones. The number of alerts raised for each profile, the type, the severity, and the threshold are displayed in the table.

Number of alerts

The Number of Alerts column displays the number of alerts raised for each alert profile. By clicking on the number, you will be taken to the list of alerts for that alert profile. There you can see the time at which each alert was raised, the alert format, entity type, status, and the risk score.

Customizing alert profiles

To customize an existing alert profile, click on the edit icon. The Add Alert Profile page will appear with the existing conditions for triggering the alert already filled in. For instance, clicking on the edit icon for the existing FTP Logon Alert Profile gives you the page shown below. You can modify the pre-set conditions here.

[Screenshot: customizing-alert-profiles]

Default Alert Profiles

The solution provides nine default alert profiles. These alert profiles can be enabled, disabled, or customized. The list of available default profiles is shown in the image below.

[Screenshot: default-alert-profiles]

Managing triggered alerts

[Screenshot: managing-triggered-alerts]

To manage an alert that has been raised, simply click on the alert and the Format Message popup will appear. All the granular details related to the alert and the options to manage it will be available here.

Assign to: Click on the dropdown to assign the technician to investigate the alert.

Severity: You can change the severity of the alert to critical, attention, or trouble by clicking on the drop down provided and selecting the required level.

Status: The status of the alert can be changed to open, closed, or unassigned by clicking on the drop down and selecting the required status.

More details: Clicking on more details will give you information on the threshold, the threshold interval, and more.

Notes: To add a note for an alert, type the message in the space under the notes section and click on save. If a note is added to an alert, it will be displayed next to the checkbox.

Contributed Anomalies: Clicking on Contributed Anomalies will give you details of each instance that contributed to the alert getting triggered.

[Screenshot: contributed-anomalies]

Assigning, deleting, and changing the status of alerts

[Screenshot: assigning-deleting-changing-of-alerts]

Click on an individual alert, or click on the check boxes to select multiple alerts.

Once the alerts are selected, the options Assign, Status, and Delete will appear. You can use these options to act on all the selected alerts at once.

Adding an alert profile

To add an alert profile, click on the +Add Alert Profile button on the top right corner of the screen. The Add Alert Profile page will appear.

[Screenshot: adding-an-alert-profile]

  1. Enter the alert name and description (the description is optional).
  2. Select the required severity level.
  3. Select report, entity, or risk card to specify what the alert is based on.
  4. Click on the + sign in the Select Report field to set the required reports.
  5. Click on the + sign in the Select Entity field to set the entity, host, or Active Directory group. If you choose an Active Directory group, all the users within that group are configured for the alert in one go.
  6. Add an alert message in the required format.
  7. Click on Save Changes.

Adding a filter for selected reports

Once a report is selected in the Select Report field, the Add Filter option will appear.

[Screenshot: adding-filter-fo-selected-reports]

The conditions associated with the report can be granularly refined by selecting the report field and setting the values.

Note: Setting filters for reports is optional.

[Screenshot: setting-filters]

Advanced configuration for Report and Entity-based alerts

For report- and entity-based alerts, there is an option to set the Threshold and the Time Range. The threshold is the number of anomalies that must occur within a given time interval for an alert to be raised. Users can choose between Manual and Smart Thresholds while configuring alert profiles. Under Time Range, users can choose between Business Hours and Non-Business Hours.

Smart Threshold for Alerts

The Smart Threshold feature in Log360 UEBA leverages machine learning capabilities to learn and obtain a threshold value to raise alerts for anomalies. The threshold value is obtained by analyzing the usual number of anomalies occurring in a given time.

Users don't have to rely on entering a value (i.e., the number of anomalies to look for) manually while setting thresholds in alert profiles. Smart thresholds will help reduce the false positives and increase the true positives, as the ML algorithms constantly observe anomaly behavior and update the Threshold value.

Enabling Smart Threshold in alert profiles

  1. In the Advanced Configuration dropdown, enable Threshold and select Smart Threshold.
  2. Now enter the time frame in minutes. The number of anomalies to look for in the time frame is auto-assigned using ML.
     Note: The Number of anomalies value is assigned and updated only when sufficient data points are available.

[Screenshot: Smart Threshold for Alerts]
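The following Python script is an added illustration of the threshold mechanism described in the Advanced Configuration and Smart Threshold sections above; it is not Log360 UEBA's code. It counts anomalies for an entity inside a sliding time window, compares the count against either a manual threshold or a learned one, and honours a Business Hours / Non-Business Hours time range. The page does not describe the product's ML method, so a simple baseline statistic (mean plus two standard deviations of past per-window counts, assigned only once a minimum number of history windows exists) stands in for it; the 09:00-18:00 weekday schedule, the window sizes, and the anomaly timestamps are all constructed for the example.

```python
"""Sliding-window anomaly counting with a manual or learned ("smart") threshold.

Added illustration for this help page, not Log360 UEBA's own code. The smart
threshold below is an assumed baseline statistic, not the product's algorithm.
"""
import math
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Assumed: minimum number of past windows before a smart threshold is assigned
# (mirrors the note that the value is assigned only with sufficient data points).
MIN_DATA_POINTS = 5

# Constructed sample data: anomaly timestamps for one entity on a Monday morning.
ANOMALIES = [
    datetime(2024, 3, 4, 9, 5),                                 # window 09:00-09:10
    datetime(2024, 3, 4, 9, 12), datetime(2024, 3, 4, 9, 18),   # window 09:10-09:20
    datetime(2024, 3, 4, 9, 25),                                # window 09:20-09:30
    datetime(2024, 3, 4, 9, 33), datetime(2024, 3, 4, 9, 38),   # window 09:30-09:40
    datetime(2024, 3, 4, 9, 45),                                # window 09:40-09:50
    datetime(2024, 3, 4, 9, 51), datetime(2024, 3, 4, 9, 53),   # current window
    datetime(2024, 3, 4, 9, 55), datetime(2024, 3, 4, 9, 57),   # 09:50-10:00:
    datetime(2024, 3, 4, 9, 58), datetime(2024, 3, 4, 9, 59),   # a burst of six
]
NOW = datetime(2024, 3, 4, 10, 0)

# Constructed alert profiles (field names are assumptions for this example).
MANUAL_PROFILE = {"threshold_mode": "manual", "threshold": 10,
                  "window_minutes": 10, "time_range": "business"}
SMART_PROFILE = {"threshold_mode": "smart", "history_periods": 5,
                 "window_minutes": 10, "time_range": "business"}
NON_BUSINESS_PROFILE = dict(SMART_PROFILE, time_range="non_business")


def anomalies_in_window(timestamps, end, window_minutes):
    """Count anomalies in the half-open interval (end - window, end]."""
    start = end - timedelta(minutes=window_minutes)
    return sum(1 for ts in timestamps if start < ts <= end)


def historical_counts(timestamps, end, window_minutes, periods):
    """Per-window anomaly counts for the `periods` windows preceding `end`."""
    counts = []
    for i in range(1, periods + 1):
        window_end = end - timedelta(minutes=window_minutes * i)
        counts.append(anomalies_in_window(timestamps, window_end, window_minutes))
    return counts


def smart_threshold(counts, k=2.0):
    """Learn a threshold from past counts; None until enough data points exist."""
    if len(counts) < MIN_DATA_POINTS:
        return None
    return max(1, math.ceil(mean(counts) + k * pstdev(counts)))


def in_business_hours(ts, start_hour=9, end_hour=18):
    """Assumed schedule: weekdays 09:00-18:00 count as business hours."""
    return ts.weekday() < 5 and start_hour <= ts.hour < end_hour


def evaluate(profile, timestamps, now):
    """Return (alert_raised, threshold_used, current_count) for one profile."""
    wants_business = profile["time_range"] == "business"
    if in_business_hours(now) != wants_business:
        return (False, None, 0)  # outside the profile's time range: not evaluated
    window = profile["window_minutes"]
    count = anomalies_in_window(timestamps, now, window)
    if profile["threshold_mode"] == "manual":
        threshold = profile["threshold"]
    else:
        history = historical_counts(timestamps, now, window, profile["history_periods"])
        threshold = smart_threshold(history)
        if threshold is None:
            return (False, None, count)  # not enough history yet
    return (count >= threshold, threshold, count)


if __name__ == "__main__":
    for name, profile in (("manual", MANUAL_PROFILE), ("smart", SMART_PROFILE),
                          ("non-business", NON_BUSINESS_PROFILE)):
        print(name, evaluate(profile, ANOMALIES, NOW))
```

With the constructed data, the manual profile with a threshold of 10 stays silent on a burst of six anomalies, while the learned threshold (past windows of 1, 2, 1, 2, 1 anomalies give a threshold of 3) raises the alert; with fewer than five history windows no smart threshold is assigned and nothing fires, which is the behaviour the note about sufficient data points describes.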

Alert Notification

You can enable notifications for the alert profile by choosing the notification template you want to use from the available list.

[Screenshot: email-notification]

Configuring the mail server: Please refer to the Server settings page.

Setting filters

Filtering alerts based on the time range

[Screenshot: filtering-alerts-based-on-the-time-range]

To view alerts in a specific time range, click on the calendar icon on the top right corner of the screen. Once the required range is set, only the alerts raised in that specific period will be displayed.

Filtering alerts based on Severity, Status, Technician, and the Profile

[Screenshot: filtering-alerts-based]

Click on the filter icon on the top right corner of the screen to filter alerts based on severity, status, technician, and the profile.

[Screenshot: trouble-alerts]

Click on the check boxes to set the necessary conditions for filtering alerts and click on Apply. The alerts that satisfy the conditions set will be displayed.

Exporting Alerts

You can export alerts for a chosen time range in CSV, PDF, XLS, and HTML report formats. This will help you submit the reports to management and aid intelligent decision-making.

[Screenshot: Exporting Alerts]

You can also review the history of alert exports.

[Screenshot: Exporting Alerts (export history)]