
How to create an alert profile

EventLog Analyzer provides predefined alert profiles and the ability to define customized criteria for specific requirements.

Creating Alert Profiles

To create an alert profile, click on +Add in the top right corner of the navigation bar. You can also add an alert profile by clicking on the "Add Profile" button in the Manage Profile page.


Here's what you can do to create an alert profile:

  1. Enter a unique name for the alert profile.
  2. Assign a criticality to the alerts generated using this profile. Choose from Critical, Trouble and Attention.
  3. Click on the + icon to select the device(s) and/or device group(s) that should generate this alert.
  4. Click on the + icon to define the alert criteria.
  5. The alert criteria can be chosen from the following categories:
    • Predefined Alerts - choose from a vast collection of predefined alert criteria. This saves time, and you can set up an alert profile with minimum effort.
    • Compliance Alerts - contains a list of predefined alert criteria to help you comply with IT regulations.
    • Custom Alerts - customize your own alert conditions based on log message, type, and more. This option is useful for setting alerts on imported logs.
  6. You can customize your alert message by adding information such as User Account Name and more.
  7. Clicking on +Add near the Alert Format Message section will open another pop-up. There you can set the variables by clicking on the drop-down and enter the required message format in the space provided.
  8. You can use the Advanced Configuration to tweak the alert trigger conditions in order to reduce alert noise. The Advanced Configuration has 2 fields:

    Threshold

    You can set the threshold for alerts based on the number of occurrences of an event within a specific time frame. There are 2 threshold modes: Manual and Smart.

    • In Manual Threshold mode, you have to assess and set the values for the number of events and the time interval in minutes yourself.
    • In Smart Threshold mode, you only have to enter the time interval. EventLog Analyzer analyzes the usual occurrence of events using ML algorithms and automatically determines the number of events that is ideal for reducing false-positive triggers.

    Time Range

    You can use Time Range to configure working hours.

  9. Under Alert Notifications, you can configure the Notification Settings and the Workflow for the alert profile.

    Notification Settings

    • Select the preferred time during which the notification has to be sent.
    • Choose the preferred medium for receiving notifications. You can choose Email Notification, SMS Notification, or both. You can find the steps to configure the mail server and SMS server here.

    Workflow

    • Check the Enable Workflow box to select the required workflow, or to add a new workflow for the alert profile.
  10. Click Save Profile.
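The threshold and time-range settings above are easiest to understand as a sliding window over matching events. The following is an added example, not EventLog Analyzer's own code: a Manual-mode evaluator that fires when N matching events arrive within T minutes and ignores events outside configured working hours, plus a baseline-derived count that stands in for the Smart mode (the mean-plus-k-sigma formula is an assumption here, not the product's ML model). The event tuple layout, the field names and the sample events are all constructed.

```python
"""Added example (not EventLog Analyzer's own code): a sliding-window
threshold evaluator with an optional working-hours time range, modelled on
the Manual/Smart threshold and Time Range settings described above.
The event layout, the baseline formula and the sample data are constructed."""
from collections import deque
from datetime import datetime, time, timedelta
from math import ceil
from statistics import mean, pstdev


class ThresholdAlert:
    """Fire when `count` matching events occur within `window_minutes`.

    `event_id` is the criterion (e.g. a failed-logon event). `active_hours`
    is a (start, end) pair of datetime.time values; events outside it are
    ignored, which is how the Time Range setting is modelled here (assumption).
    """

    def __init__(self, event_id, count, window_minutes, active_hours=None):
        self.event_id = event_id
        self.count = count
        self.window = timedelta(minutes=window_minutes)
        self.active_hours = active_hours

    def _in_active_hours(self, ts):
        if self.active_hours is None:
            return True
        start, end = self.active_hours
        return start <= ts.time() < end

    def evaluate(self, events):
        """Return the timestamps at which the alert fires.

        `events` is an iterable of (timestamp, event_id, user) tuples sorted
        by time. After a trigger the window is reset so one burst yields one
        alert rather than one alert per additional event.
        """
        recent = deque()
        fired = []
        for ts, eid, _user in events:
            if eid != self.event_id or not self._in_active_hours(ts):
                continue
            recent.append(ts)
            # Drop events that have fallen out of the sliding window.
            while recent and ts - recent[0] > self.window:
                recent.popleft()
            if len(recent) >= self.count:
                fired.append(ts)
                recent.clear()
        return fired


def baseline_threshold(window_counts, k=3.0, floor=2):
    """Stand-in for Smart mode (assumption, not the product's ML model):
    derive the event count from historical per-window counts as
    mean + k * population standard deviation, never lower than `floor`."""
    if not window_counts:
        return floor
    est = ceil(mean(window_counts) + k * pstdev(window_counts))
    return max(est, floor)


# Constructed sample events (timestamp, event_id, user); 4625 stands for a
# failed logon and 4624 for a successful one. Not real log data.
SAMPLE_EVENTS = [
    (datetime(2024, 5, 6, 9, 0, 0), 4625, "alice"),
    (datetime(2024, 5, 6, 9, 0, 30), 4625, "alice"),
    (datetime(2024, 5, 6, 9, 1, 0), 4624, "alice"),   # success, not counted
    (datetime(2024, 5, 6, 9, 1, 10), 4625, "alice"),
    (datetime(2024, 5, 6, 9, 1, 40), 4625, "alice"),
    (datetime(2024, 5, 6, 9, 1, 50), 4625, "alice"),  # 5th in 2 min -> fires
    (datetime(2024, 5, 6, 9, 40, 0), 4625, "bob"),
    (datetime(2024, 5, 6, 22, 0, 0), 4625, "bob"),    # outside 08:00-18:00
    (datetime(2024, 5, 6, 22, 0, 5), 4625, "bob"),
    (datetime(2024, 5, 6, 22, 0, 10), 4625, "bob"),
    (datetime(2024, 5, 6, 22, 0, 15), 4625, "bob"),
    (datetime(2024, 5, 6, 22, 0, 20), 4625, "bob"),
]


def demo(active_hours=(time(8, 0), time(18, 0))):
    """Manual mode: 5 failed logons within 2 minutes, during working hours."""
    manual = ThresholdAlert(4625, count=5, window_minutes=2,
                            active_hours=active_hours)
    return manual.evaluate(SAMPLE_EVENTS)


if __name__ == "__main__":
    print("fired at:", demo())
    print("fired at (no time range):", demo(active_hours=None))
    print("smart count from baseline:", baseline_threshold([1, 2, 1, 0, 2, 1, 3]))
```

Resetting the window after a trigger is the choice that keeps a single brute-force burst from producing one alert per extra event; whether the product does the same is not stated on this page.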

Predefined Alerts

Select Predefined Alert under Define Criteria:

  • Select the log type and then choose the desired category.
  • Among the reports, select the desired report by clicking on the radio button next to it.
  • Append new criteria to predefined alert by clicking + Add Criteria.
  • You can use the Advanced settings to tweak the alert trigger conditions in order to reduce alert noise. Here you can set the threshold (number of occurrences of an event within a specific time frame) and time range (working hours) for the alert profile.

You can then specify the notification type for the alert profile.

Compliance Alerts

Compliance alerts contain sets of predefined compliance-related alerting criteria to notify you of any violation of IT regulations. EventLog Analyzer provides granular audit reports to help you comply with regulations such as PCI DSS, SOX, HIPAA, GLBA, PDPA, NIST, CCPA, GDPR, ISO 27001:2013, and more. The compliance alerts detect anomalies such as policy changes, privilege escalations, sensitive file access and modification events, and unauthorized logons to help you mitigate internal and external threats.

You can then specify the notification type for the alert profile created.

Custom Alerts

  • You can define any number of criteria and group them with AND/OR operations.
  • To define alert criteria, choose desired attributes from the predefined list.
  • Specify the values for the attributes. Select the comparator and then provide the value for the attributes.
  • With drag and drop, you can group and ungroup the alert criteria.

Generating Alerts for Imported Logs

With EventLog Analyzer's Advanced Custom Alert option, you can generate alerts on custom extracted fields for Oracle, Microsoft SQL, print servers, IIS, and other imported application logs.

To generate an alert for a specific custom extracted field of an imported log, choose the log type and select the imported log for which you need to trigger alerts. EventLog Analyzer automatically populates all the custom extracted fields for the selected log type; choose the field you want from the list and then specify the value of that field upon whose occurrence the alert has to be triggered.

Note: To add multiple custom extracted fields, use the + option.

You can then specify the notification type for the alert profile created.

Using vulnerability and misconfiguration comparators:

  • Is Vulnerable: Check if a device is tagged as vulnerable in Endpoint Central.
  • Vulnerable To: Identify devices vulnerable to specific attacks (e.g., CVE-2023-38831).
  • Misconfigured For: Detect devices with misconfigurations identified by Endpoint Central (e.g., Windows Credential Guard disabled).

Note: To use the vulnerability and misconfiguration comparators, first configure data enrichment for ManageEngine Endpoint Central. Click here to learn how.
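The Custom Alerts section above (attribute, comparator, value triples grouped with AND/OR) and the vulnerability and misconfiguration comparators just listed both reduce to evaluating a criteria tree against a log record. The following is an added example, not EventLog Analyzer's or Endpoint Central's code: a small evaluator for such a tree, with ordinary comparators for log fields (including custom extracted fields, which are just further keys on the record) and the Is Vulnerable / Vulnerable To / Misconfigured For comparators answered from a constructed enrichment table that stands in for the Endpoint Central data. The record layout, the comparator names, the device names and the sample records are assumptions; the CVE id and the Credential Guard misconfiguration are the examples given on this page.

```python
"""Added example (not EventLog Analyzer's own code): evaluate nested
AND/OR alert criteria against log records, including device-enrichment
comparators. Field names, comparator names and sample data are constructed."""
from dataclasses import dataclass, field
from typing import Any, List, Union


@dataclass
class Criterion:
    """One row of the criteria builder: attribute, comparator, value."""
    attribute: str
    comparator: str
    value: Any = None


@dataclass
class Group:
    """A drag-and-drop group of criteria joined by AND or OR."""
    op: str
    children: List[Union[Criterion, "Group"]] = field(default_factory=list)


# Constructed stand-in for Endpoint Central enrichment data (assumption):
# device name -> vulnerability flag, known CVEs, detected misconfigurations.
ENRICHMENT = {
    "ws-042": {"vulnerable": True,
               "cves": {"CVE-2023-38831"},
               "misconfigurations": {"Windows Credential Guard disabled"}},
    "srv-db1": {"vulnerable": False, "cves": set(), "misconfigurations": set()},
}
_NO_INFO = {"vulnerable": False, "cves": set(), "misconfigurations": set()}


def _device_info(record):
    # Unknown devices are treated as not vulnerable rather than as a match.
    return ENRICHMENT.get(record.get("device"), _NO_INFO)


# Each comparator receives (actual field value, expected value, whole record).
COMPARATORS = {
    "equals": lambda actual, expected, rec: actual == expected,
    "not_equals": lambda actual, expected, rec: actual != expected,
    "contains": lambda actual, expected, rec: isinstance(actual, str) and expected in actual,
    "starts_with": lambda actual, expected, rec: isinstance(actual, str) and actual.startswith(expected),
    "in": lambda actual, expected, rec: actual in expected,
    # Enrichment-backed comparators from the page; the value is the CVE id or
    # misconfiguration name, the attribute is the device field.
    "is_vulnerable": lambda actual, expected, rec: _device_info(rec)["vulnerable"],
    "vulnerable_to": lambda actual, expected, rec: expected in _device_info(rec)["cves"],
    "misconfigured_for": lambda actual, expected, rec: expected in _device_info(rec)["misconfigurations"],
}


def evaluate(node, record):
    """Return True if `record` satisfies the criteria tree rooted at `node`.

    An empty AND group is vacuously true and an empty OR group is false,
    matching all() / any() semantics."""
    if isinstance(node, Group):
        results = (evaluate(child, record) for child in node.children)
        if node.op == "AND":
            return all(results)
        if node.op == "OR":
            return any(results)
        raise ValueError(f"unknown group operator {node.op!r}")
    try:
        compare = COMPARATORS[node.comparator]
    except KeyError:
        raise ValueError(f"unknown comparator {node.comparator!r}") from None
    return bool(compare(record.get(node.attribute), node.value, record))


def match_profile(criteria, records):
    """Return the records that would trigger an alert profile with `criteria`."""
    return [rec for rec in records if evaluate(criteria, rec)]


# Constructed sample records; 4688 stands for process creation, 4624 for logon.
SAMPLE_LOGS = [
    {"device": "ws-042", "event_id": 4688, "process": "C:\\Temp\\update.exe", "user": "alice"},
    {"device": "srv-db1", "event_id": 4688, "process": "C:\\Windows\\System32\\svchost.exe", "user": "SYSTEM"},
    {"device": "ws-042", "event_id": 4624, "process": "", "user": "alice"},
]

# Process creation on a device that is either vulnerable to the CVE named on
# the page or has the misconfiguration named on the page.
PROFILE = Group("AND", [
    Criterion("event_id", "equals", 4688),
    Group("OR", [
        Criterion("device", "vulnerable_to", "CVE-2023-38831"),
        Criterion("device", "misconfigured_for", "Windows Credential Guard disabled"),
    ]),
])

if __name__ == "__main__":
    for rec in match_profile(PROFILE, SAMPLE_LOGS):
        print("ALERT:", rec["device"], rec["event_id"], rec["process"])
```

Treating an unknown device as "no enrichment data" rather than as vulnerable is deliberate: an enrichment comparator should only fire on positive evidence, otherwise every device missing from the inventory would raise the alert.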

Default Alert Profiles

EventLog Analyzer has prebuilt alert profiles that are enabled by default. To make it easier for users, newly added devices will also get added automatically to the corresponding alert profile(s) based on the device types selected in the alert profile. For example, firewalls will be automatically added to alert profiles based on network devices.

You can edit, enable, disable, and delete the default alert profiles.

Note: When you edit a default custom alert profile, auto-addition stops. For example, if you manually add devices to an alert profile, devices will no longer be added automatically to that alert profile.

Copyright © 2020, ZOHO Corp. All Rights Reserved.
