Log360 Cloud's alerting and incident management modules help security teams detect and mitigate security threats at an early stage. This section elaborates on how you can trigger and manage alerts.
Creating Alert Profiles
Alert profiles allow you to define the criteria to trigger an alert. You can set up multiple alerts with different criteria by creating multiple alert profiles. Follow the steps given below to create an alert profile:
- Navigate to the Alerts tab and click on Manage Profiles in the top right corner.
- Click on the + Add Alert Profile button.
- Provide a unique name for the alert profile in the Alert Name field.
- Assign a criticality to the alert profile. Choose from Critical, Trouble and Attention.
- In the Select Device field, click on the + icon to select the device(s) and/or device group(s) for which the alert profile must be configured.
- In the Select Alert field, click on the + icon to define the alert criteria.
- The alert criteria can be chosen from the following categories:
  - Predefined alerts - This is a collection of predefined alert profiles that address common use cases. Using the predefined alerts, you can save time and set up an alert profile with minimal effort.
  - Compliance alerts - This is a collection of predefined compliance-specific alerting conditions. These alerts will help you comply with regulations such as the CCPA, FISMA, PCI DSS, HIPAA, SOX, and ISO 27001:2013. Each predefined set of compliance alerts tracks security events such as failed logon attempts, policy changes, and account changes that fall under the scope of the specified regulation.
  - Custom alerts - Customize your alert condition based on the log message, type, and more. This option is useful for setting alerts for requirements specific to your organization. You can define conditions and group them with AND/OR operations. Select the comparator and then provide the value for the attributes. With drag and drop functionality, you can group and ungroup the alert criteria.
- In the Alert Format Message field, you can customize your alert message by adding information such as the event name, source, and more. To set the variables, click on +Add near the Alert Format Message.
- Under Alert Notification, tick the Email Notification check box if you want to receive an email when the alert is triggered, and provide the required details such as the receiver's email address, subject line, and message text. The default mail content is shown in the Message field. You can modify this message according to your requirements and add arguments from the Macros list.
- Tick the Threshold check box under Advanced Configuration to receive threshold-based alerts. A threshold-based alert is triggered when the specified number of events occurs within the given time window. For threshold alerts, the number of events can range from 2 to 10 and the time window must be within 99 minutes. A single threshold alert can be evaluated 10000 times per hour. Log processing for threshold alert profiles is scheduled every 15 minutes, so a slight delay in the generated reports is to be expected compared to normal alerts. Once the set threshold is met, you will receive alerts.
Note: Alert notification emails are restricted to 5000 per day. Alert notification emails will stop once the limit is reached and will resume the next day.
- Click the Save Profile button once you have specified all the necessary fields.
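The following Python example is added here to illustrate how the custom-alert criteria (AND/OR groups with comparators) and the threshold option (N events within T minutes, with N limited to 2 to 10 and T to 99 minutes) described above combine when evaluated. It is not Log360 Cloud code: the event fields, comparator names and sample events are all constructed for the illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (illustrative only, not real Log360 Cloud log data).
SAMPLE_EVENTS = [
    {"time": "2024-03-01 09:00:05", "type": "logon_failure", "source": "ws-01", "user": "alice"},
    {"time": "2024-03-01 09:02:40", "type": "logon_failure", "source": "ws-01", "user": "alice"},
    {"time": "2024-03-01 09:03:10", "type": "logon_success", "source": "ws-01", "user": "bob"},
    {"time": "2024-03-01 09:06:55", "type": "logon_failure", "source": "ws-01", "user": "alice"},
    {"time": "2024-03-01 09:59:00", "type": "logon_failure", "source": "ws-02", "user": "carol"},
]

# Comparators a custom alert condition may use (names are assumed, not Log360's own).
COMPARATORS = {
    "equals": lambda actual, expected: actual == expected,
    "not equals": lambda actual, expected: actual != expected,
    "contains": lambda actual, expected: expected in actual,
}

def matches(event, criteria):
    """Evaluate an AND/OR-grouped criteria tree against one event.

    A leaf is {"field", "comparator", "value"}; a group is
    {"op": "AND"|"OR", "conditions": [...]} and groups may nest.
    """
    if "op" in criteria:
        results = [matches(event, c) for c in criteria["conditions"]]
        return all(results) if criteria["op"] == "AND" else any(results)
    actual = event.get(criteria["field"], "")
    return COMPARATORS[criteria["comparator"]](actual, criteria["value"])

def threshold_alert(events, criteria, count, minutes):
    """Return the time at which the threshold is first met, or None.

    Enforces the documented limits: 2 to 10 events within at most 99 minutes.
    """
    if not 2 <= count <= 10:
        raise ValueError("threshold count must be between 2 and 10")
    if not 1 <= minutes <= 99:
        raise ValueError("threshold window must be within 99 minutes")
    times = sorted(datetime.strptime(e["time"], "%Y-%m-%d %H:%M:%S")
                   for e in events if matches(e, criteria))
    window = timedelta(minutes=minutes)
    # Sliding window: the count-th matching event after event i must fall within the window.
    for i in range(len(times) - count + 1):
        if times[i + count - 1] - times[i] <= window:
            return times[i + count - 1]
    return None

# Custom criteria: failed logons from any workstation source (constructed condition).
FAILED_LOGONS = {"op": "AND", "conditions": [
    {"field": "type", "comparator": "equals", "value": "logon_failure"},
    {"field": "source", "comparator": "contains", "value": "ws-"},
]}
```

Calling `threshold_alert(SAMPLE_EVENTS, FAILED_LOGONS, count=3, minutes=10)` fires at the third failed logon (09:06:55), while the same criteria with `count=4` do not fire within 10 minutes because the fourth failure arrives almost an hour later.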