How to create an alert profile and manage incidents


  • Create an alert profile
  • Incident Management

  • To create an alert profile, use any one of the following menu options:

     

    Follow the given procedure to create an alert profile:

     

    1. Enter a unique name for the alert profile.

    2. Assign a criticality to the alerts generated using this profile. Choose from High, Medium, and Low.

    3. Click the + icon to select the device(s) and/or device group(s) that should generate this alert.
    4. Click the + icon to define the alert criteria.

    Alert criteria can be chosen from the following categories:

    5. Select an alert notification method (email/SMS), or choose the Run Program option to trigger an automated response (a script that you provide).
    6. Click the Add Alert Profile button.

     

    Predefined Alerts

     

    Select Predefined Alert under Define Criteria:

    1. Select the LogType and then choose the desired category.
    2. Among the reports, select the desired report by clicking on the radio button next to it.
    3. Append new criteria to the predefined alert by clicking + Add Criteria.
    4. You can use the Advanced settings to tweak the alert trigger conditions in order to reduce alert noise. Here you can set the threshold (number of occurrences of an event within a specific time frame) and time range (working hours) for the alert profile.

    You can then specify the notification type for the alert profile.

    Compliance Alerts

    1. The Compliance Type field allows you to select a specific compliance type, such as FISMA, PCI, HIPAA, SOX, GLBA, or ISO 27001:2013, and generate alerts for events such as Failed Logon Attempts, Policy Changes, Account Changes, and Audit Logs Cleared.
    2. To exclude a certain event ID from the alert criteria, specify that event ID in the Exclude Event ID field.

    3. You can use the Advanced settings to tweak the alert trigger conditions in order to reduce the alert noise. Here you can set the threshold (number of occurrences of the event within a specific time frame) and the time range (working hours) for the alert profile.

    You can then specify the notification type for the alert profile created.
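The threshold and time range settings described above (for both predefined and compliance alerts) are a sliding-window count: the alert fires only when a set number of matching events occur within a given time frame, and only inside the configured working hours. The following Python block is an added illustration of that logic, not EventLog Analyzer's own code. It assumes that events outside the time range are ignored entirely and that the window resets once an alert fires, so one burst raises one alert; the sample timestamps are constructed.

```python
from collections import deque
from datetime import datetime, time, timedelta

# Constructed sample: timestamps of failed-logon events on one device,
# as ISO 8601 strings the way a log collector would normalise them.
SAMPLE_EVENTS = [
    "2024-05-01T02:00:00", "2024-05-01T02:00:05", "2024-05-01T02:00:10",  # night-time burst
    "2024-05-01T09:00:00", "2024-05-01T09:00:10", "2024-05-01T09:00:20",  # burst in working hours
    "2024-05-01T09:00:30", "2024-05-01T09:00:40",
    "2024-05-01T10:00:00", "2024-05-01T10:05:00", "2024-05-01T10:10:00",  # slow trickle
]

# Assumed working-hours range for the alert profile, as "HH:MM" strings.
WORKING_HOURS = ("09:00", "18:00")


def evaluate_threshold(event_times, threshold, window_seconds, time_range=None):
    """Return the ISO timestamps at which the alert fires.

    The alert fires when `threshold` events fall inside a sliding window of
    `window_seconds`. Events outside `time_range` (a ("HH:MM", "HH:MM") tuple,
    if given) are ignored. After a fire the window is cleared so that one
    burst produces one alert rather than one alert per extra event.
    """
    window = timedelta(seconds=window_seconds)
    if time_range is not None:
        start, end = (time.fromisoformat(t) for t in time_range)
    fired = []
    recent = deque()  # timestamps of matching events inside the current window
    for ts in sorted(datetime.fromisoformat(t) for t in event_times):
        if time_range is not None and not (start <= ts.time() < end):
            continue  # outside working hours: not counted at all
        recent.append(ts)
        while ts - recent[0] > window:
            recent.popleft()  # drop events that have aged out of the window
        if len(recent) >= threshold:
            fired.append(ts.isoformat())
            recent.clear()
    return fired


if __name__ == "__main__":
    raw = evaluate_threshold(SAMPLE_EVENTS, threshold=1, window_seconds=60)
    burst = evaluate_threshold(SAMPLE_EVENTS, threshold=3, window_seconds=60)
    hours = evaluate_threshold(SAMPLE_EVENTS, 3, 60, WORKING_HOURS)
    print(f"{len(raw)} alerts with no threshold")
    print(f"{len(burst)} alerts with threshold 3 in 60 s: {burst}")
    print(f"{len(hours)} alert(s) with threshold 3 in 60 s during working hours: {hours}")
```

With no threshold every one of the 11 sample events becomes an alert; a threshold of 3 in 60 seconds reduces that to two alerts (the night-time burst and the morning burst, while the 5-minute trickle never fires), and adding the working-hours range leaves only the morning burst. The night-time events are discarded rather than deferred, so if off-hours activity matters to you, use a second profile without a time range rather than relying on this one.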

    Custom Alerts


    • You can define any number of criteria and group them with AND/OR operators.

    • To define alert criteria, choose desired attributes from the predefined list.

    • Specify the values for the attributes: select a comparator, then provide the value to compare the attribute against.

    • With drag and drop, you can group and ungroup the alert criteria.
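The criteria groups built with drag and drop form a tree of AND/OR groups whose leaves are (attribute, comparator, value) checks. The Python block below is an added example of how such a tree is evaluated against an event; it is not the product's own implementation, and the comparator names, field names, and sample events are all constructed for illustration (Windows event 4625 is a failed logon).

```python
# Comparators offered to the user; an assumed set, not necessarily the product's list.
COMPARATORS = {
    "equals":       lambda actual, expected: actual == expected,
    "not equals":   lambda actual, expected: actual is not None and actual != expected,
    "contains":     lambda actual, expected: isinstance(actual, str) and expected in actual,
    "starts with":  lambda actual, expected: isinstance(actual, str) and actual.startswith(expected),
    "greater than": lambda actual, expected: actual is not None and actual > expected,
}


def evaluate(node, event):
    """Evaluate a criteria tree against one event (a dict of attributes).

    A node is either a group {"op": "AND"|"OR", "items": [...]} or a leaf
    {"field": ..., "comparator": ..., "value": ...}. An attribute missing from
    the event never matches, so a malformed or truncated event cannot satisfy
    a criterion by accident.
    """
    if "op" in node:
        results = [evaluate(child, event) for child in node["items"]]
        if node["op"] == "AND":
            return all(results)
        if node["op"] == "OR":
            return any(results)
        raise ValueError(f"unknown operator {node['op']!r}")
    compare = COMPARATORS[node["comparator"]]
    return compare(event.get(node["field"]), node["value"])


def matching_events(criteria, events):
    """Return the events that satisfy the criteria tree."""
    return [event for event in events if evaluate(criteria, event)]


# Constructed profile: failed logon AND (administrative-looking account OR
# source in the 10.0. range). The nested group is what drag-and-drop grouping builds.
FAILED_ADMIN_OR_INTERNAL = {
    "op": "AND",
    "items": [
        {"field": "event_id", "comparator": "equals", "value": 4625},
        {"op": "OR", "items": [
            {"field": "username", "comparator": "contains", "value": "admin"},
            {"field": "source_ip", "comparator": "starts with", "value": "10.0."},
        ]},
    ],
}

# Constructed sample events.
SAMPLE_EVENTS = [
    {"event_id": 4625, "username": "administrator", "source_ip": "192.168.1.5"},
    {"event_id": 4625, "username": "jdoe", "source_ip": "10.0.3.7"},
    {"event_id": 4624, "username": "administrator", "source_ip": "10.0.3.7"},
    {"event_id": 4625, "username": "jdoe"},  # source_ip missing from the event
]

if __name__ == "__main__":
    for event in matching_events(FAILED_ADMIN_OR_INTERNAL, SAMPLE_EVENTS):
        print("match:", event)
```

Only the first two sample events match: the third is a successful logon (4624), and the fourth has no source_ip, so the OR group cannot be satisfied by the missing attribute. Grouping matters: had the same four leaves been combined with a single AND, the second event would also drop out because its username does not contain "admin".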

     

    Generating Alerts for Imported Logs

    With EventLog Analyzer's Advanced Custom Alert option, you can generate alerts for custom extracted fields of Oracle, Microsoft SQL, print server, IIS, and other imported application logs.

    To generate an alert for a specific custom extracted field of an imported log, choose the log type and select the imported log for which you need to trigger alerts. EventLog Analyzer automatically populates all the custom extracted fields for the selected log type; choose the field you want from the list, then specify the value whose occurrence should trigger the alert.

    Note: To add multiple custom extracted fields, make use of option.

    You can then specify the notification type for the alert profile created.

     

    Alert Notification & Remediation

    EventLog Analyzer provides you with two alert notification mechanisms: email and SMS.

    Further, you can also remediate the alert condition by running a script.

     

    Settings to notify alert by Email

    Enter the details required for sending alert notification via email.

     

    1. Enable the Email Notification check box under the Notification Settings tab to enable email notifications.
    2. Specify the recipient's email address. To notify multiple recipients, separate the addresses with commas (,).
    3. Add a subject line for the email notification. You can also append the alert argument(s) to the subject line. Select the arguments from the list available under Macros.
    4. The default mail content is shown above; you can modify it and also add arguments from the Macros list. Click Save Profile.

    Note: The mail content of correlation alerts can be customized further to include the rule name, correlated time, and the action. Further, you can select and add specific fields of the action by choosing them from the list that appears when the action is clicked. Please refer to the image below.

    5. If the mail server is not configured in EventLog Analyzer, you will be prompted to configure it when the Notify by Email option is selected.

     

    Settings to notify alert by SMS

    Enter the details required for sending alert notification using SMS.

    1. Enable the SMS Notification check box under the Notification Settings tab to enable SMS notifications.
    2. Enter the recipient’s number.
    3. You can customize the SMS content by clicking Add More Fields next to SMS Message field.

    If SMS settings are not configured in EventLog Analyzer, you will be prompted to configure them when the Notify by SMS option is selected.

     

    Settings to notify alert by Run Program

    Enter the details required for running a script or program when the alert notification is triggered.

    1. Navigate to the Run Program tab to run a script or program when the alert notification is triggered.
    2. Locate the file.
    3. If arguments are required to run the script, you can select them from the Arguments field. Add More Fields can be used to add additional fields as arguments.
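The script run by the Run Program option receives the alert fields selected in the Arguments field as command-line arguments. Those fields originate in log data (usernames, messages, device names) that whoever generated the events may have chosen, so a response script should treat them as untrusted input: validate them, keep them as data, and never paste them into a shell command line. The Python script below is an added example of such a handler and is not part of EventLog Analyzer; the argument order (profile name, severity, source device, message), the severity values, and the local record file path are assumptions for the illustration.

```python
"""Example Run Program handler for an EventLog Analyzer alert profile.

Assumed (hypothetical) argument order configured in the Arguments field:
    <alert profile name> <severity> <source device> <message>
"""
import json
import re
import sys
from datetime import datetime, timezone

INCIDENT_LOG = "alert_responses.jsonl"        # hypothetical local path for response records
MAX_FIELD_LEN = 2000                          # cap so a huge log message cannot bloat the record
VALID_SEVERITIES = {"High", "Medium", "Low"}  # assumed to mirror the profile criticalities
# Device identifiers are expected to be hostnames or IP addresses; anything
# else is recorded but flagged, so an odd-looking value is noticed in triage.
DEVICE_RE = re.compile(r"^[A-Za-z0-9._:-]{1,253}$")


def build_record(argv):
    """Validate the alert arguments and return a structured response record.

    Every value here came from log data that an attacker may have shaped
    (for example a username that looks like a shell command), so it is only
    ever stored as data, never interpolated into a command string.
    """
    if len(argv) != 4:
        raise ValueError(f"expected 4 arguments, got {len(argv)}")
    profile, severity, device, message = (arg[:MAX_FIELD_LEN] for arg in argv)
    if severity not in VALID_SEVERITIES:
        raise ValueError(f"unknown severity {severity!r}")
    return {
        "received_at": datetime.now(timezone.utc).isoformat(),
        "profile": profile,
        "severity": severity,
        "device": device,
        "device_name_valid": bool(DEVICE_RE.match(device)),
        "message": message,
        # Escalate only High alerts; Medium and Low are recorded for later triage.
        "action": "escalate" if severity == "High" else "record",
    }


def append_record(record, path=INCIDENT_LOG):
    """Append one JSON line so the record stays machine-readable and unambiguous."""
    with open(path, "a", encoding="utf-8") as handle:
        handle.write(json.dumps(record) + "\n")


def main(argv):
    try:
        record = build_record(argv)
    except ValueError as exc:
        print(f"alert handler: {exc}", file=sys.stderr)
        return 2  # non-zero so a misconfigured Arguments field is visible
    append_record(record)
    print(f"{record['action']}: {record['profile']} on {record['device']}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

The record is written with json.dumps rather than string formatting, and the handler exits non-zero when the argument count or severity is wrong, which is how a mismatch between the Arguments field and the script's expectations shows up instead of silently producing empty records.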

    After defining the alert criteria and specifying the notification method, click the Add Alert Profile button to complete the alert profile creation. The created alert profile will be listed in the Alert Profile Details screen. Created profiles can be enabled, disabled, modified, or deleted from the list.

    Assigning workflows to security incidents

    You can associate incident workflows with the security alerts configured in the product. This way, when a security alert is triggered, the corresponding workflow automatically starts executing, and you can view its status on the Manage Workflows page.

     

    To assign a workflow to a new security alert:

    Then configure your alert as described above.

     

    To assign a workflow to an existing alert:

    Once you are done, click Save Profile.

    Incident Management


    With EventLog Analyzer, you can efficiently manage security incidents by raising tickets for generated alerts and assigning them to administrators. You can manage the incident within the EventLog Analyzer console itself or use an external help desk software for raising tickets. Under Alert Configuration, click Incident Management to configure an external help desk: ServiceNow, ManageEngine ServiceDesk Plus, Jira Service Desk, Zendesk, Kayako, or BMC Remedy Service Desk. Click Assign Rules to automatically assign tickets to admins based on devices/device groups when alerts are generated. In the Alerts page, you can always assign or update a ticket manually by clicking the Update icon.

    Assign Rules


    To create a new rule that automatically assigns tickets to technicians based on devices/device groups, click the Add New Rule button.

    1. Enter the name of the rule, along with an optional description.

    2. Define the rule criteria, i.e., the devices/device groups whose alerts should automatically be assigned as tickets.

    3. Select the technician to whom the ticket must be assigned.

    4. Click Save.

    Manage Incident Configuration


    To configure incident management with ticketing tools, click Incident Management under Alert Configuration. From the Incident Tool drop-down list, select the ticketing tool that you want to configure EventLog Analyzer with. Then follow the steps below for the ticketing tool you use.

    For ServiceNow:



    1. Enter the ServiceNow subdomain name or IP address.

    2. Enter the login name and password of a valid account in the ticketing tool.

    3. Enter a short description and a description for the alert. You can select them from a predefined list available under Macros or type your own descriptions.

    4. Click the Test and Save button to establish communication and complete configuration.

    For ManageEngine ServiceDesk Plus:



    1. Enter the ManageEngine ServiceDesk Plus server name or IP address.

    2. Enter the port number.

    3. Choose the protocol for communication - HTTP/HTTPS.

    4. Select the mode of authentication - Local or Active Directory.

    5. Enter the login name and password of the account having admin privileges.

    6. Enter a subject for the alert. You can choose the subject from a predefined list available under Macros or type your own.

    7. Click the Test and Save button to establish communication and complete configuration.

    For Jira Service Desk:

    To configure EventLog Analyzer with Jira Service Desk, you would first need to get a few details from your Jira ticketing tool.

    1. After logging into your Jira Service Desk account, click the settings icon on the top right corner and select Projects.

    2. In the project list, note down the Key corresponding to the project in which you want your tickets to be raised.

    3. Navigate to the Issues tab and re-enter your username and password when prompted.

    4. Note down the type of issues that the particular project can hold. The issues raised from EventLog Analyzer should be of the same type for a ticket to be successfully raised in Jira Service Desk.

    5. Close Jira Service Desk and open EventLog Analyzer to complete the configuration process.

    In EventLog Analyzer, navigate to the Alerts tab and click on Incident Management under Alert Configuration. From the Incident Tool drop-down list, select Jira Service Desk.

    1. Enter the Jira Service Desk server name or IP address.

    2. Enter the port number.

    3. Choose the protocol for communication - HTTP/HTTPS.

    4. Enter the login name and password of the account having admin privileges.

    5. Enter the project ID. This is the Key of the particular project noted from the ticketing tool.

    6. Enter the type of issue. This needs to be the same as the issue type that the project has been configured to hold.

    7. Enter a summary for the alert. You can select it from a predefined list available under Macros or type your own summary.

    8. Click the Test and Save button to establish communication and complete configuration.


    For Zendesk:

    To configure EventLog Analyzer with Zendesk, you would first need to get a few details from your Zendesk ticketing tool.

    1. After logging into your Zendesk account, click the settings icon on the leftmost pane.

    2. In the left tab of the page, click API under Channels.

    3. In the right pane, move to OAuth Clients and click the + icon to create a new OAuth Client.

    4. Enter the client name, description, and name of the company. Select a logo.

    5. The value that appears corresponding to Unique Identifier needs to be saved in a separate document. This would be needed while configuring Zendesk in EventLog Analyzer.

    6. Once you click Save, a secret code will appear above the Save button. Click Copy and save it in a separate document. This will also be needed while configuring Zendesk in EventLog Analyzer.

    7. Click Close and open EventLog Analyzer to complete the configuration process.

    In EventLog Analyzer, navigate to the Alerts tab and click on Incident Management under Alert Configuration. From the Incident Tool drop-down list, select Zendesk.

    1. Enter the Zendesk subdomain name.

    2. Enter the login name and password of a valid account in the ticketing tool.

    3. Enter the client ID. This is the value of the Unique Identifier noted from the ticketing tool.

    4. Enter the client secret ID. This is the value of the secret code obtained from the ticketing tool.

    5. Enter a subject and a message for the alert. You can select them from a predefined list available under Macros or type your own.

    6. Click the Test and Save button to establish communication and complete configuration.


    For Kayako:



    1. Enter the Kayako subdomain name.

    2. Enter the login name and password of a valid user in the ticketing tool.

    3. Enter a short description and a description for the alert. You can select the descriptions from a predefined list available under Macros or type your own descriptions.

    4. Click the Test and Save button to establish communication and complete configuration.

    For BMC Remedy Service Desk:



    1. Enter the BMC Remedy Service Desk server name or IP address.

    2. Enter the port number.

    3. Choose the protocol for communication - HTTP/HTTPS.

    4. Enter the login name and password of the account having admin privilege.

    5. Enter a description for the alert. You can choose the description from a predefined list available under Macros or type your own description.

    6. Click the Test and Save button to establish communication and complete the configuration.

    After configuring EventLog Analyzer with the ticketing software, you can select the alert profiles for which tickets need to be raised.

    In the Manage Incident Tool Configuration page, you will have a list of existing alert profiles. Select the ones for which you want a ticket to be raised. You can search for specific alert profiles using the search box. You can also select all the alert profiles by ticking the Select All check box. If Select All is checked, all the alert profiles added in the future will be automatically selected and tickets will be raised for them as well. Once you've completed selecting the alert profiles, click Update.


     

    Update an Alert


    Select an alert and click the Update icon.

    1. Select the technician to whom you would like to assign the alert as a ticket using the Assign To drop-down menu.

    2. You can add optional notes for the ticket.

    3. Select the status of the ticket using the Status drop-down menu.

    4. Click the Save button.
