Creating an investigation-based alert
To define your own alerts on any kind of object, use investigation-based alerts. As their name indicates, investigation-based alerts express their triggering condition in the form of an investigation. The Engine periodically executes the investigation associated with each alert, at the frequency specified for that alert.
You can create an investigation-based alert by either:
- Defining the alert from scratch.
- Using an existing investigation as starting point.
The dialog to create alerts in the Finder is very similar to the dialog for designing investigations. There are a couple of differences, though:
- The investigation associated with an alert must be based on objects. You cannot associate an investigation based on activities or events with an alert.
- The time frame of the investigation is determined by the frequency of the alert. You cannot specify a different time frame in the dialog for designing the investigation.
- An additional section at the end of the dialog for alerts lets you specify the criticality, the frequency and the action to take when the alert is triggered.
Creating an investigation-based alert from scratch
To create an investigation-based alert from scratch:
- Log in to the Finder.
- Go to the Settings section in the accordion.
- Inside the Settings panel, click the drop-down list Section and either:
  - Select Global alerts to create an alert visible to every user. This option is only available if your account has the right privileges to create global alerts. Currently, every user can see global alerts only in the timeline of the Device view. The investigation of the alert must therefore be based on devices for the alert to be visible in the Finder.
  - Select My alerts to create an alert that is visible to you only in the Finder. This option is available to every user. If the alert is based on devices, it is displayed in the timeline of the Device view.
- Right-click the area of the section and select Create new alert, or press Ctrl+N. The dialog for designing a new alert shows up.
- Enter a name for the alert by replacing the default Untitled alert x at the top of the dialog.
- Optional: Type a brief description of the alert below the name.
- Edit the investigation part of the alert as you would any other investigation, with two restrictions: the investigation must retrieve objects (not activities or events), and you do not specify a time frame. After specifying the attributes to display, you reach the ALERT section, which is specific to alerts.
- Set the level of the alert in the drop-down list Criticality:
  - Select Normal for non-critical alerts. Normal alerts based on devices are displayed in yellow in the timeline of the Device view.
  - Select High for critical alerts. Critical alerts based on devices are displayed in red in the timeline of the Device view.
- Specify the frequency with which the system checks the conditions that trigger the alert:
  - Select Immediate for the system to check the conditions almost continuously (every 30 seconds). Due to the nature of immediate alerts, many of the display attributes that are usually available for an investigation cannot be selected. The Finder warns you when you select a display attribute that is incompatible with immediate alerts by showing a red cross to the right of the Immediate keyword. Hover the mouse cursor over the red cross to see the list of incompatible attributes that you selected. To avoid flooding, one hour must elapse between two consecutive immediate alerts for the same object.
  - Select Hourly to evaluate the conditions 15 minutes after the end of every hour and get the results for the hour that has just passed.
  - Select Daily to evaluate the conditions 15 minutes after midnight every day and return the results for the past day.
  - Select Weekly to evaluate the conditions 15 minutes after midnight every Monday and send the results of the investigation for the past week.
- Choose the action to take when the alert is triggered. Note that the results of an investigation-based alert are limited to a maximum of 250 objects with 15 attributes per object. Results exceeding these values are truncated to avoid sending too much data.
  - Check Send syslog to write the results of the investigation associated with the alert to the system log of the Appliance. This option is only supported by global alerts.
  - Check Send e-mail to send the results of the alert by e-mail to selected recipients. Note that any recipient can receive both global and non-global alerts.
- Click Save & Preview to save the new alert and run the associated investigation.
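The frequency, suppression and truncation rules above determine exactly when an alert is evaluated, which period its investigation covers, and how much of the result survives. The following Python model is an added example written for this page; it is not Nexthink code and does not talk to an Engine. It only encodes the documented rules: scheduled evaluations 15 minutes after the end of each hour, day or week (weeks starting on Monday), the 30-second immediate check with a one-hour per-object suppression, and the 250-object / 15-attribute cap on results. The object names and timestamps in the usage section are constructed.

```python
from datetime import datetime, timedelta

# Values taken from the documented behaviour of investigation-based alerts.
IMMEDIATE_INTERVAL = timedelta(seconds=30)   # immediate alerts are checked every 30 s
IMMEDIATE_SUPPRESSION = timedelta(hours=1)   # one hour between two immediate alerts per object
SCHEDULED_DELAY = timedelta(minutes=15)      # hourly/daily/weekly run 15 min after the period ends
MAX_OBJECTS = 250                            # results are cut to 250 objects ...
MAX_ATTRIBUTES = 15                          # ... with 15 attributes per object

PERIODS = {
    "Hourly": timedelta(hours=1),
    "Daily": timedelta(days=1),
    "Weekly": timedelta(days=7),
}


def _floor_to_period(frequency, t):
    """Start of the hourly/daily/weekly period that contains t (weeks start on Monday)."""
    if frequency == "Hourly":
        return t.replace(minute=0, second=0, microsecond=0)
    midnight = t.replace(hour=0, minute=0, second=0, microsecond=0)
    if frequency == "Daily":
        return midnight
    if frequency == "Weekly":
        return midnight - timedelta(days=midnight.weekday())
    raise ValueError(f"unknown frequency: {frequency}")


def next_evaluation(frequency, now):
    """Return (evaluation_time, window_start, window_end) for the first scheduled
    evaluation strictly after `now`.  An evaluation at P + 15 min covers [P - period, P)."""
    period = PERIODS[frequency]
    # The evaluation for period end P runs at P + delay.  We want the smallest P with
    # P + delay > now, i.e. the period boundary that follows (now - delay).
    window_end = _floor_to_period(frequency, now - SCHEDULED_DELAY) + period
    return window_end + SCHEDULED_DELAY, window_end - period, window_end


class ImmediateAlert:
    """Per-object suppression for immediate alerts: an object that triggered the
    alert is not reported again until one hour has elapsed."""

    def __init__(self):
        self.last_triggered = {}

    def evaluate(self, matching_objects, now):
        """Return the subset of matching objects that is reported at this 30-second check."""
        reported = []
        for obj in matching_objects:
            last = self.last_triggered.get(obj)
            if last is None or now - last >= IMMEDIATE_SUPPRESSION:
                self.last_triggered[obj] = now
                reported.append(obj)
        return reported


def truncate_results(rows):
    """Apply the 250-object / 15-attribute cap to a list of result rows.
    Each row is a dict mapping attribute name -> value; attribute order is preserved."""
    return [dict(list(row.items())[:MAX_ATTRIBUTES]) for row in rows[:MAX_OBJECTS]]


if __name__ == "__main__":
    # Constructed reference time: Wednesday 3 January 2024, 10:05.
    now = datetime(2024, 1, 3, 10, 5)
    for freq in PERIODS:
        when, start, end = next_evaluation(freq, now)
        print(f"{freq:7s} next check {when:%a %Y-%m-%d %H:%M}, "
              f"covering {start:%a %Y-%m-%d %H:%M} to {end:%a %Y-%m-%d %H:%M}")

    # Constructed device name; the same object matches at three consecutive checks.
    alert = ImmediateAlert()
    print(alert.evaluate(["device-17"], now))                          # ['device-17']
    print(alert.evaluate(["device-17"], now + IMMEDIATE_INTERVAL))     # [] (suppressed)
    print(alert.evaluate(["device-17"], now + IMMEDIATE_SUPPRESSION))  # ['device-17']

    # Constructed oversized result: 300 objects with 20 attributes each.
    rows = [{f"attr{i}": i for i in range(20)} for _ in range(300)]
    cut = truncate_results(rows)
    print(len(cut), len(cut[0]))                                       # 250 15
```

The model is useful when sizing an alert: `next_evaluation` tells you how old the newest matching object can be before a scheduled alert reports it (up to an hour and 15 minutes for Hourly, a week and 15 minutes for Weekly), and `truncate_results` shows that an investigation matching more than 250 objects will silently lose the rest, so the investigation's own conditions should keep the result set below that cap.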
Creating an alert from an existing investigation
To create an investigation-based alert from an existing investigation:
- Log in to the Finder.
- Find the desired investigation in the accordion.
- Right-click the name of the investigation and select Add to My alerts... (or Add to Global alerts... if you have the right privileges). The dialog to design the alert shows up with the data of the investigation prefilled, so you only need to fill the ALERT section.
- Optional: Change the name of the alert at the top of the dialog. By default, the alert borrows its name from the investigation.
- Optional: Change the description of the alert that you find below the name. By default, the description of the alert is inherited from the investigation as well.
- Set the criticality, frequency and actions of the alert as described above.
- Optional: Modify the investigation settings to meet your needs. The original investigation is not modified.
- Click Save & Preview to save the alert and execute the associated investigation.
Limit on the number of alerts
Using the methods described above, you can create and enable up to a maximum of 50 global alerts. In addition, each user can create (or receive through their roles) and enable up to 10 local alerts per account on each Engine.
The total number of enabled alerts in an Engine, including the global alerts and the local or role-based alerts of all users, is limited to 150 alerts.
Timing considerations for immediate alerts on Application Library fields
Because fetching data from the Application Library is not instantaneous, immediate alerts that rely on the value of Application Library fields may fail to fulfill their purpose.
For instance, an immediate alert that is configured to detect the appearance of new binaries with a high threat level in the system will fail to detect the first execution of such binaries. Soon after the execution of a new binary and its creation in the Engine, the conditions of the immediate alert are evaluated. At that point, however, the Engine has not updated the threat level of the binary yet. It is only around 5 minutes later that the Engine connects to the Application Library and sets the value of the threat level.
Thus, the best practice in this case is to create an hourly alert with the same conditions as the immediate alert, in addition to it. In this way, the first execution of a binary with a high threat level may escape the immediate alert, but it is detected by the hourly alert at the end of the current hour interval, once the Engine has set the correct threat level of the binary.
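The race described above can be reproduced on a timeline. The following Python simulation is an added example for this page, not Nexthink code: it models a binary that is created in the Engine at a chosen second of the hour, receives its Application Library threat level about 5 minutes later, and is checked both by a 30-second immediate alert and by the hourly alert that runs 15 minutes after the hour ends. The condition both alerts use (a binary first seen inside the evaluation window whose threat level is high) is an assumption about how such an investigation would be written; the execution time and the 5-minute library delay are constructed values taken from the text.

```python
# All times are seconds after the start of the hour in which the binary first runs.
IMMEDIATE_INTERVAL = 30        # immediate alerts are evaluated every 30 s
HOUR = 3600
HOURLY_EVAL = HOUR + 15 * 60   # the hourly alert runs 15 min after the hour ends
LIBRARY_DELAY = 5 * 60         # the Engine sets the threat level ~5 min after creation


class Binary:
    """A binary object as the Engine sees it, with a threat level that is empty
    until the Application Library lookup completes."""

    def __init__(self, name, first_seen, library_delay=LIBRARY_DELAY):
        self.name = name
        self.first_seen = first_seen
        self.threat_level_at = first_seen + library_delay

    def threat_level(self, t):
        # Assumed: before the lookup, the field holds no value; afterwards it is "high"
        # for the binary in this example.
        return "high" if t >= self.threat_level_at else None


def matches(binary, window_start, window_end, t):
    """Alert condition (assumed): the binary appeared inside [window_start, window_end)
    and its threat level, as known by the Engine at evaluation time t, is high."""
    appeared_in_window = window_start <= binary.first_seen < window_end
    return appeared_in_window and binary.threat_level(t) == "high"


def immediate_detections(binary):
    """Seconds at which a 30-second immediate check reports the binary during its first hour."""
    hits = []
    for t in range(IMMEDIATE_INTERVAL, HOUR + 1, IMMEDIATE_INTERVAL):
        if matches(binary, t - IMMEDIATE_INTERVAL, t, t):
            hits.append(t)
    return hits


def hourly_detection(binary):
    """Whether the hourly check covering [0, 3600) reports the binary."""
    return matches(binary, 0, HOUR, HOURLY_EVAL)


if __name__ == "__main__":
    # Constructed: binary first executed at 10:10:00, i.e. 600 s into the hour.
    delayed = Binary("example.exe", first_seen=600)
    print("immediate alert fires at:", immediate_detections(delayed))   # []
    print("hourly alert fires:", hourly_detection(delayed))             # True

    # Same binary if the threat level were available instantly (not the real behaviour).
    instant = Binary("example.exe", first_seen=600, library_delay=0)
    print("immediate alert fires at:", immediate_detections(instant))   # [630]
```

The immediate check that runs 30 seconds after creation sees the binary inside its window but with an empty threat level, and every later immediate check sees the high threat level but a binary that is no longer new. Only the hourly evaluation, whose window still contains the first execution and which runs after the library lookup has completed, reports it.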