How to create new alerts
CyberQuest's alerting feature is a fully customizable module for each connected user. The event that triggers an alert can be user-defined to match specific event conditions, ensuring high accuracy and reducing false alerts to a minimum.
Follow the steps to create a new alert:
Authenticate in the CyberQuest web interface as a user with administrative rights.
Navigate to "Settings > Alerts" and select the "Realtime" option.
On the "Alerts" page, click the "Create new alert definition" button to create a new alert.
Complete the form with the appropriate information and press the "Save Alert & Exit" button.
Alert Name: The name of the new alert.
Alert Active: Select the ALERT ACTIVE checkbox to make the alert active, or uncheck it to deactivate the alert.
Time Frame TTL (sec.): This setting defines how long the alert stays active once it has been triggered.
Alert Security Score: When an alert is triggered, its security score changes dynamically, starting from this defined baseline, depending on the defined rules and the number of matching events. A real-time security score can never be lower than the defined baseline or higher than 100.
Alert Security Level: Security levels behave in a similar manner to security scores and use the same color coding.
Sent as Alert: The Send as Alert checkbox has a similar effect to the ALERT ACTIVE checkbox. When it is unchecked, the alert remains active but produces no visible effect. This setting allows backend correlation of anomaly analysis across multiple events, triggers and alerts without generating visible alerts.
Has Action: If a script execution should be associated with the alert, also check the Has Action checkbox. The script rule is the last rule in the rule conditions list and takes precedence over all other rules. Press the . button to open the Script Editor window, where you can create a custom script to apply as a rule.
Send via Email: The Send via Email checkbox allows the alert to be sent to the defined recipients.
Notification Template: Choose a notification template to apply to your alert. You can choose from built-in or custom notification templates. The default is "Default notification".
Under the Rules section, you can define in detail the rules that control the alert behaviour. Rules range from single-event rules to any correlation between events: the order in which events occur, the absence of an expected event from a logical succession of events, and so on.
Previous: Navigate to the previous condition of the alert.
Next: Navigate to the next condition of the alert.
Add Rule: Add a new rule by pressing the "Add Rule" button. The new rule is defined in the Rule Settings pane on the right.
The Rule Settings pane assists you in defining the rule logic. Rule logic consists of field, report and correlation conditions separated by the logical operators AND, OR and NOT.
Each rule has:
Description: A text field where you enter a description of the rule.
Add field condition: In the Select Field drop-down, select a representative event field. From the next drop-down, select the appropriate value operator. In the third field, enter the desired value.
Add report condition: The rule condition presents a drop-down list from which you can select any of the existing reports.
Delete: Removes a rule condition.
When you add a rule condition, a logical operator is automatically inserted to correlate it with the previous condition. The default operator is AND. Click the AND switch to change it to OR, and click again to change it back to AND.
If the logical chain requires it, a "NOT" operator is also available as a checkbox on each condition. By default, it is not selected; click NOT to select the operator.
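The following is an added illustration, not CyberQuest's own code, of how a chain of field conditions with AND/OR links and per-condition NOT checkboxes is evaluated against events, and how a security score grows from its baseline without exceeding 100. It assumes left-to-right evaluation of the chain, a fixed score step per matching event, and constructed sample events; the operator names and field names are placeholders, not CyberQuest identifiers.

```python
# Added illustration (not CyberQuest code) of the rule chain described above.
# Assumptions: conditions are evaluated left to right using the AND/OR switch
# shown between each pair, and the NOT checkbox inverts a single condition.
from dataclasses import dataclass

# Hypothetical value operators standing in for the drop-down choices.
OPERATORS = {
    "equals": lambda a, b: a == b,
    "not equals": lambda a, b: a != b,
    "contains": lambda a, b: str(b) in str(a),
    "greater than": lambda a, b: float(a) > float(b),
}

@dataclass
class FieldCondition:
    field_name: str       # event field chosen in the Select Field drop-down
    operator: str         # value operator chosen in the second drop-down
    value: object         # value entered in the third field
    negate: bool = False  # the NOT checkbox
    join: str = "AND"     # switch linking this condition to the previous one

    def matches(self, event):
        # A missing field never matches; NOT inverts the outcome.
        present = self.field_name in event
        result = present and OPERATORS[self.operator](event[self.field_name], self.value)
        return (not result) if self.negate else result

def evaluate_rule(conditions, event):
    # First condition has no join; each later one is combined via its switch.
    result = conditions[0].matches(event)
    for cond in conditions[1:]:
        hit = cond.matches(event)
        result = (result and hit) if cond.join == "AND" else (result or hit)
    return result

def security_score(baseline, matched_events, step=5):
    # Score rises from the baseline per matching event, never below the
    # baseline and never above 100 (step size is an assumed value).
    return max(baseline, min(100, baseline + step * matched_events))

SAMPLE_EVENTS = [  # constructed sample events
    {"event_type": "login_failure", "src_ip": "203.0.113.7", "user": "alice"},
    {"event_type": "login_failure", "src_ip": "10.0.0.5", "user": "svc_backup"},
    {"event_type": "login_success", "src_ip": "203.0.113.7", "user": "alice"},
]

# "event_type equals login_failure AND NOT src_ip equals 10.0.0.5"
RULE = [
    FieldCondition("event_type", "equals", "login_failure"),
    FieldCondition("src_ip", "equals", "10.0.0.5", negate=True, join="AND"),
]

def run(events=SAMPLE_EVENTS, rule=RULE, baseline=40):
    hits = [e for e in events if evaluate_rule(rule, e)]
    return len(hits), security_score(baseline, len(hits))  # -> (1, 45)
```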