Create Alerts
To create new alerts and modify existing alerts, the account used to connect to Auditor Server must be assigned the Global administrator or Global reviewer role in the product.
To set up a response action, this account must also be a member of the local Administrators group on Auditor Server.
See the Role-Based Access and Delegation topic for additional information.
Create a Custom Alert
Follow the steps to create a custom alert.
Step 1 – On the main Auditor page, click the Alert settings link under the Configuration section on the left:
See the Navigation topic for additional information.
Step 2 – In the All Alerts window, click Add. Configure the following:
| Option | Description |
|---|---|
| General | - Specify a name and enter the description for the new alert. NOTE: Make sure that the Send alert when the action occurs option is enabled. Otherwise, the new alert will be disabled. - Email subject — Specify the subject of the email. It is possible to insert variables into the subject line. You can choose between "Who", "What" and"Where" variables. Consider the following: - Only one variable of each type can be added - You need to cut off the full path from the object names in "What" alert and leave only the actual name. For example, "\com\Corp\Users\Departments\IT\Username" should be just "Username". If you want to get back to the default Email subject line, click the Restore Default button. - Apply tags — Create a set of tags to more efficiently identify and sort your alerts. Select Edit under Apply tags to associate tags with your alert. Later, you can quickly find an alert of interest using Filter by tags in the upper part of the All Alerts window. To see a full list of alerts ever created in the product, navigate to Settings > Tags. |
| Recipients | Select alert recipients. Click Add Recipient and select alert delivery type: - Email — Specify the email address where notifications will be delivered. You can add as many recipients as necessary. RECOMMENDED: click Send Test Email. The system will send a test message to the specified email address and inform you if any problems are detected. - SMS-enabled email — Netwrix uses the sms gateway technology to deliver notifications to a phone number assigned to a dedicated email address. Specify email address to receive SMS notifications. Make sure that your carrier supports sms to email gateway technology. |
| Filters | Apply a set of filters to narrow events that trigger a new alert. Alerts use the same interface and logic as search. - Filter — Select general type of filter (e.g., "Who", "Data Source", "Monitoring plan", etc.) - Operator — Configure match types for selected filter (e.g., "Equals", "Does not contain", etc.) - Value — Specify filter value. See the View and Search Collected Data topic for additional information on how to create and modify filters. The Filters section contains required fields highlighted with red. Once you completed all filters, click Preview on the right pane to see search-based list of events that will trigger your alert.  |
| Thresholds | If necessary, enable threshold to trigger the new alert. In this case, a single alert will be sent instead of many alerts. This can be helpful when Auditor detects many activity records matching the filters you specified. Slide the switch under the Send alert when the threshold is exceeded option and configure the following: - Limit alerting to activity records with the same... — Select a filter in the drop-down list (e.g., who). Note that, Auditor will search for activity records with the same value in the filter you selected. Only alerts grouped by the Who parameter can be included in the Behavior Anomalies list. Mind that in this case, the product does not summarize risk scores and shows the value you associated with this alert. This may significantly reduce risk score accuracy. - Send alert for <...> activity records within <...> seconds — Select a number of changes that occurred in a given period (in seconds). For example, you want to receive an alert on suspicious activity. You select "Action" in the Limit alerting to activity records with the same list and specify a number of actions to be considered an unexpected behavior: 1000 changes in 60 seconds. When the selected threshold exceeded, an alert will be delivered to the specified recipients: one for every 1000 removals in 60 seconds, one for every 1000 failed removals in 60 seconds. So you can easily discover what is going on in your IT infrastructure. |
| Risk Score | - Slide the switch to On under Include this alert in Behavior Anomalies assessment. See the Behavior Anomalies topic for additional information. - Associate a risk score with the alert — Assign a risk score based on the type of anomaly and the severity of the deviation from the normal behavior. An action's risk score is a numerical value from 1 (Low) to 100 (High) that designates the level of risk with 100 being the riskiest and 1 the least risky. These are general guidelines you can adopt when setting a risk score: - High score — Assign to an action that requires your immediate response (e.g., adding account to a privileged group). Configure a non-threshold alert with email recipients. - Above medium score — Assign to a repetitive action occurring during a short period of time. While a standalone action is not suspicious, multiple actions merit your attention (e.g., mass deletions from a SharePoint site). Configure a threshold-based alert with email recipients. - Low score — Assign to an infrequent action. While a single action is safe, multiple occurrences aggregated over a long period of time may indicate a potential in-house bad actor (e.g., creation of potentially harmful files on a file share). Configure a non-threshold alert, email recipients are optional but make sure to regularly review the Behavior Anomalies dashboard. - Low score — Assign to a repetitive action that does not occur too often (e.g., rapid logons). Multiple occurrences of action sets may indicate a potential in-house bad actor or account compromise. Configure a threshold-based alert, email recipients are optional but make sure to regularly review the Behavior Anomalies dashboard. |
| Response Action | You can instruct Auditor to perform a response action when the alert occurs — for example, start an executable file (command, batch file, or other) that will remediate the issue, or open a ticket with the help desk, and so on. For that, you will need an executable file stored locally on the Auditor server. Slide the switch to turn the feature ON, and see the Configure a Response Action for Alert topic for additional information. |
Manage Alerts
For your convenience, Netwrix provides you with a set of predefined alerts that are commonly used for IT infrastructure monitoring. The out-of-the-box alerts include those that help you detect suspicious activity and inform you on critical changes to your environment. The alerts contain pre-configured filters and in most cases you only need to enable an alert and select who will receive notifications.
You can add any elements (a dashboard, report, alert, risk, etc.) to the Auditor Home screen to access them instantly. See the Navigation and Customize Home Screen topics for additional information.
| To... | Follow the steps... |
|---|---|
| Enable / disable an existing alert | Step 1 – Select an alert from the list and enable it using the slider in the Mode column. Step 2 – Double-click the selected alert and specify alert recipients or set a risk score want to include an alert in Behavior Anomalies assessment. You can go on with a score suggested by Netwrix industry experts or fine-tune it to fit your organization's priorities. See the Risk Score topic for additional information on how to configure scoring settings. Step 3 – Review and update filters. For some alerts you should provide filter values, such as group name or user. |
| Modify an existing alert | Select an alert from the list and click Edit. |
| Create a new alert from existing | Select an alert from the list and click Duplicate at the bottom of the window. |
| Remove an alert | Select an alert from the list and click  in the right pane. |
| Find an alert | Use the Filter by tags option to find an alert by tags associated with this alert. OR Use a search bar in the upper part of All Alerts window to find an alert by its name or tag. |