Creating an Alert Rule
Go to Compliance > Alert Rules and select Create New. Complete the following steps:
Base Configuration
- Provide a name for the rule.
- Provide a description of the rule.
- In the Severity dropdown list, select the level of rule severity.
  - High Severity: Use for important and urgent alerts for your organization. This could be potential rogue behavior, sensitive data leakage, or noncompliant access to sensitive data.
  - Medium Severity: Apply to alerts that indicate potentially non-compliant or harmful activity that requires investigation but might not require immediate response.
  - Low Severity: Assign to alerts that indicate minor or routine issues that require attention but are unlikely to cause serious harm. These alerts can be monitored with less urgency, for example by scheduling a report and reviewing them as needed.
- Change the rule status to Active to enable this rule upon creation.
- Select Next.
Rule Criteria
Define the scope of the rule.
- From the Scope Type dropdown list, select All, Application Type, Applications, or Resources. Then select the appropriate value in the next dropdown list.
- To remove parameters from the rule, set exclusions. From the Scope Type dropdown list, select what type needs to be excluded. Then select the appropriate value in the next dropdown list.
- You can use and combine filters to specify the criteria that trigger the alerts and to ensure that only relevant and actionable activities are flagged. Combine filters (e.g., action type + actor attributes + data classification of the object the alerted activity was performed on) to refine and focus the behavior according to your organizational needs.
- Select Next.
Response
Choose a response for the alert.
- Enter an identity's name in the search field and select the identities who will receive an email with the alert properties once it’s triggered. The email includes the alert rule and the following properties:
  - User name
  - Department
  - Action Type
  - Application
  - Resource Path
- To complete the alert rule creation, select Continue.