
Configuring and Managing Alerts

Set up alerts to notify your organization when certain activity patterns are detected. Alerts are sent immediately when an activity exceeds a defined alert threshold.

You can configure the following types of alerts:

  • Failed Access from Actors
  • Failed Access to Targets

The Alert icon flags the presence of an active alert, which can then be viewed on the Alerts page. View configured alerts by selecting View and Configure Alerts > Definitions. Select an alert definition to view or edit its configuration.

Prerequisites

Before you can set up an alert, you'll need to configure a data provider to pull the activity data that will be monitored for alert detection. Identity Risk integrates with the following providers:

Configuring Alerts

  1. Select View and Configure Alerts.
  2. Select Definitions.
  3. In the ALERT DEFINITIONS pane, select Create Alert +.
  4. Select one of the following alert types from the Alert Type dropdown list.

    • Failed Access From Actors: Failed Access alerts define the actors of interest and the thresholds for failure events, and alert when the failure rate exceeds these thresholds.
    • Failed Access To Targets: Failed Access alerts define the targets of interest and the thresholds for failure events, and alert when the failure rate exceeds these thresholds.
  5. Enter a name for your alert.

  6. If you have selected Failed Access From Actors or Failed Access To Targets, select Actors of interest and enter a node (actor or target). A list of matching actors or targets is displayed as you type. Select a node from the list. Repeat to add more nodes.
  7. In the Alert Message field, enter a message describing the purpose of the alert. The alert message provides context for the alert to assist with alert analysis and filtering when reported.
  8. In the Select Thresholds section, select appropriate values for the Alert Threshold and Warning Threshold using the increment and decrement buttons.

    Two severity levels are supported for failed access alerts:

    • Alert: A high severity alert, triggered when failure activity exceeds the defined Alert threshold value. This value must be greater than 1 and greater than the value set for the Warning threshold.
    • Warning: Triggered when failure activity exceeds the defined Warning threshold value. This value must be greater than zero and less than the value set for the Alert threshold.

    Within each one-hour period:

    • If matching activity is detected that exceeds the Warning threshold, an alert is triggered at a Warning severity level.
    • Activity continues to be tracked, and an alert upgrades to Alert severity level if the activity count for that alert definition exceeds the Alert threshold within the same time period.
    • Alert activity counts are reset each hour and triggered again if the matching activity exceeds the threshold in a new period.
  9. Select Save Alert to save the new alert definition.
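As an added illustration of the threshold rules in step 8 (example code, not part of the product or this page), the following Python evaluator applies the threshold validation rules and buckets constructed failed-access events into one-hour windows, reporting the highest severity reached per window and node; the definition and event field names are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed alert definition mirroring the fields described on the page.
EXAMPLE_DEFINITION = {
    "name": "svc-backup failed access",
    "type": "Failed Access From Actors",   # or "Failed Access To Targets"
    "nodes": {"svc-backup"},               # nodes of interest
    "warning": 2,
    "alert": 4,
}

# Constructed sample activity: three failures in the 09:00 hour, five in the
# 10:00 hour, plus a success and an unrelated actor that must be ignored.
SAMPLE_EVENTS = (
    [{"ts": f"2024-05-01T09:{m:02d}:00", "actor": "svc-backup", "target": "db01", "outcome": "failure"} for m in (5, 17, 42)]
    + [{"ts": f"2024-05-01T10:{m:02d}:00", "actor": "svc-backup", "target": "db01", "outcome": "failure"} for m in (1, 8, 20, 33, 51)]
    + [{"ts": "2024-05-01T10:30:00", "actor": "svc-backup", "target": "db01", "outcome": "success"},
       {"ts": "2024-05-01T10:31:00", "actor": "alice", "target": "db01", "outcome": "failure"}]
)

def validate_thresholds(warning, alert):
    """Threshold rules from the page: Warning > 0, Alert > 1, Warning < Alert."""
    return warning > 0 and alert > 1 and warning < alert

def hour_window(ts):
    """Truncate an ISO-8601 timestamp to the start of its one-hour period."""
    return datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)

def evaluate(definition, events):
    """Return one active-alert record per hour window in which a node of interest
    exceeded a threshold, carrying the highest level reached in that window."""
    if not validate_thresholds(definition["warning"], definition["alert"]):
        raise ValueError("invalid thresholds: need 0 < Warning < Alert and Alert > 1")
    field = "actor" if definition["type"] == "Failed Access From Actors" else "target"
    counts = defaultdict(int)  # (hour window, node) -> failures; counts reset per hour by construction
    for ev in events:
        if ev["outcome"] == "failure" and ev[field] in definition["nodes"]:
            counts[(hour_window(ev["ts"]), ev[field])] += 1
    alerts = []
    for (window, node), count in sorted(counts.items()):
        if count > definition["alert"]:
            level = "Alert"
        elif count > definition["warning"]:
            level = "Warning"
        else:
            continue  # below the Warning threshold: nothing is raised for this hour
        alerts.append({"raised_at": window.isoformat(), "name": definition["name"],
                       "alert_level": level, "count": count, "triggered_node": node})
    return alerts
```

Running `evaluate(EXAMPLE_DEFINITION, SAMPLE_EVENTS)` yields a Warning record for the 09:00 window (3 failures) and an Alert record for the 10:00 window (5 failures).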

Managing Alerts

When an alert is triggered, you are notified through the active alert count indicator. The indicator count shows the total number of active alerts generated in the past hour.

Viewing Active Alerts

  1. Select View and Configure Alerts > Definitions.
  2. Select Alerts.

    In the ACTIVE ALERTS pane, a summary of active alerts is displayed:

    (Screenshot: Active Alert Summary)

    The columns included in this pane are described in the table below.

    • Raised At: The timestamp of the alert generation. As alerts are generated each hour, this timestamp indicates the hourly time window during which the failure events occurred. Details of the individual events can be found in Identity Map > Event Details.
    • Name: The name of the alert that was triggered.
    • Alert Level: The highest alert level that was triggered.
    • Count: The number of matching events (failures) reported in this interval.
    • Triggered Node: The configured node to or from which these events were reported.
  3. Select the expander button on an alert to view additional fields describing the alert configuration.

  4. To further investigate the triggered alert activity, select Triggered Node to display options:

    • View Profile
    • View Permissions
    • Add to explorer list
    • Add to explorer and search
    • Filter by this node
  5. Select an option and explore related activity, event details, and more.

Filtering Active Alerts

The Active Alerts page allows filtering and sorting to help refine the alert view to show a subset of alert records.

  1. In the Active Alerts pane, select the Filter icon.

  2. Enter values in one or more of the option fields to display only the alerts that match the values provided.

Resolving Active Alerts

You can mark active alerts as resolved by selecting the Resolve button at the alert level or by selecting multiple alerts and selecting the Resolve Selected button.

Once an alert has been resolved, it is removed from the Active Alerts pane. All alerts, including active and resolved alerts, may be retrieved through the Identity Risk API.