Skip to main content

Alerts

When you create an alert profile, several alerts are preconfigured for it. You can, however, choose to enable or disable them as well as add custom alerts to the profile. These alerts are triggered by specific events. This means that when the defined action (event) is detected within the organization the alert profile is assigned to, an alert is generated. Alerts notify you of critical actions that impact your organization's security, enabling you to respond swiftly to potential risks.

You can access the generated alerts in the following ways:

  • View the alerts generated for an organization on the Netwrix 1Secure dashboard. See the 1Secure Dashboard topic for additional information.
  • Receive alerts as email notifications sent to the specified email address(es). See the Manage Delivery Settings for an Alert Profile topic for setting up email notifications.

To view the alerts within an alert profile:

Step 1 – Navigate to Configuration > Alerts.

Step 2 – Click an alert profile. The alerts for the profile are displayed in a list.

Alerts List within an alert profile

You can view the following for each alert in the list:

  • Source – Indicates the origin or type of data that triggers the alert. For example, Activity Records.
  • Alert Name – The name of the alert
  • Is Active – Indicates whether the alert is activated. You can toggle it ON or OFF as required.
  • Grouping On – Indicates whether grouping is applied to the alert. If yes, then it displays the criteria, such as What, Who, Where, etc.
  • Threshold – The threshold value set for the alert. The threshold is the minimum number of activity records that must occur within a specified time frame (threshold period) to trigger an alert.
  • Threshold Period – The threshold period set for the alert. The threshold period is the maximum duration, starting from the first activity record, within which the specified number of activity records (threshold) must occur to trigger an alert.
  • Batching Period – The batching period set for the alert. With the batching period feature, you can receive a single notification that includes all alerts triggered during the specified period.

Add a Custom Alert

To add a custom alert:

Step 1 – Navigate to Configuration > Alerts.

Step 2 – Click an alert profile. The alerts for the profile are displayed in a list.

Step 3 – Click Add. The New Alert pane is displayed.

New Alert Pane

Step 4 – Select a custom report from the Report dropdown menu to trigger the alert when a new record is generated for the report. See the Custom Reports topic for additional information.

Step 5 – Specify a name and description for the alert.

Step 6 – Toggle the Is Active switch to ON to activate the alert. Notifications are sent for active alerts only.

Step 7 – Toggle the Is Grouped switch to ON, which displays the Grouped On dropdown menu. When grouping is enabled, alerts are organized based on the criteria you select in the Grouped On dropdown menu.

Step 8 – Select one of the following options from the Grouped On dropdown menu:

  • Who – Groups alerts by the user who performed the activity (deleted an account, created a record, etc.)
  • Where – Groups alerts by the location where the activity is performed. For example, SharePoint Online site, file server, etc.
  • What – Groups alerts by the object the activity is performed on, such as a computer, file, etc.

Example: You have two users, User 1 and User 2, each performing different actions. By setting "Grouped On" to "Who", alerts are generated per user, resulting in two separate alerts — one for User 1 and another for User 2. Each alert includes only the activity associated with that specific user. If grouping isn't enabled, all activities are consolidated into a single alert based on the specified threshold and threshold period.

Step 9 – In the Threshold field, specify a threshold for the alert. The threshold is the minimum number of activity records that must occur within a specified time frame (threshold period) to trigger an alert. For example, if the threshold is set to 3, an alert is triggered when at least 3 activity records are generated within the specified time frame.

Step 10 – In the Threshold Period field, specify a threshold period for the alert. The threshold period is the maximum duration, starting from the first activity record, within which the specified number of activity records (threshold) must occur to trigger an alert. For example, if the threshold is set to 5 and the threshold period is 10 minutes, at least 5 activity records must be generated within 10 minutes to trigger an alert.

Step 11 – To avoid receiving a notification each time an alert is generated, specify a batching period in the Batching Period field. With the batching period feature, you receive a single notification that includes all alerts triggered during the specified period. For example, if the batching period is set to 30 minutes (00:30:00) for an alert such as "Computer removed," you receive a single notification for all alerts generated during that time frame rather than individual notifications for each alert.

Step 12 – Click Save.

The alert is configured and added to the list.

Modify an Alert

To modify a preconfigured or custom alert:

Step 1 – Navigate to Configuration > Alerts.

Step 2 – Click an alert profile. The alerts for the profile are displayed in a list.

Step 3 – Click the Edit icon for an alert. The Edit alert pane is displayed.

Step 4 – Modify the required information. See the Add a Custom Alert topic, starting from Step 4 for additional information.

Step 5 – Click Save.

Delete a Custom Alert

To delete a custom alert:

Step 1 – Navigate to Configuration > Alerts.

Step 2 – Click an alert profile. The alerts for the profile are displayed in a list.

Step 3 – Click the Delete icon for an alert to delete it. A dialog box is displayed, prompting you to confirm the deletion of the alert.

Step 4 – Click Yes. The alert is deleted from the system.