Alerts
Learn how you can use alarms to take security and automation to a new level.
Last updated
Learn how you can use alarms to take security and automation to a new level.
Last updated
Alerts are a key component of the Enginsight platform. They allow you to be alerted when a specific event or problem occurs in your IT infrastructure. This can be a website failure, newly installed software, certain behavior of captured metrics and much more.
You can also use Alarm to react autonomously to a system event. Via Plugins you can run a script on one of your hosts or use alarms triggered by Webhooks outside the Enginsight platform, e.g. for a ticket system.
In the overview, you can check all the alarms you have added and search them using the search bar. You can also sort the alarms according to when they were last modified or created.
You can also see from the alerts overview...
which and how many assets are being monitored.
whether there is an issue for an alert.
who should be notified when the alert is triggered.
From the overview you can also disable and delete alerts.
At Issues you can display all triggered alerts.
Further information on issues can be found here.
You can create a new alert under 'Alerts' → 'Create Alert'. First define an 'Kind of Alert'. Here you define whether the alert should be triggered by a event of a host, endpoint, observation or watchdog.
Next, you configure the alarm by making 'General Settings', specifying the type of 'Notification', setting 'Automation' and 'Additional Options'.
Events
Alert | Description |
---|---|
An account was reenabled (only Windows) | Alerts when a user account has been reactivated. (event 4722) |
An admin account was reenabled (only Windows) | An admin account was reactivated. (event 4722, 4732, 4728) |
A user has gotten more privileges (only Windows) | A user has elevated privileges. (event 4732, 4728) |
Failed login attempt | As soon as a user has not logged in successfully. (event 4625) - limit value can be set independently |
Loggon attemptof an non existent user | As soon as an attempt is made to log in with a user name or user ID that does not exist in the system, the alert is triggered. |
New admin account created (only Windows) | A new user has been created. (Event 4720) |
New user account created (only Windows) | A new admin has been created. (event 4720, 4732, 4728) |
Successful login attempt | Triggers as soon as a user has successfully logged on to a system. (event 4624) |
Hard Disk
Alert | Description |
---|---|
Disc will be removed | Alerts as soon as a hard disk is removed. |
Hard disk (available %) | Alerts as soon as only n% storage space is available (monitoring of all hard disks). |
Hard disk (available %): / | Alerts as soon as only n% storage space is available, whereby X is automatically recognized by the system. |
Hard disk (available %): /boot/efi | Alerts as soon as only n% disk space is available on the EFI system partition. |
Hard disk (used %) | Alerts as soon as n% storage space is used (monitoring of all hard disks). |
Hard disk (used %): / | Alerts as soon as n% storage space is used, whereby X is automatically recognized by the system. |
Hard disk (used %): /boot/efi | Alerts as soon as n% disk space is used on the EFI system partition. |
New disk will be detected | Alerts as soon as a new hard disk is detected. |
Machine Learning
Alert | Description |
---|---|
Unusal behavior | Alert is triggered if the value of the metric to be monitored is outside the calculated normal state. |
Metrics
Alert | Description |
---|---|
CPU io wait | Alerts if the proportion of the load that the CPU spends waiting for input and output operations exceeds the set threshold value |
CPU steal | Alerts if the proportion of the load that a virtual CPU spends waiting for the host CPU exceeds the set threshold value. |
CPU total | Alerts if the CPU load exceeds the set threshold value |
CPU user | Alerts when the user's CPU load reaches a certain threshold value. |
Host temperature (All sensors) | As soon as a certain temperature is exceeded, the alert triggers. |
Networktraffic per second (inbound) | If the incoming network traffic exceeds the set limit value, the alert is triggered. |
Networktraffic per second (outbound) | If the outgoing network traffic exceeds the set limit value, the alert is triggered. |
RAM (available %) | Alerts as soon as only n% RAM is available. |
RAM (available MB) | Alerts as soon as n MB RAM is available. |
RAM (used %) | Alerts as soon as only n% RAM is used. |
SWAP (available %) | Alerts as soon as only n% SWAP is available. |
SWAP (available MB) | Alerts as soon as n MB SWAP is availble. |
SWAP (used %) | Alerts as soon as only n% SWAP is used. |
Network analysis
Alert | Description |
---|---|
Blocked network attack (Shield) | Alerts you as soon as the IPS has blocked an incoming attack. This enables you to recognize in real time whether an attack is currently taking place and to take countermeasures if necessary. |
Suspicious network traffic | Alerts you as soon as the IDS detects a network attack. Define the criticality (HIGH, MEDIUM, LOW) at which the alert is triggered. |
Plugins
Alert | Description |
---|---|
Failed plugin | Alerts as soon as a plug-in does not work properly or does not interact correctly with the host application. |
Scenario
Alert | Description |
---|---|
File Integrity Monitoring | Alerts as soon as changes to folders or files monitored by FIM are detected. |
Group policy change | Alerts you when a change is made to the group policies of a system. |
Host reboot | Alerts as soon as the host is restarted. |
Host reboot is required | Alerts as soon as a restart of the host is necessary, e.g. in the event of an update. |
Host unavailable | Alerts as soon as a host is unavailable for a defined period of time. |
New autostart | Alerts as soon as an autostart is performed on the host. |
New infection | Alerts as soon as a system or network is infected by malware or a virus. |
New open Port | Alerts as soon as an open port is detected on the host. |
New security updates available | Alerts you as soon as new security updates are available for the host. |
New updates available | Alerts you as soon as new updates are available for the host. |
New vulnerabilities | Alerts as soon as a new vulnerability is detected on the host. |
New vulnerabilities (CVSS Score) | Alerts as soon as the CVSS score of a vulnerability on the host corresponds to the defined value. |
Object access outside business hours | After defining the usual business hours, an alert is triggered if an object is accessed outside these times. |
Port unavailable (TCP) | Alerts as soon as access to a specific port for TCP communication is not possible. |
Unauthorized object access | Alerts as soon as an object or resource is accessed without the required authorization. |
Services and Processes
Alert | Description |
---|---|
Process is executed | Alerts as soon as a selected process is started. |
Process is not executed | Alerts as soon as a selected process has been stopped. |
Service is executed | Alerts as soon as a selected service is started. |
Service is not executed | Alerts as soon as a selected service has been stopped. |
System relevant service is not executed | Alerts as soon as a selected system-relevant service has been started. This must be marked as such beforehand. |
Software
Alert | Description |
---|---|
Installed/Uninstalled Software | Alerts as soon as any software is installed or removed from the host. |
Software is installed | Alerts as soon as a certain software is installed on the host. |
Software is not installed | Alerts as soon as a certain software is not installed on the host. |
You will also find Quick Alert buttons distributed throughout the platform. For example, on metrics, processes or certificates.
By clicking on a Quick Alert button, you can immediately switch the corresponding alerts.
First define a 'Reference', i.e. which host, endpoint, observation or watchdog an alert should be set to. You can either switch alerts to a specific asset (Exclusive) or via tags ("All with the tags") to multiple assets at once.
Under 'Requirement' you define the scenario that should trigger the alert, e.g. an increased CPU usage.
Now define a 'Description' of your alert. You can either give it a title or enter complete step-by-step instructions on how to react to the alert. If your description is longer, you can also enter an alias so that you can still see a handy title in the alert overview.
Under 'Notifications' you can define who should be informed by e-mail or additional notification channels (Messenger integration or SMS). The alerts always appear in the issues overview, visible to all team members.
How often a notification is sent depends on the selected alert category.
You can either select individual users or add the alert to a group.
The team members added to Enginsight can be grouped together. This makes the management of alerts much more effective as they can be assigned to a group of people with a single click. For example, groups for specific departments can help you ensure that the right team members are getting notified.
You can create new groups and edit existing groups under 'Settings' → 'Groups'.
Besides the possibility to be notified by email or SMS, we are working on integrating different messenger services. So far, these include Slack, Mattermost and Microsoft Teams. To be informed in this way, you only need a simple link between your Enginsightaccount and the messenger service. Here you can find the instructions for the messenger integration of Slack, Mattermost and Microsoft Teams.
Microsoft Teams is an instant messaging service for communication within work groups. With Enginsight it is possible to connect a desired team channel to the alert system with just a few clicks.
To connect a Team Channel to Enginsight, first switch to Teams (either as an app or in the browser). Then use the left navigation menu to go to Teams. Here you can now select the channel where you want to be notified by alerts. If you want to create a new channel for this purpose, use the button on the bottom left.
Now switch to the desired channel. In this example, we will use the 'General' Channel of the 'Enginsight Development Team'. Then click on the 3 dots next to the channel and select 'Manage Teams'.
Then go to 'Apps' and then click 'More Apps' to prepare this channel for incoming Webhooks.
Then search for Webhook and click on the suggested App 'Incoming Webhooks'.
This will open a window in which you can see the team to which you are adding this app. If this is not the desired team, switch to the team you want to be notified and search for 'Webhook' among the different apps. Then click on Install.
Now you can select the channel of the team where you want to be alerted. Then click on 'Set up'.
Now you can assign a name that will be displayed as the sender of incoming alerts. You can then, if you want, upload a logo which will be displayed as sender image. Then click 'Create' to get a link that you need to place in the Enginsight platform.
Copy the link and then click Done. You have already set up everything you need in teams and can switch to the Enginsight platform.
Just copy the link and paste it into your Enginsightaccount, under the section Additional Notification via Microsoft Teams, for all desired alerts.
You will then receive the following messages for triggered and corrected alarms:
Slack is an instant messaging service for communication within working groups. With Enginsight it is possible to set up an alert that will alert you via Slack in addition to mail.
Go to the desired alarm, which shall cause a slack notification when triggered. Under the item 'Other Options' you will find the option 'Additional notification via Slack'. Select the checkbox to open the tab and then click on 'Connect to Slack'.
Then log in to any of your workspaces in the popup window. You should then be able to select a channel in which the notifications should be sent. Then click on 'Authorize' and the linking is complete.
If the automatic linking fails and no slack channel has been set, you can also add slack manually. The instructions for this can be found right below this paragraph.
If you already use Mattermost, you can connect your Enginsight to any channel with a few clicks.
First switch to Mattermost. Call up the 'Main Menu' in any channel by clicking on your name or the menu icon in the upper left corner. Then select 'Integrations' to release incoming webhooks.
Mattermost documentation about incoming webhooks.
A new window will be opened. Click here on 'Incoming Webhooks'.
Now you have an overview of all allowed webhooks. You can delete or edit them at any time. To create a new Webhook click on 'Add Incoming Webhook' in the upper right corner.
Now you can name the Webhook, give it a short description and select the channel where the alarms should be posted.
That was it already. Just copy the link and add it to all desired alerts in your Enginsightaccount under the section 'Additional Notifications via Mattermost' within each alert.
You have automation possibilities via alerts either with webhooks or with plugins.
Webhooks offer you the possibility to use triggered alerts outside the Enginsight platform. For example, do you have an internal messenger in your company? Use Webhooks to use information about alerts directly in other applications.
As a special use case, a Microsoft Team Integration can be used. You can find the instructions here.
Under the navigation item 'Alerts' you will find the subitem 'Webhooks' on the left side. If you have not yet created a Webhook, you can click on the 'Create Webhook' tile in the middle of the screen. If not, you will find the same button in the upper right corner.
In addition to a meaningful name and a description, you can now specify the target, the method and the type of content. You also have the option of transmitting user-defined HTTP headers to your webhook, which enables flexible customization and control of HTTP requests.
Then click 'Add Webhook' to create the Webhook.
You can select webhooks when creating/editing alerts.
Here you can find information about the format of a webhook:
This example shows a POST Method Webhook that was triggered by an alert that controls the response time of an endpoint. Under 'Alert' you get the internal ID and the name of the corresponding alert. Under 'Scenario' you find the payload with all relevant functions such as threshold, measured value and information about the type of alert (scenario, property, ...). Under 'Reference' you find the information about the reference of the alarm. The field 'Resolved' indicates whether the alert is currently triggered or has been resolved. The attribute 'belongsTo' defines the type of reference (host, endpoint, observation).
By using plugins you can set autonomous reactions to your host in response to a triggered alarm.
You can read more about plugins here.
As further settings you can assign an alert category to the alert, namely either "Information", "Warning" or "Critical condition". This determines how often the new alert is triggered and thus also how often an e-mail is sent.
Critical condition: 1 time per day
Warning: 1 time per week
Information: 1 time per month
The alert option 'Inform Responsible Persons' allows you to automatically notify the responsible persons defined for the asset about triggered alerts, even if they have not been manually defined as recipients.
If the "Inform responsible persons" option is enabled, the following team members will receive a notification, provided that the responsibilities are assigned.
Technical responsible (of the individual asset)
Security responsible (of the organization)
Alarms on host: Hosts responsible (of the organization)
Alarms on Endpoints: Endpoints responsible (of the organization)
Here you can learn more about how to assign responsibilities for the entire organization.
You can also activate an 'Additional Notification' when the alert has been resolved, i.e. the alert scenario no longer exists.
Finally, you can also 'deactivate' the alert directly. This allows you to prepare alerts without directly activating them.