Alerts
Learn how you can use alarms to take security and automation to a new level.
Last updated
Was this helpful?
Learn how you can use alarms to take security and automation to a new level.
Last updated
Was this helpful?
Alerts are a key component of the Enginsight platform. They allow you to be alerted when a specific event or problem occurs in your IT infrastructure. This can be a website failure, newly installed software, certain behavior of captured metrics and much more.
You can also use Alarm to react autonomously to a system event. Via you can run a script on one of your hosts or use alarms triggered by outside the Enginsight platform, e.g. for a ticket system.
In the overview, you can check all the alarms you have added and search them using the search bar. You can also sort the alarms according to when they were last modified or created.
You can also see from the alerts overview...
which and how many assets are being monitored.
whether there is an for an alert.
who should be notified when the alert is triggered.
From the overview you can also disable and delete alerts.
At Issues you can display all triggered alerts.
You can create a new alert under 'Alerts' → 'Create Alert'. First define an 'Kind of Alert'. Here you define whether the alert should be triggered by a event of a host, endpoint, observation or watchdog.
Events
An account was reenabled (only Windows)
Alerts when a user account has been reactivated. (event 4722)
An admin account was reenabled (only Windows)
An admin account was reactivated. (event 4722, 4732, 4728)
A user has gotten more privileges (only Windows)
A user has elevated privileges. (event 4732, 4728)
Failed login attempt
As soon as a user has not logged in successfully. (event 4625) - limit value can be set independently
Loggon attemptof an non existent user
As soon as an attempt is made to log in with a user name or user ID that does not exist in the system, the alert is triggered.
New admin account created (only Windows)
A new user has been created. (Event 4720)
New user account created (only Windows)
A new admin has been created. (event 4720, 4732, 4728)
Successful login attempt
Triggers as soon as a user has successfully logged on to a system. (event 4624)
Hard Disk
Disc will be removed
Alerts as soon as a hard disk is removed.
Hard disk (available %)
Alerts as soon as only n% storage space is available (monitoring of all hard disks).
Hard disk (available %): /
Alerts as soon as only n% storage space is available, whereby X is automatically recognized by the system.
Hard disk (available %): /boot/efi
Alerts as soon as only n% disk space is available on the EFI system partition.
Hard disk (used %)
Alerts as soon as n% storage space is used (monitoring of all hard disks).
Hard disk (used %): /
Alerts as soon as n% storage space is used, whereby X is automatically recognized by the system.
Hard disk (used %): /boot/efi
Alerts as soon as n% disk space is used on the EFI system partition.
New disk will be detected
Alerts as soon as a new hard disk is detected.
Machine Learning
Unusal behavior
Alert is triggered if the value of the metric to be monitored is outside the calculated normal state.
Metrics
CPU io wait
Alerts if the proportion of the load that the CPU spends waiting for input and output operations exceeds the set threshold value
CPU steal
Alerts if the proportion of the load that a virtual CPU spends waiting for the host CPU exceeds the set threshold value.
CPU total
Alerts if the CPU load exceeds the set threshold value
CPU user
Alerts when the user's CPU load reaches a certain threshold value.
Host temperature (All sensors)
As soon as a certain temperature is exceeded, the alert triggers.
Networktraffic per second (inbound)
If the incoming network traffic exceeds the set limit value, the alert is triggered.
Networktraffic per second (outbound)
If the outgoing network traffic exceeds the set limit value, the alert is triggered.
RAM (available %)
Alerts as soon as only n% RAM is available.
RAM (available MB)
Alerts as soon as n MB RAM is available.
RAM (used %)
Alerts as soon as only n% RAM is used.
SWAP (available %)
Alerts as soon as only n% SWAP is available.
SWAP (available MB)
Alerts as soon as n MB SWAP is availble.
SWAP (used %)
Alerts as soon as only n% SWAP is used.
Network analysis
Blocked network attack (Shield)
Alerts you as soon as the IPS has blocked an incoming attack. This enables you to recognize in real time whether an attack is currently taking place and to take countermeasures if necessary.
Suspicious network traffic
Alerts you as soon as the IDS detects a network attack. Define the criticality (HIGH, MEDIUM, LOW) at which the alert is triggered.
Plugins
Failed plugin
Alerts as soon as a plug-in does not work properly or does not interact correctly with the host application.
Scenario
File Integrity Monitoring
Alerts as soon as changes to folders or files monitored by FIM are detected.
Group policy change
Alerts you when a change is made to the group policies of a system.
Host reboot
Alerts as soon as the host is restarted.
Host reboot is required
Alerts as soon as a restart of the host is necessary, e.g. in the event of an update.
Host unavailable
Alerts as soon as a host is unavailable for a defined period of time.
New autostart
Alerts as soon as an autostart is performed on the host.
New infection
Alerts as soon as a system or network is infected by malware or a virus.
New open Port
Alerts as soon as an open port is detected on the host.
New security updates available
Alerts you as soon as new security updates are available for the host.
New updates available
Alerts you as soon as new updates are available for the host.
New vulnerabilities
Alerts as soon as a new vulnerability is detected on the host.
New vulnerabilities (CVSS Score)
Alerts as soon as the CVSS score of a vulnerability on the host corresponds to the defined value.
Object access outside business hours
After defining the usual business hours, an alert is triggered if an object is accessed outside these times.
Port unavailable (TCP)
Alerts as soon as access to a specific port for TCP communication is not possible.
Unauthorized object access
Alerts as soon as an object or resource is accessed without the required authorization.
Services and Processes
Process is executed
Alerts as soon as a selected process is started.
Process is not executed
Alerts as soon as a selected process has been stopped.
Service is executed
Alerts as soon as a selected service is started.
Service is not executed
Alerts as soon as a selected service has been stopped.
System relevant service is not executed
Alerts as soon as a selected system-relevant service has been started. This must be marked as such beforehand.
Software
Installed/Uninstalled Software
Alerts as soon as any software is installed or removed from the host.
Software is installed
Alerts as soon as a certain software is installed on the host.
Software is not installed
Alerts as soon as a certain software is not installed on the host.
By clicking on a Quick Alert button, you can immediately switch the corresponding alerts.
First define a 'Reference', i.e. which host, endpoint, observation or watchdog an alert should be set to. You can either switch alerts to a specific asset (Exclusive) or via tags ("All with the tags") to multiple assets at once.
Under 'Requirement' you define the scenario that should trigger the alert, e.g. an increased CPU usage.
Now define a 'Description' of your alert. You can either give it a title or enter complete step-by-step instructions on how to react to the alert. If your description is longer, you can also enter an alias so that you can still see a handy title in the alert overview.
The team members added to Enginsight can be grouped together. This makes the management of alerts much more effective as they can be assigned to a group of people with a single click. For example, groups for specific departments can help you ensure that the right team members are getting notified.
You can create new groups and edit existing groups under 'Settings' → 'Groups'.
Microsoft Teams is an instant messaging service for communication within work groups. With Enginsight it is possible to connect a desired team channel to the alert system with just a few clicks.
To connect a Team Channel to Enginsight, first switch to Teams (either as an app or in the browser). Then use the left navigation menu to go to Teams. Here you can now select the channel where you want to be notified by alerts. If you want to create a new channel for this purpose, use the button on the bottom left.
Now switch to the desired channel. In this example, we will use the 'General' Channel of the 'Enginsight Development Team'. Then click on the 3 dots next to the channel and select 'Manage Teams'.
Then go to 'Apps' and then click 'More Apps' to prepare this channel for incoming Webhooks.
Then search for Webhook and click on the suggested App 'Incoming Webhooks'.
This will open a window in which you can see the team to which you are adding this app. If this is not the desired team, switch to the team you want to be notified and search for 'Webhook' among the different apps. Then click on Install.
Now you can select the channel of the team where you want to be alerted. Then click on 'Set up'.
Now you can assign a name that will be displayed as the sender of incoming alerts. You can then, if you want, upload a logo which will be displayed as sender image. Then click 'Create' to get a link that you need to place in the Enginsight platform.
Copy the link and then click Done. You have already set up everything you need in teams and can switch to the Enginsight platform.
Just copy the link and paste it into your Enginsightaccount, under the section Additional Notification via Microsoft Teams, for all desired alerts.
You will then receive the following messages for triggered and corrected alarms:
Slack is an instant messaging service for communication within working groups. With Enginsight it is possible to set up an alert that will alert you via Slack in addition to mail.
Go to the desired alarm, which shall cause a slack notification when triggered. Under the item 'Other Options' you will find the option 'Additional notification via Slack'. Select the checkbox to open the tab and then click on 'Connect to Slack'.
Then log in to any of your workspaces in the popup window. You should then be able to select a channel in which the notifications should be sent. Then click on 'Authorize' and the linking is complete.
If the automatic linking fails and no slack channel has been set, you can also add slack manually. The instructions for this can be found right below this paragraph.
If you already use Mattermost, you can connect your Enginsight to any channel with a few clicks.
First switch to Mattermost. Call up the 'Main Menu' in any channel by clicking on your name or the menu icon in the upper left corner. Then select 'Integrations' to release incoming webhooks.
A new window will be opened. Click here on 'Incoming Webhooks'.
Now you have an overview of all allowed webhooks. You can delete or edit them at any time. To create a new Webhook click on 'Add Incoming Webhook' in the upper right corner.
Now you can name the Webhook, give it a short description and select the channel where the alarms should be posted.
That was it already. Just copy the link and add it to all desired alerts in your Enginsightaccount under the section 'Additional Notifications via Mattermost' within each alert.
Webhooks offer you the possibility to use triggered alerts outside the Enginsight platform. For example, do you have an internal messenger in your company? Use Webhooks to use information about alerts directly in other applications.
Under the navigation item 'Alerts' you will find the subitem 'Webhooks' on the left side. If you have not yet created a Webhook, you can click on the 'Create Webhook' tile in the middle of the screen. If not, you will find the same button in the upper right corner.
In addition to a meaningful name and a description, you can now specify the target, the method and the type of content. You also have the option of transmitting user-defined HTTP headers to your webhook, which enables flexible customization and control of HTTP requests.
Then click 'Add Webhook' to create the Webhook.
Here you can find information about the format of a webhook:
This example shows a POST Method Webhook that was triggered by an alert that controls the response time of an endpoint. Under 'Alert' you get the internal ID and the name of the corresponding alert. Under 'Scenario' you find the payload with all relevant functions such as threshold, measured value and information about the type of alert (scenario, property, ...). Under 'Reference' you find the information about the reference of the alarm. The field 'Resolved' indicates whether the alert is currently triggered or has been resolved. The attribute 'belongsTo' defines the type of reference (host, endpoint, observation).
By using plugins you can set autonomous reactions to your host in response to a triggered alarm.
As further settings you can assign an alert category to the alert, namely either "Information", "Warning" or "Critical condition". This determines how often the new alert is triggered and thus also how often an e-mail is sent.
Critical condition: 1 time per day
Warning: 1 time per week
Information: 1 time per month
The alert option 'Inform Responsible Persons' allows you to automatically notify the responsible persons defined for the asset about triggered alerts, even if they have not been manually defined as recipients.
You can also activate an 'Additional Notification' when the alert has been resolved, i.e. the alert scenario no longer exists.
Finally, you can also 'deactivate' the alert directly. This allows you to prepare alerts without directly activating them.
Further information on issues can be found .
Next, you configure the alarm by making '', specifying the type of '', setting '' and ''.
You will also find Quick Alert buttons distributed throughout the platform. For example, on , or .
Under 'Notifications' you can define who should be informed by e-mail or additional notification channels ( or SMS). The alerts always appear in the , visible to all team members.
You can either select individual users or add the alert to a .
Besides the possibility to be notified by email or SMS, we are working on integrating different messenger services. So far, these include Slack, Mattermost and Microsoft Teams. To be informed in this way, you only need a simple link between your Enginsightaccount and the messenger service. Here you can find the instructions for the messenger integration of , and .
about incoming webhooks.
You have automation possibilities via alerts either with or with .
As a special use case, a Microsoft Team Integration can be used. You can find the instructions .
You can read more about plugins .
you can learn more about how to assign responsibilities for the entire organization.
