Alerts

Learn how you can use alerts to take security and automation to a new level.

Last updated 1 year ago

What is an Alert?

Alerts are a key component of the Enginsight platform. They allow you to be alerted when a specific event or problem occurs in your IT infrastructure. This can be a website failure, newly installed software, certain behavior of captured metrics and much more.

You can also use alerts to react autonomously to a system event. Via plugins you can run a script on one of your hosts, and via webhooks you can use triggered alerts outside the Enginsight platform, e.g. in a ticket system.

Alert Overview

In the overview you can see all the alerts you have created and search them using the search bar. You can also sort the alerts by when they were last modified or created.

You can also see from the alerts overview...

  • which and how many assets are being monitored.

  • whether there is an issue for an alert.

  • who should be notified when the alert is triggered.

From the overview you can also disable and delete alerts.

Issues-Overview

Under Issues you can display all triggered alerts. Further information on issues can be found in the Issues section of this documentation.

Create an Alert

You can create a new alert under 'Alerts' → 'Create Alert'. First define the 'Kind of Alert', i.e. whether the alert should be triggered by an event of a host, endpoint, observation or watchdog. Next, you configure the alert under 'General Settings', 'Notifications', 'Automation' and 'Additional Options', which are described below.

Listing of all alerts

Host alerts

Events

Alert
Description

An account was reenabled (only Windows)

Alerts when a disabled user account has been enabled again. (event 4722)

An admin account was reenabled (only Windows)

Alerts when a disabled admin account has been enabled again. (events 4722, 4732, 4728)

A user has gotten more privileges (only Windows)

Alerts when a user has been added to a privileged group. (events 4732, 4728)

Failed login attempt

Alerts as soon as a user login fails. (event 4625) The limit value can be set independently.

Logon attempt of a non-existent user

Alerts as soon as an attempt is made to log in with a user name or user ID that does not exist on the system.

New admin account created (only Windows)

Alerts when a new user account has been created and added to an admin group. (events 4720, 4732, 4728)

New user account created (only Windows)

Alerts when a new user account has been created. (event 4720)

Successful login attempt

Triggers as soon as a user has successfully logged on to a system. (event 4624)

Hard Disk

Alert
Description

Disk removed

Alerts as soon as a hard disk is removed.

Hard disk (available %)

Alerts as soon as only n% storage space is available (monitoring of all hard disks).

Hard disk (available %): /

Alerts as soon as only n% storage space is available on a specific partition, here the root partition /. The partitions (mount points) offered here are recognized automatically by the system.

Hard disk (available %): /boot/efi

Alerts as soon as only n% disk space is available on the EFI system partition.

Hard disk (used %)

Alerts as soon as n% storage space is used (monitoring of all hard disks).

Hard disk (used %): /

Alerts as soon as n% storage space is used on a specific partition, here the root partition /. The partitions (mount points) offered here are recognized automatically by the system.

Hard disk (used %): /boot/efi

Alerts as soon as n% disk space is used on the EFI system partition.

New disk detected

Alerts as soon as a new hard disk is detected.

Machine Learning

Alert
Description

Unusual behavior

Alert is triggered if the value of the metric to be monitored is outside the calculated normal state.

Metrics

Alert
Description

CPU io wait

Alerts if the proportion of the load that the CPU spends waiting for input and output operations exceeds the set threshold value.

CPU steal

Alerts if the proportion of the load that a virtual CPU spends waiting for the host CPU exceeds the set threshold value.

CPU total

Alerts if the total CPU load exceeds the set threshold value.

CPU user

Alerts if the proportion of CPU time spent in user mode (processes, not the kernel) exceeds the set threshold value.

Host temperature (All sensors)

As soon as a certain temperature is exceeded, the alert triggers.

Networktraffic per second (inbound)

If the incoming network traffic exceeds the set limit value, the alert is triggered.

Networktraffic per second (outbound)

If the outgoing network traffic exceeds the set limit value, the alert is triggered.

RAM (available %)

Alerts as soon as only n% RAM is available.

RAM (available MB)

Alerts as soon as only n MB RAM is available.

RAM (used %)

Alerts as soon as n% RAM is used.

SWAP (available %)

Alerts as soon as only n% SWAP is available.

SWAP (available MB)

Alerts as soon as only n MB SWAP is available.

SWAP (used %)

Alerts as soon as n% SWAP is used.

Network analysis

Alert
Description

Blocked network attack (Shield)

Alerts you as soon as the IPS has blocked an incoming attack. This enables you to recognize in real time whether an attack is currently taking place and to take countermeasures if necessary.

Suspicious network traffic

Alerts you as soon as the IDS detects a network attack. Define the criticality (HIGH, MEDIUM, LOW) at which the alert is triggered.

Plugins

Alert
Description

Failed plugin

Alerts as soon as a plug-in does not work properly or does not interact correctly with the host application.

Scenario

Alert
Description

File Integrity Monitoring

Alerts as soon as changes to folders or files monitored by FIM are detected.

Group policy change

Alerts you when a change is made to the group policies of a system.

Host reboot

Alerts as soon as the host is restarted.

Host reboot is required

Alerts as soon as a restart of the host is necessary, e.g. in the event of an update.

Host unavailable

Alerts as soon as a host is unavailable for a defined period of time.

New autostart

Alerts as soon as an autostart is performed on the host.

New infection

Alerts as soon as a system or network is infected by malware or a virus.

New open port

Alerts as soon as an open port is detected on the host.

New security updates available

Alerts you as soon as new security updates are available for the host.

New updates available

Alerts you as soon as new updates are available for the host.

New vulnerabilities

Alerts as soon as a new vulnerability is detected on the host.

New vulnerabilities (CVSS Score)

Alerts as soon as the CVSS score of a vulnerability on the host corresponds to the defined value.

Object access outside business hours

After defining the usual business hours, an alert is triggered if an object is accessed outside these times.

Port unavailable (TCP)

Alerts as soon as access to a specific port for TCP communication is not possible.

Unauthorized object access

Alerts as soon as an object or resource is accessed without the required authorization.

Services and Processes

Alert
Description

Process is executed

Alerts as soon as a selected process is started.

Process is not executed

Alerts as soon as a selected process has been stopped.

Service is executed

Alerts as soon as a selected service is started.

Service is not executed

Alerts as soon as a selected service has been stopped.

System-relevant service is not executed

Alerts as soon as a service marked as system-relevant has been stopped. The service must be marked as system-relevant beforehand.

Software

Alert
Description

Installed/Uninstalled Software

Alerts as soon as any software is installed or removed from the host.

Software is installed

Alerts as soon as a certain software is installed on the host.

Software is not installed

Alerts as soon as a certain software is not installed on the host.

Endpoint alerts

Certificate

Alert
Description

Days until certificate expires

Alerts as soon as the number of days until the certificate expires falls below the defined limit value.

DNS

Alert
Description

Invalid CAA DNS-record

Alerts as soon as a faulty or non-compliant CAA DNS record is detected.

Invalid SPF DNS-record

Alerts as soon as an SPF DNS record does not meet the intended standards.

Events

Alert
Description

Connection refused

Alerts as soon as the endpoint refuses the connection, i.e. the request from outside is blocked.

Data protection

Alerts you if a data protection breach occurs, e.g. unauthorized access to personal data.

DNS record changed

Alerts as soon as the entries in the Domain Name System (DNS) have been changed.

Endpoint rating got worse

Alerts as soon as the specific endpoint drops in its endpoint rating, e.g. due to potential new vulnerabilities.

New open port

Alerts as soon as the endpoint opens a new port.

New vulnerability

Alerts as soon as a new vulnerability is identified at the endpoint.

Unexpected redirect

Alerts as soon as a redirect leads to an unexpected destination.

Website not available

Alerts as soon as the specific endpoint cannot be loaded or accessed.

Metrics

Alert
Description

Response Time

Alerts as soon as the response time of the end point exceeds the defined limit value.

Observation alerts

Reference (SNMP)

Alert
Description

Observation (SNMP) unavailable

Alerts as soon as the results cannot be retrieved or obtained via SNMP.

Unexpected SNMP Status

Alerts as soon as the status or the response expected from a device via SNMP does not correspond to the specified or expected parameters.

Reference (Ping)

Alert
Description

Ping (Host unavailable)

Alerts if a host cannot be reached via ping.

Ping (Round Trip Time)

Alerts when the round trip time for a ping request exceeds a threshold defined in the alert.

Watchdog alerts

Alert
Description

New device detected

Alerts as soon as a previously unknown device appears in the network.

SIEM alerts

Alert
Description

New SIEM incident

Alerts as soon as a new incident is created in the SIEM.

Quick Alerts

By clicking on a Quick Alert button, you can immediately activate the corresponding alert. You will also find Quick Alert buttons distributed throughout the platform, for example on certificates, metrics or processes.

General Settings

First define a 'Reference', i.e. the host, endpoint, observation or watchdog the alert should apply to. You can either apply an alert to a specific asset ('Exclusive') or via tags ('All with the tags') to multiple assets at once.

Under 'Requirement' you define the scenario that should trigger the alert, e.g. an increased CPU usage.

Now define a 'Description' of your alert. You can either give it a title or enter complete step-by-step instructions on how to react to the alert. If your description is longer, you can also enter an alias so that you can still see a handy title in the alert overview.

Notifications

Under 'Notifications' you define who should be informed by e-mail or via additional notification channels (messenger integration or SMS). You can either select individual users or add the alert to a group. Independently of the notification channel, triggered alerts always appear in the issues overview, visible to all team members. How often a notification is sent depends on the selected alert category (see Additional Options).

Groups

The team members added to Enginsight can be grouped together. This makes the management of alerts much more effective as they can be assigned to a group of people with a single click. For example, groups for specific departments can help you ensure that the right team members are getting notified.

You can create new groups and edit existing groups under 'Settings' → 'Groups'.

Messenger integrations

Besides e-mail and SMS, Enginsight integrates the messenger services Slack, Mattermost and Microsoft Teams. To be informed in this way, you only need a simple link between your Enginsight account and the messenger service. The instructions for each messenger follow below.

Teams Notification

Microsoft Teams is an instant messaging service for communication within work groups. With Enginsight you can connect a desired team channel to the alert system with just a few clicks.

Linking of Teams and Enginsight

To connect a Team Channel to Enginsight, first switch to Teams (either as an app or in the browser). Then use the left navigation menu to go to Teams. Here you can now select the channel where you want to be notified by alerts. If you want to create a new channel for this purpose, use the button on the bottom left.

Now switch to the desired channel. In this example, we will use the 'General' Channel of the 'Enginsight Development Team'. Then click on the 3 dots next to the channel and select 'Manage Teams'.

Then go to 'Apps' and then click 'More Apps' to prepare this channel for incoming Webhooks.

Then search for Webhook and click on the suggested App 'Incoming Webhooks'.

This will open a window in which you can see the team to which you are adding this app. If this is not the desired team, switch to the team you want to be notified and search for 'Webhook' among the different apps. Then click on Install.

Now you can select the channel of the team where you want to be alerted. Then click on 'Set up'.

Now you can assign a name that will be displayed as the sender of incoming alerts. You can then, if you want, upload a logo which will be displayed as sender image. Then click 'Create' to get a link that you need to place in the Enginsight platform.

Copy the link and then click 'Done'. You have now set up everything you need in Teams and can switch to the Enginsight platform.

Paste the link into your Enginsight account under the section 'Additional Notification via Microsoft Teams' for all desired alerts. Treat the webhook URL like a password: anyone who knows it can post messages to the channel.

You will then receive messages in the channel for triggered and resolved alerts.

Slack Notifications

Slack is an instant messaging service for communication within working groups. With Enginsight it is possible to set up an alert that will alert you via Slack in addition to mail.

Linking of Slack and Enginsight (automatic)

Go to the desired alert that should send a Slack notification when triggered. Under 'Other Options' you will find the option 'Additional notification via Slack'. Select the checkbox to open the tab and then click 'Connect to Slack'.

Then log in to any of your workspaces in the popup window. You should then be able to select a channel in which the notifications should be sent. Then click on 'Authorize' and the linking is complete.

If the automatic linking fails and no slack channel has been set, you can also add slack manually. The instructions for this can be found right below this paragraph.

Mattermost Notification

If you already use Mattermost, you can connect your Enginsight to any channel with a few clicks.

Linking of Mattermost and Enginsight

First switch to Mattermost. Open the 'Main Menu' in any channel by clicking on your name or the menu icon in the upper left corner, then select 'Integrations' to get to the incoming webhooks. Incoming webhooks must be enabled by a system administrator in the System Console before they can be created.

A new window will be opened. Click here on 'Incoming Webhooks'.

Now you have an overview of all allowed webhooks. You can delete or edit them at any time. To create a new Webhook click on 'Add Incoming Webhook' in the upper right corner.

Now you can name the Webhook, give it a short description and select the channel where the alarms should be posted.

That is all. Copy the webhook URL and add it to all desired alerts in your Enginsight account under the section 'Additional Notifications via Mattermost' within each alert. Treat the URL like a password: anyone who knows it can post messages to the channel. See the Mattermost documentation about incoming webhooks for details.

Automation

You have automation possibilities via alerts either with webhooks or with plugins.

Webhooks

Webhooks offer you the possibility to use triggered alerts outside the Enginsight platform, for example in an internal messenger or a ticket system. Use webhooks to process information about alerts directly in other applications.

Create Webhook

Under the navigation item 'Alerts' you will find the subitem 'Webhooks' on the left side. If you have not yet created a Webhook, you can click on the 'Create Webhook' tile in the middle of the screen. If not, you will find the same button in the upper right corner.

In addition to a meaningful name and a description, you now specify the target URL, the HTTP method and the content type. You can also add user-defined HTTP headers to the request, for example an authentication token that the receiving system checks before it trusts the alert data.

Then click 'Add Webhook' to create the Webhook.

You can select webhooks when creating or editing alerts. The Microsoft Teams integration described under Messenger integrations is a special case of this mechanism.

Format of a Webhook

Here you can find information about the format of a webhook:

{
    "resolved": false,
    "belongsTo": "endpoint",
    "alert": {
        "name": "Testalarm",
        "_id": "123456789abcdefAlert"
    },
    "scenario": {
        "payload": [{
            "triggered": true,
            "value": 1000,
            "threshold": 100,
            "operator": "gt",
            "aggregator": "avg",
            "scenario": "property",
            "property": "endpoints_websites.website.total"
        }]
    },
    "reference": {
        "hostname": "https://www.         .com/",
        "_id": "123456789abcdefReference"
    }
}

This example shows the body of a POST webhook triggered by an alert that monitors the response time of an endpoint. Under 'alert' you get the internal ID and the name of the corresponding alert. Under 'scenario' you find the 'payload', an array whose entries carry the threshold, the measured value, the comparison operator and aggregator, and the type of alert ('scenario', 'property', ...). Under 'reference' you find the ID and name of the asset the alert applies to. The field 'resolved' indicates whether the alert is currently triggered (false) or has been resolved (true). The attribute 'belongsTo' defines the type of reference (host, endpoint, observation).
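The following receiver is an added example and not Enginsight's own code. It shows what a practitioner on the receiving end of this payload needs: it checks a shared-secret header before trusting the request (assumed to be delivered through the custom HTTP headers configured on the webhook; the header name X-Enginsight-Token, the secret and the port are assumptions), validates the documented shape, rejects unknown 'belongsTo' values, and turns the event into a one-line summary and a Mattermost incoming-webhook body. The sample body and its hostname are constructed for the example.

```python
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

SHARED_SECRET = "change-me-to-a-long-random-secret"  # assumed deployment value
TOKEN_HEADER = "X-Enginsight-Token"                    # assumed custom header name
ALLOWED_REFERENCE_TYPES = {"host", "endpoint", "observation"}  # documented belongsTo values
OPERATOR_SYMBOLS = {"gt": ">"}  # only "gt" appears in the documented sample

# Constructed sample body in the documented format (hostname is made up).
SAMPLE_BODY = json.dumps({
    "resolved": False,
    "belongsTo": "endpoint",
    "alert": {"name": "Testalarm", "_id": "123456789abcdefAlert"},
    "scenario": {"payload": [{
        "triggered": True, "value": 1000, "threshold": 100,
        "operator": "gt", "aggregator": "avg",
        "scenario": "property", "property": "endpoints_websites.website.total",
    }]},
    "reference": {"hostname": "https://www.example.com/",
                  "_id": "123456789abcdefReference"},
}).encode()


def authenticate(headers, secret=SHARED_SECRET):
    """True only if the custom header carries the shared secret (constant-time compare)."""
    presented = headers.get(TOKEN_HEADER) or ""
    return hmac.compare_digest(presented.encode(), secret.encode())


def parse_alert(body):
    """Validate the documented webhook shape and return a flat event record.

    Raises ValueError for anything that does not look like an Enginsight alert,
    so the receiver never acts on a malformed or unexpected request body.
    """
    try:
        data = json.loads(body)
    except ValueError as exc:
        raise ValueError(f"body is not JSON: {exc}") from exc
    if not isinstance(data, dict):
        raise ValueError("top level must be a JSON object")
    for key in ("resolved", "belongsTo", "alert", "scenario", "reference"):
        if key not in data:
            raise ValueError(f"missing field {key!r}")
    if not isinstance(data["resolved"], bool):
        raise ValueError("'resolved' must be a boolean")
    if data["belongsTo"] not in ALLOWED_REFERENCE_TYPES:
        raise ValueError(f"unknown reference type {data['belongsTo']!r}")
    if not all(isinstance(data[k], dict) for k in ("alert", "scenario", "reference")):
        raise ValueError("'alert', 'scenario' and 'reference' must be objects")
    payload = data["scenario"].get("payload")
    if not isinstance(payload, list) or not payload:
        raise ValueError("'scenario.payload' must be a non-empty list")
    return {
        "resolved": data["resolved"],
        "reference_type": data["belongsTo"],
        "alert_name": str(data["alert"].get("name", "")),
        "alert_id": str(data["alert"].get("_id", "")),
        "reference_name": str(data["reference"].get("hostname", "")),
        "reference_id": str(data["reference"].get("_id", "")),
        "payload": payload,
    }


def summarize(event):
    """One-line summary of a parsed event, usable as a chat message or ticket title."""
    state = "RESOLVED" if event["resolved"] else "TRIGGERED"
    conditions = []
    for item in event["payload"]:
        op = OPERATOR_SYMBOLS.get(item.get("operator"), str(item.get("operator")))
        conditions.append(
            f"{item.get('property') or item.get('scenario')} {item.get('aggregator', '')} "
            f"{item.get('value')} {op} {item.get('threshold')}"
        )
    return (f"[{state}] {event['alert_name']} on {event['reference_type']} "
            f"{event['reference_name']}: " + "; ".join(conditions))


def to_mattermost_message(event):
    """Body for a Mattermost incoming webhook, which takes a JSON object with a 'text' field."""
    return {"text": summarize(event)}


class AlertReceiver(BaseHTTPRequestHandler):
    """HTTP endpoint to use as the webhook target, e.g. http://receiver.internal:8080/alert (assumed)."""

    def do_POST(self):
        if not authenticate(self.headers):
            self.send_error(401, "missing or wrong token")
            return
        length = int(self.headers.get("Content-Length") or 0)
        try:
            event = parse_alert(self.rfile.read(length))
        except ValueError as exc:
            self.send_error(400, str(exc))
            return
        # A real receiver would open or close a ticket here, or forward
        # to_mattermost_message(event) to the messenger; this one just logs.
        print(summarize(event))
        self.send_response(204)
        self.end_headers()

    def log_message(self, fmt, *args):
        pass  # silence the default access log; summaries go to stdout above


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), AlertReceiver).serve_forever()
```

Point the webhook's target at this server, set the method to POST and the content type to JSON, and add the token header under the webhook's custom HTTP headers; without the header the receiver answers 401, and a body that does not match the documented shape is rejected with 400 rather than acted on.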

Plugins

By using plugins you can define autonomous reactions on your host in response to a triggered alert, e.g. running a script. You can read more about plugins in the Plugins section under Hosts.

Additional Options

As further settings you can assign an alert category to the alert: 'Information', 'Warning' or 'Critical condition'. The category determines how often the alert is re-triggered while the condition persists, and thus how often an e-mail is sent.

  • Critical condition: 1 time per day

  • Warning: 1 time per week

  • Information: 1 time per month

The alert option 'Inform Responsible Persons' allows you to automatically notify the responsible persons defined for the asset about triggered alerts, even if they have not been manually defined as recipients.

If the "Inform responsible persons" option is enabled, the following team members will receive a notification, provided that the responsibilities are assigned.

  • Technical responsible (of the individual asset)

  • Security responsible (of the organization)

  • Alarms on host: Hosts responsible (of the organization)

  • Alarms on endpoints: Endpoints responsible (of the organization)

How responsibilities are assigned for the entire organization is described under Organisations.

You can also activate an 'Additional Notification' when the alert has been resolved, i.e. the alert scenario no longer exists.

Finally, you can also 'deactivate' the alert directly. This allows you to prepare alerts without directly activating them.
