This topic describes the fields you can specify when creating an alert.

Table 1. Alert Fields. The fields are grouped by the section of the alert form in which they appear; each entry names the field and describes it.

General

  • Alert name – Name for the alert as it will display in the Alerts table.
  • Message – Message to be sent when the alert is triggered. You can add tags to the message for an Event Alert so that it provides data specific to the alert instance. See Informational Tags for Event Alert Messages.
  • Priority – Priority level assigned to this alert. The choices are High, Medium and Low. Priority level determines the color assigned to the alert in the user interface, and allows you to group alerts by priority to highlight the most critical items.
  • Status – Specifies whether the alert is enabled (on) or disabled (off). Disabling an alert after it has been triggered does not automatically reset the alert.

Type

  • Type – Type of alert you want to configure:
      • File Activity: Propagating File
      • File Activity: Blocked File
      • Baseline Drift Alert
      • File Prevalence Alert
      • Event Alert
  • Description – Read-only text with more information about the specified alert Type.
  • Mail Template – Template that determines the format and content of the email sent to subscribers of this alert. The Default template can be used for any alert, but the other standard templates might be more appropriate for the alert type they represent:
      • Default
      • Template for File
      • Template for Elevated Privilege
      • Template for Approval
      • Template for Certificate
      • Template for Response
      • Template for Event
      • Template for System Health
    You can also create custom templates.

Criteria: File Activity and Prevalence alerts

  • Threshold – Number of affected computers required to trigger the alert, given as a percentage or an absolute number. Appears only if applicable to the alert type.

Criteria: File Activity alerts

  • Time Period – Minimum time period within which activity must occur to trigger the alert. Appears only if applicable to the alert type.

Criteria: Baseline Drift alerts

  • Drift Report – Name of the drift report whose data you want to analyze to trigger alerts. Appears only if applicable to the alert type.
  • Alert When – The drift parameter to measure and the threshold at which it triggers an alert. Appears only if applicable to the alert type.

Criteria: File Prevalence alerts

  • Specify File By – How you want to identify the file; the choices are Hash and Filename.
  • File Name – Filename to monitor for the alert. Appears only if you chose Filename for Specify File By.
    Note: You cannot use wildcards in the file name for a prevalence alert.
  • Publisher Contains (optional) – The name of the publisher (if any) identified as the source of the file. Appears only if you chose Filename for Specify File By.
  • Hash Type – The type of hash (MD5, SHA-1 or SHA-256) used to identify the file. Appears only if you chose Hash for Specify File By.
  • Hash Value – The hash value of the file. Appears only if you chose Hash for Specify File By.
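To make the File Prevalence criteria concrete, here is an added example (not code from the product or its documentation) that models how a prevalence alert's Threshold and Specify File By settings combine: the inventory of computers and files is constructed for the example, the hash-length and wildcard checks follow the field descriptions above, and the threshold parser accepts either a percentage ("10%") or an absolute count ("5"). How the real product stores its inventory is not described on this page, so the `INVENTORY` layout and the case-insensitive hash comparison are assumptions.

```python
import re
from fractions import Fraction

# Constructed inventory for the example (not product data): each computer
# maps to the (file name, SHA-256 hash) pairs observed on it.
INVENTORY = {
    "ws-01": [("tool.exe", "a" * 64), ("helper.dll", "b" * 64)],
    "ws-02": [("tool.exe", "a" * 64)],
    "ws-03": [("other.exe", "c" * 64)],
    "ws-04": [("tool.exe", "a" * 64), ("other.exe", "c" * 64)],
    "srv-01": [],
}

# Hex-digit length of each hash type the Hash Type field offers.
HASH_HEX_LENGTH = {"MD5": 32, "SHA-1": 40, "SHA-256": 64}


def is_valid_hash(hash_type, value):
    """True when value is a hex string of the length hash_type implies."""
    length = HASH_HEX_LENGTH.get(hash_type)
    if length is None:
        return False
    return re.fullmatch(r"[0-9a-fA-F]{%d}" % length, value) is not None


def has_wildcard(file_name):
    """Prevalence alerts take a literal file name, so '*' and '?' are rejected."""
    return any(ch in file_name for ch in "*?")


def parse_threshold(text):
    """'10%' -> ('percent', Fraction(1, 10)); '5' -> ('count', 5)."""
    text = text.strip()
    if text.endswith("%"):
        return "percent", Fraction(text[:-1]) / 100
    return "count", int(text)


def prevalence(inventory, specify_by, value):
    """Count the computers on which the file (by Hash or Filename) is present."""
    idx = 1 if specify_by == "Hash" else 0
    return sum(1 for files in inventory.values() if any(f[idx] == value for f in files))


def prevalence_alert_fires(inventory, threshold_text, specify_by, value, hash_type=None):
    """Decide whether a File Prevalence alert with these settings triggers."""
    if specify_by == "Hash":
        if not is_valid_hash(hash_type, value):
            raise ValueError(f"{value!r} is not a valid {hash_type} hash")
        value = value.lower()  # assumption: hashes compare case-insensitively
    elif specify_by == "Filename":
        if has_wildcard(value):
            raise ValueError("wildcards are not allowed in a prevalence alert file name")
    else:
        raise ValueError("Specify File By must be 'Hash' or 'Filename'")
    kind, limit = parse_threshold(threshold_text)
    affected = prevalence(inventory, specify_by, value)
    if kind == "percent":
        # Fraction keeps the comparison exact: 2 of 5 computers is exactly 40%.
        return Fraction(affected, len(inventory)) >= limit
    return affected >= limit
```

The percentage path uses `Fraction` rather than floats so that a threshold such as 40% is met by exactly 2 of 5 computers instead of failing on floating-point rounding; the validation functions return booleans so a UI or API layer can report why a field was rejected before the alert is saved.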

Criteria: Event Alerts

  • Threshold – Number of times an event or event rule must match the properties defined in this rule during the specified time period to trigger an alert. Appears only if applicable to the alert type.
  • Time Period – Time period during which the conditions defined in this rule must be met to trigger an alert.
  • Alert – Specifies how often to alert within the specified time period:
      • Always: Alerts on the same file every time during the time period.
      • Once per file: Alerts on the same file one time during the time period.
      • Once per file per computer: Alerts on the same file-computer combination one time during the time period.
    This field is only available in the "Unapproved File Block Alert".
  • Trigger On – Specifies whether the alert is triggered by Event(s) or an Event Rule.
  • Select Event Properties – If you chose to trigger on Event(s), the properties of the event(s) that trigger this alert. The properties include:
      • Subtype – A rule set to trigger on events must include at least one subtype, and can contain more than one.
      • Other properties – The Add filter menu includes other event parameters that can be added to more narrowly specify the conditions under which an alert is triggered.
  • Select File Properties – If you chose to trigger on Event(s), you can optionally add properties that a file mentioned in the event must meet to trigger this alert. File properties are not required, but if specified, the alert does not trigger if the specified property does not match the rule or if the value of the property is unavailable for the event.
  • Select Process Properties – If you chose to trigger on Event(s), you can optionally add properties that the parent process of the file specified in file properties must meet to trigger this alert. Process properties are not required, but if specified, the alert does not trigger if the specified property does not match the rule or if the value of the property is unavailable for the event.
  • Event Rule – If you chose to trigger on Event Rule, an Event Rule menu lists the existing rules.
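The Threshold, Time Period and Alert fields above interact, and it is easy to misjudge how many notifications a setting will produce. The following added example (not code from the product or its documentation) models them over a constructed stream of events: a Subtype filter stands in for Select Event Properties, the threshold is counted over a sliding window of the time period, and the Alert setting decides whether repeat matches for the same file, or the same file-computer combination, are suppressed within that window. The page does not describe the product's exact evaluation engine, so the sliding-window semantics and the event tuple layout are assumptions of this model.

```python
from collections import deque
from datetime import datetime, timedelta

ONE_HOUR = timedelta(hours=1)
BLOCKED = {"File blocked"}  # subtype filter for the example

# Constructed sample event stream (not product data): time recorded,
# event subtype, file concerned and computer that reported it.
EVENTS = [
    (datetime(2024, 1, 1, 9, 0), "File blocked", "tool.exe", "ws-01"),
    (datetime(2024, 1, 1, 9, 1), "File blocked", "tool.exe", "ws-02"),
    (datetime(2024, 1, 1, 9, 2), "File blocked", "tool.exe", "ws-01"),
    (datetime(2024, 1, 1, 9, 3), "File approved", "tool.exe", "ws-03"),  # wrong subtype
    (datetime(2024, 1, 1, 9, 4), "File blocked", "other.exe", "ws-03"),
    (datetime(2024, 1, 1, 9, 5), "File blocked", "tool.exe", "ws-02"),
    (datetime(2024, 1, 1, 10, 30), "File blocked", "tool.exe", "ws-01"),  # outside window
]


def evaluate_event_alert(events, subtypes, threshold, period, alert_mode):
    """Return the (time, file, computer) triples at which the alert fires.

    Assumed semantics of this model:
    - only events whose subtype is in `subtypes` count toward the threshold;
    - the threshold is met when `threshold` matching events fall inside a
      sliding window of length `period` ending at the current event;
    - `alert_mode` suppresses repeats within the window:
        "Always"                     -> fire on every qualifying event
        "Once per file"              -> once per file per window
        "Once per file per computer" -> once per (file, computer) per window
    """
    window = deque()  # matching events still inside the period
    last_fired = {}   # dedup key -> time the alert last fired for it
    alerts = []
    for when, subtype, file_name, computer in sorted(events):
        if subtype not in subtypes:
            continue
        window.append((when, file_name, computer))
        while window and when - window[0][0] > period:
            window.popleft()  # drop events older than the time period
        if len(window) < threshold:
            continue
        if alert_mode == "Always":
            key = None
        elif alert_mode == "Once per file":
            key = file_name
        elif alert_mode == "Once per file per computer":
            key = (file_name, computer)
        else:
            raise ValueError(f"unknown Alert setting: {alert_mode}")
        previous = last_fired.get(key)
        if key is not None and previous is not None and when - previous <= period:
            continue  # already alerted on this key within the period
        last_fired[key] = when
        alerts.append((when, file_name, computer))
    return alerts


if __name__ == "__main__":
    for mode in ("Always", "Once per file", "Once per file per computer"):
        fired = evaluate_event_alert(EVENTS, BLOCKED, 2, ONE_HOUR, mode)
        print(f"{mode}: {len(fired)} alert(s)")
```

Running the same seven events through the three Alert settings with a threshold of 2 over one hour gives four, two and three alerts respectively: the "File approved" event never counts, and the 10:30 event finds the window empty, so it does not reach the threshold on its own.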

Policies (appears only for appropriate alert types)

  • Rule Applies To – Click the radio button to activate this alert for All policies or Selected policies. For Selected policies, select the check box next to each policy for which you want the alert enabled.
  • Selected – Policies that are subject to this alert. Select the policies and use the arrow buttons to move them into the appropriate column.

Subscribers

  • Email – Add all email addresses to which you want alert notifications sent. Enter each address in the Email address box, and click the Add button each time to build the subscriber list. Add is enabled when you enter a qualified email address.
    The dropdown menu to the right of the address box specifies the format of the notification email. The choices are text, HTML or Auto; Auto allows the recipient's mail server to define the format.
    Note: You cannot add subscribers (the fields do not appear) until after the alert is created.

Reminder Mail

  • Status – Reminder Mail status determines whether alert email is resent after a specified period of time when the alert has not been reset. The choices are Enabled or Disabled.
  • Remind Every – When Reminder Mail is enabled, the time between alert email re-sends for alerts that are not reset.

Auto Reset

  • Status – Auto Reset determines whether an alert is reset automatically, either after a specified time period or, for certain alerts, when the conditions that triggered it are no longer in effect. When Enabled, alerts can be auto-reset. When Disabled, alerts must be reset manually.
  • Reset After – If Auto Reset is enabled, this setting determines the time period after which a triggered alert instance will auto-reset if it has not already been reset for another reason. The default value is 4 weeks. It can be changed to a different period, ranging from minutes to weeks.