Alerts create logon config
CYBERQUEST's alerting feature is a completely customizable module for each connected user. The event triggering an alert can be user-defined to respond to specific event needs, ensuring great accuracy and reducing false alerting to a minimum.
Follow the steps to create a new alert:
To access the Web Interface, open a web browser and enter the application's IP address or DNS name. The default address initially assigned to the Web Interface is https://CyberquestIPAddress (example).
The browser automatically redirects you to CYBERQUEST's authentication page:
Navigate to Alerts
From the Settings menu, select Alerts > Realtime. The Realtime alert page opens:
Create new alert definition
On the "Alerts" page, select the "Create new alert definition" button to create a new alert.
The following page then opens, allowing you to define the new alert. The alert below is triggered when a Windows Logon event is found (e.g. EventID = 4624). Alerts can be sent to an email address. Triggered alerts appear in the Alerts module.
Alert Name: The name of the new alert.
Alert Active: Select ALERT ACTIVE checkbox if the alert is active or uncheck to deactivate it.
Sent as Alert: Send as Alert checkbox has a similar effect to ALERT ACTIVE checkbox. When unchecked, the alert is active but will not produce any visible effect. This setting ensures backend correlation of anomaly analysis over multiple events, triggers and alerts.
Has Action: If a script execution is to be associated with the alert, also check the Has Action checkbox. Press the Actions Parameters button to open the Script Editor window, where you can create a custom script to run as the alert's action.
Notification Template: Choose a notification template to apply to your alert. You can choose from built-in or custom notification templates. Default is Default notification.
The Rule Settings pane helps you define the rule logic. Rule logic consists of field, report and correlation conditions separated by the logical operators AND, OR and NOT.
Each rule has:
Description: A Description where you enter a text describing the rule.
Add field condition: In the Select Field drop-down, select a representative event field. From the next drop-down, select the appropriate value operator. In the third field, enter the desired value.
Add report condition: The rule condition presents you with a drop-down list from which you can select a report from all existing reports.
Delete: You can delete a rule condition.
When adding a rule condition, a logical operator is automatically added for correlation to the previous condition. The default operator is AND. Click on AND switch to change the logical value to OR. Click again to change back to AND.
If the logical chain requires it, a NOT operator is also available in the form of a checkbox. By default, the operator is not selected. Click NOT to select the operator.
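The example below is added here to show how a chain of field conditions like the one built in the Rule Settings pane (EventID = 4624, AND/OR switches, NOT checkbox) is evaluated against incoming events; it is illustration code, not CYBERQUEST's own engine. The operator names, the left-to-right evaluation order, the sample events and the extra TargetUserName condition are all assumptions.

```python
from dataclasses import dataclass
from typing import Any, Callable

# Assumed value operators for a field condition (the page does not list them).
OPERATORS: dict[str, Callable[[Any, Any], bool]] = {
    "equals": lambda actual, expected: str(actual) == str(expected),
    "not equals": lambda actual, expected: str(actual) != str(expected),
    "contains": lambda actual, expected: str(expected).lower() in str(actual).lower(),
}

@dataclass
class FieldCondition:
    field: str            # event field chosen in the "Select Field" drop-down
    operator: str         # value operator (one of OPERATORS)
    value: Any            # value typed into the third field
    join: str = "AND"     # AND/OR switch linking this condition to the previous one
    negate: bool = False  # the NOT checkbox

def matches(cond: FieldCondition, event: dict) -> bool:
    """Evaluate one field condition; a field missing from the event never matches."""
    result = cond.field in event and OPERATORS[cond.operator](event[cond.field], cond.value)
    return (not result) if cond.negate else result

def evaluate_rule(conditions: list[FieldCondition], event: dict) -> bool:
    """Chain conditions left to right using each condition's AND/OR switch.
    Assumption: no operator precedence, mirroring the UI's linear list."""
    if not conditions:
        return False
    acc = matches(conditions[0], event)
    for cond in conditions[1:]:
        hit = matches(cond, event)
        acc = (acc and hit) if cond.join == "AND" else (acc or hit)
    return acc

# Rule from the page (Windows Logon, EventID 4624) plus a constructed refinement:
# NOT TargetUserName contains "$" drops machine-account logons that would
# otherwise flood the alert queue with benign noise.
LOGON_RULE = [
    FieldCondition("EventID", "equals", 4624),
    FieldCondition("TargetUserName", "contains", "$", join="AND", negate=True),
]

# Constructed sample events, modelled on Windows Security log fields.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "alice", "LogonType": 10},
    {"EventID": 4624, "TargetUserName": "WS01$", "LogonType": 3},
    {"EventID": 4625, "TargetUserName": "alice", "LogonType": 10},
]

def triggered_alerts(rule: list[FieldCondition], events: list[dict]) -> list[dict]:
    """Return the events for which the rule fires (what the Alerts module would show)."""
    return [e for e in events if evaluate_rule(rule, e)]
```

Only the interactive logon by "alice" fires; the machine-account logon and the failed logon (4625) are filtered out by the NOT and EventID conditions respectively.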