Configure a detection alert to monitor when detections from a specified protocol or category occur. For example, you can configure alert settings to watch for detections that occur over SSH and assign the alert configuration to SSH servers.
Important: Detection alerts are deprecated and will be removed in a future release. We recommend that you create a notification rule, which enables you to set more specific detection conditions.
- Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
- Click the System Settings icon and then click Alerts.
- Click Create.
- Type a unique name for the alert configuration in the Name field.
- In the Description field, add information about the
Tip: Alert descriptions support Markdown, which is a simple formatting syntax that converts plain text into HTML. For more information, see the Alerts FAQ.
- In the Alert Type section, click Detection Alert.
At the deprecation message, click one of the following links:
- Go to Notification Rules
- Continue with Detection Alert
- In the Assigned Sources field, type the name of a device, device group, or application and then select from the search results. Click Add Source to assign the alert to multiple sources. Multiple sources must be of the same type, such as only devices and device groups or only applications.
Tip: Assign an alert to a device group to efficiently manage assignments to multiple devices.
- From the Detection Categories drop-down list, select one or more categories that you want the alert to monitor. The following groups of categories are also available:

| Option | Description |
|---|---|
| Any category | Monitors detections on assigned sources that occur in any detection category. |
| IT Operations | Monitors detections that occur on assigned sources in any IT operations category. |
| Security | Monitors detections that occur on assigned sources in any Security category. |

Note: Detection categories vary by your ExtraHop system.
- (Optional): From the Protocols drop-down list, select each protocol you want the alert to monitor.
- In the Alert Behavior section, select an option to specify when to generate an
- Alert once when the alert condition is met
- Alert every <time interval> while the alert condition is met
You can select a time interval from 5 minutes up to 4 hours.
- From the Severity drop-down list, select a severity level for the alert:
When an alert is generated, the severity level is displayed on the Alerts page and in alert notifications.
- (Optional): In the Notifications section, add an email notification to an alert to receive emails or SNMP traps when an alert is generated. (Reveal(x) Enterprise only.)
- In the Status section, click an option to enable or disable the alert.
- (Optional): Add an exclusion interval to suppress alerts during specific times.
- Click Save.