Monitor when a detection occurs by configuring an alert for specific conditions, such as a particular device or type of protocol traffic. For example, if you are worried about spikes in SSH sessions, you can configure an alert to watch for security detections that occur over SSH on specific devices.
|Note:||This topic applies to all ExtraHop systems, including ExtraHop Reveal(x).|
Detection alerts are useful for monitoring unusual behavior that you want to be notified of right away. For example, if you are worried about spikes in SSH sessions on specific servers, you can configure alert settings to watch for detections that occur over SSH and assign the alert configuration to SSH servers.
- Log into the Web UI on a Discover or Command appliance.
- Click the System Settings icon and then click Alerts.
- Click Create.
- Type a unique name for the alert configuration in the Name field.
In the Description field, add information about the
Tip: Alert descriptions support Markdown, which is a simple formatting syntax that converts plain text into HTML. For more information, see the Alerts FAQ.
- In the Alert Type section, click Detection Alert.
- In the Assigned Sources field, type the name of a device, device group, or application and then select from the search results.
Click Add Source to assign the alert to multiple
sources. Multiple sources must be of the same type, such as only devices and
device groups or only applications.
Tip: Assign an alert to a device group to efficiently manage assignments to multiple devices.
From the Detection Categories drop-down list, select one
or more categories that you want the alert to monitor. The following groups of
categories are also available:
Option Description Any category Monitors detections on assigned sources that occur in any detection category. IT Operations Monitors detections that occur on assigned sources in any IT operations category. Security Monitors detections that occur on assigned sources in any Security category. Note: Detection categories vary by your ExtraHop system.
- (Optional): From the Protocols drop-down list, select each protocol you want the alert to monitor.
In the Alert Behavior section, select an option to specify when to generate an
- Alert once when the alert condition is met
- Alert every <time interval> while the alert
condition is met
You can select a time interval from 5 minutes up to 4 hours.
From the Severity drop-down list, select a severity level for the alert:
When an alert is generated, the severity level is displayed on the Alerts page and in alert notifications.
- (Optional): In the Notifications section, add an email notification to an alert to receive emails or SNMP traps when an alert is generated.
- In the Status section, click an option to enable or disable the alert.
- (Optional): Add an exclusion interval to suppress alerts during specific times.
- Click Save.