Notifications



If your account subscriptions provide you with the new Alert Logic Notifications console and its features (pictured above), see the Notifications page to view documentation for that console.

All other customers will receive the updated Notifications console in the coming months and can continue using the documentation on this page. Contact Technical Support with any questions about the availability of these new features.

The Notifications feature provides a centralized user interface to manage alerts created in Alert Rules, Scans, Reports, Case Management, and Incidents. Using the feature, you can manage the contacts to be notified when specified alerts or incidents occur. The feature also lets you specify the time and frequency of notifications, as well as set up WebHooks for notifications.

The Alert Logic Security Operations Center (SOC) will send you service notifications by email when a security incident or Log Review report needs to be escalated.

To access the Notifications page in the Alert Logic console, click the CONFIGURATION tab, and then click Notifications. This feature appears with both Cloud Defender and Cloud Insight subscriptions.

Configure notification policies

You can use the Alert Logic console to configure notifications for alerts, incidents, reports, scans, and cases. Though you create the alerts separately in the Alert Logic console, the Notification Policies page provides a central location through which you can add, edit, and remove notifications created for available alerts. This feature also lets you monitor alerts for child customers.

You cannot use Notification Policies to create an alert. You must create an alert through Alert Rules, Incident Escalations, Case Management, Scans, or Reports before you can add a notification policy to that alert.

Add a notification policy

To add a notification policy:

  1. Navigate to the Notifications page, and then click Policies.
  2. Click Add New.
  3. Enter the following information, where applicable, for the notification policy:
    • Name/Title—Enter a name for the notification policy.
    • Product/Alert Type—From the drop-down list, select the product and the alert type for which to create the policy.
    • Alert Recipients—Enter contact names, group names, and/or WebHooks to receive the alerts.
    • Applies to—Specify whether the notification policy applies to all customers, child customers, parent customers, and/or your enterprise.
  4. Click Save.

Edit a notification policy

To edit the details of a notification policy:

  1. Navigate to the Notifications page, and then click Policies.
  2. Click the drop-down icon for the notification policy to edit.
  3. Select View / Edit.
  4. Modify any of the policy information.
  5. Click Save.

Delete a notification policy

To delete a notification policy:

  1. Navigate to the Notifications page, and then click Policies.
  2. Click the drop-down icon for the notification policy to delete.
  3. Click Delete.

Set up contacts and groups

Using the list of contacts, you can create notification policies that specify the contacts to receive alerts. In addition, you can create groups of contacts to more efficiently classify and distribute notifications, sending notifications to more than one contact for each alert.

The Contacts and Groups page includes a tab listing all contacts, and a tabbed display of all groups. From this page, you can add, modify, and delete contacts, and you can add, modify, and delete groups. In addition, the Search Contacts field lets you easily find a contact on any tab by typing all or part of a contact name.

Add a contact

To add a contact:

  1. Navigate to the Notifications page, and then click Contacts & Groups.
  2. To add a new contact, on the All Contacts tab, click Add New.
  3. Enter the following information for the contact:
    • First Name—Enter the first name of the contact.
    • Last Name—Enter the last name of the contact.
    • Display Name—Enter the full name of the contact, as you want it displayed.
    • Position—Enter the position on the team, or in the company, for the contact.
    • Email Address—Enter the email address of the contact. If you list more than one email address, use the star button next to the email address to denote the default email address.
    • Advanced options—For each email address, click the gear icon next to the email address to set the following advanced options:
      • Limits—Specify the maximum number of alerts that the contact receives within a specified time period. To use the limits set in the Notifications Options feature, select Use account settings. For more information about notification options and preferences, see Configure notification preferences.
      • Blackout hours—Specify a time period during which no alerts are sent to the contact.
  4. Click Save.

Edit a contact

To edit a contact:

  1. Navigate to the Notifications page, and then click Contacts & Groups.
  2. On the All Contacts tab, select the check box to the left of a contact name.
  3. Click the contact drop-down icon.
  4. Select View / Edit.
  5. Modify any of the contact information.
  6. Click Save.

You can use this function to add a contact to one or more groups. After you select the contact drop-down icon, select the check boxes that correspond with the groups in which you want to place the contact.

Delete a contact

To delete a contact:

  1. Navigate to the Notifications page, and then click Contacts & Groups.
  2. On the All Contacts tab, select the check box to the left of a contact name.
  3. Click the contact drop-down icon.
  4. Click Delete.

Create a group

To create a group:

  1. Navigate to the Notifications page, and then click Contacts & Groups.
  2. Click the Add Group tab.
  3. Type the name of the group to add.
  4. Click the check icon.

Modify a group name

To modify a group name:

  1. Navigate to the Notifications page, and then click Contacts & Groups.
  2. Click the tab of the group to rename.
  3. Click the gear icon.
  4. Type the new name for the group.
  5. Click the check icon.

Delete a group

To delete a group:

  1. Navigate to the Notifications page, and then click Contacts & Groups.
  2. Click the tab of the group to delete.
  3. Click the gear icon.
  4. Click the trash can icon.

If you delete a group, you do not delete the contacts listed in the group.

Add a contact to a group

To add a contact to a group:

  1. Navigate to the Notifications page, and then click Contacts & Groups.
  2. On the All Contacts tab, select the check box to the left of a contact name.
  3. Click the contact drop-down icon.
  4. Under Groups, select the check box of one or more groups to which to assign the contact.

You can remove a contact from one or more groups by clearing check boxes of the groups from which you want to remove the contact.

Add multiple contacts to a group

To add multiple contacts to a group:

  1. Navigate to the Notifications page, and then click Contacts & Groups.
  2. On the All Contacts tab, select the check boxes for the contacts to add to specified groups.
  3. Click With Selected > Manage Groups.
  4. Click the Manage Groups for Multiple Contacts field, and then select from a list of groups to which to assign the contacts.
  5. Click Save.

Set up WebHooks

The Notifications feature provides the ability to use WebHooks to send alert notifications to any public-facing web server configured to handle HTTP callbacks. WebHooks allow Alert Logic products to send real-time data directly to a third-party application, such as your ticketing system or instant messaging system, rather than to one or more email addresses or groups. Because the receiving server is reachable from the Internet and the alert data it receives can be sensitive, treat the WebHook URL as a credential and protect the endpoint accordingly.

On the WebHooks page, you can add, modify, and delete WebHooks. The Search WebHooks field lets you easily find a WebHook, to either edit or remove, by typing all or part of a WebHook name.

Add a WebHook

To set up a WebHook:

  1. Navigate to the Notifications page, and then click WebHooks.
  2. Click Add New.
  3. Enter the following information for the WebHook:
    • Name/Title—Enter a name for the WebHook.
    • URL—Enter the URL for the server where to send WebHook requests.
    • Test Request—To send a test to your web server and monitor real-time results, use or edit the sample request in this field, and then click Send Test to Server.
  4. Click Save.
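The procedure above configures the sending side only; the receiving web server is yours to build. The following is an added example (not Alert Logic's code, and not based on any documented payload format) of a minimal receiver for the HTTP callbacks described above. It assumes the URL you enter in the console is of the form https://hooks.example.com/alertlogic/<token>, where the token is a long random value you generate, because the page describes no request signing and the URL is therefore the only thing that identifies the caller. It also assumes a TLS-terminating reverse proxy in front of the listener, and uses a placeholder forward_to_ticketing function in place of a real ticketing or chat integration. The validate_request function rejects wrong tokens, non-JSON content types, oversized bodies and malformed JSON, and scrub_ips redacts IPv4 addresses before anything is forwarded, as defence in depth for accounts that have not selected Do not Include under Options:

```python
"""Receiver for Alert Logic WebHook notifications (added example, see lead-in)."""
import json
import re
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer

# ASSUMPTION: the WebHook URL configured in the console is
#   https://hooks.example.com/alertlogic/<WEBHOOK_TOKEN>
# The page describes no request signing, so the URL is the only thing that
# authenticates the caller; generate a long random token and keep it secret.
WEBHOOK_TOKEN = "replace-with-a-long-random-token"
MAX_BODY_BYTES = 256 * 1024          # reject oversized bodies before parsing

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scrub_ips(text):
    """Redact IPv4 addresses before forwarding to a chat or ticketing tool.

    Defence in depth only; the console-side 'Do not Include' option under
    Options is the primary control for keeping IP addresses out of alerts.
    """
    return IPV4_RE.sub("[redacted-ip]", text)


def validate_request(path, headers, body):
    """Check the path token, content type, body size and JSON shape.

    Returns (http_status, parsed_payload_or_None). Kept free of server state
    so it can be exercised directly. 'headers' only needs a .get() method.
    """
    parts = path.split("?", 1)[0].rstrip("/").split("/")
    if len(parts) != 3 or parts[1] != "alertlogic":
        return 404, None
    # Constant-time comparison; answer exactly as for an unknown route so a
    # caller cannot tell a wrong token from a missing endpoint.
    if not secrets.compare_digest(parts[2].encode(), WEBHOOK_TOKEN.encode()):
        return 404, None
    ctype = headers.get("Content-Type", "") or ""
    if not ctype.lower().startswith("application/json"):
        return 415, None
    if len(body) > MAX_BODY_BYTES:
        return 413, None
    try:
        payload = json.loads(body)
    except ValueError:
        return 400, None
    if not isinstance(payload, dict):
        return 400, None
    return 200, payload


def forward_to_ticketing(payload):
    """Hypothetical stand-in for the downstream integration: returns the
    scrubbed text that would be posted into a ticket or chat message."""
    return scrub_ips(json.dumps(payload, sort_keys=True))


class WebHookHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        try:
            length = int(self.headers.get("Content-Length", "0"))
        except ValueError:
            length = -1
        if length < 0 or length > MAX_BODY_BYTES:
            self._reply(413)          # refuse before reading the body
            return
        body = self.rfile.read(length)
        status, payload = validate_request(self.path, self.headers, body)
        if status != 200:
            self._reply(status)
            return
        forward_to_ticketing(payload)
        self._reply(204)

    def _reply(self, status):
        self.send_response(status)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, fmt, *args):
        pass                          # do not log the token-bearing path


if __name__ == "__main__":
    # Bind to loopback and put a TLS-terminating reverse proxy in front;
    # the console must be given the public https:// URL of that proxy.
    HTTPServer(("127.0.0.1", 8080), WebHookHandler).serve_forever()
```

Use the Test Request field in the console (Send Test to Server) against the public URL to confirm the receiver answers 204; any other status means the request was rejected by one of the checks above, and the receiver deliberately does not say which.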

Edit a WebHook

To edit the details of a WebHook:

  1. Navigate to the Notifications page, and then click WebHooks.
  2. Select the check box to the left of a WebHook name.
  3. Click the drop-down icon.
  4. Select View / Edit.
  5. Modify any of the WebHook information.
  6. Click Save.

Delete a WebHook

To delete a WebHook:

  1. Navigate to the Notifications page, and then click WebHooks.
  2. Click the WebHook drop-down icon.
  3. Click Delete.

View the alert history

Using the History page, you can review all alerts sent to contacts and groups. You can also easily find and obtain details about specific alerts.

The History page is the only place to view alerts that were generated after a contact or account reached a limit set under Options, because those alerts are not delivered to contacts.

Filter alerts

Use the Search field to easily find an alert by typing all or part of an alert product, description, or details. You can narrow the search result further by using a date range.

Click the date range button to restrict the search to one of the following ranges:

  • Just today
  • The last 24 hours
  • The last seven days
  • Last month
  • A custom range

View alert details

To view the details of an alert:

  1. Navigate to the Notifications page, and then click History.
  2. Click the drop-down icon for the alert.

Alert details include the following information:

  • The alert content, in either formatted or JSON output
  • Contacts or groups that received the alert
  • Any files attached to the alert

Configure notification preferences

Under Options, you can set notification preferences that limit the number of notifications sent to your contacts and groups, and specify whether notifications include IP addresses.

If the number of alerts you receive exceeds your set limit, you can see additional notifications only in your alert history archive. See View the alert history.

To set notification preferences:

  1. Navigate to the Notifications page, and then click Options.
  2. Select the frequency of notifications from the drop-down. The options are: Always, Never, Per Hour, or Per Day.
  3. Select Include or Do not Include from the next drop-down to specify whether notifications include IP addresses.
  4. To apply the IP address setting to all child customers as well, select the Apply IP Scrubbing to all child customers check box.
  5. Click Save.

Incident notifications

Network IDS, Log Management, and Web Application IDS customers deployed after August 7, 2019, and Alert Logic Cloud Insight customers with Amazon GuardDuty enabled, have access to the Incident notifications available in the new Alert Logic Incident console. To learn more about the new Incident notification feature, see Incident Notifications. The section below applies to all other customers.

You can set incident alert rules to send an email to specified contacts when incidents of specified threat levels and statuses occur for your account and accounts you manage. When you receive an incident notification, click the INCIDENTS tab.

Create an incident alert rule

To configure incident notifications:

  1. Navigate to the Notifications page, and then click Incidents.
  2. Enter the following information, where applicable, for the incident alert rule:
    • Name/Title—Enter a name for the alert rule.
    • Minimum Severity to Trigger Rule—From the drop-down list, select the lowest incident severity for which you want an alert. You will receive an alert for each incident at or above the selected severity.
    • Time Between Alert Occurrences—Enter the minimum time that must elapse before the rule sends another alert.
    • Choose Child Customers to Apply Rule to—If you manage accounts, you can choose a managed account to which you want to apply the rule.
    • Send Alerts to—Provide one or more email addresses for contacts you want to receive the alerts.
  3. Click Save.

Edit an incident rule

To edit the details of an incident rule:

  1. Navigate to the Notifications page, and then click Incidents.
  2. Under Existing Incident Alert Rules, select the incident alert rule you want to modify.
  3. Modify any of the incident alert rule options.
  4. Click Save.

Delete an incident rule

To delete an incident rule:

  1. Navigate to the Notifications page, and then click Incidents.
  2. Under Existing Incident Alert Rules, select the incident alert rule you want to delete.
  3. Click Delete.

Event notifications

You can set event alert rules to send an email to specified contacts when specific events occur for your account and accounts you manage. Events appear on the Events page, which you access from the SEARCH tab.

Create event alert rule

To configure event notifications:

  1. Navigate to the Notifications page, and then click Events.
  2. Enter the following information, where applicable, for the event alert rule:
    • Name/Title—Enter a name for the alert rule.
    • Minimum Severity to Trigger Rule—From the drop-down list, select the lowest event severity for which you want an alert. You will receive an alert for each event at or above the selected severity.
    • Minimum Time Between Alerts—Enter the minimum number of minutes you want to elapse before receiving another alert.
    • Choose Child Customers to Apply Rule to—If you manage accounts, you can choose a managed account to which you want to apply this event alert rule.
    • Send Alerts to—Provide one or more email addresses for contacts you want to receive the alerts.
    • Rule Triggers—Specify one or more of the following parameters to trigger the alert.
      • Minimum event severity
      • A signature triggers on an appliance for the first time
      • The event signature is one of the selected signatures
      • The event signature is not one of the selected signatures
  3. Click Save.

Edit an event alert rule

To edit the details of an event alert rule:

  1. Navigate to the Notifications page, and then click Events.
  2. Under Existing Event Alert Rules, select the event alert rule you want to modify.
  3. Modify any of the event alert rule options.
  4. Click Save.

Delete an event alert rule

To delete an event alert rule:

  1. Navigate to the Notifications page, and then click Events.
  2. Under Existing Event Alert Rules, select the event alert rule you want to delete.
  3. Click Delete.

Case notifications

Case management groups together identified security issues, or case items, that require investigation, action, or follow-up. You can configure alerts to send emails to specified contacts in your organization when someone creates, assigns, or modifies a case. In addition, you can configure a notification if a case passes its due date.

Add a case alert rule

To configure case notifications:

  1. Navigate to the Notifications page, and then click Cases.
  2. Enter the following information, where applicable, for the case alert rule:
    • Rule Name—Enter a name for the alert rule.
    • Choose Case Status to Trigger Rule—From the drop-down list, select a case status for which you want an alert.
    • Time Between Alert Occurrences—Enter the minimum number of minutes you want to elapse before receiving another alert.
    • Choose Child Customers to Apply Rule to—If you manage accounts, you can choose a managed account to which you want to apply the rule.
    • Send Alerts to—Provide one or more email addresses for contacts you want to receive the alerts.
  3. Click Save.

Edit a case alert rule

To edit the details of a case alert rule:

  1. Navigate to the Notifications page, and then click Cases.
  2. Under Existing Case Alert Rules, select the case alert rule you want to modify.
  3. Modify any of the case alert rule options.
  4. Click Save.

Delete a case alert rule

To delete a case alert rule:

  1. Navigate to the Notifications page, and then click Cases.
  2. Under Existing Case Alert Rules, select the case alert rule you want to delete.
  3. Click Delete.

Defense notifications

Defense notifications alert you when a blocking action occurs through Network IDS. The Blocks page, accessible under the SEARCH tab, allows you to access, view details of, and search blocking actions instituted in your organization. You can also roll back or reissue blocks. The Blocks page is available only if you have a physical appliance.

Add a defense alert rule

To configure defense notifications:

  1. Navigate to the Notifications page, and then click Defenses.
  2. Enter the following information, where applicable, for the defense alert rule:
    • Rule Name—Enter a name for the alert rule.
    • Select one or more of the following blocking actions for which to send an alert:
      • Event
      • Incident
      • Rollback
    • Time Between Alert Occurrences—Enter the minimum number of minutes you want to elapse before receiving another alert.
    • Choose Child Customers to Apply Rule to—If you manage accounts, you can choose a managed account to which you want to apply the rule.
    • Send Alerts to—Provide one or more email addresses for contacts you want to receive the alerts.
  3. Click Save.

Edit a defense alert rule

To edit the details of a defense alert rule:

  1. Navigate to the Notifications page, and then click Defenses.
  2. Under Existing Defense Alert Rules, select the defense alert rule you want to modify.
  3. Modify any of the defense alert rule options.
  4. Click Save.

Delete a defense alert rule

To delete a defense alert rule:

  1. Navigate to the Notifications page, and then click Defenses.
  2. Under Existing Defense Alert Rules, select the defense alert rule you want to delete.
  3. Click Delete.