An alert is a rule that you can schedule to run on a continuous basis and log its findings to different alerting outputs, including the Reporting > Manage > Alerts module, Record, SMTP, SNMP, and Syslog. You can take any rule that exists in Security Analytics and create an alert from it if that rule has a unique where clause. After you create an alert, you can add that alert to the alert queue. After you add an alert to the queue, it runs every minute (by default).
An alert consists of the following fields:

|Field|Description|Example|
|---|---|---|
|Name|Used to identify the alert. Clicking the alert name displays the rule on which this alert is based in the Define Rules panel.|Alert1|
|Description|Used to describe the alert.|Template messages|

Note: For the Name field, the icon to extend the column size is not displayed at the end of the column field. Hover the mouse slightly to the left of the column edge to see the icon for extending the column.
Note: In the Reporting user interface, wherever Date and Time or an input entered for this field are displayed, they are always shown according to the user-selected time zone profile. By default, the Reporting Engine displays all repeated values for a meta key. If you do not want meta values to repeat in the alert output, enable the "removeRepeatedMetaValue" option, which is available for the Reporting Engine under "Configuration > AlertConfiguration" in the Services Configuration > Explore view. For example, in an HTTP session the values for action are displayed as get, get, put, put, post, get. When this option is enabled, the values are displayed as get, put, post.
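To make the effect of the removeRepeatedMetaValue option concrete, here is an added illustration in Python (not Reporting Engine code) that formats the meta values of one constructed HTTP session both with and without the option. The session contents, the output format and the function names are assumptions chosen for the example; only the collapsing behaviour (repeated values dropped, first-seen order kept) mirrors what the note describes.

```python
from typing import Dict, List

# Constructed sample session: meta values listed in the order the engine
# would report them, repeats included. Not a real capture.
SAMPLE_SESSION: Dict[str, List[str]] = {
    "action": ["get", "get", "put", "put", "post", "get"],
    "filename": ["index.html", "index.html", "upload.bin"],
}


def collapse_repeats(values: List[str]) -> List[str]:
    """Drop repeated values while keeping first-seen order.

    get, get, put, put, post, get  ->  get, put, post
    (the behaviour the removeRepeatedMetaValue note describes).
    """
    seen = set()
    collapsed = []
    for value in values:
        if value not in seen:
            seen.add(value)
            collapsed.append(value)
    return collapsed


def format_alert_output(session: Dict[str, List[str]],
                        remove_repeated_meta_value: bool = False) -> str:
    """Render one 'key: v1, v2, ...' line per meta key (hypothetical format).

    With remove_repeated_meta_value=False every value is listed, matching the
    Reporting Engine default; with True repeats are collapsed per meta key.
    """
    lines = []
    for key, values in session.items():
        if remove_repeated_meta_value:
            values = collapse_repeats(values)
        lines.append(f"{key}: {', '.join(values)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("default:")
    print(format_alert_output(SAMPLE_SESSION))
    print("removeRepeatedMetaValue enabled:")
    print(format_alert_output(SAMPLE_SESSION, remove_repeated_meta_value=True))
```

The collapse is per meta key, so a value that repeats under action is still listed once under action even if the same string also appears under another key.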