With InsightIDR, you also have the option of creating custom alerts when built-in alerts might not necessarily suit your needs.
- To create a custom alert, select the Lightning Bolt icon from the top right of InsightIDR.
- You will see two tabs of alert types: Built-in and Custom. Select the Custom Alerts & Tags tab.
- Identify the event that will generate an alert
- Build a query that will select that event from a log set. Learn how to Build a Query.
- Copy that query into the Pattern field on the custom alert page, using only the information inside the parentheses of where(...).
For instance, if the LEQL query was
where(direction = "OUTBOUND" AND connection_status = "ACCEPT" AND destination_address = "xx.xxx.x.xxx")
- you would use
direction = "OUTBOUND" AND connection_status = "ACCEPT" AND destination_address = "xx.xxx.x.xxx" as your pattern.
- Choose one or more log sets.
- For Match, select "Once" if you want to receive alerts on every single occurrence, or define a threshold.
- For example, if you define an alert to match 100x/hour, the pattern must match at least 100 times in the last 60 minutes, and a single alert is triggered when the alert counter reaches this limit.
- For Report, select how often you receive a report about the alert. Use this feature to avoid receiving multiple reports about the same alert, or "alert flooding."
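The two steps that most often go wrong when setting up a custom alert are pasting the whole where(...) query into the Pattern field and misjudging how a threshold such as 100x/hour counts matches. The following is an added example, not Rapid7 code: it strips a LEQL where() query down to the pattern text, and it simulates a "count per window" threshold over constructed match timestamps. The counter reset after an alert fires is an assumption about the "single alert" behaviour described above; confirm it against your own alert history.

```python
import re
from datetime import datetime, timedelta


def leql_to_pattern(query: str) -> str:
    """Return the Pattern-field text for a LEQL where(...) query.

    Only the text inside the where( ... ) parentheses is kept, which is
    what the custom alert form expects. Raises ValueError if the query
    is not a single where() clause.
    """
    m = re.fullmatch(r"where\((.*)\)", query.strip(),
                     flags=re.IGNORECASE | re.DOTALL)
    if not m:
        raise ValueError("expected a query of the form where(...)")
    return m.group(1).strip()


def threshold_alerts(match_times, count, window):
    """Simulate a 'count per window' match threshold (e.g. 100x/hour).

    match_times: datetimes at which the pattern matched, in order.
    An alert fires when `count` matches fall inside the trailing
    `window`; the counter is then reset (assumption) so one burst
    produces one alert rather than one per further match.
    Returns the list of times at which an alert fired.
    """
    fired, bucket = [], []  # bucket: matches counted towards current alert
    for t in match_times:
        bucket.append(t)
        while bucket and t - bucket[0] > window:  # age out old matches
            bucket.pop(0)
        if len(bucket) >= count:
            fired.append(t)
            bucket = []  # reset so the same burst triggers a single alert
    return fired


if __name__ == "__main__":
    q = ('where(direction = "OUTBOUND" AND connection_status = "ACCEPT" '
         'AND destination_address = "xx.xxx.x.xxx")')
    print("Pattern field:", leql_to_pattern(q))

    # Constructed match times: a burst of three within an hour, then two
    # more that are too far apart to reach a 3x/hour threshold again.
    base = datetime(2024, 1, 1, 0, 0)
    matches = [base + timedelta(minutes=m) for m in (0, 10, 20, 30, 50, 120)]
    for when in threshold_alerts(matches, count=3, window=timedelta(hours=1)):
        print("alert fired at", when.isoformat())
```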
After you create an alert, it will appear in the Custom Tags and Alerts table.
- Click on the Pencil icon to edit the alert.
- If applicable, select the check box to enable the alert.
- Click the trashcan icon to delete the alert.