InsightIDR

Create and Manage Custom Alerts

InsightIDR also lets you create custom alerts for cases where the built-in alerts do not suit your needs.

There are three kinds of custom alerts:

  • Inactivity Detection Alerts
  • Pattern Detection Alerts
  • Change Detection Alerts

You can also specify more granular information in the Custom Alert Details, and manage your custom alerts.

Inactivity Detection Alerts

Also known as "Up Down Monitoring," inactivity alerts can be used to notify you when an entire log, log group, or particular pattern becomes inactive for a given time period.

Inactivity alerting is useful for assets that must run constantly, such as a critical server, and for log sources whose silence is itself a warning sign: a stopped agent, a broken forwarder, or logging that has been disabled on a host. Setting the inactivity window lets you decide how long a source may be quiet before you are notified, so a gap in coverage is caught before it turns into lost data.

On the Log Search page, you can create alerts in two different ways:

  • auto-populate an alert
  • manually configure an alert

You can always switch to a different alert type during configuration.

Auto-Populate an Alert

To auto-populate an alert:

  1. Go to the Log Search page.
  2. Select the log or log sets you want in the alert, or use a search query to look for a specific set of logs.
  3. In the top right corner, select the Add Alert button and choose an alert type based on the selected logs. The “Create Alert” panel appears, with applicable steps already pre-populated.
  4. In the “Name” field, name your alert. Optionally provide a description.
  5. Optionally, select the Next button to complete the Trigger section, or click the Skip to Alert link to go straight to the notification settings.
  6. In the “Alert Notification” section, define how you will receive notifications. Read more about Notification Settings.
  7. Set the inactivity period that controls how long the log or log sets must be inactive before an alert fires, and a notification throttle to limit how many alert notifications you receive. Read more about Alert Throttling.
  8. Click Create Alert.

Notifications are enabled by default. Click the Alert Notification toggle to turn off all notifications.

Manually Create an Alert

To configure an inactivity alert:

  1. In InsightIDR, select the Manage Alerts page, or select the Log Search page from the left menu.
  2. In the top right corner, select the Add Alert button. An empty alert page will appear.
  3. Select Inactivity Detection Alert.
  4. In the “Name” section, name your alert.
  5. In the “Logs” section, select one or more logs or log sets you want to use in the alert.
  6. In the optional “Trigger” section, choose a saved query or create a new query using keywords and regex.
    • If you do not add a trigger or pattern, the alert will monitor the selected logs as a whole for inactivity.
  7. Optionally click the + OR button to add another pattern to monitor on the same logs.
  8. In “Trigger Settings,” customize the amount of time a log or pattern must be inactive before it triggers an alert. By default, an inactivity period of five days triggers an alert; for log sources you rely on for detection, a window of hours rather than days catches a stopped agent or forwarder before it costs you meaningful visibility.
  9. In the “Alert Notification” section, define how you will receive notifications. Read more about Notification Settings.
  10. Set the inactivity period that controls how long the log or log sets must be inactive before an alert fires, and a notification throttle to limit how many alert notifications you receive. Read more about Alert Throttling.
  11. Click Create Alert.

Pattern Detection Alert

A Pattern Detection alert triggers when a log line exactly matches the pattern you enter as a search term (a keyword or regular expression).

Alerting on patterns is useful for monitoring server errors, critical exceptions, and general performance, and lets you watch only the events that matter to you.

On the Log Search page, you can create Pattern Detection alerts in two different ways:

  • auto-populate an alert
  • manually configure an alert

Auto-Populate an Alert

To auto-populate an alert:

  1. Go to the “Log Search” page.
  2. Select the log or log sets you want in the alert or use a search query to look for a specific set of logs.
  3. In the top right corner, click the Add Alert button and choose an alert type based on the selected logs. The “Create Alert” panel appears with applicable steps already pre-populated.
  4. In the “Name” section, name your alert and optionally add a description.
  5. Select the Next button to complete the Trigger section, or click the Skip to Alert link to go straight to the notification settings.
  6. In the “Alert Notification” section, choose whether you want to apply labels to the pattern or receive alerts by email or other integrations. See Alert Settings for more information.
  7. Choose the notification trigger setting you want. Notifications are sent only for this specific alert.
  8. Define notification throttles to control how many alerts you receive in a specific window of time.
  9. Click Create Alert.

Manually Create an Alert

To configure a pattern detection alert:

  1. In InsightIDR, select the Manage Alerts page, or select the Log Search page from the left menu.
  2. In the top right corner, select the Add Alert button. An empty alert page will appear.
  3. Select Pattern Detection Alert.
  4. In the “Name” section, name your alert.
  5. In the “Logs” section, select one or more logs or the log sets you want to use in the alert.
  6. In the “Trigger” section, choose a saved query or create a new query using keywords and regex.
  7. Optionally click the + OR button to add up to five patterns on the same logs.
  8. In the “Alert Notification” section, choose whether you want to apply labels to the pattern, receive alerts by email or other integrations, or both. See Alert Settings for more information.
  9. Choose the notification trigger setting you want. Notifications are sent only for this specific alert.
  10. Define a notification throttle to control how many alerts you receive in a specific window of time.
  11. Click Create Alert.

Change Detection Alert

Change detection alerts notify you when a condition changes, such as a rise in HTTP 500 errors in your web access logs. They are based on calculations that you apply to one or more logs or log sets.

Change detection helps you stay on top of critical conditions: something that is broken and must be addressed immediately, or recurring errors that must be escalated. The alert shortens the time needed to investigate and resolve such errors.

On the Log Search page, you can create alerts in two different ways:

  • auto-populate an alert
  • manually configure an alert

Auto-Populate an Alert

To auto-populate an alert:

  1. Go to the Log Search page.
  2. Select the log or log sets you want in the alert, or use a search query to look for a specific set of logs.
  3. In the top right corner, select the Add Alert button and choose an alert type based on the selected logs. The “Create Alert” panel appears, with applicable steps already pre-populated.
  4. In the “Name” field, name your alert. Optionally provide a description.
  5. If applicable, select the Next button to complete the Trigger section, or click the Skip to Alert link to go straight to the notification settings. Read more about Alert Settings.
  6. In the “Alert Notification” section, define how you will receive notifications. Read more about Alert Settings.
  7. Define a notification throttle to control how many alerts you receive in a specific window of time.
  8. Click Create Alert.

Manually Configure an Alert

To manually configure a change detection alert:

  1. In InsightIDR, select the Manage Alerts page, or select the Log Search page from the left menu.
  2. In the top right corner, select the Add Alert button. An empty alert page will appear.
  3. Select Change Detection alert.
  4. In the “Name” section, name your alert and optionally add a description.
  5. In the “Logs” section, select one or more logs or the log sets you want to use in the alert.
  6. In the “Trigger” section, choose a saved query or create a new query using keywords, regex or LEQL.
    • New queries require that you specify a calculation to use, and a key to apply the calculation to. A change in the calculated value for that key triggers an alert.
  7. Optionally customize the notification settings to define how large the change must be before an alert fires.
  8. Optionally click the + OR button to add another pattern on the same logs.
  9. In the “Alert Notification” section, define how you will receive notifications. Read more about Alert Settings.
  10. Define a notification throttle to control how many alerts you receive in a specific window of time.
  11. Click Create Alert.
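The three alert types above differ only in how they evaluate a log stream: inactivity fires when a source (or a pattern within it) goes quiet for longer than the configured period, pattern detection fires on any line matching one of up to five OR'd patterns, and change detection compares a calculation (here, a count) across consecutive time windows. The following Python is an added example, not Rapid7 code and not a description of how InsightIDR is implemented internally: it re-creates those trigger decisions, plus a notification throttle, over a constructed in-memory log so the semantics can be checked without a console. The log lines, window sizes, thresholds and function names are all made up for illustration.

```python
"""Added example: toy re-creation of InsightIDR's three custom alert
triggers plus a notification throttle. Not Rapid7 code; the log lines,
windows and thresholds below are constructed for illustration."""
import re
from collections import Counter
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)

# Constructed sample events (timestamp, log name, message). Not real data.
SAMPLE_LOGS = [
    ("2024-05-01T10:00:05", "web-access", "10.0.0.5 GET /login 200"),
    ("2024-05-01T10:00:20", "web-access", "10.0.0.6 GET /api/items 500"),
    ("2024-05-01T10:00:40", "app", "INFO worker-1 heartbeat"),
    ("2024-05-01T10:01:10", "web-access", "10.0.0.7 GET /api/items 500"),
    ("2024-05-01T10:01:15", "web-access", "10.0.0.8 POST /api/items 500"),
    ("2024-05-01T10:01:30", "web-access", "10.0.0.9 GET /api/items 500"),
    ("2024-05-01T10:01:45", "app", "ERROR OutOfMemoryError in worker-3"),
    ("2024-05-01T10:01:50", "app", "WARN disk usage 91%"),
]


def _ts(s):
    return datetime.fromisoformat(s)


def inactivity_alert(logs, log_name, now, max_idle, pattern=None):
    """Inactivity Detection ("Up Down Monitoring"): fire when LOG_NAME,
    optionally restricted to lines matching PATTERN, has been silent for
    longer than MAX_IDLE. Returns the idle time in seconds when the alert
    fires (inf if the source was never seen), or None when it is healthy."""
    rx = re.compile(pattern) if pattern else None
    seen = [_ts(t) for t, name, msg in logs
            if name == log_name and (rx is None or rx.search(msg))]
    if not seen:
        return float("inf")
    idle = (now - max(seen)).total_seconds()
    return idle if idle > max_idle.total_seconds() else None


def pattern_alert(logs, log_name, patterns):
    """Pattern Detection: a line triggers when it matches any of up to
    five patterns (the UI's "+ OR"). Returns the matching messages."""
    if not 1 <= len(patterns) <= 5:
        raise ValueError("one to five OR'd patterns are allowed")
    rxs = [re.compile(p) for p in patterns]
    return [msg for _, name, msg in logs
            if name == log_name and any(rx.search(msg) for rx in rxs)]


def change_alert(logs, log_name, key_pattern, window, min_delta):
    """Change Detection: count lines matching KEY_PATTERN per WINDOW and
    fire when the count moves by at least MIN_DELTA between consecutive
    windows (empty windows count as zero, so a sudden drop fires too).
    Returns [(window_start_iso, previous_count, current_count), ...]."""
    rx = re.compile(key_pattern)
    step = int(window.total_seconds())
    counts = Counter()
    for t, name, msg in logs:
        if name == log_name and rx.search(msg):
            secs = int((_ts(t) - EPOCH).total_seconds())
            counts[EPOCH + timedelta(seconds=secs - secs % step)] += 1
    if not counts:
        return []
    fired, prev, bucket = [], 0, min(counts)
    while bucket <= max(counts):
        cur = counts.get(bucket, 0)
        if abs(cur - prev) >= min_delta:
            fired.append((bucket.isoformat(), prev, cur))
        prev, bucket = cur, bucket + window
    return fired


def throttle(notification_times, limit, window):
    """Alert Throttling: deliver at most LIMIT notifications per WINDOW,
    the window opening at the first notification it contains. Returns the
    notification times that are actually delivered."""
    delivered, window_start, sent = [], None, 0
    for t in sorted(notification_times):
        if window_start is None or t - window_start >= window:
            window_start, sent = t, 0
        if sent < limit:
            delivered.append(t)
            sent += 1
    return delivered


def run_demo(now_iso="2024-05-01T10:05:00"):
    """Evaluate every alert type over SAMPLE_LOGS and return the results."""
    now = _ts(now_iso)
    five_hundreds = [_ts(t) for t, n, m in SAMPLE_LOGS
                     if n == "web-access" and m.endswith(" 500")]
    return {
        # Heartbeat stopped at 10:00:40: a 3-minute window fires (260 s idle)...
        "heartbeat_idle": inactivity_alert(
            SAMPLE_LOGS, "app", now, timedelta(minutes=3), r"heartbeat"),
        # ...but the app log as a whole was active at 10:01:50, inside 5 minutes.
        "app_idle": inactivity_alert(SAMPLE_LOGS, "app", now, timedelta(minutes=5)),
        # A source that never reported at all is treated as infinitely idle.
        "never_seen": inactivity_alert(SAMPLE_LOGS, "dns", now, timedelta(minutes=5)),
        "pattern_hits": pattern_alert(
            SAMPLE_LOGS, "app", [r"OutOfMemoryError", r"disk usage 9\d%"]),
        # HTTP 500s went from 1 to 3 between consecutive 1-minute windows.
        "change": change_alert(
            SAMPLE_LOGS, "web-access", r" 500$", timedelta(minutes=1), 2),
        # Four 500s, throttled to 2 per minute: three notifications get through.
        "delivered": throttle(five_hundreds, 2, timedelta(minutes=1)),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Two details worth carrying back to the real configuration: the inactivity check restricted to a pattern (`heartbeat`) fires while the unrestricted check on the same log stays quiet, which is why a trigger pattern matters for sources that keep emitting noise after the component you care about has died; and the throttle suppresses notifications, not detections, so a burst still shows up in the alert history even when only a few e-mails arrive.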

Manage Alerts

To manage your existing alerts:

  1. From the left navigation menu, select Settings > Alert Settings > Custom alerts. You can also access this page from anywhere in InsightIDR by clicking the Lightning icon in the top black bar and selecting the Manage Alerts link.
  2. On the right of an alert, click the Pencil icon to edit the alert.
  3. If applicable, select the check box to enable the alert.
  4. Click the Trashcan icon to delete the alert.
  5. Select a radio button to choose a bulk action to apply to all of the custom alerts, and then click the Apply button.
