Creating Alerts

QUICK TIP: Not sure what alerts you need? Try asking yourself, "What is the most important piece of my business environment? What changes have the highest impact from both the security and the operability point of view?"
For example, creating a new user in Active Directory is a relatively routine task that does not require supervision or an immediate response. By contrast, adding a user to the Domain Admins group may have a great impact on your domain's operability and security. Such changes should be carefully reviewed and approved by authorized personnel as soon as they occur.

To create a new alert:

Note: The procedure below applies to the Active Directory source. Alert creation may vary slightly for other sources.

  1. On the home page, pick a source.
  2. Select Alerts.
  3. Select Create to create a search-based alert.
  4. Customize your search: create a search query tailored to look for the information you are specifically interested in. Make sure to use full names, because filters are designed to match exact entries (e.g., cygnalabsdemo.com\ian.rush instead of ian.rush). To retrieve all activity, leave the search filters blank.

    • On the Filter tab, specify parameters to narrow down your search results (for example, specify a user name in the Who filter to narrow down your search to activity of a specific user).
    • On the Exclusions tab, specify entities you do not care about at the moment and do not want to show up in this search query (for example, a trustworthy administrators group).

    • On the Actions tab, specify alert recipients.
  5. Click Save.
  6. In the Save Alert dialog, specify a new alert name and provide a description. Set the Enabled status to "Yes" to turn on the alert. You can also assign tags to your alerts (e.g., security, critical, moderate risk).

After saving, a new alert will appear in the list. Later, you can update, disable, or delete your alerts.
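To make the filter and exclusion semantics from the procedure above concrete, here is an added illustration (not the product's own code) that models how a search-based alert decides whether an Active Directory change event fires: blank filters retrieve all activity, a non-blank filter must match the full name exactly, and exclusions drop entries you do not want to see. The event fields, alert structure, sample events and recipient address are all constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Event:
    who: str     # fully qualified actor, e.g. "cygnalabsdemo.com\\ian.rush"
    action: str  # e.g. "Created", "Added"
    what: str    # affected object, e.g. "Domain Admins"


@dataclass
class Alert:
    name: str
    filters: dict = field(default_factory=dict)     # field -> exact value; blank = all activity
    exclusions: dict = field(default_factory=dict)  # field -> set of values to ignore
    recipients: list = field(default_factory=list)
    enabled: bool = True

    def matches(self, event: Event) -> bool:
        if not self.enabled:
            return False
        # Filters are exact: "ian.rush" never matches "cygnalabsdemo.com\\ian.rush".
        for fld, value in self.filters.items():
            if value and getattr(event, fld) != value:
                return False
        # Exclusions suppress entries you do not care about (e.g. a trusted admin).
        for fld, values in self.exclusions.items():
            if getattr(event, fld) in values:
                return False
        return True


def evaluate(alerts, events):
    """Return (alert name, recipients, event) for every alert that fires."""
    return [(a.name, a.recipients, e) for a in alerts for e in events if a.matches(e)]


# Constructed sample events (not real audit data).
EVENTS = [
    Event("cygnalabsdemo.com\\ian.rush", "Created", "CN=New User,OU=Staff"),
    Event("cygnalabsdemo.com\\ian.rush", "Added", "Domain Admins"),
    Event("cygnalabsdemo.com\\trusted.admin", "Added", "Domain Admins"),
]

ALERTS = [
    Alert("Domain Admins membership change",
          filters={"what": "Domain Admins", "action": "Added"},
          exclusions={"who": {"cygnalabsdemo.com\\trusted.admin"}},
          recipients=["secops@example.com"]),  # placeholder recipient
    Alert("Short name (never fires)", filters={"who": "ian.rush"}),  # not a full name
    Alert("All activity"),  # blank filters: every event matches
]


def fired_alert_names(alerts=ALERTS, events=EVENTS):
    return [name for name, _, _ in evaluate(alerts, events)]
```

Running `evaluate(ALERTS, EVENTS)` fires the Domain Admins alert only for ian.rush's change (the trusted admin is excluded), never fires the short-name alert, and fires the blank-filter alert for all three events.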

The example below shows the alert email that is sent when a user is deleted in your Active Directory domain.

For more information on interpreting the data, refer to Reading Search Results.

Quick tip: Check out tutorials that will guide you through the process of creating the most commonly used security alerts. See Best Security Alerts.