Go to Settings >> Knowledge Base from the navigation bar and click Alert Rules.
Alert Rules
Note
You can also create an alert rule from the widgets in dashboards and search templates. Go to the required widget, click the icon at the top-right corner, and click Alert.
Creating alert from widgets
Click Add.
Creating an Alert Rule - Step 1
Enter the Name of the alert.
Enter the Query for which you want the alert to trigger an incident. You can either manually provide a search query or pick one query from the Advanced Query Picker using the Select option.
Note
If you are creating an alert rule from a widget, LogPoint automatically adds the widget’s query in the Query field.
If the Data Privacy Module is enabled, the values of all fields configured in the Data Privacy Module are encrypted. For queries that specify a particular value for a configured field, Logpoint does not generate an incident. However, for queries that match all values of such a field, an incident is generated with encrypted field values.
For example, if you have configured the device_name field under the Data Privacy Module, the query device_name=localhost does not generate any incident. However, the query device_name=* generates incidents with encrypted values.
Select the Repo you want to monitor for the alert condition.
In the Limit field, enter the maximum number of logs to retrieve using the entered Query.
Note
The Limit selection field disappears if you enter an aggregation query in the Query field.
Enter a Description.
Select a Time-range for the alert.
Note
You can set a time range either in minutes only, or in days and hours only.
The maximum value for the day time range is 30.
Select Define Search Interval to apply a time interval to the search.
Provide the Search Interval in minutes. For example, if you set the search interval to two, LogPoint performs the search every two minutes.
Note
The Search Interval should be a factor of the Time-range value in minutes. When you create an alert rule or edit a previously configured one, you get a validation message. Logpoint recommends changing the Search Interval of any previously configured alert rules to a factor of the Time-range value in minutes.
Search Intervals do not work with correlation queries. Therefore, if you have used a correlation query in the Query field, the search is not performed in the specified Search Interval even if you select the Enable Search Interval checkbox.
Enable Delay Alert to define the delay threshold.
Enter the Delay Threshold in minutes. Logpoint waits until the delay threshold has passed before processing the logs, to ensure that all relevant logs are collected before generating the incidents.
Note
Delay Threshold can only be used with log_ts based searches.
When defining both a Search Interval and a Delay Threshold, we recommend setting the delay threshold to a multiple of the search interval.
The maximum value of the Delay Threshold is 24 hours.
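The Time-range, Search Interval and Delay Threshold constraints above can be checked before a rule is saved. The following is an added example, not LogPoint's own code; the dataclass and function names are assumptions made here.

```python
# Added example, not LogPoint's own code: checks the Time-range, Search Interval
# and Delay Threshold constraints listed above before an alert rule is saved.
from dataclasses import dataclass
from typing import List, Optional

MAX_DAYS = 30                # maximum day time range stated on this page
MAX_DELAY_MINUTES = 24 * 60  # Delay Threshold is capped at 24 hours

@dataclass
class AlertTiming:
    minutes: int = 0                        # time range in minutes only ...
    days: int = 0                           # ... or in days and hours only
    hours: int = 0
    search_interval: Optional[int] = None   # minutes; None if not defined
    delay_threshold: Optional[int] = None   # minutes; None if Delay Alert is off

def time_range_minutes(t: AlertTiming) -> int:
    """Total time range in minutes, whichever form was used."""
    return t.minutes if t.minutes else (t.days * 24 + t.hours) * 60

def check_timing(t: AlertTiming) -> List[str]:
    """Return the problems found; an empty list means the timing is valid."""
    problems: List[str] = []
    if t.minutes and (t.days or t.hours):
        problems.append("time range must be minutes only, or days and hours only")
    if t.days > MAX_DAYS:
        problems.append(f"day time range {t.days} exceeds the maximum of {MAX_DAYS}")
    total = time_range_minutes(t)
    if total <= 0:
        problems.append("time range must be greater than zero")
        return problems
    if t.search_interval is not None:
        if t.search_interval <= 0 or total % t.search_interval:
            problems.append(
                f"search interval {t.search_interval} is not a factor of the "
                f"{total}-minute time range")
    if t.delay_threshold is not None:
        if t.delay_threshold > MAX_DELAY_MINUTES:
            problems.append(f"delay threshold {t.delay_threshold} exceeds 24 hours")
        # recommendation only, but worth flagging before the rule is saved
        if t.search_interval and t.delay_threshold % t.search_interval:
            problems.append("delay threshold should be a multiple of the search interval")
    return problems
```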
Select Flush On Trigger if you want the next alert triggered only based on a new set of events.
Select Alert Throttling to ensure that LogPoint does not create multiple alerts for the same set of values for a specified time. Provide the Field and the time in Minutes.
Once an alert is triggered for a value set of the particular Field, it does not trigger another alert for the same set of values until the specified number of Minutes has passed.
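To see what throttling does to a stream of matching events, here is an added example that is not LogPoint's own code. The sample events are constructed, and the throttling window is assumed to be strict (an event exactly at the boundary fires again).

```python
# Added example, not LogPoint's own code: simulates Alert Throttling over a
# constructed stream of matching events to show which ones would raise an alert.
from datetime import datetime, timedelta
from typing import Dict, List, Sequence, Tuple

Event = Tuple[datetime, Dict[str, str]]

def apply_throttling(events: Sequence[Event], fields: Sequence[str],
                     minutes: int) -> List[Event]:
    """Return the events that raise an alert when throttled on `fields`.

    Once a value set fires, later matches with the same value set are
    suppressed until `minutes` have passed (assumed to be a strict window).
    """
    window = timedelta(minutes=minutes)
    last_fired: Dict[tuple, datetime] = {}
    fired: List[Event] = []
    for ts, log in sorted(events, key=lambda e: e[0]):
        key = tuple(log.get(f) for f in fields)
        previous = last_fired.get(key)
        if previous is not None and ts - previous < window:
            continue                       # same value set inside the window
        last_fired[key] = ts
        fired.append((ts, log))
    return fired

# Constructed sample: failed logins, the kind of query an alert rule would use.
def _t(minute: int) -> datetime:
    return datetime(2024, 1, 1, 9, minute)

SAMPLE_EVENTS: List[Event] = [
    (_t(0),  {"user": "alice", "source_address": "10.0.0.5"}),
    (_t(3),  {"user": "alice", "source_address": "10.0.0.9"}),
    (_t(6),  {"user": "bob",   "source_address": "10.0.0.5"}),
    (_t(12), {"user": "alice", "source_address": "10.0.0.5"}),
]

def alerts_by_user() -> List[str]:
    """Throttle on `user` for 10 minutes: alice at 09:03 is suppressed."""
    return [f"{ts:%H:%M} {log['user']}"
            for ts, log in apply_throttling(SAMPLE_EVENTS, ["user"], 10)]

def alerts_by_user_and_source() -> int:
    """Throttle on both fields: every distinct pair inside the window fires."""
    return len(apply_throttling(SAMPLE_EVENTS, ["user", "source_address"], 10))
```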
Click Next.
Creating an Alert Rule - Step 2
Select the Attack Tag from the drop-down. You can select multiple tags to categorize the alert.
Attack Category is set automatically based on the Attack Tags you selected.
Provide custom Metadata as Field and Value to categorize the alert rules. You can add new fields and values by clicking ADD NEW VALUE.
Warning
You cannot provide LogPoint reserved Jinja placeholders as Metadata Field in the Field column. Refer to LogPoint Reserved Jinja Placeholders to view the list of publicly available LogPoint reserved Jinja placeholders.
The Metadata Field should contain letters or a combination of letters, numbers, or underscores (_), and must start with a letter.
You cannot repeat the Metadata Field.
A Metadata Field cannot have an empty Value, and a Value cannot have an empty Field.
Select Log Sources from the drop-down or provide new log sources associated with the alert rule. New log sources are also updated in the drop-down after submission.
Click Next.
Creating an Alert Rule - Step 3
Select the Condition, Risk, and Risk Calculating Function from the drop-downs.
Based on the Risk level and Risk Calculation Function, Logpoint calculates the Risk Value of the alerts and the incidents they generate. If the search result of the query contains device_ip, the Risk Calculation Function takes the Risk Value of the devices and the Risk level of the alert as arguments.
For example:
If the Risk level of an alert is Medium, Risk Calculation Function is Maximum, and the Risk Value of its associated device(s) is Critical, the Risk Value of the generated alert and incident is: Maximum(Risk level, Risk value of device(s)). That means the Risk value of the incident is Critical.
The risk value of a device is calculated from the values of Confidentiality, Availability, and Integrity.
For search queries with pipeline commands, or whose search results do not contain device_ip, the Risk Value of the alert and the incidents it generates is equal to the Risk level of the alert.
Note
Condition is the number of logs the search must return for the alert to trigger. Setting a limit controls the number of logs for the search. The number of logs you select in the condition must not exceed the previously set limit, because Logpoint compares the limit value with the condition value of the alert rule. For example, if you set the limit to 30 logs, your condition must be 30 or less; it cannot be greater than 30.
Average returns the sum of Confidentiality, Availability, Integrity, and Risk divided by the number of values. Maximum returns the highest value and Minimum returns the lowest.
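The risk calculation described above, worked through in code as an added example that is not LogPoint's own implementation. The four-level ordinal scale and the function name are assumptions made here; the device values fed in are the Confidentiality, Availability and Integrity values the page says a device's risk is calculated from.

```python
# Added example, not LogPoint's own code: applies the Risk Calculating Function
# described above. The four-level ordinal scale is an assumption made here.
from typing import Dict, List

RISK_SCALE = ["Low", "Medium", "High", "Critical"]   # assumed, lowest first

def _level(name: str) -> int:
    return RISK_SCALE.index(name)

def incident_risk(alert_risk: str, devices: List[Dict[str, str]],
                  function: str) -> str:
    """Risk Value of an alert and the incidents it generates.

    `devices` holds the Confidentiality/Availability/Integrity values of the
    devices whose device_ip appeared in the search result; an empty list means
    no device_ip (or a pipeline command), so the alert's own Risk level is used.
    """
    if not devices:
        return alert_risk
    values = [_level(alert_risk)]
    for dev in devices:
        values += [_level(dev[k]) for k in ("confidentiality", "availability", "integrity")]
    if function == "Maximum":
        index = max(values)
    elif function == "Minimum":
        index = min(values)
    elif function == "Average":
        # sum of C, A, I and Risk divided by how many values went in,
        # rounded half up back onto the scale
        index = int(sum(values) / len(values) + 0.5)
    else:
        raise ValueError(f"unknown Risk Calculating Function: {function}")
    return RISK_SCALE[index]
```

With a Medium alert, the Maximum function and a Critical device this reproduces the page's example and yields Critical.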
Click Next.
Creating Alert Rule - Step 4
Select a user from the Assigned to drop-down. You need to assign the Alert rule to a user or user group. To select an individual user, select them in Assigned to. You can assign an Alert Rule to yourself by deselecting all of the Incident User Groups in Manageable by.
To assign the alert rule to a group, select the group in Manageable by.
Users selected in both the Assigned to and Manageable by sections can re-assign, comment on, and view the data of the generated incident. However, only the Assigned to user can resolve it.
Note
If you do not belong to any of the Incident User Groups, the Assigned to and Manageable by fields are hidden and Logpoint shows the following:
Creating Alert Rule - Step 4
LogPoint allows you to view the details of the incidents triggering the alert in a specific format. Enable Apply Jinja template and provide the template in the Template syntax field.
You can view incident details in Jinja format. Click Incident Data in the incident the alert rule generated.
If the Jinja template has a timestamp, the datetime filter is mandatory when you want the date clearly displayed. The timestamp will be in raw epoch format if the filter is not included.
Select Toggle Simple View to enable or disable the advanced text editor.
Creating Alert Rule - Step 5
If the Data Privacy Module is enabled, you will now see Data Privacy Request. This controls whether the data is encrypted or not. By default they are encrypted. To decrypt them, select Alert using original data.
Data Privacy Request Panel
Click Finish.
If you selected Alert using original data, you get a confirmation message. To create a data privacy request for the alert, click Yes. The alert is deactivated until the data privacy request is granted.
Data Privacy Module Confirmation
Note
Alert Rules can be exported and imported. If you export an Alert Rule, ownership is lost. If you import an Alert Rule, the person who performs the import gets ownership.
If Data Privacy Module is enabled, users with the Can Grant Access permission can grant access to alerts to users with the Can Request Access permission. If you are a user who can grant access, you can view the requests by going to Settings >> Configurations >> Data Privacy Module >> Pending Request.
If you are a user who requested access to an alert, you can view the status of your requests by going to Settings >> Configurations >> Data Privacy Module >> My Request.
After configuring the Alert Rule, you can set up a notification for it. Click Yes in the dialogue. You can always change notifications by clicking the notification icon in the Actions column of the corresponding alert rule.
Alert Rules
An alert is triggered and an incident for the alert is generated every time the search query meets all the alerting criteria.
To view all incidents, go to the Navigation bar and click Incidents.