Creating an Alert Rule

  1. Go to Settings >> Knowledge Base from the navigation bar and click Alert Rules.


Alert Rules


You can also create an alert rule from the widgets in dashboards and search templates. Go to the required widget, click the icon at the top-right corner, and click Alert.


Creating alert from widgets

  1. Click Add.


Creating an Alert Rule - Step 1

  1. Enter the Name of the alert.

  2. Enter the Query for which you want the alert to trigger an incident. You can either manually provide a search query or pick one query from the Advanced Query Picker using the Select option.


    • If you are creating an alert rule from a widget, LogPoint automatically adds the widget’s query in the Query field.

    • If the Data Privacy Module is enabled, the values for all the configured Data Privacy Module fields are encrypted. For queries that have specific configured fields values, Logpoint does not generate an incident. However, for the queries that have all their values an incident is generated with encrypted field values.

    For example, if you have configured the device_name field under the Data Privacy Module, then the query device_name=localhost does not generate any incident. However, the query device_name=* generates the incidents with encrypted values.

  3. Select the Repo you want monitored to match the alert condition.

  4. In the Limit field, enter the maximum number of logs to retrieve using the entered Query.


    The Limit selection field disappears if you enter an aggregation query in the Query field.

  5. Enter a Description.

  6. Select a Time-range for the alert.


    • You can set a time range of either only minutes or only day and hour.

    • The maximum limit for the day time range is 30.

  7. Select Define Search Interval to apply a time interval to the search.

  8. Provide the Search Interval in minutes. For example, if you set the search interval to two, LogPoint performs the search every two minutes.


  • The Search Interval should be a factor of the Time-range value in minutes. When you successfully create an alert rule or edit a previously configured alert rule you will get a validation message. Logpoint recommends changing the Search Interval of any previously configured alert rules to the factor of the Time-range value in minutes.

  • Search Intervals do not work with correlation queries. Therefore, if you have used a correlation query in the Query field, the search is not performed in the specified Search Interval even if you select the Enable Search Interval checkbox.

  1. Enable Delay Alert to define the delay threshold.

  2. Enter the Delay Threshold in minutes. Logpoint waits until the delay threshold has passed before processing the logs, to ensure that all relevant logs are collected before generating the incidents.


    • Delay Threshold can only be used with log_ts based searches.

    • While defining Search Interval and Delay threshold, we recommend you define the delay threshold in the multiple of the search interval.

    • The maximum value of the Delay Threshold can be up to 24 hours.

  3. Select Flush On Trigger if you want the next alert triggered only based on a new set of events.

  4. Select Alert Throttling to ensure that LogPoint does not create multiple alerts for the same set of values for a specified time. Provide the Field and the time in Minutes.

    Once an alert is triggered for a value set of the particular Field, it does not trigger another alert for the same set of values until the time specified Minutes.

  5. Provide the Field and the time in Minutes. Once an alert is triggered for a value of the particular Field, it does not trigger another alert for the same value specified in Minutes.

  6. Click Next.


Creating an Alert Rule - Step 2

  1. Select the Attack Tag from the drop-down. You can select multiple tags to categorize the alert.

  2. Attack Category is selected based on the associated Attack Tags selected.

  3. Provide custom Metadata as Field and Value to categorize the alert rules. You can add new fields and values by clicking ADD NEW VALUE.


  • You cannot provide LogPoint reserved Jinja placeholders as Metadata Field in the Field column. Refer to LogPoint Reserved Jinja Placeholders to view the list of publicly available LogPoint reserved Jinja placeholders.

  • The Metadata Field should contain letters or a combination of letters, numbers, or underscores (_), and must start with a letter.

  • You cannot repeat the Metadata Field.

  • Value associated with the Metadata Field cannot be empty and vice-versa.

  1. Select Log Sources from the drop-down or provide new log sources associated with the alert rule. New log sources are also updated in the drop-down after submission.

  2. Click Next.


Creating an Alert Rule - Step 3

  1. Select the Condition, Risk, and Risk Calculating Function from the drop-downs.

    Based on the Risk level and Risk Calculation Function, Logpoint calculates the Risk Value of the alerts and incidents they generated. If the search result of the query contains the device_ip, the Risk Calculation Function takes the Risk Value of the devices and Risk level of the alert as arguments.

    For example:

    If the Risk level of an alert is Medium, Risk Calculation Function is Maximum, and the Risk Value of its associated device(s) is Critical, the Risk Value of the generated alert and incident is: Maximum(Risk level, Risk value of device(s)). That means the Risk value of the incident is Critical.

    The risk value of a device is calculated from the values of Confidentiality, Availability, and Integrity.

    Whereas for search queries with pipeline commands or without device_ip in the search results, the Risk Value of the alert and its generated incident(s) is equal to the Risk level of the alert.


    • Condition is the number of logs the search will return. Setting a limit controls the number of logs for the search. The number of logs you select should not exceed the previously set limit. Logpoint compares the limit value to the value set in the condition to the added alert rule. For example, you set the limit to 30 logs. Then you need to make sure that your condition is 30 or less. It cannot be greater than 30.

    • Average returns the average of the sum of Confidentiality, Availability, Integrity, and Risk divided by the number of times they happened. Maximum returns the highest value and Minimum returns the lowest.

  2. Click Next.


Creating Alert Rule - Step 4

  1. Select a user from the Assigned to drop-down. You need to assign the Alert rule to a user or user group. To select an individual user, select them in Assigned to. You can assign an Alert Rule to yourself by deselecting all of the Incident User Groups in Manageable by.

  2. To assign the alert rule to a group, select the group in Manageable by.

    Users selected in both the Assigned to and Manageable by section can re-assign, comment on and view the data of the generated incident. However, only the Assigned to user can resolve it.


    If you do not belong to any of the Incident User Groups, the Assigned to and Manageable by are hidden and in Logpoint you get the following:


    Creating Alert Rule - Step 4

  3. LogPoint allows you to view the details of the incidents triggering the alert in a specific format. Enable Apply Jinja template and provide the template in the Template syntax field.

  4. You can view incident details in Jinja format. Click Incident Data in the incident the alert rule generated.

  5. If the Jinja template has a timestamp, the datetime filter is mandatory when you want the date clearly displayed. The timestamp will be in raw epoch format if the filter is not included.

  6. Select Toggle Simple View to enable or disable the advanced text editor.


Creating Alert Rule - Step 5

  1. If the Data Privacy Module is enabled, you will now see Data Privacy Request. This controls whether the data is encrypted or not. By default they are encrypted. To decrypt them, select Alert using original data.


Data Privacy Request Panel

  1. Click Finish.

If you selected to decrypt data, is decrypted, you get a confirmation message. To create a data privacy request for the alert, click Yes. The alert created will be deactivated until the data privacy request is granted.


Data Privacy Module Confirmation


Alert Rules can be exported and imported. If you export an Alert Rule, ownership is lost. If you import an Alert Rule, you get ownership or the person who performs the import will.

If Data Privacy Module is enabled, users with the Can Grant Access permission can grant access to alerts to users with the Can Request Access permission. If you are a user who can grant access, you can view the requests by going to Settings >> Configurations >> Data Privacy Module >> Pending Request.

If you are a user who requested access to an alert, you can view the status of your requests by going to Settings >> Configurations >> Data Privacy Module >> My Request.

After configuring the Alert Rule, you can setup a notification for it. Click Yes in the dialogue. You can always change notifications by clicking the notification icon the Actions column of the corresponding alert rule.


Alert Rules

An alert is triggered and an incident for the alert is generated every time the search query meets all the alerting criteria.

To view all incidents, go to the Navigation bar and click Incidents.


We are glad this guide helped.

Please don't include any personal information in your comment

Contact Support