To create new alerts and modify existing alerts, the account used to connect to Netwrix Auditor Server via the Netwrix Auditor client must be assigned the Global administrator or Global reviewer role in the product.
To set up a response action, this account must also be a member of the local Administrators group on Netwrix Auditor Server.
See Role-Based Access and Delegation for more information.
On the main Netwrix Auditor page, navigate to the Configuration section and click the Alerts tile.
NOTE: You can also create a new alert directly from the interactive search results. Navigate to Tools and select Create alert to add a new alert with the same set of filters as your search.
In the All Alerts window, click Add. Configure the following:
Specify a name and a description for the new alert.
NOTE: Make sure that the Send alert when the action occurs option is enabled. Otherwise, the new alert will be disabled.
Apply tags—Create a set of tags to more efficiently identify and sort your alerts. Select Edit under Apply tags to associate tags with your alert. Later, you can quickly find an alert of interest using Filter by tags in the upper part of the All Alerts window.
NOTE: To see a full list of tags ever created in the product, navigate to Settings → Tags.
See Tags for more information.
Select alert recipients. Click Add Recipient and select the alert delivery type:
Email—Specify the email address where notifications will be delivered. You can add as many recipients as necessary.
NOTE: It is recommended to click Send Test Email. The system will send a test message to the specified email address and inform you if any problems are detected.
SMS-enabled email—Netwrix Auditor uses SMS-to-email gateway technology to deliver notifications to a phone number that is mapped to a dedicated email address. Specify the email address that receives the SMS notifications.
NOTE: Make sure that your carrier supports SMS-to-email gateway technology.
Apply a set of filters to narrow down the events that trigger the new alert. Alerts use the same interface and logic as search.
- Filter—Select general type of filter (e.g., "Who", "Data Source", "Monitoring plan", etc.)
- Operator—Configure match types for selected filter (e.g., "Equals", "Does not contain", etc.)
- Value—Specify the filter value.
Refer to Interactive Search for detailed instructions on how to create and modify filters.
NOTE: Required fields in the Filters section are highlighted in red.
Once you have configured all filters, click Preview in the right pane to see the search-based list of events that will trigger your alert.
If necessary, enable a threshold for the new alert. In this case, a single alert is sent instead of many. This is helpful when Netwrix Auditor detects many activity records matching the filters you specified.
Slide the switch under the Send alert when the threshold is exceeded option and configure the following:
Limit alerting to activity records with the same...—Select a filter in the drop-down list (e.g., Who). Netwrix Auditor will then count only activity records that share the same value for the selected filter.
NOTE: Only alerts grouped by the Who parameter can be included in the Behavior Anomalies list. Note that in this case the product does not sum risk scores; it shows the value you associated with this alert. This may significantly reduce risk score accuracy.
Send alert for <...> activity records within <...> seconds—Specify how many activity records must occur within the given period (in seconds) to trigger the alert.
For example, you want to receive an alert on suspicious mass activity. You select "Action" in the Limit alerting to activity records with the same list and specify the number of actions to be considered unexpected behavior: 1000 changes in 60 seconds. When this threshold is exceeded, an alert is delivered to the specified recipients, one per distinct action value: one for every 1000 removals in 60 seconds, and one for every 1000 failed removals in 60 seconds. This lets you easily discover what is going on in your IT infrastructure.
- Slide the switch to On under Include this alert in Behavior Anomalies assessment. See Behavior Anomalies for more information.
Associate a risk score with the alert—Assign a risk score based on the type of anomaly and the severity of the deviation from normal behavior. A risk score is a numerical value from 1 (Low) to 100 (High), with 100 being the riskiest.
These are general guidelines you can adopt when setting a risk score:
- High score—Assign to an action that requires your immediate response (e.g., adding account to a privileged group). Configure a non-threshold alert with email recipients.
- Above medium score—Assign to a repetitive action occurring during a short period of time. While a standalone action is not suspicious, multiple actions merit your attention (e.g., mass deletions from a SharePoint site). Configure a threshold-based alert with email recipients.
- Low score—Assign to an infrequent action. While a single action is safe, multiple occurrences aggregated over a long period of time may indicate a potential in-house bad actor (e.g., creation of potentially harmful files on a file share). Configure a non-threshold alert, email recipients are optional but make sure to regularly review the Behavior Anomalies dashboard.
- Low score—Assign to a repetitive action that does not occur too often (e.g., rapid logons). Multiple occurrences of action sets may indicate a potential in-house bad actor or account compromise. Configure a threshold-based alert, email recipients are optional but make sure to regularly review the Behavior Anomalies dashboard.
You can instruct Netwrix Auditor to perform a response action when the alert occurs — for example, start an executable file (PowerShell script, batch file, or other) that will remediate the issue, or open a ticket with the help desk, and so on. For that, you will need an executable file stored locally on the Netwrix Auditor server.
- Slide the switch to turn the feature ON.
- In the Run field, specify the path to the executable file. It must be located on the local Netwrix Auditor Server; an absolute or relative path can be used.
- In the With parameters field, enter the parameters required by the executable file (if any).
NOTE: Netwrix Auditor will also pass the following parameters to the command line in the background:
• alert_ID — internal alert ID
• activity_record_ID — ID of the activity record that triggered the alert
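The following response-action script is an added example and is not Netwrix code. It is a hypothetical Windows PowerShell script, C:\NetwrixScripts\Invoke-AlertResponse.ps1, that records every invocation, writes an event to the Application log so a SIEM can see that a response ran, and opens a help-desk ticket for high-severity alerts. The launch command, the log directory, the event source name, the help-desk endpoint and the token variable are all assumptions. This page only says that alert_ID and activity_record_ID are passed on the command line, not in which syntax, so the script accepts both "-name value" and "name=value" forms and logs the raw arguments; run it once with a test alert and check the log to confirm the real format before relying on the parsed values.

```powershell
<#
  Added example (not Netwrix code). Hypothetical path: C:\NetwrixScripts\Invoke-AlertResponse.ps1
  Assumed response-action settings for the alert:
    Run:             C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    With parameters: -NoProfile -NonInteractive -ExecutionPolicy Bypass -File C:\NetwrixScripts\Invoke-AlertResponse.ps1 -Severity High
  Netwrix Auditor appends alert_ID and activity_record_ID to that command line (syntax assumed, see below).
#>
[CmdletBinding()]
param(
    [ValidateSet('Low', 'Medium', 'High')]
    [string]$Severity = 'Medium',
    # Everything Netwrix Auditor appends lands here, including the "-alert_ID" tokens themselves.
    [Parameter(ValueFromRemainingArguments = $true)]
    [string[]]$Remaining
)

$LogDir  = 'C:\NetwrixScripts\Logs'   # hypothetical; writable by the account Netwrix Auditor runs the action under
$LogFile = Join-Path $LogDir ('alert-response-{0:yyyyMMdd}.log' -f (Get-Date))
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

# Pull a named value out of the raw tokens. Accepts "-name value", "name value", "-name=value", "name:value".
function Get-NetwrixArg {
    param([string[]]$Tokens, [string]$Name)
    $escaped = [regex]::Escape($Name)
    for ($i = 0; $i -lt $Tokens.Count; $i++) {
        $t = $Tokens[$i]
        if ($t -match "^[-/]?$escaped[=:](.+)$") { return $Matches[1] }
        if ($t -match "^[-/]?$escaped$" -and ($i + 1) -lt $Tokens.Count) { return $Tokens[$i + 1] }
    }
    return $null
}

$alertId  = Get-NetwrixArg -Tokens $Remaining -Name 'alert_ID'
$recordId = Get-NetwrixArg -Tokens $Remaining -Name 'activity_record_ID'

# Log the raw command line first, so the first real run shows exactly how the IDs arrive.
$entry = [pscustomobject]@{
    Timestamp        = (Get-Date).ToString('o')
    Severity         = $Severity
    AlertId          = $alertId
    ActivityRecordId = $recordId
    RunAs            = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    RawArguments     = ($Remaining -join ' ')
}
$entry | ConvertTo-Json -Compress | Add-Content -Path $LogFile -Encoding UTF8

# Treat the IDs as untrusted input: only forward values that match the format you expect
# (pattern is an assumption; adjust it after inspecting the log). This stops a malformed value
# from being interpolated into a ticket body, a file name or another command line.
$idPattern = '^[A-Za-z0-9\-\{\}]+$'
foreach ($v in @($alertId, $recordId)) {
    if ($v -and $v -notmatch $idPattern) {
        Add-Content -Path $LogFile -Value ("{0} refusing to forward unexpected ID value: {1}" -f (Get-Date).ToString('o'), $v)
        exit 2
    }
}

# Mirror the invocation into the Application log. The source must be registered once by an administrator:
#   New-EventLog -LogName Application -Source 'NetwrixAlertResponse'
if ([System.Diagnostics.EventLog]::SourceExists('NetwrixAlertResponse')) {
    $eventId = switch ($Severity) { 'High' { 9001 } 'Medium' { 9002 } default { 9003 } }
    Write-EventLog -LogName Application -Source 'NetwrixAlertResponse' -EntryType Warning -EventId $eventId `
        -Message ("Netwrix Auditor alert {0} fired (activity record {1}); severity {2}" -f $alertId, $recordId, $Severity)
}

# Hand off high-severity alerts to the help desk. Endpoint and token are hypothetical placeholders.
if ($Severity -eq 'High') {
    $ticket = @{
        title       = "Netwrix Auditor alert $alertId requires review"
        description = "Activity record $recordId triggered a high-severity alert. Investigate in Netwrix Auditor."
        priority    = 1
    } | ConvertTo-Json
    try {
        Invoke-RestMethod -Method Post -Uri 'https://helpdesk.example.com/api/tickets' `
            -Headers @{ Authorization = "Bearer $env:HELPDESK_TOKEN" } `
            -ContentType 'application/json' -Body $ticket | Out-Null
    } catch {
        Add-Content -Path $LogFile -Value ("{0} ticket creation failed: {1}" -f (Get-Date).ToString('o'), $_.Exception.Message)
        exit 1
    }
}
exit 0
```

Whoever can modify a file referenced in the Run field gets code execution on the Netwrix Auditor Server every time the alert fires, so keep the script directory writable only by administrators, and keep secrets such as the help-desk token out of the With parameters field (it is stored with the alert configuration) in favor of an environment variable or a credential store available to the account the action runs under.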