|
1 | 1 | ---
|
2 | 2 | title: Accelerate alert workflows
|
3 | 3 | description: Improve alert and incident workflows.
|
4 |
| -ms.date: 11/09/2021 |
| 4 | +ms.date: 03/10/2022 |
5 | 5 | ms.topic: how-to
|
6 | 6 | ---
|
7 | 7 |
|
@@ -93,125 +93,47 @@ Alert groups are predefined. For details about alerts associated with alert grou
|
93 | 93 |
|
94 | 94 | ## Customize alert rules
|
95 | 95 |
|
96 |
| -Use custom alert rules to more specifically pinpoint activity of interest to you. |
97 |
| -You can add custom alert rules based on: |
| 96 | +Add custom alert rule to pinpoint specific activity as needed for your organization such as for specific protocols, source or destination addresses, or a combination of parameters. |
98 | 97 |
|
99 |
| -- A category, for example a standard protocol, or port or file. |
| 98 | +For example, you might want to define an alert for an environment running MODBUS to detect any write commands to a memory register, on a specific IP address and ethernet destination. Another example would be an alert for any access to a specific IP address. |
100 | 99 |
|
101 |
| -- Traffic detections based proprietary protocols developed in a Horizon plugin. (Horizon Open Development Environment ODE). |
| 100 | +Use custom alert rule actions to instruct Defender for IT to take specific action when the alert is triggered, such as allowing users to access PCAP files from the alert, assigning alert severity, or generating an event that shows in the event timeline. Alert messages indicate that the alert was generated from a custom alert rule. |
102 | 101 |
|
103 |
| -- Source and destination addresses |
| 102 | +**To create a custom alert rule**: |
104 | 103 |
|
105 |
| -- A combination of protocol fields from all protocol layers. For example, in an environment running MODBUS, you may want to generate an alert when the sensor detects a write command to a memory register on a specific IP address and ethernet destination, or an alert when any access is performed to a specific IP address. |
| 104 | +1. On the sensor console, select **Custom alert rules** > **+ Create rule**. |
106 | 105 |
|
107 |
| -If the sensor detects the activity described in the rule, the alert is sent. |
| 106 | +1. In the **Create custom alert rule** pane that shows on the right, define the following fields: |
108 | 107 |
|
109 |
| -You can also use alert rule actions to instruct Defender for IoT to: |
| 108 | + - **Alert name**. Enter a meaningful name for the alert. |
110 | 109 |
|
111 |
| -- Allow users to access PCAP file from the alert. |
112 |
| -- Assign an alert severity. |
113 |
| -- Generate an event rather than alert. The detected information will appear in the event timeline. |
| 110 | + - **Alert protocol**. Select the protocol you want to detect. In specific cases, select one of the following protocols: |
114 | 111 |
|
| 112 | + - For a database data or structure manipulation event, select **TNS** or **TDS** |
| 113 | + - For a file event, select **HTTP**, **DELTAV**, **SMB**, or **FTP**, depending on the file type |
| 114 | + - For a package download event, select **HTTP** |
| 115 | + - For an open ports (dropped) event, select **TCP** or **UDP**, depending on the port type. |
115 | 116 |
|
116 |
| -The alert message indicates that a user-defined rule triggered the alert. |
| 117 | + To create rules that monitor for specific changes in one of your OT protocols, such as S7 or CIP, use any parameters found on that protocol, such as `tag` or `sub-function`. |
| 118 | + |
| 119 | + - **Message**. Define a message to display when the alert is triggered. Alert messages support alphanumeric characters and any traffic variables detected. For example, you might want to include the detected source and destination addresses. Use curly brackets (**{}**) to add variables to the alert message. |
117 | 120 |
|
| 121 | + - **Direction**. Enter a source and/or destination IP address where you want to detect traffic. |
118 | 122 |
|
119 |
| -### Create custom alerts |
| 123 | + - **Conditions**. Define one or more conditions that must be met to trigger the alert. Select the **+** sign to create a condition set with multiple conditions that use the **AND** operator. If you select a MAC address or IP address as a variable, you must convert the value from a dotted-decimal address to decimal format. |
120 | 124 |
|
121 |
| -**To create a custom alert rule:** |
| 125 | + - **Detected**. Define a date and/or time range for the traffic you want to detect. |
| 126 | + - **Action**. Define an action you want Defender for IoT to take automatically when the alert is triggered. |
122 | 127 |
|
123 |
| -1. Select **Custom Alerts** from the side menu of a sensor. |
124 |
| - |
125 |
| -1. Select **Create rule** (**+**). |
| 128 | +To edit a custom alert rule, select the rule and then select the options (**...**) menu > **Edit**. Modify the alert rule as needed and save your changes. |
126 | 129 |
|
127 |
| - :::image type="content" source="media/how-to-work-with-alerts-sensor/custom-alerts-rules.png" alt-text="Screenshot of the Create custom alert rules pane."::: |
| 130 | +Edits made to custom alert rules, such as changing a severity level or protocol, are tracked in the **Event timeline** page on the sensor console. For more information, see [Track sensor activity](how-to-track-sensor-activity.md). |
128 | 131 |
|
129 |
| -1. Define an alert name. |
130 |
| -1. Select protocol to detect. |
131 |
| -1. Define a message to display. Alert messages can contain alphanumeric characters you enter, as well as traffic variables detected. For example, include the detected source and destination addresses in the alert messages. Use { } to add variables to the message |
132 |
| -1. Select the engine that should detect the activity. |
133 |
| -1. Select the source and destination devices for the activity you want to detect. |
| 132 | +**To enable or disable custom alert rules** |
134 | 133 |
|
135 |
| -#### Create rule conditions |
136 |
| - |
137 |
| -Define one or several rule conditions. Two categories of conditions can be created: |
138 |
| - |
139 |
| -**Condition based on unique values** |
140 |
| - |
141 |
| -Create conditions based on unique values associated with the category selected. Rule conditions can comprise one or several sets of fields, operators, and values. Create condition sets, by using AND. |
142 |
| - |
143 |
| -**To create a rule condition:** |
144 |
| - |
145 |
| -1. Select a **Variable**. Variables represent fields configured in the plugin. |
146 |
| - |
147 |
| -7. Select an **Operator**: |
148 |
| - |
149 |
| - - (==) Equal to |
150 |
| - |
151 |
| - - (!=) Not equal to |
152 |
| - |
153 |
| - - (>) Greater than |
154 |
| - |
155 |
| - |
156 |
| - - In Range |
157 |
| - |
158 |
| - - Not in Range |
159 |
| - - Same as (field X same as field Y) |
160 |
| - |
161 |
| - - (>=) Greater than or equal to |
162 |
| - - (<) Less than |
163 |
| - |
164 |
| - - (<=) Less than or equal to |
165 |
| - |
166 |
| -8. Enter a **Value** as a number. If the variable you selected is a MAC address or IP address, the value must be converted from a dotted-decimal address to decimal format. Use an IP address conversion tool, for example <https://www.ipaddressguide.com/ip>. |
167 |
| - |
168 |
| - :::image type="content" source="media/how-to-work-with-alerts-sensor/custom-rule-conditions.png" alt-text="Screenshot of the Custom rule condition options."::: |
169 |
| - |
170 |
| -9. Select plus (**+**) to create a condition set. |
171 |
| - |
172 |
| -When the rule condition or condition set is met, the alert is sent. You will be notified if the condition logic is not valid. |
173 |
| - |
174 |
| -**Condition based on when activity took place** |
175 |
| - |
176 |
| -Create conditions based on when the activity was detected. In the Detected section, select a time period and day in which the detection must occur in order to send the alert. You can choose to send the alert if the activity is detected: |
177 |
| -- any time throughout the day |
178 |
| -- during working hours |
179 |
| -- after working hours |
180 |
| -- a specific time |
181 |
| - |
182 |
| -Use the Define working hours option to instruct Defender for IoT working hours for your organization. |
183 |
| - |
184 |
| -#### Define rule actions |
185 |
| - |
186 |
| -The following actions can be defined for the rule: |
187 |
| - |
188 |
| -- Indicate if the rule triggers an **Alarm** or **Event**. |
189 |
| -- Assign a severity level to the alert (Critical, Major, Minor, Warning). |
190 |
| -- Indicate if the alert will include a PCAP file. |
191 |
| - |
192 |
| -The rule is added to the **Customized Alerts Rules** page. |
193 |
| - |
194 |
| -:::image type="content" source="media/how-to-work-with-alerts-sensor/custom-alerts-page.png" alt-text="Screenshot of the main Custom alerts page." lightbox="media/how-to-work-with-alerts-sensor/custom-alerts-page.png"::: |
195 |
| - |
196 |
| -### Managing customer alert rules |
197 |
| - |
198 |
| -Manage the rules you create from the Custom alert rules page, for example: |
199 |
| - |
200 |
| - |
201 |
| -- Review the last time the rule was triggered, the number of times the alert was triggered for the rule in the last week, or the last time the rule was modified. |
202 |
| -- Enable or disable rules. |
203 |
| -- Delete rules. |
204 |
| - |
205 |
| -Select the checkbox next to multiple rules to perform a bulk enable/disable or delete. |
206 |
| - |
207 |
| -### Tracking changes to custom alert rules |
208 |
| - |
209 |
| -Changes made to custom alert rules are tracked in the event timeline. For example if a user changes a severity level, the protocol detected or any other rule parameter. |
210 |
| - |
211 |
| -**To view changes to the alert rule:** |
212 |
| - |
213 |
| -1. Navigate to the Event timeline page. |
| 134 | +You can disable custom alert rules to prevent them from running without deleting them altogether. |
214 | 135 |
|
| 136 | +In the **Custom alert rules** page, select one or more rules, and then select **Enable**, **Disable**, or **Delete** in the toolbar as needed. |
215 | 137 |
|
216 | 138 | ## Next steps
|
217 | 139 |
|
|
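Review bot: the added paragraph "Use custom alert rule actions to instruct Defender for IT to take specific action when the alert is triggered" names the product as "Defender for IT", while the **Action** bullet later in the same hunk says "Defender for IoT"; correct it to "Defender for IoT". In the same hunk, the removed text enumerated the condition operators (==, !=, >, >=, <, <=, In Range, Not in Range, Same as), the severity levels (Critical, Major, Minor, Warning) and the Alarm-versus-Event choice, but the replacement **Conditions** and **Action** bullets only say "Define one or more conditions" and "Define an action you want Defender for IoT to take"; if those values are still offered in the UI, keep at least the operator and severity lists so readers know which values are valid. The **Conditions** bullet also says that for a MAC address "you must convert the value from a dotted-decimal address to decimal format", but dotted-decimal notation applies only to IPv4 addresses, and a MAC address is six hex octets, so describe the conversion per address type; the removed text at least pointed to a conversion tool, and the new text gives no guidance on how to perform the conversion. Smaller points: "Add custom alert rule to pinpoint" needs an article ("Add a custom alert rule"), "ethernet destination" should read "Ethernet", three of the four items in the protocol sub-list lack the trailing period the fourth has, and the heading "**To enable or disable custom alert rules**" is missing the trailing colon used by "**To create a custom alert rule**:". The three removed :::image::: screenshots are not replaced; if dropping them is intentional, fine, otherwise add updated ones.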