articles/defender-for-iot/organizations/how-to-accelerate-alert-incident-response.md
Lines changed: 14 additions & 22 deletions
@@ -105,36 +105,28 @@ Specify in the custom alert rule what action Defender for IT should take when th
105
105
:::image type="content" source="media/how-to-accelerate-alert-incident-response/create-custom-alert-rule.png" alt-text="Screenshot of the Create custom alert rule pane for creating custom alert rules." lightbox="media/how-to-accelerate-alert-incident-response/create-custom-alert-rule.png":::
106
106
107
107
1. In the **Create custom alert rule** pane that shows on the right, define the following fields:
108
+
109
+
|Name |Description |
110
+
|---------|---------|
111
+
|**Alert name**| Enter a meaningful name for the alert. |
112
+
|**Alert protocol**| Select the protocol you want to detect. <br> In specific cases, select one of the following protocols: <br> <br> - For a database data or structure manipulation event, select **TNS** or **TDS**. <br> - For a file event, select **HTTP**, **DELTAV**, **SMB**, or **FTP**, depending on the file type. <br> - For a package download event, select **HTTP**. <br> - For an open ports (dropped) event, select **TCP** or **UDP**, depending on the port type. <br> <br> To create rules that track specific changes in one of your OT protocols, such as S7 or CIP, use any parameters found on that protocol, such as `tag` or `sub-function`. |
113
+
|**Message**| Define a message to display when the alert is triggered. Alert messages support alphanumeric characters and any traffic variables detected. <br> <br> For example, you might want to include the detected source and destination addresses. Use curly brackets (**{}**) to add variables to the alert message. |
114
+
|**Direction**| Enter a source and/or destination IP address where you want to detect traffic. |
115
+
|**Conditions**| Define one or more conditions that must be met to trigger the alert. Select the **+** sign to create a condition set with multiple conditions that use the **AND** operator. If you select a MAC address or IP address as a variable, you must convert the value from a dotted-decimal address to decimal format. <br><br> Note that the **+** sign is enabled only after selecting an **Alert protocol** from above. <br> You must add at least one condition in order to create a custom alert rule. |
116
+
|**Detected**| Define a date and/or time range for the traffic you want to detect. |
117
+
|**Action**| Define an action you want Defender for IoT to take automatically when the alert is triggered. |
108
118
109
-
-**Alert name**. Enter a meaningful name for the alert.
119
+
1. Select **Save** when you're done to save the rule.
110
120
111
-
-**Alert protocol**. Select the protocol you want to detect.
112
-
In specific cases, select one of the following protocols:
113
-
114
-
- For a database data or structure manipulation event, select **TNS** or **TDS**.
115
-
- For a file event, select **HTTP**, **DELTAV**, **SMB**, or **FTP**, depending on the file type.
116
-
- For a package download event, select **HTTP**.
117
-
- For an open ports (dropped) event, select **TCP** or **UDP**, depending on the port type.
118
-
119
-
To create rules that track specific changes in one of your OT protocols, such as S7 or CIP, use any parameters found on that protocol, such as `tag` or `sub-function`.
120
-
121
-
-**Message**. Define a message to display when the alert is triggered. Alert messages support alphanumeric characters and any traffic variables detected. For example, you might want to include the detected source and destination addresses. Use curly brackets (**{}**) to add variables to the alert message.
122
-
123
-
-**Direction**. Enter a source and/or destination IP address where you want to detect traffic.
124
-
125
-
-**Conditions**. Define one or more conditions that must be met to trigger the alert. Select the **+** sign to create a condition set with multiple conditions that use the **AND** operator. If you select a MAC address or IP address as a variable, you must convert the value from a dotted-decimal address to decimal format. Note that the **+** sign is enabled only after selecting an **Alert protocol** from above. You must add at least one condition in order to create a custom alert rule.
126
-
127
-
-**Detected**. Define a date and/or time range for the traffic you want to detect.
128
-
129
-
-**Action**. Define an action you want Defender for IoT to take automatically when the alert is triggered.
121
+
### Edit a custom alert rule
130
122
131
123
To edit a custom alert rule, select the rule and then select the options (**...**) menu > **Edit**. Modify the alert rule as needed and save your changes.
132
124
133
125
Edits made to custom alert rules, such as changing a severity level or protocol, are tracked in the **Event timeline** page on the sensor console. For more information, see [Track sensor activity](how-to-track-sensor-activity.md).
134
126
135
-
**To enable or disable custom alert rules**
127
+
### Disable, enable, or delete custom alert rules
136
128
137
-
You can disable custom alert rules to prevent them from running without deleting them altogether.
129
+
Disable custom alert rules to prevent them from running without deleting them altogether.
138
130
139
131
In the **Custom alert rules** page, select one or more rules, and then select **Enable**, **Disable**, or **Delete** in the toolbar as needed.
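Review bot: The **Conditions** row of the new table keeps the old text's "convert the value from a dotted-decimal address to decimal format" and applies it to both MAC and IP addresses, but only IPv4 addresses are dotted-decimal; either limit that sentence to IP addresses or state separately what conversion a MAC-address value needs, so readers are not left guessing for the MAC case. Two smaller points: the table sits between the step "1. In the **Create custom alert rule** pane ..." and the step "1. Select **Save** ...", so the table rows need to be indented under the first step, otherwise the second step renders as a new list starting at 1; and the unchanged context in the hunk header reads "what action Defender for IT should take", which should be "Defender for IoT" to match the rest of the article (the **Action** row already uses the correct name).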