Create and Manage Custom Alerts

With InsightIDR, you have the option of creating custom alerts when built-in alerts do not suit your needs.

There are three kinds of custom alerts:

You can also specify more granular information in the Custom Alert Details, and manage your custom alerts. Log Search Custom Alerts

Inactivity Detection Alerts

Also known as "Up Down Monitoring," inactivity alerts can be used to notify you when an entire log, log group, or particular pattern becomes inactive for a given time period.

Inactivity alerting is useful for system assets that must be running constantly (such as a critical server). The ability to set the time window of inactivity gives you control over your data, your environment, and your assets, and allows for damage control and prevention of data loss.

Inactivity alerting behavior

Inactivity alerting will monitor each log individually. For example, if the alert is monitoring a specific event across two logs and the event occurs in the first log but not the second log in the given timeframe, the alert will be triggered for the second log. Once inactivity is detected and one alert is triggered, you will only get a single alert if that pattern or log remains inactive. Activity will need to resume to restart the monitoring.

On the Log Search page, you can create alerts in two different ways:

You can always switch to a different alert type during configuration.

Auto-Populate an Inactivity Detection Alert

To auto-populate an alert:

  1. From the InsightIDR left menu, select the Log Search page.
  2. Select the log or log sets you want in the alert, or use a search query to look for a specific set of logs.
  3. Click Add Alert and choose an alert type based on the selected logs. The “Create Alert” panel appears, with applicable steps already pre-populated.
  4. Name your alert and optionally add a description. Click Next.
  5. Set a default priority, this will apply to all investigations generated by this alert.
  6. In the “Trigger” section, choose a saved query or create a new query using LEQL operators, keywords or regex. To match an exact string using LEQL operators and keywords, place double quotes around your search criteria.
  7. Click Skip to Alert Notification if you don’t want to create a trigger.
  8. In the “Alert Notification” section, define how you will receive notifications. Read more about Notification Settings. Inactivity Detection Alert
  9. Define a notification throttle to control how long the log or log sets are inactive before receiving an alert, and to control the quantity of alert notifications you will receive. Read more about Alert Throttling.
  10. Click Create Alert.

Manually Configure an Inactivity Detection Alert

To configure an inactivity alert:

  1. From the InsightIDR left menu, select the Log Search page.
  2. Click Add Alert and select Inactivity Detection Alert. The “Create Alert” panel appears, with applicable steps already pre-populated.
  3. Name your alert and optionally add a description. Click Next.
  4. Select one or more logs or the log sets you want to use in the alert. Click Next.
  5. Set a default priority, this will apply to all investigations generated by this alert.
  6. In the “Trigger” section, choose a saved query or create a new query using LEQL operators, keywords or regex. To match an exact string using LEQL operators and keywords, place double quotes around your search criteria.
    • If you do not add a trigger or pattern, the alert will automatically use the logs to detect inactivity.
  7. In “Trigger Settings,” customize the amount of time a log or pattern must be inactive before it triggers an alert. By default, an inactivity period of five days will trigger an alert. Click Next.
  8. In the “Alert Notification” section, define how you will receive notifications. Read more about Notification Settings. Inactivity Detection Alert
  9. Define a notification throttle to control how long the log or log sets are inactive before receiving an alert, and for the quantity of alert notifications you will receive. Read more about Alert Throttling.
  10. Click Create Alert.

Pattern Detection Alert

In order for an alert to trigger, a log must match the exact pattern you enter as a search term.

Alerting on patterns can be useful in situations such as monitoring server errors, critical exceptions, and general performance, and allows you to only monitor events that are important to you.

On the Log Search page, you can create Pattern Detection alerts in two different ways:

Auto-Populate a Pattern Detection Alert

To auto-populate an alert:

  1. From the InsightIDR left menu, select the Log Search page.
  2. Select the log or log sets you want in the alert, or use a search query to look for a specific set of logs.
  3. Click Add Alert and choose an alert type based on the selected logs. The “Create Alert” panel appears, with applicable steps already pre-populated.
  4. Name your alert and optionally add a description. Click Next to set a default priority.
  5. Set a default priority, this will apply to all investigations generated by this alert.
  6. In the “Trigger” section, choose a saved query or create a new query using LEQL operators, keywords or regex. To match an exact string using LEQL operators and keywords, place double quotes around your search criteria.
  7. In the “Alert Notification” section, choose whether you want to apply labels to the pattern or receive alerts from email or other integrations. If you choose the latter, you can define the log information you'd like included. See Notification Settings for more information. Pattern Detection Labels
  8. Define a notification throttle to control how long the log or log sets are inactive before receiving an alert, and to control the number of alert notifications you will receive. Read more about Alert Throttling.
  9. Click Create Alert.

Manually Create a Pattern Detection Alert

To configure a pattern detection alert:

  1. From the InsightIDR left menu, select the Log Search page.
  2. Click Add Alert and select Pattern Detection Alert. The Create Alert panel appears: if you have selected logs, log sets, or defined a query, these fields are pre-populated.
  3. Name your alert and optionally add a description. Click Next.
  4. Select one or more logs or the log sets you want to use in the alert. Click Next.
  5. Set a default priority, this will apply to all investigations generated by this alert.
  6. In the “Trigger” section, choose a saved query or create a new query using LEQL operators, keywords or regex. To match an exact string using LEQL operators and keywords, place double quotes around your search criteria.
  7. In the “Alert Notification” section, choose whether you want to apply labels to the pattern or receive alerts from email or other integrations. If you choose the latter, you can define the log information you'd like included. See Notification Settings for more information.
  8. Under the “Notification” tab choose which notification trigger setting you want. You will not receive alerts outside of this specific alert. Pattern Detection Alert Notification
  9. Define a notification throttle to control how long the log or log sets are inactive before receiving an alert, and for the number of alert notifications you will receive. Read more about Alert Throttling.
  10. Click Create Alert.

Change Detection Alert

Change detection alerts will notify you when a condition changes, such as HTTP 500 errors in your web access logs. They are based off of calculations that you apply to log(s) or logset(s).

Change detections will help you stay on top of critical conditions when something is broken and must be immediately addressed, or occurring errors that must be escalated. This alert will minimize your time to investigate and resolve any errors.

On the Log Search page, you can create alerts in two different ways:

Auto-Populate a Change Detection Alert

To auto-populate an alert:

  1. From the InsightIDR left menu, select the Log Search page.
  2. Select the log or log sets you want in the alert, or use a search query to look for a specific set of logs.
  3. Click Add Alert and choose an alert type based on the selected logs. The “Create Alert” panel appears, with applicable steps already pre-populated.
  4. Name your alert and optionally add a description. Click Next.
  5. Set a default priority, this will apply to all investigations generated by this alert.
  6. In the “Trigger” section, choose a saved query or create a new query using LEQL operators, keywords or regex. To match an exact string using LEQL operators and keywords, place double quotes around your search criteria.
  7. Choose a calculation. New queries require that you specify a calculation to use, adding a key to apply the calculation is optional. Any changes of the key based off of the calculation will trigger an alert.
  8. In the “Alert Notification” section, define how you will receive notifications. Read more about Notification Settings. Change Detection Alert
  9. Define a notification throttle to control how many alerts you receive in a specific window of time.
  10. Click Create Alert.

Manually Configure a Change Detection Alert

To configure a change detection alert:

  1. From the InsightIDR left menu, select the Log Search page.
  2. Select the Add Alert button, and click Change Detection Alert.
  3. Name your alert and optionally add a description. Click Next.
  4. In the Logs section, select one or more logs or the log sets you want to use in the alert.
  5. Set a default priority, this will apply to all investigations generated by this alert.
  6. In the “Trigger” section, choose a saved query or create a new query using LEQL operators, keywords or regex. To match an exact string using LEQL operators and keywords, place double quotes around your search criteria.
  7. Choose a calculation. New queries require that you specify a calculation to use, adding a key to apply the calculation is optional. Any changes of the key based off of the calculation will trigger an alert. Change Detection Alert Trigger
  8. Optionally customize the notification settings to define how severe the change is before triggering an alert.
  9. In the “Alert Notification” section, define how you will receive notifications. Read more about Notification Settings.
  10. Define a notification throttle to control how many alerts you receive in a specific window of time.
  11. Click Create Alert.

Manage Custom Alerts

To edit existing custom alerts:

  1. From the InsightIDR left menu, select Detection Rules > Custom alerts.
  2. On the right of an alert, click the Pencil icon to edit the alert.
  3. If applicable, select the check box to enable the alert.

To delete existing custom alerts:

  1. From the InsightIDR left menu, select Detection Rules > Custom alerts.
  2. Select the alert.
  3. Click the Trashcan icon to delete the alert.

To bulk action existing custom alerts:

  1. From the InsightIDR left menu, select Detection Rules > Custom alerts.
  2. Select the all checkbox, at the top of the alert table.
  3. Select a Radio button to choose a bulk action to all of the custom alerts, and then click Apply.