Custom Alert Details

When you configure a custom alert, there are several different settings to consider in order to receive the optimum and most efficient alerts.

Set Trigger Notification Settings

For Pattern Match Alerts, an alert triggers every time the event occurs on a rolling basis by default. If you choose Custom Match Settings, you can specify how many times an event must occur within a given time frame before it can trigger an alert.

For example, if the pattern match threshold is 100 times in the throttle window of 60 minutes, 100 alerts must occur within the next hour before you receive the first alert. The alert is triggered when our alert counter reaches this limit. However, note that it does not trigger again if the pattern is continually matched above the threshold: the counter must drop again below the limit, and then again over the threshold to be re-triggered.

For Change Detection alerts, new queries require that you specify a calculation to use, and a key to apply the calculation. Any changes of the key based off of the calculation will trigger an alert.

Define Notification Methods

For Change Detection and Inactivity Detection alerts, define one or more communication methods. You can choose PagerDuty, Slack, Webhook, and email. Select existing recipients or create new ones and provide the appropriate details for the communication method.

If you are using email, select existing recipients from the dropdown or create new ones. Use commas to separate email addresses if you are sending to multiple recipients.

Define what log information you’d like included in your notifications. By default, the matching log line and context will be included. To change this, open the edit alert modal, click Alert Notifications > Notification(email/integrations) and select the communication method tab you'd like to edit:

  • Email: Click the Recipients drop-down and select Add & select recipient. Click the Log Context drop-down to view options.
  • PagerDuty: Click the Service key for Pagerduty account drop-down and select Add & select key. Click the Log Context drop-down to view options.
  • Slack: Click the Slack webhook URL drop-down and select Add & select webhook. Click the Log Context drop-down to view options.
  • Webhook: Click the Webhook URL and select Add & select webhook. Click the Log Context drop-down to view options.
  • InsightConnect Workflow: Click the InsightConnect Workflow drop-down and select Add & select InsightConnect workflow. Tick the 'Send Log Line' box if you wish for Log Line information to be included in your notifications.

Alternatively, you can also select Detection Rules > Labels & Notifications > Notification Target to define the log information you'd like to be included.

For Pattern Detection alerts, use labels to identify the logs in your notifications. Labels will be applied to all log lines with the matching trigger as defined in the custom alert. You can view all log lines that have historically matched the custom alert. This can be a time-saving alternative if you often repeatedly use the same queries to identify logs of interest. You can create a new label or use an existing one by searching for labels, filtering by severity, or sorting them alphabetically.

In the image below, the 'Warning' label is being used, which returns the following logs as files have been modified.

Logline Labels

Create an Investigation

Once an alert fires based on your query, you have the option for InsightIDR to automatically open an Investigation.

When creating an alert, toggle on the Create an Investigation button to enable this action. Then define your notification throttle.

Create New Email Recipients

When you using email to send alerts to your team, you can create a new email recipient.

To add new email recipients:

  1. From the "Recipients" dropdown, click on Add & select recipient.
  2. Name the recipient, and then enter one or more email addresses separated by commas.
  3. Optionally check the box to include other entries logged when the alert was generated.
  4. Click the Add & select recipient button.

The new email will populate the Recipients field.

Configure Third Party Integrations

If you are using one of our partner integrations, you can send alerts to the appropriate teams to remediate issues as they arise. You can configure alerts for the following integrations:

You can also create new email recipients.


In order to connect Slack and InsightIDR, you must be a Slack administrator.

To configure this integration:

  1. Log in to Slack.
  2. Expand your Profile and go to Administration.
  3. From the Administration menu, select Manage apps.

A list of your current Slack app integrations appears. 4. Search for "Logentries" in the App Directory and select the matching result. Logentries is the previous name for InsightIDR. 5. Click Install. 6. Choose the channel you want to integrate with the Logentries app. 7. Click the Add Logentries Integration button.

  1. Scroll down the page until you find the webhook URL.
  2. Copy the Webhook URL.
  3. In InsightIDR, create an alert. Under "Alert Notifications," choose Notifications (email/integrations) > Slack.
  4. Paste the Webhook URL you copied from the Slack App directory in the "Slack Webhook URL" field.
  5. Configure the rest of your alert.
  6. Press Create Alert.


Any user can complete this PagerDuty Integration.

To configure this integration:

  1. Log in to your PagerDuty account.
  2. Select the Configuration tab and select the Services option.
  3. Click the + New Service button.
  4. Enter a name for the service.
  5. From the "Integration Type" dropdown, find "Logentries."
  1. Name the integration.
  2. Select an Escalation Policy.
  3. Optionally check the Response Play box.
  4. Choose how responders should be notified.
  5. Click the Add Service button. This will generate a service key for InsightIDR.
  6. From the "Services" page, copy that key for Logentries and go back to InsightIDR.
  7. You will see an Integration Key. Copy that key and return to InsightIDR.
  8. In InsightIDR, create an alert. From "Alert Notifications," choose Notifications (email/integrations) > PagerDuty.
  9. Paste the service key you copied from PagerDuty into the "Service Key" field.
  1. Configure the rest of your alert.
  2. Click Create Alert.


A Webhook URL allows you to send a POST request to an API as events happen, instead of requiring that you poll for updates. Learn how to use and create a Webhook here:

You can use a webhook URL to notify your team of InsightIDR alerts.

To use a webhook with InsightIDR alerts:

  1. In InsightIDR, create an alert.
  2. Under "Alert Notifications," choose Notifications (email/integrations) > Webhook.
  3. Name your Webhook.
  4. Paste your Webhook URL.
  5. Configure the rest of your alert.
  6. Press Create Alert.