Alerts


The admin or IR creates rules using certain indicators to track suspicious security events on host computers. These events may be related to system processes, files, IP addresses, registry keys or many other indicators. When you create a rule, you define the conditions that must be met for the selected indicators. After the rule is saved and applied, whenever the activity on any endpoint matches the indicators given in any rule, an alert is generated and displayed on the Seqrite XDR console.

An endpoint can have more than one alert, and the same alert can be generated on multiple endpoints. An admin or IR may create and apply multiple rules, thereby creating many alerts for a single host. A host may have a number of alerts, which may be of high, medium or low severity.

The system currently imposes a cap on alert generation. Within a 30-minute interval, each specified rule has an Alert cap of 4000; the value is configurable. If the number of generated alerts exceeds this limit for a particular rule, that rule is deactivated automatically. Custom Rules trigger a notification to both super admin and admin users upon deactivation, while System Rules prompt notifications to Quick Heal’s internal stakeholders upon deactivation.

Note
During a 30-minute interval, the Alert cap for each specified rule will be maintained at 4000.
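The following is an added illustration of the per-rule alert cap described above, written for this page; it is not Seqrite XDR's own implementation. The page does not say how the 30-minute interval is measured, so the example assumes a fixed window that starts at the rule's first alert and resets after 30 minutes; the cap default of 4000, the "exceeds the cap" trigger, and the two notification audiences (custom rules to super admin and admin users, system rules to the vendor's internal stakeholders) are taken from the page. Rule names, timestamps and the recipient labels are constructed.

```python
"""Per-rule alert cap with automatic deactivation and notification routing.

Example code added for this page (not Seqrite XDR's implementation).
Assumption: the 30-minute interval is a fixed window beginning at the
rule's first alert in that window.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

WINDOW = timedelta(minutes=30)   # interval stated on the page
DEFAULT_CAP = 4000               # default per-rule cap stated on the page (configurable)


@dataclass
class Rule:
    name: str
    kind: str                            # "custom" or "system"
    cap: int = DEFAULT_CAP               # configurable per rule
    active: bool = True
    window_start: Optional[datetime] = None
    window_count: int = 0
    notifications: List[Tuple[datetime, List[str], str]] = field(default_factory=list)

    def recipients(self) -> List[str]:
        # Custom Rules notify super admin and admin users; System Rules notify
        # the vendor's internal stakeholders. Labels are constructed placeholders.
        if self.kind == "custom":
            return ["super_admin", "admin"]
        return ["vendor_internal_stakeholders"]


def record_alert(rule: Rule, now: datetime) -> bool:
    """Register one alert for `rule` at time `now`.

    Returns True if the alert is emitted, False if the rule is inactive or
    has just been deactivated because the count in the current 30-minute
    window exceeded its cap.
    """
    if not rule.active:
        return False
    # Open a new window when none exists or the current one has elapsed.
    if rule.window_start is None or now - rule.window_start >= WINDOW:
        rule.window_start = now
        rule.window_count = 0
    rule.window_count += 1
    if rule.window_count > rule.cap:
        rule.active = False
        rule.notifications.append(
            (now, rule.recipients(),
             f"rule '{rule.name}' deactivated: exceeded cap of {rule.cap} in 30 min"))
        return False
    return True


def activate(rule: Rule) -> None:
    """Re-activate a rule (the console's Activate action) with a fresh window."""
    rule.active = True
    rule.window_start = None
    rule.window_count = 0


def simulate(kind: str, cap: int, burst: int, spacing_seconds: float):
    """Feed `burst` alerts, `spacing_seconds` apart, to a fresh rule.

    Returns (alerts emitted, rule still active, list of notified audiences).
    """
    rule = Rule(name="demo", kind=kind, cap=cap)
    t0 = datetime(2024, 1, 1, 9, 0, 0)   # constructed start time
    emitted = 0
    for i in range(burst):
        if record_alert(rule, t0 + timedelta(seconds=spacing_seconds * i)):
            emitted += 1
    return emitted, rule.active, [audience for _, audience, _ in rule.notifications]


def reactivation_demo() -> bool:
    """Deactivate a rule by exceeding a cap of 1, re-activate it, and confirm alerts flow again."""
    rule = Rule(name="demo", kind="custom", cap=1)
    t0 = datetime(2024, 1, 1, 9, 0, 0)   # constructed start time
    record_alert(rule, t0)
    record_alert(rule, t0 + timedelta(seconds=1))   # second alert exceeds cap -> deactivated
    activate(rule)
    return rule.active and record_alert(rule, t0 + timedelta(seconds=2))


if __name__ == "__main__":
    print(simulate("custom", cap=5, burst=10, spacing_seconds=1))
    print(simulate("system", cap=5, burst=10, spacing_seconds=600))
    print(reactivation_demo())
```

A tight burst of ten alerts against a cap of five emits the first five and deactivates the rule on the sixth; the same ten alerts spaced ten minutes apart never exceed five in any window and the rule stays active. A small cap is used only to keep the simulation short; the product default is 4000.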

The system can also generate Behavior Anomaly Alerts. By leveraging AI and Machine Learning, the system generates models of typical behavior for endpoints and issues alerts whenever anomalies (outlier processes on endpoints) are detected.

Furthermore, third-party systems such as firewalls and e-mail platforms may also generate alerts based on detection algorithms or behavior anomalies.

To activate a deactivated rule on the Rule Builder Page, follow these steps:

  1. On the Rule Builder page, from the View filter, select the Deactivated checkbox to display the list of deactivated rules.
  2. Locate the desired rule.
  3. Click the three dots at the extreme right side of the rule record.
  4. From the dropdown menu, select the Activate option.
  5. Confirm the rule activation when prompted.
  6. Upon successful activation, a toaster message will appear indicating the rule activation.
  Figure: Rule Activation Confirmation

  Figure: Rule Activation Success Toaster Message

Scheduling Alerts Report

Note
Only users with Super Admin, Admin, or SOC Manager privileges have the ability to schedule alerts reports.

To schedule reports for alerts, follow the instructions provided in the details here.
