Alerts

What Are Alerts?

Alerts are messages or notifications generated when Nullafi Shield detects something of interest to the administrator. These alerts are designed to inform administrators about security events that may require attention or action.

The Alerts page in Policy lists the configured alerts, along with basic information about them such as who the notifications will go to and when they were last triggered, and provides a way to create new alerts.


Alerts Table

On the main Alerts page, all alerts are listed in a sortable table.


Creating a New Alert

To create a new Alert:

  1. Click Add New Alert in the upper-right corner of the Alerts page.
  2. An alert editor panel opens on the right.
  3. Configure the alert using the options below.
  4. Click Save to apply the alert.

Alert Configuration Fields

  • Name
    Required. A unique label for the alert.

  • Description
    Optional. Additional context or purpose of the alert.

  • Interval
    Required. Type in a number and select minutes, hours, or days from the drop-down box. Shield checks the Alert's conditions on this schedule. For time-sensitive alerts, choose a short interval such as every 10 minutes.

    If you select CRON, then the interval box expects a schedule in CRON format. For example: 0 3 * * 7 → Every Sunday at 3:00 AM. (see https://crontab.guru for additional samples).

  • Alert me when:
    Required. Select one or more conditions to trigger the alert. The most common condition type is Rules: by selecting Rules as the Type, and then one or more Rule names, the alert is sent every time the selected Rule (or Rules) is enforced. See below for more details.

    Advanced Alerting

    Multiple Alert Conditions

    In most cases, Rules will already contain the logic for items of interest, and it is easiest to just trigger an alert from the Rule. Sometimes, however, you may wish to alert on more granular conditions than just a Rule being triggered.

    Logical AND Behavior

    Multiple entries in the Alert me when: section are combined using a logical AND.

    • If you specify Content Type is "text/csv" and Detected Data Type is "Email Address", the Alert will only fire if both conditions are met (that is, a CSV file containing email addresses was downloaded).

  • Send alert to:
    Required. Select one or more destinations for the Alert.

    • Click the Add button
    • Choose a Type from the drop-down list
      • For Email, type in one or more email addresses. The default address from Configuration is already listed but can be deleted.
      • For Slack, type the name of one or more Slack Channels to receive the alert.
      • For Teams, there is no additional configuration needed. The destination is configured within Microsoft Teams when you create the webhook integration.
      • For Webhooks, there is no additional configuration needed.
    • Click Save to add the destination.

Editing an Existing Alert

To edit an alert:

  • Hover over the alert name in the list.
  • Click the three-dot menu.
  • Choose Edit.
  • Make any changes in the editor panel and click Save.

    To edit an individual Alert me when or Send alert to item:

    • Open the Alert for editing (see above)
    • Hover over the individual item in the list.
    • Click the three-dot menu.
    • Choose Edit or Delete.
    • Make any changes in the editor panel and click Save.

Deleting an Alert

To delete an alert:

  • Hover over the alert name.
  • Open the three-dot menu.
  • Select Delete.

Enabling or Disabling an Alert

To temporarily disable or re-enable an alert:

  • Hover over the alert name.
  • Open the three-dot menu.
  • Click Turn Off to disable or Turn On to re-enable.

Disabled alerts have a status of Inactive, while enabled alerts show Active in the Alerts table.