NOTIFICATION WORKFLOW Flashcards
How to configure custom alerts to notify individuals about policies
- Click "Preview Alert" next to the template you'd like to configure
- Enter search parameters, then run the search.
  - Required fields cannot be set to "*"
  - Fields with an asterisk in the name support up to 50 comma-separated values
  - Fields should not contain "$"
  - When satisfied, click "Configure Alert"
- Set Alert Email Recipients, Alert Email Subject, Severity, and Alert Email Body, and select whether you'd like a preview of the alert results included in the email. To send to more than one recipient, separate the addresses with commas.
- Click "Schedule alert"
What is a custom alert?
- Custom alerts are email alerts configured from predefined templates; the user is notified about specific activity in the environment.
How to create a custom alert?
- Creating a custom alert takes 3 steps:
  - Choose the template you'd like to configure
  - Preview the search results
  - Schedule the alert
What are the available templates for custom alerts?
Available templates:
- Sensor entering RFM
- RTR Session Initiation
- Mobile Host Detections
- Analyst Contained a host
- Analyst repeatedly fails login
- OS Security Settings (IT Security Ops – Discover)
Do custom alerts run at a set interval?
Yes, custom alerts run at a set interval.
What are the requirements needed to create a custom alert?
- Falcon Admin (create/edit workflows, and view workflow audit/activity logs)
What happens when an alert finds results?
- Sends an email to the specified recipients
What does previewing alerts do?
- Previewing results lets you see what results are found before you schedule the alert; adjust the parameters as needed until you are satisfied with the activity being found.
Can the interval ever be changed?
The interval can't be changed, because it runs in real time. When multiple results are found, they are sent in a single email.
Why does an alert email its results instead of generating a new detection?
- It doesn't generate a new detection, so the user can be notified about activity even when not logged into the Falcon console.