Digital Experience Monitoring (ZDX)
Configuring an Alert Rule
Watch a video about configuring alerts in ZDX.
You can configure alert rules to modify an expression to create criteria based on the real-time user experience.
To configure a rule for an alert:
- Go to Alerts > Rules.
Click Add New Alert Rule.
The Add New Alert Rule window appears.
- In the Add New Alert Rule window:
- a. Configure Rule
- Name: Enter a name to identify the rule.
- Status: Select from Enabled or Disabled. Select Enabled to enable the rule.
- Severity: Select High, Medium, or Low options for severity, depending on the impact of this event on users.
Type: Choose from Application, Device, Incident, or Network.
Application and Network include ZDX Score and ZDX Score Drops detection as a criteria for Dynamic Alerting. This feature and its procedures are available based on your subscription level. To learn more, see Ranges & Limitations.
If you select Incident as your type, you can specify which Incident Types to configure an alert rule for. Your next step goes to the Action tab instead of the Filters tab. To learn more, see Monitoring the Incidents Dashboard.
- Labels (Optional): Select the applicable labels for the alert rule. You can also search for the label name to select. To learn more, see About Labels.
- b. Filters
The limitation for selected items in the Add Filter menu is 250 items.
On the Filters tab:
- If you chose Application as your Rule Type on the previous tab, then the following parameters appear:
- Application: Choose the application for this alert rule.
- Web Probe: Choose the probe configured for this application.
Add Filter: Select filters from Geolocations, Locations, Location Groups, Departments, User Groups, Users, and Devices. You can also make additional selections from the drop-down menu or add multiple filters to further sort the information. You can select to include or exclude items from a filter, but you cannot choose to have both include and exclude for the same filter. For example, you can select Geolocations as a filter and specify to include North America. You cannot select Geolocations as a filter again to exclude other Geolocations.
- If you chose Device as your Rule Type on the previous tab, then the Add Filter parameter appears. Select filters from Geolocations, Locations, Location Groups, Departments, User Groups, Users, and Devices. You can also make additional selections from the drop-down menu or add multiple filters to further sort the information. You can select to include or exclude items from a filter, but you cannot choose to have both include and exclude for the same filter. For example, you can select Geolocations as a filter and specify to include North America. You cannot select Geolocations as a filter again to exclude other Geolocations.
If you chose Network as your Rule Type on the previous tab, then the following parameters appear:
- Application: Choose a predefined application or custom application that is a network application type for this alert rule.
- Cloud Path Probe: Choose the probe configured for this application.
Add Filter: Select filters from Geolocations, Locations, Location Groups, Departments, User Groups, Users, and Devices. You can also make additional selections from the drop-down menu or add multiple filters to further sort the information. You can select to include or exclude items from a filter, but you cannot choose to have both include and exclude for the same filter. For example, you can select Geolocations as a filter and specify to include North America. You cannot select Geolocations as a filter again to exclude other Geolocations.
You cannot select deleted or unknown users for the include and exclude criteria.
Close - If you chose Application as your Rule Type on the previous tab, then the following parameters appear:
- c. Criteria
If you select Application as your Rule Type on the Configure Rule tab, then the following parameters appear:
- DNS Time
- Page Fetch Time
- Server Response Time
- Web Request Availability
- ZDX Score Drops
- ZDX Score
You can select all choices by clicking Add.
Make additional choices for each criteria using the < or > symbols and the time (in ms) or percent (%) options to set up the criteria for your alert rule. Choose All for the alert to trigger if all of these thresholds are reached, and choose Any for the alert to trigger if any of these thresholds are reached.
For ZDX Score, choose between 1 and 100 for your alert rule. For ZDX Score Drops, you can choose the threshold sensitivity (e.g., high, medium, low), which is based on a baseline score.
Click Show Preview to show the modified expression with your selected criteria, or click Hide Preview to hide them.
If you select Device as your Rule Type on the Configure Rule tab, then the following parameters appear:
- Bandwidth in mbps
- Battery Level
- CPU Idle
- CPU Kernel Usage
- CPU Usage
- CPU User Usage
- Disk Reads in bps
- Disk Usage
- Disk Writes in bps
- Memory Usage
- Memory Used
- Received Bits in mbps
- Sent Bits in mbps
- Wi-Fi Signal
You can select all of these choices by clicking Add.
Make additional choices for each criteria using the < or > symbols and the time (in ms) or percent (%) options to set up the criteria for your alert rule. Choose All for the alert to trigger if all of these thresholds are reached, and choose Any for the alert to trigger if any of these thresholds are reached.
Click Show Preview to show the modified expression of your selected criteria, or click Hide Preview to hide them.
If you select Network as your Rule Type on the Configure Rule tab, then the following parameters appear:
- Latency
- Packet Count
- Number of Hops
- Packet Loss
- ZDX Score
- ZDX Score Drops
You can select all of these choices by clicking Add.
Make additional choices for each criteria using the < or > symbols and the time (in ms) or percent (%) options to set up the criteria for your alert rule. Choose All for the alert to trigger if all of these thresholds are reached, and choose Any for the alert to trigger if any of these thresholds are reached.
For ZDX Score, choose between 1 and 100 for your alert rule. For ZDX Score Drops, you can choose the threshold sensitivity (e.g., high, medium, low), which is based on a baseline score.
Click Show Preview to show the modified expression of your selected criteria, or click Hide Preview to hide them.
- d. Action
If you select Incident as your Alert Rule type, you can only configure the Action options.
On the Action tab:
- For the Throttling options:
- Alert Only if Repeated: Enter the number of times a triggering event occurs before an alert is sent. Zscaler recommends entering 3 or more.
- Number of Active Devices: Enter the number of active devices.
- Minimum Devices Impacted: Choose by Number or Percentage. The alert triggers only if this minimum number is reached. Alerts trigger even if only one device is present in a specific group and the device meets the alert criteria.
In Group: Select the groups these throttling options apply to: Departments, Cities, Organization, Regions, or Locations.
These options apply to the Number or Percentage of impacted devices, and the devices are also grouped based on these options.
For example, in the following criteria:
- Number of Active Devices: 5 Minimum Devices Impacted: 20%
- Page Fetch Time (PFT): >1000ms
- In Group: Cities (city = Cairo)
- Alert Only if Repeated 3 Times in a Row
If only one device is present in Cairo, the PFT of a device exceeds 1000ms, and this situation repeats 3 times in a row, an alert is not triggered. The alert won't trigger because there must be at least 5 active devices in Cairo.
An alert is sent when all the criteria you have set up for triggering an alert are met.
- For the Action options:
- If Muted is enabled, no alerts are sent and you can view the status of alerts on the Alerts page in the ZDX Admin Portal.
- If Muted is disabled, select the Alert Delivery Method from the drop-down menu:
- Email: Enter the email address you want the alerts to be sent to. Click Email Preview to preview the email that will be sent. To learn more about the information sent, see Understanding the Alert Email.
- Webhook: Set up a webhook to provide alerts. In the drop-down menu, select from previously configured webhooks or configure a new webhook. To learn more, view Configuring Webhooks.
Workflow Automation: If you are subscribed to Workflow Automation, you can select Workflow Automation to send alerts to. To learn more, see What Is Workflow Automation?
You cannot select Webhook and Workflow Automation together, therefore your options for Alert Delivery Methods are:
- You can select Email and Workflow Automation together, but not with Webhook.
- You can select Email and Webhook together, but not with Workflow Automation.
- You can select Email, Webhook, or Workflow Automation individually.
You can access the Workflow Automation Admin Portal to configure workflows.
- For the Throttling options:
- e. Review
- a. Configure Rule
- Click Save and activate the changes.
The alerts triggered have a display delay of 30 minutes.
You can create a dynamic alert rule whenever the Network or Application rule type is applied. You can then modify the expression and add dynamic alerting with ZDX Score or ZDX Score Drops in the Criteria step. To learn more about Dynamic Alerting, see Evaluating Individual Alert Details.
