Digital Experience Monitoring (ZDX)

Editing an Alert Rule

After configuring an alert rule and saving it, you can edit certain rule fields. The editable fields for a rule depend on the rule type.

The ZDX Score alert rule type is no longer recommended for use. Any pre-existing ZDX Score alert rule type has migrated to an Application alert rule type. If you have an existing ZDX Score alert rule type, you must create an alert rule with the type as Application or Network and then select ZDX Score as a criterion.

  • Configuration Field Name | Example Values | Translated Example Values
    Type | ZDX Score | Application or Network
    Criteria | ZDX Score < 33 | ZDX Score < 33

    The throttling and other field values remain the same.

  1. Go to Alerts > Rules.
  2. Click the Edit icon listed next to the details for a particular rule.

    The Edit window opens.

  3. In the Edit window:
    • On the Configure Rule tab, you can edit:

      • Name: Enter a name to identify the rule.
      • Status: Select from Enabled or Disabled. Select Enabled to enable the rule.
      • Severity: Select High, Medium, or Low options for severity, depending on the impact of this event on users.
      • Type: This was previously selected as either Application, Device, Incident, or Network. You cannot edit this field.

        Application and Network include ZDX Score and ZDX Score Drops detection as criteria for Dynamic Alerting. This feature and its procedures are available based on your subscription level. To learn more, see Ranges & Limitations.

        If you selected Incident as your type, you can specify which Incident Types to configure an alert rule for. Your next step goes to the Action tab instead of the Filters tab. To learn more, see Monitoring the Incidents Dashboard.

      • Labels (Optional): Select the applicable labels for the alert rule. You can also search the label name to select. To learn more, see About Labels.

    • The limitation for selected items in the Add Filter menu is 250 items.

      On the Filters tab:

      1. If you chose Application as your Rule Type during configuration, you can edit:
        • Web Probe: The probe that has been configured.
        • Add Filter: Select filters from Geolocations, Locations, Location Groups, Departments, User Groups, Users, and Devices. You can also make additional selections from the drop-down menu or add multiple filters to further sort the information. You can select to include or exclude items from a filter, but you cannot choose to have both include and exclude for the same filter. For example, you can select Geolocations as a filter and specify to include North America. You cannot select Geolocations as a filter again to exclude other Geolocations.

      2. If you chose Device as your Rule Type during configuration, you can edit the Add Filter parameter. Select filters from Geolocations, Locations, Location Groups, Departments, User Groups, Users, and Devices. You can also make additional selections from the drop-down menu or add multiple filters to further sort the information. You can select to include or exclude items from a filter, but you cannot choose to have both include and exclude for the same filter. For example, you can select Geolocations as a filter and specify to include North America. You cannot select Geolocations as a filter again to exclude other Geolocations.
      3. If you chose Network as your Rule Type during configuration, you can edit:
        • Cloud Path Probe: The probe that has been configured.
        • Add Filter: Select filters from Geolocations, Locations, Location Groups, Departments, User Groups, Users, and Devices. You can also make additional selections from the drop-down menu or add multiple filters to further sort the information. You can select to include or exclude items from a filter, but you cannot choose to have both include and exclude for the same filter. For example, you can select Geolocations as a filter and specify to include North America. You cannot select Geolocations as a filter again to exclude other Geolocations.

      You cannot select deleted or unknown users for the include and exclude criteria.

    • On the Criteria tab:

      1. If you chose Application as your Rule Type during configuration, you can edit:

        • Page Fetch Time
        • DNS Time
        • Server Response Time
        • Web Request Availability
        • ZDX Score Drops
        • ZDX Score

        You can select all of these choices by clicking Add.

        Choosing ALL means that the alert is triggered if all of these thresholds are reached and choosing ANY means that the alert is triggered if any of these thresholds are reached.

        Make further edits to each filter by selecting the > or < symbol and the time (in ms) or percentage (%) options to set up the criteria for your rule.

        For ZDX Score, choose between 1 and 100 for your alert rule. For ZDX Score Drops, you can choose the threshold sensitivity (e.g., high, medium, low), which is based on a baseline score.

        Click the Show Preview button to show the modified expression of your selected criteria, or click the Hide Preview button to hide them.

      2. If you chose Device as your Rule Type during configuration, you can edit:

        • Bandwidth in mbps
        • Battery Level
        • CPU Idle
        • CPU Kernel Usage
        • CPU Usage
        • CPU User Usage
        • Disk Reads in bps
        • Disk Usage
        • Disk Writes in bps
        • Memory Usage
        • Memory Used
        • Received Bits in mbps
        • Sent Bits in mbps
        • Wi-Fi Signal

        You can select all of these choices by clicking Add.

        Choosing ALL means that the alert is triggered if all of these thresholds are reached, and choosing ANY means that the alert is triggered if any of these thresholds are reached.

        Make further edits to each filter by selecting the > or < symbol and the time (in ms) or percentage (%) options to set up the criteria for your rule.

        Click the Show Preview button to show the modified expression of your selected criteria, or click the Hide Preview button to hide them.

      3. If you chose Network as your Rule Type during configuration, you can edit:

        • Latency
        • MTR Packet Count
        • Number of Hops
        • Packet Loss
        • ZDX Score Drops
        • ZDX Score

        You can select all of these choices by clicking Add.

        Choosing ALL means that the alert is triggered if all of these thresholds are reached and choosing ANY means that the alert is triggered if any of these thresholds are reached.

        Make additional edits to each filter by selecting the > or < symbol and the time (in ms) or percentage (%) options to set up the criteria for your rule.

        Click the Show Preview button to show the modified expression of your selected criteria, or click the Hide Preview button to hide them.

    • If you select Incident as your Alert Rule type, you can only configure the Action options.

      On the Action tab:

      1. For the Throttling options:
        • Alert Only if Repeated: Enter the number of times a triggering event should occur before an alert is sent. Zscaler recommends entering 3 or more.
        • Number of Active Devices: Enter the number of active devices.
        • Minimum Devices Impacted: Choose by Number or Percentage. The alert triggers only if this minimum number is reached. Alerts can trigger even if only one device is present in a specific group and the device meets the alert criteria.

          For example, in the following criteria:

          • Alert Only if Repeated 3 Times in a Row
          • Number of Active Devices: 5
          • Minimum Devices Impacted: 20%
          • Page Fetch Time (PFT): >1000ms
          • In Group: Cities (city = Cairo)

            If only one device is present in Cairo, the PFT of a device exceeds 1000ms, and this situation repeats 3 times in a row, an alert is not triggered. The alert won't trigger because there must be at least 5 active devices in Cairo.

          • In Group: Select the groups these throttling options apply to: Departments, Cities, Organization, Regions, or Locations.

            These options apply to the Number or Percentage of impacted devices, and the devices are also grouped based on these options. An alert is sent when all the criteria you have set up for triggering an alert are met. To learn more, see Triggering an Alert.

      2. For the Action options:

        • If Muted is enabled, then no alerts are sent and you can view the status of alerts on the Alerts page in the ZDX Admin Portal.
        • If Muted is disabled, select the Alert Delivery Method from the drop-down menu:
          • Email: Enter the email address you want the alerts to be sent to. Click Preview Email to preview the email that will be sent. To learn more about the information sent, see Understanding the Alert Email.
          • Webhooks: Webhooks can also be set up to provide alerts. In the drop-down menu, select from previously configured webhooks or configure a new webhook. To learn more, view Configuring Webhooks.
          • Workflow Automation: If you are subscribed to Workflow Automation, you can select Workflow Automation as the destination for alerts. To learn more, see What Is Workflow Automation?

            You cannot select Webhook and Workflow Automation together. Therefore, your options for Alert Delivery Methods are:

            • You can select Email and Workflow Automation together, but not with Webhook.
            • You can select Email and Webhook together, but not with Workflow Automation.
            • You can select Email, Webhook, or Workflow Automation individually.

            You can access the Workflow Automation Admin Portal to configure workflows.

    • On the Review tab, review your rule configuration and click Submit.

  4. Click Save and activate the changes.

The alerts triggered have a display delay of 30 minutes.
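
The throttling example on the Action tab (Cairo, PFT > 1000ms) can be checked against a small model before saving a rule, to confirm that a threshold does not silence a small group. This is an added example, not Zscaler code: it assumes one evaluation per interval and a percentage-based Minimum Devices Impacted, and the names Throttle, should_alert, and pft_ms are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class Throttle:
    repeat: int              # Alert Only if Repeated (times in a row)
    active_devices: int      # Number of Active Devices required in the group
    min_impacted_pct: float  # Minimum Devices Impacted, as a percentage

def device_matches(metrics, criteria, mode):
    """criteria: list of (metric, '>' or '<', threshold); mode: 'ALL' or 'ANY'."""
    hits = [(metrics[m] > t) if op == ">" else (metrics[m] < t)
            for m, op, t in criteria]
    return all(hits) if mode == "ALL" else any(hits)

def interval_triggers(devices, criteria, mode, throttle):
    """Evaluate one interval for one group (for example, city = Cairo)."""
    if not devices or len(devices) < throttle.active_devices:
        return False  # too few active devices in the group: suppressed
    impacted = sum(device_matches(d, criteria, mode) for d in devices)
    return 100.0 * impacted / len(devices) >= throttle.min_impacted_pct

def should_alert(intervals, criteria, mode, throttle):
    """intervals: per-interval lists of device metrics, oldest first."""
    streak = 0
    for devices in intervals:
        hit = interval_triggers(devices, criteria, mode, throttle)
        streak = streak + 1 if hit else 0  # a miss resets the run
        if streak >= throttle.repeat:
            return True
    return False

# Constructed sample data mirroring the page's example values.
CRITERIA = [("pft_ms", ">", 1000)]
THROTTLE = Throttle(repeat=3, active_devices=5, min_impacted_pct=20.0)
ONE_DEVICE = [[{"pft_ms": 1500}]] * 3                           # single slow device
FIVE_DEVICES = [[{"pft_ms": 1500}] + [{"pft_ms": 300}] * 4] * 3  # 1 of 5 slow

if __name__ == "__main__":
    print(should_alert(ONE_DEVICE, CRITERIA, "ALL", THROTTLE))
    print(should_alert(FIVE_DEVICES, CRITERIA, "ALL", THROTTLE))
```

With a single device in the group the model stays silent, as the page describes; lowering Number of Active Devices is what lets a one-device group alert.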
