Secure Internet and SaaS Access (ZIA)

About Alerts

You can configure the Zscaler service to email specific individuals when certain events occur, so your organization can take action in a timely manner. To learn more, see About Alert Subscriptions. You can create up to 128 alerts. For a complete list of ranges and limits per feature, see Ranges & Limitations.

The Alerts page provides the following benefits and enables you to:

  • Configure notification triggers for high-priority issues.
  • Monitor high-priority issues and detections in one place.

You can create an alert for different types of events, such as when the service detects incoming or outgoing malware or when there is a policy violation. When you receive an alert, you can investigate it by going to Analytics and viewing logs of the event.

Events are grouped into classes. For a list of events that can trigger alerts, organized by class, see the table within each class type below.

Alert Classes

Depending on your organization's subscriptions, you can configure the service to send alerts for the following classes.

If configuring alerts in your SIEM via NSS, refer to the Security Alerts table below for Logged Fields and Values. Additionally, see NSS Feed Output Format: Web Logs and NSS Feed Output Format: Firewall Logs for a more comprehensive list.

  • Event | Logged Field | Value
    Advanced Security | URL Category | Advanced Security
    Adware/Spyware | URL Category | Spyware Callback
    Adware/Spyware Sites | URL Category | Adware/Spyware Sites
    Botnet Callback | URL Category | Botnet Callback
    Browser Exploit | URL Category | Browser Exploit
    Cross-site Scripting | URL Category | Cross-site Scripting
    Crypto Mining | URL Category | Crypto Mining & Blockchain
    Incoming/Outgoing Malware | Threat Category/Malware Category | Malware, Exploit, MalwareTool, ArchiveBomb, MalwareSecurityRisk, Other Malware
    Incoming/Outgoing Spyware | Threat Category/Malware Category | Spyware, Dialer, BackDoor, Adware Proxy, PWStealer, Downloader, Other Spyware
    Incoming/Outgoing Unscannable Files | Policy Reason | Not allowed to upload/download unscannable file formats
    Incoming/Outgoing Viruses | Threat Category/Malware Category | Virus, Unwanted Applications, BootVirus, Macro, Worm, Trojan, MisDisinfection, Other Viruses, Ransomware, Remote Access Tool, Unrecognized Virus
    Malicious Content | URL Category | Malicious Content
    Peer-to-peer | URL Category | Peer-to-peer
    Phishing | URL Category | Phishing
    Privacy Risk | URL Category | Privacy Risk
    Sandbox Adware | Threat Category/Malware Category | Sandbox Adware
    Sandbox Anonymizer | Threat Category/Malware Category | Sandbox Anonymizer
    Sandbox Malware | Threat Category/Malware Category | Sandbox Malware
    Sandbox Offensive Security Tools | Threat Category/Malware Category | Sandbox Offensive Security Tools
    Sandbox Ransomware | Threat Category/Malware Category | Sandbox Ransomware
    Suspicious Content | URL Category | Suspicious Content
    Suspicious Destination | URL Category | Suspicious Destination
    Unauthorized Communication | URL Category | Unauthorized Communication
    Web Spam | URL Category | Web Spam
  • Event
    Chat File Transfer
    Social Network Post
    Streaming Upload
    Streaming View/Listen
    URL Filtering Blocked Sites
    Webmail File Attachment
  • Event
    ADP Schedule Update Failure
    Auth Bridge Down
    LDAP Connection Down
    LDAP Failure
    LDAP Success
    Traffic Decrease
    Traffic Increase
    Policy Violation
  • Event
    Custom Engine Violation
    GLBA Violation
    HIPAA Violation
    IDM Schedule Update Failure
    PCI Violation
  • Event
    Patient 0 (Requires Advanced Sandbox)

About the Define Alerts Page

On the Define Alerts page (Administration > Alerts), you can do the following:

  1. Add an alert.
  2. View a list of all configured alerts. For each alert, you can see the following:
    • Alert Name: Displays the trigger event that generated the alert.
    • Alert Class: Displays the class of the event that triggered the alert.
    • Triggered By: Displays the number of event occurrences for a given time period.
    • Applies To: Displays whether the event is applied to the Organization, a Location, Department or User.
    • Severity: Displays the severity level of the event (i.e., Critical, Major, Minor, Info, or Debug).
    • Status: Displays whether the alert is enabled or disabled.
  3. Edit an alert.
  4. Modify the table and its columns.
  5. Search for an alert.
  6. Click the Global Configuration tab to resend alerts.
  7. Click the Publish Alerts tab to specify alert subscriptions for email recipients.
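
When alerts are reproduced in a SIEM from NSS logs, the Security Alerts table supplies the field and value matches, and the Triggered By and Applies To settings supply the counting rule. The sketch below is an added example, not Zscaler code: it classifies JSON log records against a subset of that table and fires when an event occurs a given number of times within a time window for one user or location. The JSON key names (time, user, location, urlcat, malwarecat, reason), the function names and the sample records are assumptions constructed for illustration; match the keys to your own NSS feed output format.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# (logged field, value) -> alert event: a subset of the Security Alerts table.
# Assumed JSON keys: urlcat = URL Category, malwarecat = Threat/Malware Category, reason = Policy Reason.
RULES = {
    ("urlcat", "Botnet Callback"): "Botnet Callback",
    ("urlcat", "Spyware Callback"): "Adware/Spyware",
    ("urlcat", "Phishing"): "Phishing",
    ("malwarecat", "Sandbox Ransomware"): "Sandbox Ransomware",
    ("reason", "Not allowed to upload/download unscannable file formats"):
        "Incoming/Outgoing Unscannable Files",
}
for value in ("Malware", "Exploit", "MalwareTool", "ArchiveBomb"):
    RULES[("malwarecat", value)] = "Incoming/Outgoing Malware"

def classify(record):
    """Return the alert events that one log record maps to."""
    return sorted({RULES[(k, v)] for k, v in record.items()
                   if isinstance(v, str) and (k, v) in RULES})

def triggered(lines, threshold, window, scope="user"):
    """Return (time, event, scope value) whenever `threshold` occurrences of an
    event for one scope value fall within `window`. Lines must be time-ordered."""
    seen, fired = defaultdict(deque), []
    for line in lines:
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["time"])
        for event in classify(rec):
            q = seen[(event, rec.get(scope))]
            q.append(ts)
            while ts - q[0] > window:   # drop occurrences older than the window
                q.popleft()
            if len(q) >= threshold:
                fired.append((rec["time"], event, rec.get(scope)))
                q.clear()               # start counting afresh after firing
    return fired

def _rec(time, user, **fields):  # builds one constructed sample record as a JSON line
    return json.dumps({"time": f"2024-05-01T{time}", "user": user, "location": "HQ", **fields})

SAMPLE = [  # constructed records, not real log data
    _rec("10:00:00", "a@example.com", urlcat="Botnet Callback"),
    _rec("10:02:00", "a@example.com", urlcat="Botnet Callback"),
    _rec("10:03:00", "b@example.com", urlcat="Phishing"),
    _rec("10:04:00", "a@example.com", urlcat="Botnet Callback"),
    _rec("10:20:00", "a@example.com", urlcat="Professional Services", malwarecat="Exploit"),
]
```

Calling triggered(SAMPLE, threshold=3, window=timedelta(minutes=5)) returns a single Botnet Callback alert for a@example.com at 10:04:00; passing scope="location" counts per location instead of per user.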