Secure Internet and SaaS Access (ZIA)

Configuring an Alert Rule

You can configure alert rules to get high-level statistics of each event type and threat severity. You can view, manage, create, and adjust the alert rules based on your organization's traffic. To learn more, see About Security Alerts.

Adding an Alert Rule

To add an alert rule:

  1. Go to Alerts > Alert Rules.
  2. Click Add Alert Rule.

    The Add Alert Rule window appears.

  3. In the Add Alert Rule window:
    1. Under the Alert Definition section, configure the appropriate parameters:
      • Alert Name: Enter an alert name. The maximum length is 31 characters.
      • Alert Class: Select the alert class for the rule. By default, the alert class is set to Security.
      • Status: Select the status of the rule.
    2. Under the Alert Trigger Criteria section, configure the appropriate parameters. The available parameters depend on the selected Alert Class.

      For Security alerts:
        • Event Type: Select the event type for the rule. Select from a list of Advanced Threat Protection, Malware Protection, or Sandbox.
        • Within Time Interval: Choose the span of time within which an event's occurrence triggers an alert. You can choose from 10 minutes, 15 minutes, 30 minutes, 45 minutes, or 1 hour.
        • Add Filters: You can add filters to security alerts to make the rule more specific. You can apply the filters to Location, Users, Department, and System Impacted.

      For UEBA alerts:
        • Event Type: Select the event type for the rule. Select Access, Data, or Privilege from the drop-down.
        • Alert Type: Select the alert type of the rule. The alert types depend on the selected Event Type. Each channel type has different alert types to choose from. The available alert types and their descriptions are:
          • Upload of Invoice: Identify users who have uploaded invoices in a short period of time.
          • Upload of Tax documents: Identify users who have uploaded tax documents in a short period of time.
          • Upload of Resumes: Identify users who have uploaded resumes in a short period of time.
          • Upload of Medical documents: Identify users who have uploaded medical documents in a short period of time.
          • Upload of Real Estate documents: Identify users who have uploaded real estate documents in a short period of time.
          • Upload of Legal documents: Identify users who have uploaded legal documents in a short period of time.
          • Upload of Court Form documents: Identify users who have uploaded court form documents in a short period of time.
          • Upload of Technical documents: Identify users who have uploaded technical documents in a short period of time.
          • Upload of Transportation and Motor documents: Identify users who have uploaded documents related to transportation and motor in a short period of time.
          • Upload of Immigration documents: Identify users who have uploaded immigration documents in a short period of time.
          • Upload of Insurance documents: Identify users who have uploaded insurance documents in a short period of time.
          • Upload of Corporate Finance documents: Identify users who have uploaded corporate finance documents in a short period of time.
          • Upload of Corporate Legal documents: Identify users who have uploaded legal documents in a short period of time.
          • Data exfiltration by password protected or encrypted docs: Identify users who have shared data after applying encryption or passwords to avoid content inspection.
          • Upload to high risk countries: Identify users who have uploaded data to locations in suspicious countries.
          • Upload from high risk countries: Identify users who have uploaded data from locations in suspicious countries.
          • Bulk Activity Alert: Identify users who have performed a certain set of activities in a short period of time. Through this alert, multiple activities for the SaaS Security API can be tracked for a user. Supported Activities: Upload, Share, Create, Edit, Delete, Comment, Download, Rename, Form Sharing, File Transfer, Chat, Post, Send email, Send Attachments, and Comment.
          • Bulk upload of sensitive data: Identify users who have uploaded sensitive data in a short period of time.
          • Bulk download of sensitive data: Identify users who have downloaded sensitive data in a short period of time.

          • Impossible Travel: Identify users accessing the organization's applications from different locations in a short period of time.
          • Multiple Failed Logins: Identify users with multiple failed login attempts to the organization's applications in a short period of time.
          • Bulk Download of Data: Identify users with large amounts of download activities in a short period of time.
          • Bulk Upload of Data: Identify users with large amounts of upload activities in a short period of time.
          • Code Repo Shared Externally: Identify external users accessing the organization's code repositories.
          • Code Repo Made Public: Identify if the organization's code repositories are made public.
          • Bulk Files Delete: Identify users with large amounts of delete activities in a short period of time.
          • Bulk Share of Data: Identify users with large amounts of share activities in a short period of time.
          • Excessive Admin Activities: Identify users performing a high number of admin activities in a short period of time.
        • Channel: Choose between Inline and API to select the channel. By default, the channel is set to API for alert rules that apply only to the API channel.
        • Within Time Interval: Choose the span of time within which an event's occurrence triggers an alert.
        • No of Failed Logins: Enter the number of failed login attempts required for the alert rule to trigger.
        • Tenants: Select the tenants to which you want to apply the alert rule.
        • No of Files Greater Than: Enter the number of files that sets the trigger. For bulk upload or download of data, the rule triggers if the number of files is greater than the set number.
        • Doc Type: Select the document type to which the alert rule applies.
        • DLP Engines: Select the DLP engine for the rule. You can select one or multiple engines.
        • Data Types: Select the type of data for the rule. By default, the data type is set to All Data Types.
        • No of Activities Greater Than: Enter the number of activities that sets the trigger. For bulk sharing of data, the rule triggers if the number of activities is greater than the set number.
        • Activity: Select the type of activity to which the rule applies.
        • Countries: Select the country to which the rule applies. You can select one, multiple, or all countries from the drop-down menu.
    3. For Security alerts, under the Evaluation Status section, to trigger the alert rule, enable Send Alert Update every ___ intervals and add the number of times you want to trigger the alert in the intervals field.
    4. For UEBA alerts, under Actions, select Alerts, Trigger Multi-Factor Authentication, or Place user in group to trigger the alert rule. Select a User Group and Time Interval under Action for Place user in group.
    5. Under the Recipients section, configure the appropriate parameters:

      • Webhooks: Select a webhook from the list.
      • Email Addresses: Add the email address, addresses, or email alias to trigger the alert email notification for the ZIA alert.

  4. Click Save and activate the change.

Editing an Alert Rule

To edit an existing alert rule:

  1. Go to Alerts > Alert Rules.
  2. In the alerts table, click the Edit icon to edit a selected preconfigured alert rule.

    The Edit Alert Rule window appears.

  3. In the Edit Alert Rule window:
    1. Under the Alert Definition section, configure the appropriate parameters:
      • Alert Name: Enter an alert name. The maximum length is 31 characters.
      • Alert Class: Select the alert class for the rule. By default, the alert class is set to Security.
      • Status: Select the status of the rule.
    2. Under the Alert Trigger Criteria section, configure the appropriate parameters. The available parameters depend on the selected Alert Class.

      For Security alerts:
        • Event Type: Select the event type for the rule. Select from a list of Advanced Threat Protection, Malware Protection, or Sandbox.
        • Within Time Interval: Choose the span of time within which an event's occurrence triggers an alert. You can choose from 10 minutes, 15 minutes, 30 minutes, 45 minutes, or 1 hour.
        • Add Filters: You can add filters to security alerts to make the rule more specific. You can apply the filters to Location, Users, Department, and System Impacted.

      For UEBA alerts:
        • Event Type: Select the event type for the rule. Select Access, Data, or Privilege from the drop-down.
        • Alert Type: Select the alert types of the rule. The alert types depend on the selected Event Type.
        • Channel: Choose between Inline and API to select the channel. By default, the channel is set to API for alert rules that apply only to the API channel.
        • Within Time Interval: Choose the span of time within which an event's occurrence triggers an alert.
        • No of Failed Logins: Enter the number of failed login attempts required for the alert rule to trigger.
        • Tenants: Select the tenants to which you want to apply the alert rule.
        • No of Files Greater Than: Enter the number of files that sets the trigger. For bulk upload or download of data, the rule triggers if the number of files is greater than the set number.
        • Doc Type: Select the document type to which the alert rule applies.
        • DLP Engines: Select the DLP engine for the rule. You can select one or multiple engines.
        • Data Types: Select the type of data for the rule. By default, the data type is set to All Data Types.
        • No of Activities Greater Than: Enter the number of activities that sets the trigger. For bulk sharing of data, the rule triggers if the number of activities is greater than the set number.
        • Activity: Select the type of activity to which the rule applies.
        • Countries: Select the country to which the rule applies. You can select one, multiple, or all countries from the drop-down menu.
    3. For Security alerts, under the Evaluation Status section, to trigger the alert rule, enable Send Alert Update every ___ intervals and add the number of times you want to trigger the alert in the intervals field.
    4. For UEBA alerts, under Actions, select Alerts, Trigger Multi-Factor Authentication, or Place user in group to trigger the alert rule. Select a User Group and Time Interval under Action for Place user in group.
    5. Under the Recipients section, configure the appropriate parameters:

      • Webhooks: Select a webhook from the list.
      • Email Addresses: Add the email address, addresses, or email alias to trigger the alert email notification for the ZIA alert.

  4. Click Save and activate the changes.

Alert Rule Exceptions

The UEBA alert also provides the option to exempt multiple users from an alert rule. Users kept on the exceptions list are not evaluated against the traffic for the selected applications.

To edit the list of user exceptions:

  1. Edit an existing alert from the Alert Rules table.

    The Edit Alert Rule window is displayed.

  2. Click Exceptions.

    The list of users exempted from evaluation appears.

  3. To delete a user from the list, click the Remove icon (x icon) next to their name.

  4. Click Save and activate the changes.
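The following Python program is an added example and is not Zscaler's code, API, or data. It models how the Alert Trigger Criteria described under Adding an Alert Rule (an event type, a count threshold such as No of Failed Logins or No of Files Greater Than, Within Time Interval) and the UEBA exceptions list described above combine into a sliding-window check over a stream of events, and it treats "Send Alert Update every N intervals" as "do not re-alert for the same user sooner than N times the interval", which is an assumption about the product's semantics. Event field names, the `build_rule` helper, and the sample log lines are all constructed for illustration.

```python
"""Sliding-window threshold evaluation for an alert rule.

Added illustration; not Zscaler's code, API or data. Field names,
helper names and the sample events are assumptions made for this example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    time: datetime
    user: str
    event_type: str          # constructed labels, e.g. "failed_login"


@dataclass(frozen=True)
class AlertRule:
    name: str
    event_type: str
    min_count: int           # fire once this many events sit in the window
    interval: timedelta      # "Within Time Interval"
    exceptions: frozenset    # users never evaluated (UEBA exceptions list)
    update_every: int        # assumed: re-alert no sooner than N * interval


@dataclass(frozen=True)
class Alert:
    rule: str
    user: str
    time: datetime
    count: int


def build_rule(name, event_type, min_count, interval_minutes,
               exceptions=(), update_every=1):
    """Mirror the form fields; a 'Greater Than N' field maps to min_count=N+1."""
    return AlertRule(name, event_type, min_count, timedelta(minutes=interval_minutes),
                     frozenset(exceptions), update_every)


class RuleEvaluator:
    """Keeps one sliding window of timestamps per user for a single rule."""

    def __init__(self, rule):
        self.rule = rule
        self._windows = defaultdict(deque)   # user -> timestamps in window
        self._last_alert = {}                # user -> time of last alert

    def ingest(self, event):
        """Feed one event (in time order); return an Alert or None."""
        rule = self.rule
        if event.event_type != rule.event_type or event.user in rule.exceptions:
            return None
        window = self._windows[event.user]
        window.append(event.time)
        while event.time - window[0] > rule.interval:   # expire old entries
            window.popleft()
        if len(window) < rule.min_count:
            return None
        last = self._last_alert.get(event.user)
        if last is not None and event.time - last < rule.update_every * rule.interval:
            return None      # suppressed until the next update period
        self._last_alert[event.user] = event.time
        return Alert(rule.name, event.user, event.time, len(window))


def evaluate(rule, events):
    """Run a rule over a batch of events and return the alerts raised."""
    ev = RuleEvaluator(rule)
    alerts = []
    for e in sorted(events, key=lambda e: e.time):
        alert = ev.ingest(e)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample log; not real ZIA data.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_EVENTS = (
    [Event(T0 + timedelta(minutes=m), "alice", "failed_login") for m in (0, 2, 4, 6, 8)]
    + [Event(T0 + timedelta(minutes=m), "bob", "failed_login") for m in (0, 20, 40)]
    + [Event(T0 + timedelta(minutes=m), "svc-scanner", "failed_login") for m in (0, 1, 2, 3, 4)]
)

# Three failed logins within 10 minutes; svc-scanner is on the exceptions list;
# after firing, re-alert no sooner than 2 intervals later.
FAILED_LOGIN_RULE = build_rule("Multiple Failed Logins", "failed_login", 3, 10,
                               exceptions=("svc-scanner",), update_every=2)

if __name__ == "__main__":
    for a in evaluate(FAILED_LOGIN_RULE, SAMPLE_EVENTS):
        print(f"{a.time:%H:%M} {a.rule}: user={a.user} count={a.count}")
```

Run as a script, the sample produces a single alert for alice at 09:04 with a count of 3: bob's three failures are spread 20 minutes apart and never share a 10-minute window, and svc-scanner is skipped because it is on the exceptions list. Removing the exception makes svc-scanner alert as well, which is the trade-off the exceptions list exists for: a noisy but known account stops generating alerts, and is also no longer watched by that rule.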