Alerts can be created to notify you when the specified threshold has been reached. To receive an alert, first create a notification integration.
A static alert uses a static value as the threshold to trigger the alert. To create an alert:
1. Navigate to Posture Management in the FireTail platform.
2. Click the Alerting tab.
3. Click Create Alert and select Static as the alert type.
4. In the Name section, fill out the following:
Alert Name - Enter a name for the alert.
Enabled - Toggle on/off to activate or deactivate the alert.
5. Filters - Define which requests should be monitored by the alert, or select a preconfigured alert.
Custom filters
A Custom filter can contain a single condition or multiple conditions. There are various options you can select to filter by, such as response status codes, request path, tags and so on. Multiple filters can be added.
Select Custom.
Click Add Filter Group.
Select the required element from the Type dropdown.
Choose the appropriate Operator.
Enter a Value.
Click Submit.
Click Add to add any further conditions to the filter. Select Include or Exclude to determine if the requests displayed in the alerts dashboard must include or exclude the conditions defined in the filter.
Managed filters
FireTail offers a set of managed, preconfigured filters designed to detect various security threats. Select Managed and select the type of managed filter to apply to the alert. Select an API in the Filter traffic by API field, if required.
Note: To customize a managed filter, select it first, then switch to Custom mode.
6. Set trigger conditions for the alert:
Whenever the request is - This defines when the alert is triggered. Choose the appropriate value:
Greater - Select this to get an alert when the request is greater than the threshold value.
Greater/Equal - Select this to get an alert when the request is greater than or equal to the threshold value.
Equal - Select this to get an alert when the request is equal to the threshold value.
Lower/Equal - Select this to get an alert when the request is lower than or equal to the threshold value.
Lower - Select this to get an alert when the request is lower than the threshold value.
Than - Enter the threshold value.
Within the last - Choose a time window for monitoring (e.g., last 6 hours). FireTail checks data at one-third intervals. For example, if you select 6 hours, checks are made every 2 hours, examining the previous 6 hours. This is displayed under the Runs every field.
7. In the Metrics section, you can define a specific metric to monitor for unusual activity.
In the Metric name dropdown select the type of metric you want to track (log count, response payload size, request header size and so on).
In the Metric stat dropdown, select a statistical operation (sum, average, min, max, and so on).
8. In the Control Settings section you can adjust parameters to manage alert frequency and timing, which helps prevent over-notification. Adjust the following:
After every trigger don't run this check for - After an alert is triggered, enter a 'cooldown' period during which subsequent alerts are suppressed.
Delay evaluating the first check by - This value delays the first evaluation after an alert is created, serving as a grace period.
9. Notification Integration - Select the method by which you will receive your alert notification. Select a previously created integration from the dropdown, or click Create to create a new integration.
Note: When you create a notification integration, you can define the text and information that will be displayed when an alert is sent.
10. Review the alert diagram in the Preview section.
11. Click Submit. The alert is now created and listed under the Alerts tab. You will receive alerts via the selected notification integration when triggered.
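The following Python example is added here and is not FireTail code: it models the evaluation schedule from steps 6 and 8 (a check every one-third of the window, the cooldown, and the first-check delay) over a constructed burst of requests. It assumes the metric is a log count, that each window ends at the check time, and that checks falling inside the cooldown are skipped; the function and variable names are hypothetical.

```python
import operator
from datetime import datetime, timedelta

# The five "Whenever the request is" choices from step 6.
OPERATORS = {"Greater": operator.gt, "Greater/Equal": operator.ge,
             "Equal": operator.eq, "Lower/Equal": operator.le,
             "Lower": operator.lt}

def simulate_static_alert(events, start, end, window, op, threshold,
                          cooldown=timedelta(0), first_delay=timedelta(0)):
    """Return [(check_time, count)] for every check that triggers.

    events: datetimes of requests already matched by the alert's filter.
    Assumption: the metric is a log count over (check - window, check].
    """
    interval = window / 3          # "Runs every": one third of the window
    compare = OPERATORS[op]
    fired = []
    muted_until = start
    check = start + first_delay    # grace period before the first check
    while check <= end:
        if check >= muted_until:   # assumption: checks in cooldown are skipped
            count = sum(1 for e in events if check - window < e <= check)
            if compare(count, threshold):
                fired.append((check, count))
                muted_until = check + cooldown
        check += interval
    return fired

# Constructed sample: 120 matching requests (for example HTTP 401s),
# one every 10 seconds, starting at 03:05.
T0 = datetime(2024, 1, 1, 0, 0)
BURST = [T0 + timedelta(hours=3, minutes=5, seconds=10 * i) for i in range(120)]

def demo(cooldown):
    """6-hour window, alert when count is Greater than 100, 1-hour first delay."""
    return simulate_static_alert(
        BURST, start=T0, end=T0 + timedelta(hours=12),
        window=timedelta(hours=6), op="Greater", threshold=100,
        cooldown=cooldown, first_delay=timedelta(hours=1))

if __name__ == "__main__":
    for label, cd in (("no cooldown", timedelta(0)),
                      ("6 h cooldown", timedelta(hours=6))):
        print(label, [(t.strftime("%H:%M"), n) for t, n in demo(cd)])
```

With no cooldown, the single 20-minute burst triggers at 05:00, 07:00 and 09:00 because each overlapping 6-hour window still contains it; a 6-hour cooldown reduces that to one alert.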