Using Alerts
Last updated
n.Scope Network Detection and Response comes with a full-fledged Alerting system, continuously monitoring network traffic to generate accurate and valuable alerts on suspicious behaviors and security policy violations. This guide will walk you through how to configure the alert rules templates to fit your organization's needs.
Alert Templates are the main building block of our Alerting system. They represent the detection capabilities of n.Scope and can be instantiated multiple times with different settings. Thanks to this multiple instantiation system, it is possible to fine-tune the detection capability to react differently
You can find alert rules in: Settings -> Alert Rules -> Add Rules.
To create an Alert Rule, it is required to instantiate an Alert Template. Navigate to the Template page in settings and click on the "Create Rule" button of the template that you wish to instantiate. A box with the required settings of the template will pop up. All Alert Rules always have the following customizable settings:
Rule Name: it is a user-side display name for the rule. Name it in a way that is easy to recognize for yourself and your team.
Scope of rule: these are the Probes that will look for traffic matching the pattern. Leave it empty to match all probes.
Severity: From Critical, High, Medium and Low, this is an administrative distinction set user-side to put a severity flag on alerts coming from this alert rule.
Based on the template used, a number of other parameters may be required. Check the specific page of Alert Templates for details about the configuration of individual templates.
To get notified of new incoming Alerts, it is required to configure a notification system in the settings. Check the supported integrations here.
Once detected, Alerts follow a life cycle that consists of 4 different steps.
Ongoing: when the alert is live and still being observed by probes
Ended: once no more new network traffic is detected
Resolved: when they have been treated by a user
Ignored: when they have been dismissed as false positives.
Ignored Alerts are considered false positives. They won't open again on the same network parameters.
Resolved Alerts are considered duly investigated and will open again if the same network conditions arise again.
It is possible to re-open both Ignored and Resolved Alerts. Ended alerts cannot be reopened manually.
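To make the life-cycle rules above concrete, here is a small Python model of them. This is an added example written for this page, not n.Scope code or its API: the state names mirror the four steps, and the `NetworkParams` key, the `AlertStore` class and its `observe`, `end`, `resolve`, `ignore` and `reopen` methods are all hypothetical. It assumes that "the same network parameters" means one alert per (rule, source, destination, port) tuple, and that an Ended alert opens again by itself when matching traffic reappears; the page does not state the latter.

```python
"""Toy model of the alert life cycle: Ongoing -> Ended / Resolved / Ignored, with the
re-open rules from the page (added example, not product code)."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Optional


class AlertState(Enum):
    ONGOING = "ongoing"    # live and still observed by probes
    ENDED = "ended"        # no more matching traffic seen
    RESOLVED = "resolved"  # treated by a user; opens again on the same conditions
    IGNORED = "ignored"    # dismissed as false positive; stays closed on the same parameters


@dataclass(frozen=True)
class NetworkParams:
    """Hypothetical de-duplication key for 'the same network parameters'."""
    src: str
    dst: str
    dport: int


@dataclass
class Alert:
    rule_name: str
    severity: str  # Critical / High / Medium / Low, set on the rule
    params: NetworkParams
    state: AlertState = AlertState.ONGOING


class AlertStore:
    """Keeps one alert per (rule, network parameters) and applies the life-cycle rules."""

    def __init__(self) -> None:
        self._alerts: dict[tuple[str, NetworkParams], Alert] = {}

    def observe(self, rule_name: str, severity: str, params: NetworkParams) -> Optional[Alert]:
        """A probe saw traffic matching a rule. Returns the alert that is (re)opened,
        or None when an Ignored alert on the same parameters suppresses it."""
        key = (rule_name, params)
        alert = self._alerts.get(key)
        if alert is None:
            alert = Alert(rule_name, severity, params)
            self._alerts[key] = alert
            return alert
        if alert.state is AlertState.IGNORED:
            return None  # false positive on these parameters: never re-opened by traffic
        # Ongoing stays ongoing; Resolved (and, by assumption, Ended) open again
        alert.state = AlertState.ONGOING
        return alert

    def end(self, alert: Alert) -> Alert:
        """Probes stopped seeing matching traffic; only an Ongoing alert can end."""
        if alert.state is AlertState.ONGOING:
            alert.state = AlertState.ENDED
        return alert

    def resolve(self, alert: Alert) -> Alert:
        """User marks the alert as investigated."""
        alert.state = AlertState.RESOLVED
        return alert

    def ignore(self, alert: Alert) -> Alert:
        """User dismisses the alert as a false positive."""
        alert.state = AlertState.IGNORED
        return alert

    def reopen(self, alert: Alert) -> Alert:
        """Manual re-open: allowed for Ignored and Resolved, refused for Ended."""
        if alert.state is AlertState.ENDED:
            raise ValueError("Ended alerts cannot be reopened manually")
        alert.state = AlertState.ONGOING
        return alert


if __name__ == "__main__":
    # Constructed walkthrough with sample (documentation-range) addresses
    store = AlertStore()
    params = NetworkParams("10.0.0.5", "203.0.113.9", 443)
    alert = store.observe("Suspicious beaconing", "High", params)
    print("first sighting ->", alert.state.value)
    store.ignore(alert)
    print("after ignore, new traffic ->", store.observe("Suspicious beaconing", "High", params))
    store.reopen(alert)
    store.resolve(alert)
    print("after resolve, new traffic ->", store.observe("Suspicious beaconing", "High", params).state.value)
```

Running the walkthrough shows the asymmetry the page describes: after `ignore`, the same traffic returns `None` (no new alert), whereas after `resolve` the same traffic puts the alert back to `ongoing`.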