Alerts
How to create new alerts
CYBERQUEST's alerting feature is a fully customizable module, configured per connected user. The events that trigger an alert are user-defined, so each alert can be tuned to a specific detection need, which improves accuracy and keeps false alerts to a minimum.
Follow the steps to create a new alert:
Step 1. Authentication
To access the Web Interface, open a web browser and enter the application's IP address or DNS name. The default address initially assigned to the Web Interface is https://CyberquestIPAddress (example).
The browser automatically redirects you to CYBERQUEST's authentication page:

Step 2. Navigate to Alerts
From the Settings menu, select Alerts > Realtime. The Alerts customization page opens in the Alerts module interface.

Step 3. Create new alert definition
On the "Alerts" page, press the "Create new alert definition" button to create a new alert.

Step 4. Complete the form
Complete the form with the appropriate information and press the "Save Alert & Exit" button:

Alert Name: The name of the new alert.
Alert Active: Select the ALERT ACTIVE checkbox to activate the alert, or clear it to deactivate the alert.
Time Frame TTL (sec.): How long, in seconds, the alert remains active (and keeps correlating related events) once it has been triggered.
Alert Security Score: The baseline security score (0-100) of the alert. When the alert triggers, the score is increased according to the matching events and rule conditions, but it never falls below the baseline and never exceeds 100. For example, a baseline of 70 with a rule that adds 5 per matching event yields scores between 70 and 100. The score determines the alert's severity level (see Alert Security Level).
Alert Security Level: Derived directly from the security score (0-30: Low, 31-70: Medium, 71-100: High), with matching colour coding (Green, Yellow, Red). The level determines how the alert is shown in dashboards and notifications.
Sent as Alert: The Sent as Alert checkbox complements ALERT ACTIVE. When it is cleared, the alert stays active but produces no visible output: events are still correlated in the backend, so anomaly analysis across multiple events, triggers and alerts continues.
Has Action: Select the Has Action checkbox if a script should run when the alert triggers. The script rule is the last rule in the rule conditions list and takes precedence over all other rules. Press the "Action Parameters" button to open the Script Editor window, where you write the custom script that is applied as the rule.
Send via Email: Select the Send via Email checkbox to send the alert to the defined recipients.
Notification Template: Choose the notification template to apply to the alert, either a built-in or a custom one. The default is Default notification.
Under the Rules section you define, at a granular level, the rules that control the alert's behaviour: from single-event rules to correlations between several events, the order in which events occur, the absence of an expected event from a logical sequence of events, and so on.
Previous: Move to the previous rule condition of the alert.
Next: Move to the next rule condition of the alert.
Add Rule: Press the "Add Rule" button to add a new rule. The new rule is defined in the Rule Settings pane on the right.
The Rule Settings pane is where you define the rule logic. Rule logic consists of field, report and correlation conditions joined by the logical operators AND, OR and NOT. For example, to match Windows failed logons caused by a wrong password or an unknown user name: EventID = 4625 AND (SubStatus = 0xC000006A OR SubStatus = 0xC0000064), with a Time Frame TTL of 300 seconds so that matches are correlated within a 5-minute window.
Each rule has:
Description: Free text describing the rule.
Add field condition: In the Select Field drop-down, select the event field to test. In the next drop-down, select the comparison operator. In the third field, enter the value to compare against.
Add report condition: The condition presents a drop-down list from which you select one of the existing reports.
Delete: Deletes the selected rule condition.
When you add a rule condition, a logical operator linking it to the previous condition is added automatically. The default operator is AND; click the AND switch to change it to OR, and click it again to change back to AND.
Where the logical chain requires it, a NOT operator is also available as a checkbox. It is cleared by default; select NOT to negate the condition.
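The rule logic, the score and level mapping and the TTL window described above can be seen end to end in a small evaluator. The following is an added illustration written for this page, not CYBERQUEST code; it assumes (none of this is taken from the page) that events are flat dictionaries carrying a timestamp, that a condition is a (field, operator, value, NOT) tuple chained strictly left to right by the AND/OR switch, that the score grows by a fixed increment per matching event, and that a TTL window opens at the first match. It runs a failed-logon rule (wrong password or unknown user name, with a NOT condition excluding a hypothetical service account) over constructed sample Windows logon events.

```python
"""Evaluator for the alert rule, score and TTL semantics described above.

Added illustration, not CYBERQUEST code. Assumptions: events are flat dicts
with a "ts" datetime; a condition is (field, operator, value, negate), where
negate models the NOT checkbox; conditions combine left to right via the
AND/OR switch; the score grows by a fixed increment per matching event.
"""
import operator
from datetime import datetime, timedelta

# Value operators assumed for the operator drop-down (hypothetical set).
OPS = {
    "=": operator.eq,
    "!=": operator.ne,
    ">": operator.gt,
    "<": operator.lt,
    "contains": lambda actual, value: str(value) in str(actual),
}


def eval_condition(event, cond):
    """Evaluate one field condition; a field absent from the event never matches."""
    field, op, value, negate = cond
    actual = event.get(field)
    hit = False if actual is None else OPS[op](actual, value)
    return (not hit) if negate else hit


def eval_rule(event, conditions, joins):
    """joins[i] ('AND' or 'OR') links conditions[i] and conditions[i+1].

    Evaluation is strictly left to right, mirroring the order in which the
    rule builder chains conditions; there is no operator precedence.
    """
    if len(joins) != len(conditions) - 1:
        raise ValueError("need exactly one join operator between conditions")
    result = eval_condition(event, conditions[0])
    for cond, join in zip(conditions[1:], joins):
        hit = eval_condition(event, cond)
        result = (result and hit) if join == "AND" else (result or hit)
    return result


def security_score(baseline, matches, increment=5):
    """Baseline plus `increment` per matching event, clamped to [baseline, 100]."""
    return max(baseline, min(100, baseline + increment * matches))


def security_level(score):
    """Map a 0-100 score to the Low / Medium / High bands used on this page."""
    if score <= 30:
        return "Low"
    if score <= 70:
        return "Medium"
    return "High"


def correlate(events, conditions, joins, ttl_sec, threshold, baseline, increment=5):
    """Group matching events into TTL windows opened by their first match;
    every window that reaches `threshold` matches yields one alert record."""
    alerts = []
    window_start, count = None, 0

    def close_window():
        if count >= threshold:
            score = security_score(baseline, count, increment)
            alerts.append({"first_seen": window_start, "matches": count,
                           "score": score, "level": security_level(score)})

    for ev in sorted(events, key=lambda e: e["ts"]):
        if not eval_rule(ev, conditions, joins):
            continue
        if window_start is None or ev["ts"] - window_start > timedelta(seconds=ttl_sec):
            close_window()                     # previous TTL window has expired
            window_start, count = ev["ts"], 0
        count += 1
    close_window()
    return alerts


# Constructed sample events (not captured logs) using Windows logon audit fields.
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    {"ts": T0, "EventID": 4624, "TargetUserName": "alice"},
    {"ts": T0 + timedelta(seconds=10), "EventID": 4625, "TargetUserName": "alice", "SubStatus": "0xC000006A"},
    {"ts": T0 + timedelta(seconds=20), "EventID": 4625, "TargetUserName": "alice", "SubStatus": "0xC000006A"},
    {"ts": T0 + timedelta(seconds=30), "EventID": 4625, "TargetUserName": "bob", "SubStatus": "0xC0000064"},
    {"ts": T0 + timedelta(seconds=40), "EventID": 4625, "TargetUserName": "svc-backup", "SubStatus": "0xC000006A"},
    {"ts": T0 + timedelta(hours=1), "EventID": 4625, "TargetUserName": "alice", "SubStatus": "0xC000006A"},
]

# ((EventID = 4625 AND SubStatus = wrong password) OR SubStatus = unknown user)
#   AND NOT TargetUserName = svc-backup   (hypothetical noisy service account)
FAILED_LOGON_RULE = [
    ("EventID", "=", 4625, False),
    ("SubStatus", "=", "0xC000006A", False),   # STATUS_WRONG_PASSWORD
    ("SubStatus", "=", "0xC0000064", False),   # STATUS_NO_SUCH_USER
    ("TargetUserName", "=", "svc-backup", True),
]
FAILED_LOGON_JOINS = ["AND", "OR", "AND"]


def demo():
    """Three failed logons inside a 300 s TTL give one High alert (70 + 3*5 = 85);
    the lone failure an hour later opens a new window that stays below threshold."""
    return correlate(SAMPLE_EVENTS, FAILED_LOGON_RULE, FAILED_LOGON_JOINS,
                     ttl_sec=300, threshold=3, baseline=70)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Note that, because the chain is evaluated left to right, the position of a condition in the list changes what it means: the NOT condition placed last excludes the service account from everything before it, whereas the same condition placed second would only be ANDed with the EventID test and then overridden by the OR. Check the order of the conditions in the Rule Settings pane for the same reason.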
Post-Trigger Alert Workflow
When an alert is triggered:
1. The security score is calculated from the baseline and the matching rule conditions.
2. Notifications are sent through the configured channels (e.g., email, using the selected notification template).
3. The associated script executes immediately if "Has Action" is enabled.
4. The alert appears in the Realtime Alerts dashboard with colour-coded severity.
5. Correlation continues for the duration of the TTL window to detect related events.
Best Practices for Alert Creation
- Start with Specific Conditions: Begin with narrow event filters (e.g., specific Event IDs) to minimise false positives before adding correlation rules.
- Use Time-Bound Correlations: Bound every correlation with the Time Frame TTL (e.g., 5 failed logons within 300 seconds) so that unrelated matches far apart in time are not joined into one alert.
- Balance Sensitivity and Noise: Choose the TTL to suit the alert: shorter for critical, fast-moving events (e.g., 300 seconds), longer for investigative alerts that collect evidence over time (e.g., 86400 seconds).
- Regular Rule Audits: Review alert rules regularly (e.g., quarterly) and update thresholds as threat patterns and the monitored environment change.
- Test Before Deployment: Use the "Preview" feature to validate rule logic against historical data before activating an alert, or save the alert with Sent as Alert cleared so that it correlates silently in the backend until the rules are tuned.
For more information about alerts, follow the link: Alerts Module.