How to Write a Custom Actionable Alert Rule

👍

Liongard Academy

Learn more about writing custom Actionable Alerts with Liongard Academy's "Liongard Customized" course.

Access today at Liongard Academy.

Overview

Liongard's custom Actionable Alerts give you the ability to get automated alerts on the data that is critical to your team when and where it is valuable.

Liongard's custom Actionable Alerts allow you to answer questions like:

  • Do we have tenants in Office 365 with unused licenses?
  • When does our client's firewall software need an update?
  • Did a Duo user put herself/himself in bypass mode?

You can create your own custom Actionable Alerts in two ways:

21662166

Clone an Existing Actionable Alert

Example Walkthrough

Video isn't playing? Click here.

Step 1: Select Existing Actionable Alert Rule to Clone

  1. Navigate to Admin > Actionable Alerts
13801380
  1. Search for the Rule you would like to clone using Liongard's table filtering capabilities.

  2. Notate the Rule Name for the rule you are cloning. You will need to know the Rule Name for the final step in this process.

13731373

Step 2: Clone the Existing Alert

Select the Clone icon next to the Rule to open the Rule Builder

13701370

Step 3: Edit the Rule Builder

General Section

  • Edit the Title to name the new rule
11421142 440440

Rule Conditions Section

Here you will create rules based on thresholds. Using the "+" sign, you can create multiple rules within one condition.

You can also clone conditions to adjust the priority of each conditional statement.

12201220

Edit Fields:

  • System: The System/Inspector is preselected. If you would like to test against a different System/Inspector, select the desired System/Inspector from the dropdown menu.
  • Conditional Statement: Adjust the Conditional Statement to meet your team's needs.
    • In the If statement, select:
      • ALL: Trigger an alert if ALL statements outlined below are met.
      • ANY: Trigger an alert if ANY statements outlined below are met.
      • Priority: Select the priority desired for the alert based on the conditions below.
  • Metric: In most cases, you will not adjust the Metric prepopulated. If you would like to change the Metric, use the dropdown menu or the search icon to do so.
  • Operator: Adjust the operator to fit your rule{s) needs.
OperatorValue
>Greater than
<Less than
=Equals
>=Greater than or equal to
< =Less than or equal
!=Does not equal
changedWill trigger an Alert if the Metric selected changes from one inspection to another.

Additionally, any time the selected Metric changes the Roarbot will trigger an Alert Comment showing the change to the Metric.

If selected, this operator automatically triggers a Change Detection. For more information, review our Change Detections documentation.
emptyWill trigger an Alert if this Metric is empty. A Threshold is not required.
is not emptyWill trigger an Alert if this Metric is not empty. A Threshold is not required.
containsWill trigger an Alert if this Metric contains what is listed in the Threshold field. The Threshold field is case sensitive.
does not containWill trigger an Alert if this Metric does not contain what is listed in the Threshold field. The Threshold field is case sensitive.
  • Threshold: Edit as needed. This field is case sensitive. Ensure you are using exact spelling and capitalization.

  • Continue to edit additional Conditional Statements. You can choose to remove additional Conditional Statements and/or edit them to fit your team's needs.

Alert Content Section

18141814
  • Body: The Body of the alert will prepopulate when you clone an existing rule. Edit the Body to best suit your team's needs
    • Add a Metric: Using the table icon, add an additional Metric(s) if you would like for it to be included in the Body of the alert. This Metric(s) is not dynamic and will not change if there are updates to alert.
760760
  • Alert Comments (Optional): An Alert Comment is meant to give you additional, dynamic context on a triggered alert. Alert Comments can provide an audit trail. If you would like to utilize this Alert Comment, add the desired text, and select the Metric(s) you would like to display here.
    • Add a Metric: The Alert Comment will be added to the Alert each time the Metric selected, in the Alert Comment section, changes.
    • If using the "changed" operation condition, do NOT add the Metric used for the “changed” operation condition to the Alert Comments of these rules. With the "changed" operation condition, a Roarbot comment will automatically be added each time the Alert triggers, outlining the changes to the Metric output.
11791179

Testing Section

11811181
  • Testing: Based on the System/Inspector selected above, select the Inspection Date(s) you would like to test your rule against.
  • Inspection Results: Once you have selected Inspection Dates, the results of your rule will display here.
11771177

Step 4: Save the Rule

Once you have edited all fields, select "Save."

Rules must be added to Templates, which are applied to Environments, to trigger Alerts.

  • Finish: Select Finish if you do not wish to add this Rule to a Template at this time.
  • Continue: To add this Rule to a Template, select Continue.
550550

Step 5: Add Rule to Template

If you selected Continue, follow the steps below.

  1. Using the checkboxes on the lefthand side of the table, to select the Template(s) you would like to add your new rule to.
  2. Once selected, click Apply.
19071907
  1. Once you have applied the rule to a Template(s), you will see the screen below. If the Template is applied to Environment(s), once the rule is triggered, you will receive an Alert.
574574

Step 6: Disable Old Rules

Because you cloned an existing rule, you will want to disable this rule in any active Templates, so you do not receive alerts based on old thresholds and priorities.

  1. On the Rules tab, search the Rule Name you recorded in Step 1. This is the Rule Name for the rule you cloned.
  2. Write down the Template name{s) listed in the Template column. You will need to know each Template that the rule is enabled in.
24682468
  1. Navigate to the Templates tab. Select the three dots in the Action column next to a Template where the Rule is active. Select Edit the Template.
  2. In the Rules Section, search the Rule Name.
  • Toggle off the Enabled toggle
  • Select Save
24602460
  1. Repeat this process for each additional Template that the rule is enabled in.
  2. To ensure the rule is disabled in all Templates, navigate to the Rules tab, search the rule in the Rule Name column, ensure that the Templates column is blank.

Write a Custom Actionable Alert

Example Walkthrough

Video isn't playing? Click here

👍

Desired Metric(s)

Prior to creating your new Rule in the Rule Builder, you will need to predetermine the Metric(s) you would like to base the Rule on.

For more information on Metrics, please review our Metrics documentation

Step 1: Open Rule Builder

  • Navigate to Admin > Actionable Alerts Select the "Create Rule" button in the top righthand corner
484484

Step 2: Edit the Rule Builder

General Section

14181418
  1. Select the Inspector you would like to build a rule for
  2. Edit the Title to name the new Rule

Rule Conditions Section

Here you will create rules based on thresholds. Using the "+" sign, you can create multiple rules within one condition.

You can also clone conditions to adjust the priority of each conditional statement.

20682068
  • System: Select the System/Inspector you would like to test your rule against.
  • Conditional Statement: Edit the Conditional Statement to meet your team's needs.
    • In the If statement, select:
      • ALL: Trigger an alert if ALL statements outlined below are met.
      • ANY: Trigger an alert if ANY statements outlined below are met.
      • Priority: Select the priority desired for the alert based on the conditions below.
  • Metric: Select the Metric you would like to base your Rule on. Use the Search icon to view more details about available Metrics.
  • Operator: Change the operator to fit your Rule's needs.
OperatorValue
>Greater than
<Less than
=Equals
> =Greater than or equal to
< =Less than or equal
!=Does not equal
changedWill trigger an Alert if the Metric selected changes from one inspection to another.

Additionally, any time the selected Metric changes the Roarbot will trigger an Alert Comment showing the change to the Metric.

If selected, this operator automatically triggers a Change Detection. For more information, review our Change Detections documentation.
emptyWill trigger an Alert if this Metric is empty. A Threshold is not required.
is not emptyWill trigger an Alert if this Metric is not empty. A Threshold is not required.
containsWill trigger an Alert if this Metric contains what is listed in the Threshold field. The Threshold field is case sensitive.
does not containWill trigger an Alert if this Metric does not contain what is listed in the Threshold field. The Threshold field is case sensitive.
  • Threshold: Edit as needed. This field is case sensitive. Ensure you are using exact spelling and capitalization.
514514

You can clone the conditional statement to create additional conditions for the rule. Edit these conditions as needed.

Alert Content Section

18441844
  • Body of the Alert: Edit the Body to best suit your team's needs.

    • Liongard's Alerts include information, such as Finding, Concern, Attack Vector, and/or Action
    • Add a Metric (Optional): Using the table icon, add an additional Metric(s) if you would like for it to be included in the Body of the Alert. This Metric(s) is not dynamic and will not change if there are updates to alert.
  • Alert Comments (Optional): An Alert Comment is meant to give you additional, dynamic context on a triggered alert. Alert Comments can provide an audit trail. If you would like to utilize this Alert Comment, add the desired text, and select the Metric(s) you would like to display here.

    • Add a Metric: The Alert Comment will be added to the Alert each time the Metric selected, in the Alert Comment section, changes.
    • If using the "changed" operation condition, do NOT add the Metric used for the “changed” operation condition to the Alert Comments of these rules. With the "changed" operation condition, a Roarbot comment will automatically be added each time the Alert triggers, outlining the changes to the Metric output.

Testing Section

11771177
  • Testing: Based on the System/Inspector selected above, select the Inspection Date(s) you would like to test your Rule against.

  • Inspection Results: Once you have selected Inspection Dates, the results of your Rules will display here.

Step 3: Save the Rule

Once you have edited all fields, select "Save." Rules must be added to Templates, which are applied to Environments, to trigger Alerts.

  • Finish: Select Finish if you do not wish to add this Rule to a Template at this time.
  • Continue: To add this Rule to a Template, select Continue.
550550

Step 4: Add Rule to Template

If you selected Continue, follow the steps below.

  1. Using the checkboxes on the lefthand side of the table, select the Template(s) you would like to add your new rule to.
  2. Once selected, click Apply.
19071907
  1. Once you have applied the rule to a Template(s), you will see the screen below. If the Template is applied to Environment(s), once the rule is triggered, you will receive an Alert.
10921092

👍

Priority Field Grayed Out

Please note that a Priority can only be selected once per Actionable Alert Rule. If the priority option you want to select is grayed out, review all Conditional Statements in the Rule Builder, and adjust the priority to avoid duplicate priorities.