Liongard

Roar Users Guide & Documentation

Welcome! You'll find comprehensive guides and documentation to help MSPs start working with Liongard's Roar as quickly as possible, as well as support if you get stuck. Let's go #MakeITRoar!


How to Write a Custom Actionable Alert

Overview

Liongard's custom Actionable Alerts give you the ability to get automated alerts on the data that is critical to your team when and where it is valuable.

Liongard's custom Actionable Alerts allow you to answer questions like:

  • Do we have tenants in Office 365 with unused licenses?
  • When does our client's firewall software need an update?
  • Did a Duo user put herself/himself in bypass mode?

You can create your own custom Actionable Alerts in two ways:

Clone an Existing Actionable Alert


Step 1: Select Existing Actionable Alert Rule to Clone

  1. Navigate to Admin > Actionable Alerts.
  2. Search for the Rule you would like to clone using Liongard's table filtering capabilities.
  3. Note the Rule Name for the rule you are cloning. You will need to know the Rule Name for the final step in this process.

Step 2: Clone the Existing Alert

Select the Clone icon next to the Rule to open the Rule Builder.

Step 3: Edit the Rule Builder

General Section

  • Edit the Title to name the new rule

Rule Conditions Section

Here you will create rules based on thresholds. Using the "+" sign, you can create multiple rules within one condition.

You can also clone conditions to adjust the priority of each conditional statement.

Edit Fields:

  • System: The System/Inspector is preselected. If you would like to test against a different System/Inspector, select the desired System/Inspector from the dropdown menu.
  • Conditional Statement: Adjust the Conditional Statement to meet your team's needs.
    • In the If statement, select:
      • ALL: Trigger an alert if ALL statements outlined below are met.
      • ANY: Trigger an alert if ANY statements outlined below are met.
      • Priority: Select the priority desired for the alert based on the conditions below.
  • Metric: In most cases, you will not adjust the Metric prepopulated. If you would like to change the Metric, use the dropdown menu or the search icon to do so.
  • Operator: Adjust the operator to fit the needs of your rule(s).

| Operator | Value |
| --- | --- |
| > | Greater than |
| < | Less than |
| = | Equals |
| >= | Greater than or equal to |
| <= | Less than or equal to |
| != | Does not equal |
| changed | Will trigger an Alert if the Metric selected changes from one inspection to another. Additionally, any time the selected Metric changes, the Roarbot will trigger an Alert Comment showing the change to the Metric. If selected, this operator automatically triggers a Change Detection. For more information, review our Change Detections documentation. |
| empty | Will trigger an Alert if this Metric is empty. A Threshold is not required. |
| is not empty | Will trigger an Alert if this Metric is not empty. A Threshold is not required. |
| contains | Will trigger an Alert if this Metric contains what is listed in the Threshold field. The Threshold field is case sensitive. |
| does not contain | Will trigger an Alert if this Metric does not contain what is listed in the Threshold field. The Threshold field is case sensitive. |

  • Threshold: Edit as needed. This field is case sensitive. Ensure you are using exact spelling and capitalization.

  • Continue to edit additional Conditional Statements. You can choose to remove additional Conditional Statements and/or edit them to fit your team's needs.

Alert Content Section

  • Body: The Body of the alert will prepopulate when you clone an existing rule. Edit the Body to best suit your team's needs.
    • Add a Metric: Using the table icon, add an additional Metric(s) if you would like it to be included in the Body of the alert. This Metric(s) is not dynamic and will not change if there are updates to the alert.
  • Alert Comments (Optional): An Alert Comment is meant to give you additional, dynamic context on a triggered alert. Alert Comments can provide an audit trail. If you would like to use an Alert Comment, add the desired text, and select the Metric(s) you would like to display here.
    • Add a Metric: The Alert Comment will be added to the Alert each time the Metric selected in the Alert Comment section changes.
    • If using the "changed" operation condition, do NOT add the Metric used for the "changed" operation condition to the Alert Comments of these rules. With the "changed" operation condition, a Roarbot comment will automatically be added each time the Alert triggers, outlining the changes to the Metric output.

Testing Section

  • Testing: Based on the System/Inspector selected above, select the Inspection Date(s) you would like to test your rule against.
  • Inspection Results: Once you have selected Inspection Dates, the results of your rule will display here.

Step 4: Save the Rule

Once you have edited all fields, select "Save."

Rules must be added to Templates, which are applied to Environments, to trigger Alerts.

  • Finish: Select Finish if you do not wish to add this Rule to a Template at this time.
  • Continue: To add this Rule to a Template, select Continue.

Step 5: Add Rule to Template

If you selected Continue, follow the steps below.

  1. Using the checkboxes on the lefthand side of the table, select the Template(s) you would like to add your new rule to.
  2. Once selected, click Apply.
  3. Once you have applied the rule to a Template(s), you will see the screen below. If the Template is applied to Environment(s), once the rule is triggered, you will receive an Alert.

Step 6: Disable Old Rules

Because you cloned an existing rule, you will want to disable the original rule in any active Templates, so you do not receive alerts based on old thresholds and priorities.

  1. On the Rules tab, search for the Rule Name you recorded in Step 1. This is the Rule Name for the rule you cloned.
  2. Write down the Template name(s) listed in the Template column. You will need to know each Template that the rule is enabled in.
  3. Navigate to the Templates tab. Select the three dots in the Action column next to a Template where the Rule is active. Select Edit the Template.
  4. In the Rules Section, search for the Rule Name.
    • Toggle off the Enabled toggle.
    • Select Save.
  5. Repeat this process for each additional Template that the rule is enabled in.
  6. To ensure the rule is disabled in all Templates, navigate to the Rules tab, search for the rule in the Rule Name column, and ensure that the Templates column is blank.

Write a Custom Actionable Alert


Desired Metric(s)

Prior to creating your new Rule in the Rule Builder, you will need to predetermine the Metric(s) you would like to base the Rule on.

For more information on Metrics, please review our Metrics documentation.

Step 1: Open Rule Builder

  • Navigate to Admin > Actionable Alerts.
  • Select the "Create Rule" button in the top righthand corner.

Step 2: Edit the Rule Builder

General Section

  1. Select the Inspector you would like to build a rule for
  2. Edit the Title to name the new Rule

Rule Conditions Section

Here you will create rules based on thresholds. Using the "+" sign, you can create multiple rules within one condition.

You can also clone conditions to adjust the priority of each conditional statement.

  • System: Select the System/Inspector you would like to test your rule against.
  • Conditional Statement: Edit the Conditional Statement to meet your team's needs.
    • In the If statement, select:
      • ALL: Trigger an alert if ALL statements outlined below are met.
      • ANY: Trigger an alert if ANY statements outlined below are met.
      • Priority: Select the priority desired for the alert based on the conditions below.
  • Metric: Select the Metric you would like to base your Rule on. Use the Search icon to view more details about available Metrics.
  • Operator: Change the operator to fit your Rule's needs.

| Operator | Value |
| --- | --- |
| > | Greater than |
| < | Less than |
| = | Equals |
| >= | Greater than or equal to |
| <= | Less than or equal to |
| != | Does not equal |
| changed | Will trigger an Alert if the Metric selected changes from one inspection to another. Additionally, any time the selected Metric changes, the Roarbot will trigger an Alert Comment showing the change to the Metric. If selected, this operator automatically triggers a Change Detection. For more information, review our Change Detections documentation. |
| empty | Will trigger an Alert if this Metric is empty. A Threshold is not required. |
| is not empty | Will trigger an Alert if this Metric is not empty. A Threshold is not required. |
| contains | Will trigger an Alert if this Metric contains what is listed in the Threshold field. The Threshold field is case sensitive. |
| does not contain | Will trigger an Alert if this Metric does not contain what is listed in the Threshold field. The Threshold field is case sensitive. |

  • Threshold: Edit as needed. This field is case sensitive. Ensure you are using exact spelling and capitalization.

You can clone the conditional statement to create additional conditions for the rule. Edit these conditions as needed.

Alert Content Section

  • Body of the Alert: Edit the Body to best suit your team's needs.

    • Liongard's Alerts include information such as Finding, Concern, Attack Vector, and/or Action.
    • Add a Metric (Optional): Using the table icon, add an additional Metric(s) if you would like it to be included in the Body of the Alert. This Metric(s) is not dynamic and will not change if there are updates to the alert.
  • Alert Comments (Optional): An Alert Comment is meant to give you additional, dynamic context on a triggered alert. Alert Comments can provide an audit trail. If you would like to utilize this Alert Comment, add the desired text, and select the Metric(s) you would like to display here.

    • Add a Metric: The Alert Comment will be added to the Alert each time the Metric selected in the Alert Comment section changes.
    • If using the "changed" operation condition, do NOT add the Metric used for the “changed” operation condition to the Alert Comments of these rules. With the "changed" operation condition, a Roarbot comment will automatically be added each time the Alert triggers, outlining the changes to the Metric output.

Testing Section

  • Testing: Based on the System/Inspector selected above, select the Inspection Date(s) you would like to test your Rule against.

  • Inspection Results: Once you have selected Inspection Dates, the results of your Rules will display here.

Step 3: Save the Rule

Once you have edited all fields, select "Save." Rules must be added to Templates, which are applied to Environments, to trigger Alerts.

  • Finish: Select Finish if you do not wish to add this Rule to a Template at this time.
  • Continue: To add this Rule to a Template, select Continue.

Step 4: Add Rule to Template

If you selected Continue, follow the steps below.

  1. Using the checkboxes on the lefthand side of the table, select the Template(s) you would like to add your new rule to.
  2. Once selected, click Apply.
  3. Once you have applied the rule to a Template(s), you will see the screen below. If the Template is applied to Environment(s), once the rule is triggered, you will receive an Alert.


Priority Field Grayed Out

Please note that a Priority can only be selected once per Actionable Alert Rule. If the priority option you want to select is grayed out, review all Conditional Statements in the Rule Builder, and adjust the priority to avoid duplicate priorities.
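
To reason about how ALL/ANY, the operators, case-sensitive Thresholds and the one-priority-per-rule constraint interact before building a rule, the following added example models them in Python. It is not Liongard's code or API; the metric names, priorities, data layout, and the handling of missing metrics are assumptions made for illustration.

```python
# Added illustration: a simplified model of the rule conditions described on
# this page. Metric names, priorities and data layout are assumptions, not
# Liongard's engine or API.
EMPTY = (None, "", [])
OPS = {
    ">": lambda cur, prev, t: cur > t,
    "<": lambda cur, prev, t: cur < t,
    "=": lambda cur, prev, t: cur == t,
    ">=": lambda cur, prev, t: cur >= t,
    "<=": lambda cur, prev, t: cur <= t,
    "!=": lambda cur, prev, t: cur != t,
    "changed": lambda cur, prev, t: cur != prev,   # compares two inspections
    "empty": lambda cur, prev, t: cur in EMPTY,    # no threshold needed
    "is not empty": lambda cur, prev, t: cur not in EMPTY,
    "contains": lambda cur, prev, t: t in cur,     # case sensitive
    "does not contain": lambda cur, prev, t: t not in cur,
}

def statement_met(stmt, current, previous):
    metric, op, threshold = stmt
    cur, prev = current.get(metric), previous.get(metric)
    if cur is None and op not in ("empty", "is not empty", "changed"):
        return False  # assumption: a missing metric fails any comparison
    return OPS[op](cur, prev, threshold)

def evaluate_rule(rule, current, previous):
    """Return the priorities of every condition whose statements are met."""
    priorities = [c["priority"] for c in rule]
    if len(priorities) != len(set(priorities)):
        raise ValueError("a priority can be used only once per rule")
    combine = {"ALL": all, "ANY": any}
    return [c["priority"] for c in rule
            if combine[c["match"]](statement_met(s, current, previous)
                                   for s in c["statements"])]

# Constructed sample data: two consecutive inspections of one system.
PREVIOUS = {"bypass_user_count": 0, "mfa_policy": "Enforced", "unused_licenses": 2}
CURRENT = {"bypass_user_count": 1, "mfa_policy": "Disabled for admins", "unused_licenses": 2}
RULE = [
    {"priority": "Critical", "match": "ALL", "statements": [
        ("bypass_user_count", ">", 0), ("bypass_user_count", "changed", None)]},
    {"priority": "High", "match": "ANY", "statements": [
        ("mfa_policy", "contains", "disabled"),  # wrong case: never matches
        ("unused_licenses", ">=", 5)]},
]

if __name__ == "__main__":
    print(evaluate_rule(RULE, CURRENT, PREVIOUS))
```

In this model the "High" condition stays silent because the Threshold "disabled" does not match the value "Disabled for admins"; changing the Threshold to "Disabled" makes it fire, which is the kind of miss the Testing section is there to catch.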

Updated about a month ago
