Alerts are generated when Deep Security requires your attention, such as an administrator-issued command failing, or a hard disk running out of space. Deep Security includes a pre-defined set of alerts (for a list, see Predefined alerts). Additionally, when you create protection module rules, you can configure them to generate alerts if they are triggered.
There are several ways to see which alerts have been triggered:
- They're displayed in the "Alert Status" dashboard widget in Deep Security Manager.
- They're displayed on the Alerts page in Deep Security Manager (see View alerts in Deep Security Manager).
- You can get an email notification when an alert is triggered (see Set up email notification for alerts.)
- You can generate alert reports (see Generate reports about alerts and other activity).
The Alerts page in Deep Security Manager displays all alerts that have been triggered, but not yet responded to. You can display alerts in a summary view that groups similar alerts together, or in list view, which lists all alerts individually. To switch between the two views, use the menu next to "Alerts" in the page's title. You can also sort the alerts by time or by severity.
In summary view, expanding an Alert panel (by clicking Show Details) displays all the computers (or users) that have generated that particular alert. Clicking the computer will display the computer's Details window. If an alert applies to more than five computers, an ellipsis ("...") appears after the fifth computer. Clicking the ellipsis displays the full list. Once you have taken the appropriate action to deal with an alert, you can dismiss the alert by selecting the check box next to the target of the alert and clicking Dismiss. (In list view, right-click the alert to see the list of options in the context menu.)
Alerts that can't be dismissed (like "Relay Update Service Not Available") will be dismissed automatically when the condition no longer exists.
In cases where an alert condition occurs more than once on the same computer, the alert will show the timestamp of the first occurrence of the condition. If the alert is dismissed and the condition reoccurs, the timestamp of the first re-occurrence will be displayed.
Unlike security events and system events, alerts are not purged from the database after a period of time. Alerts remain until they are dismissed, either manually or automatically.
To configure the settings for individual alerts, go to the Alerts page in Deep Security Manager and click Configure Alerts. This displays a list of all alerts. A green check mark next to an alert indicates that it is enabled. An alert will be triggered if the corresponding situation occurs, and it will appear in the Deep Security Manager.
You can select an alert and click Properties to change other settings for the alert, such as the severity level and email notification settings.
Deep Security Manager can send emails to specific users when selected alerts are triggered.
To enable email notifications:
- Go to the Alerts page and click Configure Alerts to display the list of alerts.
- A green check mark next to an alert indicates that it is enabled. An alert will be triggered if the corresponding situation occurs, and appear in the Deep Security Manager GUI. If you also want to receive email about the alert, double-click on an alert to display its Properties window, then select at least one of the "Send Email" check boxes.
- Go to Administration > User Management > Users and double-click a user account to display its Properties window.
- On the Contact Information tab, enter an email address and select Receive Alert Emails.
All alert emails will be sent to this address or email distribution list, even if the recipients have not been set up in their user account properties to receive email notifications.
- Go to Administration > System Settings > Alerts.
- For Alert Email Address - The email address to which all alert emails should be sent, provide an email address or a distribution list email address.