The Alerts and action tab can be viewed in 2 ways, the first is when navigating a sensor via the wizard and the other by selecting the sensor properties and then clicking on the alert tab. The defaults for a new sensor do not create any alerts or actions.
The upper section defines which severities for the sensor trigger an alert. You can some or all of them. In some cases, alerts are only required for error conditions not when it goes back to normal. When in doubt, select them all. These can also be used to control sensor logging, when exception based logging is active, only the checked severities will be logged.
The next most important section is at the bottom, and that is the scheme. The default scheme is None meaning no alert is sent. You will need to update this to one of these schemes to generate alerts.
- Once - an alert is generated once for this sensor
- Change - an alert is generated for every change in severity of the sensor
- Repeat - the event is repeatedly sent if the sensor stays in the current state (repeat limit and rearm interval determine how many times and how frequently)
The trigger delay controls how soon the alert is generated. The default 60000 means that after the sensor goes into an alerting severity that 1 minute will elapse before the event is sent. This allows for conditions where the event is transient and clears right away. We commonly see cases using other intervals, such as a value of 0 to trigger immediately and 900000 to delay 15 minutes.
The event that is triggered will use the event mask to define the details of the alert and the default is controlled by sensor.default.event.mask environment variable. You can hover over this value to see what is defined for it.
Alerts and actions can be triggered as part of the sensor and/or by the policy manager running the sensor.