Forum Discussion
OrionWithrow
Apr 25, 2018
Brass Contributor
Configuring Alerts
I need help with configuring Alerts. To get started, I set up an alert for a simple query:
WDAVThreat | where ThreatStatus == "Remediated"
Trying to be alerted to a Windows Defender threat (ultimately I will go for != remediated but this is a test). What I get is an email that includes all of the threats remediated. If possible I would like to get an email for each new threat and only one time.
How do I accomplish my goal?
Also note long-term we will be configuring an ITSM connection to ServiceNow. How do the alerts translate to the ITSM? Will they be formatted similarly? Is there a way to control what row data is included in the alert?
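One way to get a single notification per new detection rather than the whole history on every run is to scope the alert query to the rule's own evaluation window and collapse duplicates before the rule fires. The query below is an added example, not code from the thread or from Microsoft; the 5-minute window and the column names Computer, ThreatName and ThreatStatus are assumptions.

```kusto
// Added example (not from the original post or the documentation links).
// Assumes the log alert rule runs with Period = 5 min and Frequency = 5 min,
// so each WDAVThreat row falls into exactly one evaluation window, and that
// WDAVThreat exposes Computer, ThreatName and ThreatStatus (assumed names).
WDAVThreat
| where TimeGenerated > ago(5m)        // only rows written since the last run
| where ThreatStatus != "Remediated"   // the condition the poster ultimately wants
| summarize FirstSeen = min(TimeGenerated), Detections = count()
          by Computer, ThreatName, ThreatStatus
// Alert condition: number of results > 0.
// Each distinct (Computer, ThreatName, ThreatStatus) row is then reported once,
// in the run whose window it first appeared in, instead of on every run.
```

If the same detection is expected to be logged repeatedly while it stays unremediated, the rule's alert-suppression setting (documented in the log alerts page linked in the first reply) keeps repeat runs from re-sending the same row.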
Meir_Mendelovich
Microsoft
Hi,
Here is the documentation for Log based alerts: https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitor-alerts-unified-log
Here is how you define actions for these alerts: https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-action-groups
And here is how to define ITSM integrations: https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-itsmc-overview
Enjoy,
Meir :->
Hi
I would suggest reading my blog post on this topic:
The scenario I am proposing can be used in your case, I think, as it is universal.
I do not have information on the ITSM connection but I believe there are no controls on automatically populating certain data from the alert to go into specific fields of the incident/event.