Forum Discussion

OrionWithrow
Brass Contributor
Apr 25, 2018

Configuring Alerts

I need help with configuring Alerts. To get started, I set up an alert for a simple query:

 

WDAVThreat | where ThreatStatus == "Remediated"

 

Trying to be alerted to a Windows Defender threat (ultimately I will go for != remediated but this is a test). What I get is an email that includes all of the threats remediated. If possible I would like to get an email for each new threat and only one time. 

 

How do I accomplish my goal?

 

Also note long-term we will be configuring an ITSM connection to ServiceNow. How do the alerts translate to the ITSM? Will they be formatted similarly? Is there a way to control what row data is included in the alert?
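One way to get each detection into an alert only once, as an added example written for this thread and not code from the original post: scope the query to the alert rule's own evaluation window so a row can only satisfy the condition in the evaluation that follows its ingestion, and collapse repeated status updates for the same detection into a single row. The 5-minute window, and the Computer, ThreatName and DetectionId column names used for deduplication, are assumptions; the standard TimeGenerated column is present on every Log Analytics table.

```kql
// Added example, not from the original post.
// Assumptions: the alert rule runs every 5 minutes over a 5-minute lookback,
// and WDAVThreat carries Computer, ThreatName and DetectionId columns
// (assumed names) alongside the TimeGenerated column every table has.
WDAVThreat
| where TimeGenerated > ago(5m)            // only rows ingested since the previous evaluation
| where ThreatStatus != "Remediated"       // the production condition the post is working toward
| summarize arg_max(TimeGenerated, ThreatStatus)
    by Computer, ThreatName, DetectionId   // one row per detection, keeping its latest status
```

The window length must equal the rule's frequency; a longer window re-returns the same rows on successive evaluations, a shorter one can miss rows. The email still carries every row the query returns in that evaluation, so a burst of detections in one window arrives as one message rather than one per threat.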
