
Configuring Alerts

Orion Withrow
Occasional Contributor

I need help with configuring Alerts. To get started, I set up an alert for a simple query:

WDAVThreat | where ThreatStatus == "Remediated"

Trying to be alerted to a Windows Defender threat (ultimately I will go for != remediated but this is a test). What I get is an email that includes all of the threats remediated. If possible I would like to get an email for each new threat and only one time.

How do I accomplish my goal?

Also note long-term we will be configuring an ITSM connection to ServiceNow. How do the alerts translate to the ITSM? Will they be formatted similarly? Is there a way to control what row data is included in the alert?

2 Replies

Hi,

I would suggest reading my blog post on this topic:

https://cloudadministrator.wordpress.com/2018/03/16/using-custom-log-search-alerts-based-on-metric-measurement-for-event-based-logs/

The scenario I am proposing can be used in your case, I think, as it is universal.

I do not have information on the ITSM connection, but I believe there are no controls on automatically populating certain data from the alert to go into specific fields of the incident/event.

Hi,

Here is the documentation for Log based alerts: https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitor-alerts-unified-log

Here is how you define actions for these alerts: https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-action-groups

And here is how to define ITSM integrations: https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-itsmc-overview

Enjoy,

Meir :>
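The "metric measurement" approach recommended in the reply above, worked through as an added example for the original question. This is not code from the thread, from the linked blog post or from Microsoft's docs. It assumes that the WDAVThreat table also exposes Computer and ThreatName columns (the post only shows ThreatStatus), and that the alert rule is created as a metric measurement log alert with Period = 1440 minutes and Frequency = 15 minutes, so that every run can see the last day of data for the anti-join. The 15-minute bucket and 1-day lookback are chosen values, not requirements.

```kusto
// Added example, not code from the thread. Assumed columns: Computer, ThreatName.
// Assumed alert settings: metric measurement, Period = 1440 min, Frequency = 15 min.
let window = 15m;      // one alert bucket; matches the alert Frequency
let lookback = 1d;     // must not exceed the alert Period, or the subquery sees no data
WDAVThreat
| where ThreatStatus != "Remediated"
// open threats reported in the current bucket ...
| where TimeGenerated > ago(window)
// ... minus any (Computer, ThreatName) pair that was already open earlier in the
// lookback, so a threat that keeps being reported does not re-alert every 15 minutes
| join kind=leftanti (
    WDAVThreat
    | where ThreatStatus != "Remediated"
    | where TimeGenerated between (ago(lookback) .. ago(window))
    | distinct Computer, ThreatName
  ) on Computer, ThreatName
// the shape a metric measurement alert expects: an AggregatedValue column,
// TimeGenerated bucketed with bin(), and a "by" clause; every distinct group
// (here each Computer/ThreatName pair) is evaluated and alerted on its own
| summarize AggregatedValue = count() by Computer, ThreatName, bin(TimeGenerated, 15m)
```

In the alert rule, set the condition to AggregatedValue greater than 0 with "Total breaches" equal to 1. A "Number of results" alert, which is what the original query produces by default, fires once per run and puts every matching row into a single e-mail, which is the behaviour the poster describes. The metric measurement form above instead raises one alert per Computer/ThreatName pair in the bucket where it first appears, and the leftanti join keeps it from firing again while the same threat stays unremediated within the lookback. If you only want one alert per bucket and do not mind repeats, drop the join and keep the summarize line; a threat that disappears for longer than the lookback and then returns will alert again, which is normally the desired behaviour for a detection that re-triggers.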