Configuring Alerts

I need help with configuring Alerts. To get started, I set up an alert for a simple query:

WDAVThreat | where ThreatStatus == "Remediated"

Trying to be alerted to a Windows Defender threat (ultimately I will go for != remediated, but this is a test). What I get is an email that includes all of the threats remediated. If possible, I would like to get an email for each new threat, and only one time.

How do I accomplish my goal?

Also note long-term we will be configuring an ITSM connection to ServiceNow. How do the alerts translate to the ITSM? Will they be formatted similarly? Is there a way to control what row data is included in the alert?

2 Replies

Hi

I would suggest reading my blog post on this topic:

https://cloudadministrator.wordpress.com/2018/03/16/using-custom-log-search-alerts-based-on-metric-m...

The scenario I am proposing can be used in your case I think as it is universal.

I do not have information on the ITSM connection but I believe there are no controls on automatically populating certain data from the alert to go into specific fields of the incident/event.
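An added example, not from the question, the reply, or the linked blog post: one way to make the query return only rows from the current evaluation window, so that a threat is reported once when the alert rule's frequency equals its lookback period. The WDAVThreat table and the ThreatStatus column come from the question; the Computer and ThreatName columns and the 5-minute window are assumptions.

```kusto
// Added example (not part of the original thread). Assumes the alert rule is scheduled
// to run every 5 minutes with a 5-minute lookback, so each row falls into exactly one
// evaluation window and is not re-reported on the next run.
// Column names other than ThreatStatus (Computer, ThreatName) are assumptions.
let window = 5m;
WDAVThreat
| where TimeGenerated > ago(window)
// keep only the latest status of each threat within the window, so a threat that was
// detected and then remediated inside the same window does not raise an alert
| summarize arg_max(TimeGenerated, ThreatStatus) by Computer, ThreatName
| where ThreatStatus != "Remediated"
| project Computer, ThreatName, LastSeen = TimeGenerated, ThreatStatus
```

Set the rule to fire when the result count is greater than 0; if the alert rule type supports splitting by dimensions, splitting on Computer and ThreatName yields one alert per threat instead of one email listing all rows.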