Administration GuideAction AlertsHow to Create an Action Alert › Select an Alert Query

Previous Topic: Open Schedule Action Alert Wizard

Next Topic: Set Alert Job Scheduling Parameters

Select an Alert Query

Select tags or queries as the basis for a new action alert job. The query, plus any filters you add, defines the circumstances under which an alert is generated. For example, to create an alert to monitor traffic from a host or port, use the All Events query, add filters to define the source hosts to monitor, and an event threshold.

Note: The Action Alerts query category contains queries designed for various common alert needs.

To select an alert query

  1. Open the schedule action alert wizard.
  2. Type a job name.
  3. Select the time zone you want to schedule the report in from the time zone drop-down menu.
  4. Select the Queries or Tags option button to select reports by tag or individually.

    Note: Scheduling alerts by tag lets you add alerts without altering the job itself. If you select the "Identity Management" Tag, any alert with that tag is added to the job at the scheduled run time. You can add a new alert to the job by giving a query the Identity Management tag. This feature also applies to custom tags.

    (Optional) Clear the Enable check box to enable to action alert later rather than as soon as you finish it. The check box is selected by default.

    Note: The ability to create a disabled alert job is designed for use with recurring alerts. If you clear the Enabled check box for a job, and create that job with a single occurrence ("Now" or "Once") it is removed from the Scheduled Alert list.

  5. (Optional) Select a tag or tags to narrow the tags and individual reports displayed. This feature matches the behavior of the Report List.
  6. Select the tags or individual queries you want, and use the shuttle control to add them to the Selected Queries area. You can select both event and incident queries in a single alert job.
  7. Advance to the scheduling step you want to complete next, or click Save and Close.

    If you click Save and Close the alert job is scheduled, otherwise the step you select appears.

More information:

Create an Advanced Event Filter

How to Set Result Conditions