The Alerts section of BetterCloud allows you to enable and customize a library of alerts for your domain, to keep you apprised of security concerns and monitor important settings. Alerts can also be used to trigger workflows, allowing you to dynamically manage security risks, redundancies, and routine admin tasks across your organization. This article will walk through how to set up, customize, manage and audit alerts.
Exploring and Managing Alerts
The Alerts section of BetterCloud can be accessed via the left side navigation bar. Select "Manage" to be directed to the Alerts Manager.
The Alerts Manager holds a library of system alerts and alert templates from your integrations. When you create custom alerts for your domain, they will also be displayed here.
The Alerts Manager displays alert information in several default columns:
- Type - Denotes whether an alert is a default "System", “Template”, or "Custom" alert
- Name - Lists the alert's full name
- Integration - Displays the icon of the integration that the alert is associated with
- Description - Displays the description of the alert
- Severity - Lists the severity designated to the alert as "Minor", "Major" or "Critical"
- Status - Displays the active or inactive status of an Alert
The column on the far right is an unlabeled column for alert management actions that are nested beneath a dropdown caret icon:
- Status - Lists whether an alert is enabled, disabled, or an inactive template by "Active", “Inactive”, or "----" respectively
- Dropdown caret - Contains options to edit, duplicate, or delete the alert (only custom alerts can be deleted)
Columns in the Alerts Manager can be managed and customized further by clicking on each column header.
Most columns can be filtered down to a particular content type or searched by text. All columns except for "Name" and the dropdown actions caret can be hidden. From each column, you also have the option to restore others that have already been hidden.
Here's what two different column examples look like: "Name" displays options for searching by content, and "Integration" displays options for filtering by content type.
System and Template Alerts
The two categories of default alerts available in BetterCloud fall under the types “System” and “Template”. Though these are similar in that both can be enabled with or without conditions, there are slight differences in the default configurations for these types of alerts. While System alerts are enabled by default and are automatically available in the Workflow Builder as soon as the relevant Integration is installed, Template alerts must first be configured and enabled before they will trigger and appear as WHEN events in the Workflow Builder.
Setting Up System and Template Alerts
When you click on an alert's name from the Alerts Manager, or select "Edit" from the dropdown caret associated with that alert, a right side flyout tab will appear.
This tab offers the ability to change the alert's severity setting, number of instances necessary to trigger the alert, and notification preferences.
Alert Details contains the alert's associated Integration, name, description, and current alert type. In system alerts, these fields are read-only. In custom alerts, name and description can be edited.
Alert Trigger Conditions
Alert trigger conditions govern the data point that the alert is monitoring when enabled. In system alerts the Integration, object and event type are predetermined and read-only.
However, if applicable, you can also click the "Add Condition" button to duplicate the system alert and create a custom alert from it, which will allow you to add up to two additional conditions. For instructions on creating custom alerts, please see Customizing Alerts below.
Trigger this alert...
This section allows you to scope your conditions by setting the threshold that must be exceeded before the alert will trigger, causing it to appear in the Triggered Alerts section. You can either trigger the alert every time an event occurs, or after an event occurs a certain number of times.
If a triggered alert exceeds 50,000 results and is not being used as a triggering event in a Workflow, the Alert will be automatically disabled. Please refer to the Customizing Alerts section below for more information on optimizing your Alerts' configuration or contact Support.
When an enabled alert exceeds its threshold and is triggered, it will appear in the Triggered Alerts section of BetterCloud. The Notifications section of the flyout allows you to set an alert's severity level, enable or disable the alert, and configure additional notification methods that will take place when this alert is triggered.
"Send an alert notification email" requires a recipient email address, subject and message.
"Send an alert SMS message" requires a phone number and message. For international phone numbers, please use the following format: + (country code) (phone number)
"Send an alert via Webhook" requires a valid webhook URL and payload. The payload is usually a JSON object, but the payload requirements will be specified in the documentation of whichever webhook you're using.
When you have taken all of the required setup steps, you can save your alert at the bottom of the tab. Enabled alerts, when they exceed their set threshold, will then appear in the Triggered Alerts section for review. All alerts, whether enabled or disabled, will continue to appear in the Alerts Manager.
Customizing Alerts
By adding trigger conditions to a default system alert, you can create custom alerts in BetterCloud. Any existing system alert, whether enabled or not, can be used as a template to build a custom alert.
To begin, navigate to the Alerts Manager and click the name of the system alert you wish to start with. In the "Alert Trigger Conditions" section of the alert's flyout tab, click "Add Condition". You'll be prompted with a popup box in which to enter the name of your new custom alert. From this popup, click "Cancel" to exit back out to the system alert's tab, or "Continue" when you've entered a name for your new custom alert.
When you continue, the alert's name in the flyout tab will now be set to your custom alert's name. You can now also change the alert's description, so that your custom alert can be more easily distinguished from the template it was copied from.
Next, you can add up to two custom conditions to the alert in addition to the primary condition that the alert came equipped with. All conditions will operate in combined "AND" behavior (e.g. when a user is created in Google, AND that user has been placed in org unit "XYZ").
To customize your conditions, you'll need to select a relevant "Data Point" from that field's dropdown menu, an "Operator" that will determine how the condition scopes, and then enter the data point's value in the following "Value" field. Depending on the data point, some fields will populate a dropdown or typeahead that you must select a value from, while others will allow free text entry. If need be, you can remove an added condition by clicking the "x" box to the right of the condition.
Finally, select threshold and notification settings to complete your alert, just as you would when setting up a system alert. Save the alert at the bottom of the flyout.
In the Alerts Manager, this alert will now be listed as "Custom" in the "Type" column, and will also appear in the Workflow Builder as a WHEN event. Enabled alerts, when they exceed their set threshold, will appear in the Triggered Alerts section for review.
Auditing Triggered Alerts
When enabled alerts exceed their designated threshold, they will appear in the Triggered Alerts section. This section can be reached by clicking "Triggered", under "Alerts" in the left side navigation bar.
Triggered Alerts will display alert information in several default columns:
- Status - Lists each alert's visibility status as either "New" or "Read"
- Triggered - Lists the date that the alert was most recently triggered
- Severity - Displays the severity listing of "Minor", "Major" or "Critical", that the alert was given when set up
- Name - Lists the alert's name
- Integration - Displays the integration that the alert is associated with
- Count - Lists the total number of events matching the alert’s conditions
- Threshold - Lists the threshold that the alert currently has configured
Columns in Triggered Alerts can be filtered or sorted by clicking on each column header. For example, you can filter by a particular Integration.
You can review the results of a triggered alert by clicking on its name from the grid, which will open a flyout. The grid shows a history of the entities that triggered the alert (users, groups, or files, depending on the alert), as well as the date and time when they did so.
You can also use this grid to select entities by their checkboxes individually or in bulk, and make changes to remediate the alert using the "Actions" dropdown that will appear at the top of the tab.
Alerts as Workflow Events
Alerts in BetterCloud can be used to trigger and automate workflow actions across integrations. When a configured alert is used as the WHEN event in a published workflow, triggers that cause the alert's threshold to be exceeded will also trigger the workflow to run and take its set actions. This combination allows you to dynamically manage security concerns, redundancies, and routine admin tasks across your organization.
For more information, please see here: Using an Alert as a Workflow Event.
Certain types of events are related to actions taken in a given Integration rather than the current state of a user, group, or file that has been synced into BetterCloud. Alerts based on these types of activity are referred to as “Activity-based Alerts”, and cover important security concerns like failed user logins and file downloads. All of these alerts require at least one condition in order to be enabled. Because of the increased quantity of data these event streams represent and the additional system load required to process them, Activity-based Alerts are only available on our Pro and Enterprise subscription levels.
Activity-based Alerts now support windowing, which allows you to set a time period during which triggering events will occur. For example, if you want to be notified if there are more than five unsuccessful logins from a particular account over the course of an hour, you can use windowing to be alerted only on events exceeding that threshold within that span of time. For more information, check out our documentation on Windowing in Alerts.
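To show why a window matters for a threshold such as "more than five unsuccessful logins in an hour", here is an added example that is not BetterCloud code: the event fields, the sliding-window interpretation and the sample events are assumptions constructed for illustration. It compares a windowed count with a plain cumulative count over the same events, with all conditions combined as AND.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def windowed_triggers(events, conditions, threshold, window):
    """Return {account: time at which the number of matching events inside
    `window` first exceeded `threshold`}. `events` must be sorted by time."""
    recent = defaultdict(deque)  # account -> timestamps still inside the window
    fired = {}
    for ev in events:
        # Every condition must match (combined AND behavior).
        if not all(ev.get(k) == v for k, v in conditions.items()):
            continue
        q = recent[ev["account"]]
        q.append(ev["time"])
        # Assumption: a sliding window; drop events older than `window`.
        while ev["time"] - q[0] >= window:
            q.popleft()
        if len(q) > threshold and ev["account"] not in fired:
            fired[ev["account"]] = ev["time"]
    return fired

def sample_events():
    """Constructed sample data (hypothetical field names)."""
    t0 = datetime(2024, 1, 1, 9, 0)
    evs = []
    for i in range(6):
        # alice: six failures spread over more than four hours
        evs.append({"account": "alice", "event": "login", "outcome": "failure",
                    "time": t0 + timedelta(minutes=50 * i)})
        # bob: six failures within twenty minutes
        evs.append({"account": "bob", "event": "login", "outcome": "failure",
                    "time": t0 + timedelta(hours=1, minutes=4 * i)})
        # carol: six successful logins, excluded by the outcome condition
        evs.append({"account": "carol", "event": "login", "outcome": "success",
                    "time": t0 + timedelta(minutes=2 * i)})
    return sorted(evs, key=lambda e: e["time"])

CONDITIONS = {"event": "login", "outcome": "failure"}

if __name__ == "__main__":
    evs = sample_events()
    print("windowed  :", windowed_triggers(evs, CONDITIONS, 5, timedelta(hours=1)))
    # timedelta.max never expires an event, so this is a cumulative count.
    print("cumulative:", windowed_triggers(evs, CONDITIONS, 5, timedelta.max))
```

With the window, only the burst from "bob" triggers; without it, the slow trickle from "alice" eventually crosses the same threshold as well.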
Important / Requirements
- Alerts associated with a given Integration will only be available after the Integration has been enabled in BetterCloud. For more information on adding an integration, please see here.
- Some system alerts cannot be customized. In these cases, an "Add Condition" option will not appear in the alert's flyout tab.
- When creating a custom alert, up to two custom conditions can be added in addition to the primary condition that the alert came equipped with.
- All custom alert conditions will operate in combined "AND" behavior (e.g. when a user is created in Google, AND that user has been placed in org unit "XYZ").
- Only custom and duplicate alerts can be deleted.