diff --git a/alerts/alerts.md b/alerts/alerts.md index 3f072d0f..da2b491c 100644 --- a/alerts/alerts.md +++ b/alerts/alerts.md @@ -21,6 +21,18 @@ Alerts are defined in the Alerts page, found under the Automation sub-menu. Clic Note that we have populated the Name, Description, Target Tag, and Max Events fields, but nothing else yet -- we need to go define our dispatchers and consumers before we can add them to the alert. +Also notice that there are some optional toggles. The first one will allow us to enable the Alert once it is properly configured. The second one allows us to enable Search Retention. + + +### Selecting a Tag + +Every event generated by your dispatchers will be ingested into the Target Tag in JSON format. In general, we recommend the following: + +* Pick a unique tag for each alert you define, and make sure your user has [permission to ingest to that tag](/cbac/cbac). +* Use a prefix, such as `_alerts_`, for all your target tags. This makes it easier to define a separate well to store alerts in, if desired. + +In this example, we have chosen the tag `_alerts_admin_logins`. + ### Max Events The "Max Events" configuration option is an important safeguard against accidentally sending yourself thousands of emails. Basically, when a dispatcher fires, Gravwell will only process *up to* Max Events results from the search. Suppose you have a scheduled search dispatcher which normally generates one or two results, which are emailed out via a flow consumer. If a new data source is added and the scheduled search suddenly returns thousands of results each time, you could be getting thousands of emails -- unless you've been cautious and set Max Events to a low value! 
@@ -31,14 +43,9 @@ Gravwell sets a very low default for Max Events, because it is extremely easy to Setting Max Events to 0 is equivalent to setting it to 8192, the max value ``` -### Selecting a Tag - -Every event generated by your dispatchers will be ingested into the Target Tag in JSON format. In general, we recommend the following: +### Search Retention -* Pick a unique tag for each alert you define, and make sure your user has [permission to ingest to that tag](/cbac/cbac). -* Use a prefix, such as `_alerts_`, for all your target tags. This makes it easier to define a separate well to store alerts in, if desired. - -In this example, we have chosen the tag `_alerts_admin_logins`. +The search retention option will allow any search that dispatches the Alert to be saved as a Persistent Search for a specified period of time. The retention time is configurable with a default of 7 days. After that time, the Persistent Search will be automatically deleted. ## Adding Dispatchers diff --git a/alerts/newalert.png b/alerts/newalert.png index 1cc518ec..417a983d 100644 Binary files a/alerts/newalert.png and b/alerts/newalert.png differ
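Review bot: In the first hunk of alerts/alerts.md, the new paragraph identifies the two toggles only by position ("The first one", "The second one"), which will silently go stale if the form is reordered or a third toggle is added; name them by their on-screen labels instead, e.g. "Also notice two optional toggles: one enables the Alert once it is fully configured, the other enables Search Retention." There is also a stray extra blank line between that paragraph and the new `### Selecting a Tag` heading, and since the section is being moved rather than written fresh, it would be worth a one-line mention that the `_alerts_` prefix and per-alert tag also make it straightforward to restrict who can read alert output, given the link to [permission to ingest to that tag](/cbac/cbac) already present in the list.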
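Review bot: In the second hunk, the new `### Search Retention` section says the retention time "is configurable" but not where (on the alert itself, or globally), and it does not spell out the consequence of "any search that dispatches the Alert" being kept: a dispatcher that fires frequently will accumulate one Persistent Search per firing for the full retention window, each holding the result data that triggered the alert, so readers sizing storage or reviewing who can see those results need that stated. Suggest something like "Each dispatch saves its own Persistent Search, so a frequently firing alert may retain many searches within the 7-day window." Also normalise the capitalisation, since the first hunk writes "Search Retention" and this one writes "search retention", and prefer "allows" over "will allow" to match the surrounding present-tense prose.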