Real Time Alerts and Threshold Reporting

Owned by Steve Challans
Last updated: Aug 30, 2022 by Leigh Purdie (Unlicensed)
4 min read

Realtime Alerts can be added as an output component, in objectives available from the reporting menu. The following example uses a baseline objective that monitors the addition of users to the Administrators group on windows.

Navigate to the Reports\Operating Systems\Administrative Activity\Windows menu

Clone the existing report “Accounts Added or Removed” by using the 3 dots on the right.  Then give it a new name eg: Accounts Added or Removed-Alert.

Now select the new report and click on the configure button within the top navigation panel. You can adjust the report to include the name of the accounts or groups that you want to monitor by adding appropriate match terms. In this case we can add a new match, then tell the objective to search for the text “Administrators” within the “strings” field. We can also drag the real time alert icon into the “Output Components” area. Also adjust the days to search to be 1 day as we only need to check current data for this. So the reporting filter will show the following now:

Once you have added the real time alert option, it will expose additional configuration options.

Since real-time alerts are resource intensive, a maximum of 10 alerts (by default) can be enabled simultaneously, so a deliberate ‘activation’ option needs to be ticked in order to continue.

Other configuration options, such as choosing the notification mechanism, and modifying the default alert message sent to the recipient, are also available.

In the reporting output area you can adjust the fields that will be included within the report.

Now select the “Set” button from the bottom right of the configuration panel, and the realtime alert will be activated. As of version 8.5.0 of Snare Central, there is an extra option to globally enable or disable real time alerts in the configuration wizard Performance and Hardware section, this check box will need to be enabled.

Our second example highlights the realtime threshold reporting capability.

For this we use a similar process but for Failed User logins. Make a cloned report from the base template we used earlier.

Drag in the Real Time Alert icon and the Threshold Reporting icons into the output components area.

Enable the real time alert, and give it a custom message as needed.

 Select the table field components that should be included in the report.

Now enter your threshold alerting configuration requirements. In this case we have configured the objective to report data when there is more than 5 events that match our “Match Settings” filters, over a 5 minute period.

To save select the “Set” button from the bottom right.

Now the alert will be triggered once the number of matched events exceed our threshold settings.

There is no need to regenerate the report as alerting runs automatically in the background. If you want to see what events have recently been triggered, or those events that would have historically been triggered, then you can run the report via the regenerate option.

An example of the report output would be as follows.