Add a custom alert rule

Data Explorer allows you to save queries so that you can run them again later. With specific Data Explorer licenses, you can also configure custom alert settings for a saved query. When custom alert settings are configured for a saved query, a custom alert is generated each time the query runs as scheduled.

Note: Custom alerts are considered non-emergency events for self-service reporting purposes only. When you configure a custom alert rule, the results of each query run are sent only to members of the recipient group you select. These events are not submitted to the Arctic Wolf® Security Operations Center for review or alerting.

Before you begin

Steps

  1. Run an analyzed log search.
  2. Click Save New Query.
  3. In the Name field, enter a name for the query.
    If you configure custom alert settings for this query, the custom alert uses this same name.
  4. Optional: In the Description (Optional) field, enter a short description of the query.
  5. Select a privacy setting:
    • Not Restricted — Makes the query visible to everyone in your organization.
    • Restricted — Restricts access to only primary and secondary contacts in your organization.
    The privacy setting determines only whether other users can view the saved query in Data Explorer. The custom alert rule that you configure is visible to everyone, and the custom alerts generated when this query runs are also visible to everyone.
  6. Configure custom alert settings:
    1. Click the Enable Custom Alert toggle to the on position.
    2. In the Select Notification field, configure who receives the custom alert:
      • To create a recipient group — Click Create Recipient Group, enter a name for the group, and then add recipients to the To field. If desired, add recipients to the CC field. Then, click Create.
      • To select an existing recipient group — In the Select Notification field, select a group.
      After you select a recipient group, a list of its members is displayed.
    3. In the Notification Frequency field, select how often you want to generate a custom alert.
  7. Click Save.
    A new rule is added to the Custom Alert Rules tab of the Alert Configuration Rules page.