Edit a custom alert rule

If custom alert settings were enabled for a saved query, you can edit those settings from the Alert Configuration Rules page of the Unified Portal. You can also modify the name of the query and its description.

Note:
  • A maximum of 10 custom alert rules can be enabled at the same time. If you have reached this limit, you will be unable to save your changes. To avoid this error, disable another custom alert rule before you begin.
  • If you want to change the saved query linked to a custom alert rule, for example, to change Data Explorer field values or query operators, see Edit a saved query instead.

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Organization Profile > Alert Configuration Rules.
  3. Click the Custom Alert Rules tab.
  4. Find the custom alert rule that you want to edit.
  5. Optional: To narrow the list of rules, in the Search field, enter a search term.
  6. For the desired custom alert rule, click > View Custom Alert Rule.
  7. Optional: In the Saved Query Settings section:
    1. Change the query name or description.
      These settings also apply to the custom alert rule.
    2. Change the selected privacy setting.
      The option that you select determines only whether other users can view the saved query in Data Explorer. The custom alert rule that you configure will be visible to everyone. Also, when this query runs, the custom alerts that are generated will be visible to everyone.
  8. In the Custom Alert Settings section:
    1. To enable or disable the custom alert rule, set the Enable Custom Alert toggle to the on or off position, respectively.
      Note: To change notification settings, the rule must be enabled.
    2. If desired, change the recipient group or notification frequency.
  9. Click Save.