Creating an investigation-based alert with Finder (classic)

Nexthink Finder is a Windows-only desktop application whose functionality is now available within the Nexthink web interface. Nexthink can now be used directly from a browser and most functions no longer require an additional desktop application.

You can define investigation-based alerts on any type of object. As the name implies, investigation-based alerts express their triggering condition in the form of an investigation. The system will periodically execute investigations associated to alerts depending on the frequency specified for each alert.

You can create an investigation-based alert by either:

  • Defining the alert from scratch

  • Using an existing investigation as a starting point

The dialog box to create alerts in Finder is very similar to the dialog box for designing investigations, though there are a few differences:

  • Investigations associated with an alert must be based on objects. You cannot associate an investigation based on activities or events with an alert.

  • The time frame of the investigation depends on the frequency of the alert. You cannot specify a different time frame in the dialog box for designing the investigation.

  • An additional section at the end of the dialog box for alerts allows you to specify the criticality, the frequency, and the action to take when the alert is triggered.

Creating an investigation-based alert from scratch

To create an investigation-based alert from scratch:

  1. Log in to Finder.

  2. Go to the Settings section in the accordion.

  3. Inside the Settings panel, click the drop-down list Section and either:

    • Select Global alerts to create an alert visible to every user. This option is only available if your account has the right privileges to create global alerts. Currently, users can only see global alerts in the timeline of the Device view. The investigation of the alert must therefore be based on devices for the alert to be visible in Finder.

    • Select My alerts to create an alert that is visible to you only in Finder. This option is available to every user. If the alert is based on devices, it is displayed in the timeline of the Device view.

  4. Right-click the area of the section and select Create new alert or type Ctrl+N. The dialog box for designing a new alert will appear.

  5. Enter a name for the alert by replacing the default Untitled alert x at the top of the dialog box.

  6. Optional: Type a brief description of the alert below the name.

  7. Edit the investigation section of the alert as you would in any other investigation, with the restriction that you must retrieve an object rather than an activity or an event and that there is no need to define the time frame. After specifying the attributes to display, you reach the specific ALERT section.

  8. Set the level of the alert in the drop down list Criticality:

    • Select Normal for non-critical alerts. Normal alerts based on devices are displayed in yellow in the timeline of the Device view.

    • Select High for critical alerts. Critical alerts based on devices are displayed in red in the timeline of the Device view.

  9. Specify the frequency with which the system will check the conditions to trigger the alert:

    • Select Immediate for the system to check the conditions that trigger the alert almost continuously (every 30 seconds). Due to the nature of immediate alerts, you cannot select many display attributes that are usually available for investigation. Finder warns you when you select a display attribute that is incompatible with immediate alerts by showing a red cross to the right of the Immediate keyword. Hover the cursor over the red cross to see the list of incompatible attributes that you selected. To avoid flooding, one hour must elapse between two consecutive immediate alerts for the same object.

    • Select Hourly to evaluate the conditions 15 minutes after the end of every hour and get the results for the whole hour that has just passed.

    • Select Daily to evaluate the conditions 15 minutes after midnight every day and return the results for the past day.

    • Select Weekly to evaluate the conditions 15 minutes after midnight every Monday and send the results of the investigation for the last week.

  10. Choose the action to take when the alert is triggered. Note that the results of an investigation-based alert are limited to a maximum of 250 objects with 15 attributes per object. Results exceeding these values are reduced to avoid sending too much data.

  11. Click Save & Preview to save the new alert and run the associated investigation.

Creating an alert from an existing investigation

To create an investigation-based alert from an existing investigation:

  1. Log in to Finder.

  2. Find the desired investigation in the accordion.

  3. Right-click the name of the investigation and select Add to My alerts... (or Add to Global alerts... if you have the correct privileges). The dialog box to design the alert will appear with the data of the investigation prefilled, so you only need to fill in the ALERT section.

  4. Optional: Change the name of the alert at the top of the dialog box. By default, the alert borrows its name from the investigation.

  5. Optional: Change the description of the alert that you find below the name. By default, the description of the alert is inherited from the investigation as well.

  6. Set the criticality, frequency and actions of the alert as described above.

  7. Optional: Modify the investigation settings to meet your needs. The original investigation will not be modified.

  8. Click Save & Preview to save the alert and execute the associated investigation.

Limit on the number of alerts

Using the methods described above, you can create and enable up to 50 global alerts. For their part, users can create (or receive from their roles) and enable up to 10 additional local alerts per account on each Engine.

The total number of enabled alerts in an Engine, including the global and the local or role-based alerts of all users, is limited to 150.

Timing considerations for immediate alerts on Application Library fields

Because fetching data from the Application Library is not instantaneous, immediate alerts that rely on the value of Application Library fields may fail to fulfill their purpose.

For instance, an immediate alert that is configured to detect the appearance of new binaries with a high threat level in the system will fail to detect the first execution of such binaries. In effect, soon after the execution of a new binary and its creation in the Engine, the conditions of the immediate alert are evaluated. At that point, however, the Engine has not updated the threat level of the binary yet. It is only after about 5 minutes that the Engine connects to the Application Library and sets the value for the threat level.

The best approach, in this case, is to create an additional hourly alert with the same conditions as the immediate alert. In this way, the first execution of a binary with a high threat level may escape the immediate alert but will be detected by the hourly alert at the end of the current hour interval once the Engine has set the correct threat level of the binary.

Last updated