Threshold alerts with the level we want and not just the level from Event Viewer
We can set up custom alerts for an Event ID in thresholds. The problem is that when setting up the alert, the level has to match what is in the Windows log. For example, if we set up an alert for Event ID 4672, for a user being granted admin rights, the level in Event Viewer is "Informational", so we have to set up the alert in the threshold as Informational to match. It would be great if we could assign the Atera alert to Warning instead of Informational. That would give us the red-flag warning that they may be compromised, instead of the alert getting missed among the "Informational" alerts.
-
PS
commented
I don't know if this helps you, but this is what we use: on the "event by source" threshold you can set "Alert Severity (you choose this)" to informational, warning, or critical. Warning and critical send me emails, but informational sits in the console. The "Alert severity" is what triggers and defines whether you get the email alert, not the "Windows Event Severity." The Windows event severity does have to equal the incident's severity in the event log, but so do the event ID and source, for the threshold to be triggered.
-
Joe Smith
commented
Currently we have several alerts set up for things like user lockouts, security group changes, new accounts added, etc. Unfortunately those alerts scroll away quickly and are often missed because they are considered "informational".
We need the ability to change the alerting severity in Atera, instead of just matching the status that shows in Windows Event Viewer. While Windows may consider someone getting added to the admin group in Active Directory informational, to me that may be critical and a sign of a hacker in the system.
Being able to set up alerts from Windows events that don't have to match the same status Windows gives them would be a big help for tracking some of the security settings like that.
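As an added example (my own script, not Atera's code or the posters'), this PowerShell reads Event ID 4672 from the Security log on the monitored host and tags each hit with a severity we pick ourselves, separate from the "Information" level Windows assigns. It assumes it runs elevated on the host; the Warning mapping and the list of well-known service accounts to skip are my assumptions, and the Atera threshold itself still has to be matched on Information for it to fire.

```powershell
# Added example: raise the alert severity of security-relevant Windows events
# that Windows itself logs as "Information". Not Atera code; assumed to run
# as an administrator on the host being monitored.

# Assumed rule table: Event ID -> the severity we want to raise the alert to.
# 4672 = "Special privileges assigned to new logon" (admin rights), logged as Information.
$SeverityOverrides = @{
    4672 = 'Warning'
}

# Assumed noise filter: 4672 fires constantly for built-in service accounts,
# so skip them and keep only interactive/user accounts.
$IgnoredAccounts = @('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE')

function Get-OverriddenSecurityEvents {
    param(
        [int]$Hours = 24
    )
    $filter = @{
        LogName   = 'Security'
        Id        = [int[]]$SeverityOverrides.Keys
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # For 4672, Properties[1] is SubjectUserName (the account that got the privileges).
        $account = $_.Properties[1].Value
        if ($IgnoredAccounts -contains $account -or $account -like 'DWM-*' -or $account -like 'UMFD-*') {
            return
        }
        [pscustomobject]@{
            TimeCreated   = $_.TimeCreated
            EventId       = $_.Id
            WindowsLevel  = $_.LevelDisplayName       # what Event Viewer shows: "Information"
            AlertSeverity = $SeverityOverrides[$_.Id] # what we actually want to alert at
            Account       = $account
            Summary       = ($_.Message -split "`n")[0].Trim()
        }
    }
}

# Show only the events we decided are Warning or higher, newest first.
Get-OverriddenSecurityEvents -Hours 24 |
    Where-Object { $_.AlertSeverity -in @('Warning', 'Critical') } |
    Sort-Object TimeCreated -Descending |
    Format-Table -AutoSize
```

Run it as a scheduled task or an Atera script, and act on the AlertSeverity column rather than on the Windows level.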