Ongoing Alerts Tuning

Ongoing Alerts Tuning provides a simple way to fine-tune alert rules. You can quickly make adjustments when you come across an alert that has been triggered inaccurately. False positive alerts can clutter your Alerts list with information you don't need, causing you to miss important alerts. By clicking the Tuning icon next to an alert, you can make the adjustments you want so that the Alert rule is more accurate in the future, and delete or change the status of alerts that have already been triggered.

Tuning Alert Rules

  1. In the ITM On-Prem Web Console, click Management Console, then Alerts.

    The Alerts page opens in List view (the default mode), displaying a list of triggered alerts. (For details about the Alerts page, see Managing Alerts.)

  2. Click the Tuning icon.

    The Ongoing Alerts Tuning Options display.

Ongoing Alerts Tuning Options

  • Exclude <user> from this Alert rule: The alert will no longer be triggered for the user. In the example, if alon.r connects an unlisted USB device, an alert will not trigger. An alert will trigger for other users.

  • Deactivate this Alert rule for all users: The alert will be inactive for all users. The rule still displays in the Alerts list but is ignored by the rules engine. You can reactivate an inactive rule.

  • Delete all <x> instances of the Alert already triggered for <user>: Delete all instances of this alert that have already been triggered for the specified user. This resets the contribution of this alert to the risk score of this user. After this action is completed, the actual number of instances that were deleted is displayed. (The number of instances includes any additional instances that may have occurred between the time the information was displayed and the time the action was completed.)

  • Delete all <x> instances of this Alert already triggered for all users: Delete all instances of this alert that have already been triggered for all users. This resets the contribution of this alert to the risk score of every user. After this action is completed, the actual number of instances deleted is displayed. (The number of instances includes any additional instances that may have occurred between the time the information was displayed and the time the action was completed.)

  • Exclude <Active Directory Groups> that <user> is a member of from this Alert rule: The alert will no longer be triggered for the user or for any other users in the Active Directory Groups you select. By clicking Active Directory Groups, the list of Active Directory Groups that the user is a member of is displayed, and you can select the relevant groups.

  • Delete this Alert rule entirely: The Alert rule will be deleted permanently.

  • Change the existing status to a new status for all <x> instances of this alert already triggered for <user>: Change the status of all instances of this alert that have already been triggered for the user to one of the following: New, Reviewing, Issue, Non-Issue. For more information about Alert Status, see Changing the Status of Alerts.

  • Change the existing status to a new status for all <x> instances of this alert already triggered for all users: Change the status of all instances of this alert that have already been triggered, for all users, to one of the following: New, Reviewing, Issue, Non-Issue. See Changing the Status of Alerts.
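The following is an added example, not ITM's own code, that models the tuning options above as operations on an in-memory rule store. Everything in it is an assumption made for illustration: the rule id usb-unlisted, the Finance Active Directory group and its members, and the fixed per-instance risk weight of 10. It shows two points the option list leaves implicit: excluding a user (or group) stops future triggers but leaves already-triggered instances and their risk-score contribution in place until you delete them, and the count a delete or status change reports is whatever matched when the action actually ran.

```python
"""Hypothetical in-memory model of Ongoing Alerts Tuning (constructed example, not ITM code)."""
from dataclasses import dataclass, field
from enum import Enum


class Status(str, Enum):
    """The four alert statuses named on the page."""
    NEW = "New"
    REVIEWING = "Reviewing"
    ISSUE = "Issue"
    NON_ISSUE = "Non-Issue"


@dataclass(eq=False)  # identity comparison: two identical triggers are still two instances
class AlertInstance:
    rule_id: str
    user: str
    status: Status = Status.NEW
    risk: int = 10  # constructed per-instance contribution to the user's risk score


@dataclass
class AlertRule:
    rule_id: str
    active: bool = True
    excluded_users: set = field(default_factory=set)
    excluded_groups: set = field(default_factory=set)


class AlertStore:
    """Rules, AD group membership and the alert instances the rules engine has raised."""

    def __init__(self, rules, group_members):
        self.rules = {r.rule_id: r for r in rules}
        self.group_members = group_members  # group name -> set of users (constructed)
        self.instances = []

    def user_groups(self, user):
        return {g for g, members in self.group_members.items() if user in members}

    def trigger(self, rule_id, user):
        """What the rules engine does when an event matches a rule for a user."""
        rule = self.rules.get(rule_id)
        if rule is None or not rule.active:
            return False  # deleted or deactivated rule: ignored for everyone
        if user in rule.excluded_users:
            return False  # "Exclude <user> from this Alert rule"
        if self.user_groups(user) & rule.excluded_groups:
            return False  # "Exclude <Active Directory Groups> that <user> is a member of"
        self.instances.append(AlertInstance(rule_id, user))
        return True

    def risk_score(self, user):
        return sum(i.risk for i in self.instances if i.user == user)

    # --- the tuning options ---
    def exclude_user(self, rule_id, user):
        self.rules[rule_id].excluded_users.add(user)

    def exclude_groups(self, rule_id, user, groups):
        # The UI only offers groups the user actually belongs to; ignore the rest.
        allowed = set(groups) & self.user_groups(user)
        self.rules[rule_id].excluded_groups |= allowed
        return allowed

    def deactivate(self, rule_id):
        self.rules[rule_id].active = False

    def delete_rule(self, rule_id):
        del self.rules[rule_id]

    def _select(self, rule_id, user=None):
        """Instances of a rule for one user, or for all users when user is None."""
        return [i for i in self.instances
                if i.rule_id == rule_id and (user is None or i.user == user)]

    def delete_instances(self, rule_id, user=None):
        victims = self._select(rule_id, user)
        self.instances = [i for i in self.instances if i not in victims]
        return len(victims)  # the actual count at the moment the action ran

    def set_status(self, rule_id, status, user=None):
        targets = self._select(rule_id, user)
        for i in targets:
            i.status = Status(status)
        return len(targets)


def build_sample_store():
    """Constructed sample: one rule, one AD group, four triggered instances."""
    store = AlertStore([AlertRule("usb-unlisted")], {"Finance": {"alon.r", "dana.k"}})
    for user in ("alon.r", "alon.r", "dana.k", "sam.t"):
        store.trigger("usb-unlisted", user)
    return store


if __name__ == "__main__":
    s = build_sample_store()
    s.exclude_user("usb-unlisted", "alon.r")
    print("risk after exclusion only:", s.risk_score("alon.r"))      # 20: instances remain
    print("deleted:", s.delete_instances("usb-unlisted", "alon.r"))   # 2
    print("risk after delete:", s.risk_score("alon.r"))              # 0
```

Run it directly to see the exclusion-versus-delete difference on the constructed data; in practice this is why the option to exclude a user is usually paired with deleting (or re-statusing) the instances already triggered for that user.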

You can open the Alert rule itself by clicking Open this Alert Rule for editing. The Tuning icon is grayed out and not available for View-Only Admin users. (See ITM On-Prem Web Console Users.)