Skip to content

Alert Destinations

Alert destinations is LogSentinel SIEM's abstraction for "what happens when an alert triggers". They include sending notifications via multiple channels and executing automated response commands and playbooks.

Alert destinations have to be specified first in order to be able to receive alerts. Alerts can be received via multiple channels. Each alert can have multiple destinations (e.g. send an email and executed an automated response command). The list of supported destinations is:

  • Email - add emails of people (or catch-all team emails) to be alerted
  • SMS - add phone numbers to receive SMS in case an alert is triggered. Note: for on-premise setups you'd need to configure a Twilio account
  • Telegram - you can use our Telegram bot to notify subscribed users. For setting up telegram, check this page
  • Automation destinstions - execute any command, recipe or playbook on a selected endpoint or collector. See more in the next section

The messages sent for the first 3 types can be customized, defaulting to a basic message that contains relevant alert information.

Automation destinations

In addition to getting notified, an alert can trigger a set of automated actions. These include:

  • Invoking IFTTT and Zapier for integration with many 3rd party services, including Slack, Jira, ServiceNow, etc.
  • Invoking a URL, which can be used to call the notification API of a centralized notification system, or to trigger or block certain processes in other applications
  • Running custom Python scripts on collectors
  • Invoking a set of commands on the affected endpoints (e.g. block IP, shutdown, kill process)
  • Invoking predefined sets of commands and scripts that form a playbook
  • Sending a syslog messages
  • Sending a SNMP trap

All automated responses, where applicable, are provided the alert context in a structured format. This includes:

  • the IP address(es) and hostnames of the affected resource(s)
  • the calculated risk level
  • the list of log messages that contributed to the alert

An automated response can be configured to either run automatically when an alert is triggered, or wait for triage to be performed manually.