Alerts

The alert system is a resource provided by Advanced EDR to quickly notify administrators of situations that might affect the correct operation of the security service.

Namely, an alert is sent to the administrator every time one of these events occurs:

  • The security software detects a malware specimen, PUP, or exploit.

  • The security software detects a network attack.

  • The security software detects indicators of attack.

  • The security software reclassifies an unknown item (malware or PUP).

  • Advanced EDR detects and blocks an unknown process during classification.

  • There is a license status change.

  • There are installation errors or a computer is unprotected.

Email alerts

Email alerts are messages generated and sent by Advanced EDR to the configured recipients (typically the network administrator) when certain events occur.

Accessing the alert settings

From the top menu, select Settings. From the side menu, select My alerts. The Email alerts page opens, where you can configure the email alert settings.

Alert settings

The alert settings page is divided into three sections:

  • Send alerts in the following cases: Select which events will trigger an alert. For more information, see Alert types.

  • Send the alerts to the following address: Enter the email addresses of the alert recipients.

  • Send the alerts in the following language: Choose the alert message language from those supported in the console:

    • German

    • Spanish

    • French

    • English

    • Italian

    • Japanese

    • Hungarian

    • Portuguese

    • Swedish

Alert export

If the console user has Total Control permissions, they can export the My alerts settings for all account users that have specified alert recipient email addresses. See Alert settings.

To export the settings, click the icon in the upper-right corner of the Email alerts page.

Fields displayed in the exported file

  • Customer: Customer account. Values: character string.

  • User: Advanced EDR console user who configured My alerts. Values: character string.

  • Login email: Email address with which the user logs in to the Advanced EDR console. Values: character string.

  • Blocked: Indicates whether the user can access the Advanced EDR console. See Removing or blocking user accounts. Values: Yes or No.

  • Active cases to send: Indicates whether the user has configured alerts to send in the My alerts settings. See Alert settings. Values: Yes or No.

  • Destination address: Alert recipient email addresses specified by the user. Values: character string.

Fields in the Alerts Destinations exported file
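The exported file is useful for periodically reviewing who actually receives alerts. The following Python script is an added example, not Advanced EDR's own code or a format it documents: it assumes the export is a CSV whose column headers match the field names above and that multiple destination addresses are separated by semicolons, commas or whitespace (both are assumptions; the sample rows are constructed). It flags blocked console users who still have recipients configured, users with active alert cases but no recipient, and recipients outside the organization's mail domain.

```python
import csv
import io
import re

# Constructed sample export. The CSV layout and the header names matching the
# documented fields are assumptions made for this example.
SAMPLE_EXPORT = """\
Customer,User,Login email,Blocked,Active cases to send,Destination address
Acme Corp,alice,alice@acme.example,No,Yes,soc@acme.example;alice@acme.example
Acme Corp,bob,bob@acme.example,Yes,Yes,bob-old@contractor.example
Acme Corp,carol,carol@acme.example,No,Yes,
Acme Corp,dave,dave@acme.example,No,No,
"""

# Assumed separators between several destination addresses in one cell.
ADDRESS_SEPARATOR = re.compile(r"[;,\s]+")


def parse_export(text):
    """Parse the exported settings into a list of row dictionaries keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))


def split_addresses(field):
    """Split a Destination address cell into individual, non-empty addresses."""
    return [addr for addr in ADDRESS_SEPARATOR.split(field.strip()) if addr]


def audit_alert_recipients(rows, org_domain):
    """Return review findings for the exported My alerts settings.

    blocked_with_recipients:   users who cannot log in but still route alerts somewhere
    active_without_recipients: users with alert cases enabled but no destination address
    external_recipients:       (user, address) pairs outside org_domain
    """
    findings = {
        "blocked_with_recipients": [],
        "active_without_recipients": [],
        "external_recipients": [],
    }
    for row in rows:
        user = row["User"]
        recipients = split_addresses(row["Destination address"])
        blocked = row["Blocked"].strip().lower() == "yes"
        active = row["Active cases to send"].strip().lower() == "yes"

        if blocked and recipients:
            findings["blocked_with_recipients"].append(user)
        if active and not recipients:
            findings["active_without_recipients"].append(user)
        for addr in recipients:
            domain = addr.rsplit("@", 1)[-1].lower()
            if domain != org_domain.lower():
                findings["external_recipients"].append((user, addr))
    return findings


if __name__ == "__main__":
    result = audit_alert_recipients(parse_export(SAMPLE_EXPORT), "acme.example")
    for category, items in result.items():
        print(f"{category}: {items}")
```

Run it against a real export after adjusting the header names and separator to what the console actually produces; a blocked user whose addresses still receive detection details is the case most worth cleaning up, since those messages contain computer names, paths and hashes.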

Access permissions and alerts

You define alerts for each web console user. The content of an alert email varies with the managed computers that are visible to the recipient.

Alert types

Each alert type is described by its frequency, the condition that triggers it, and the information shown in the email.

Exploit detections

  • Frequency: The solution sends a maximum of 10 alerts for each computer/exploit pair each day.

  • Condition: Sends an alert for each exploit attempt detected. Windows computers only.

  • Information shown:

    • Name, path, and hash of the program hit by the exploit attempt.

    • Computer name.

    • Group.

    • Date and time (UTC).

    • Action taken.

    • Computer risk level.

    • Assessment of the targeted program security level.

    • Table with contextual telemetry associated with the attacking process at the time it is detected.

    • Possible source of the exploit.

PUP detections

  • Frequency: The solution sends a maximum of two alerts for each computer/PUP pair each day.

  • Condition: Sends an alert for each PUP detected in real time on a computer. Windows computers only.

  • Information shown:

    • First or second message.

    • Name of the malicious program.

    • Computer name.

    • Group.

    • Date and time (UTC).

    • Path of the malicious program.

    • Hash.

    • Table with contextual telemetry associated with the attacking process at the time it is detected.

    • List of computers where the malware was previously seen.

Network attack detections

  • Frequency: Every hour.

  • Condition: Sends an alert for each type of network attack and each source IP address. Windows computers only.

  • Information shown:

    • Computer.

    • Group.

    • Network attack.

    • Local IP address.

    • Remote IP address.

    • Local port.

    • Remote port.

    • Number of occurrences.

Blocked program in the process of classification

  • Frequency: The solution sends an alert for each unknown program detected in real time on the file system.

  • Condition: Windows computers only.

  • Information shown:

    • Name of the unknown program.

    • Computer name.

    • Group.

    • Date and time (UTC).

    • Path of the unknown program.

    • Hash.

    • Table with contextual telemetry associated with the attacking process at the time it is detected.

    • List of computers where the unknown program was previously seen.

Programs blocked or detected by advanced security policies

  • Frequency:

    • If the action is Block, the solution sends a single email message for each computer each day.

    • If the action is not Block, the solution sends the first 50 messages generated for all computers each day.

  • Condition: Windows computers only.

  • Information shown:

    • Detection details:

      • Name of the applied policy.

      • Computer name.

      • Group.

      • Logged-in user.

      • File name.

      • File MD5 hash.

      • Program name and path.

      • Date and time (UTC).

    • Lifecycle of the detected item:

      • Date and time (UTC).

      • Action.

      • Path/URL/Registry/Key.

      • File/MD5/Registry Value.

      • Trusted.

    • Occurrences on other computers:

      • Computer name.

      • Date the item was first seen.

      • Program name and path.

Programs blocked by the administrator

  • Frequency: The solution sends an alert every time a program is blocked.

  • Condition: Windows computers only.

  • Information shown:

    • Program name.

    • Hash.

    • Program path.

    • Computer name.

    • Group to which the computer belongs.

    • User who launched the program.

    • Date when the program was blocked.

Classification of a file allowed by the administrator

Administrator-allowed files are files which the administrator allowed to run although Advanced EDR blocked them. As soon as the solution completes the classification, it informs the administrator of the verdict so that the file can be allowed or blocked, based on the reclassification policy. For more information about reclassification policies, see Reclassification policy.

Indicators of attack (IOA)

  • Frequency: The solution sends an alert when it detects an indicator of attack.

  • Condition: For each computer on the network that has an Indicators of Attack (IOA) settings profile assigned to it.

  • Information shown:

    • Affected computer.

    • IP address.

    • Group.

    • Customer.

    • Type of indicator of attack.

    • Risk.

    • Action.

Computers with protection errors

  • Frequency: The solution sends an alert every time an error is found.

  • Condition:

    • Sends an alert when the solution finds an unprotected computer on the network.

    • Sends an alert when the solution finds a computer with a protection or installation error.

  • Information shown:

    • Computer name.

    • Group.

    • Description.

    • Operating system.

    • IP address.

    • Active Directory path.

    • Domain.

    • Date and time (UTC).

    • Failure reason: Protection with errors or installation error.

Computers without a license

  • Frequency: The solution sends an alert every time an error is found.

  • Condition: Sends an alert when the solution fails to assign a license to a computer because there are no free licenses.

  • Information shown:

    • Computer name.

    • Description.

    • Operating system.

    • IP address.

    • Group.

    • Active Directory path.

    • Domain.

    • Date and time (UTC).

    • Failure reason: Computer without a license.

Install errors

  • Frequency: The solution sends an alert every time an error is found.

  • Condition:

    • Sends an alert when an event occurs that causes the computer status to change (1) from protected to unprotected.

    • If the solution detects several events at the same time that could cause a computer status to change from protected to unprotected, it generates only one alert with a summary of all the events.

  • Information shown:

    • Computer name.

    • Protection status.

    • Reason for the status change.

Unmanaged computers discovered

  • Frequency: The solution sends an alert every time an error is found.

  • Condition:

    • Sends an alert when a discovery computer finishes a discovery task.

    • Sends an alert when a discovery task finds a never-seen-before computer on the network.

  • Information shown:

    • Name of the discovery computer.

    • Number of discovered computers.

    • Link to the list of unmanaged computers discovered.

Alert table
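The frequency column above amounts to a throttling policy, and the caps behave differently from one another: some are per computer and detected item, one is per computer only, one is global across all computers, and network attacks are aggregated per hour rather than sent per event. The Python model below is an added illustration of those rules, not Advanced EDR's own implementation; the event dictionary shape, its field names and the sample detections are constructed for the example.

```python
from collections import defaultdict

# Daily caps as stated in the alert table on this page.
MAX_EXPLOIT_ALERTS_PER_DAY = 10   # per computer/exploit pair
MAX_PUP_ALERTS_PER_DAY = 2        # per computer/PUP pair
MAX_POLICY_BLOCK_PER_DAY = 1      # per computer, when the policy action is Block
MAX_POLICY_NONBLOCK_PER_DAY = 50  # across all computers, when the action is not Block


class AlertThrottle:
    """Decides whether a detection event produces an email alert.

    Events are dicts with 'kind', 'computer', 'day' (YYYY-MM-DD) and kind-specific
    fields. This event shape is an assumption made for the example.
    """

    def __init__(self):
        self._daily = defaultdict(int)    # cap key -> alerts already sent that day
        self._network = defaultdict(int)  # (hour, attack type, remote ip) -> occurrences

    def _allow(self, key, limit):
        """Consume one slot under the cap identified by key; False once exhausted."""
        if self._daily[key] >= limit:
            return False
        self._daily[key] += 1
        return True

    def handle(self, event):
        """Return True if this event is emailed immediately, False if suppressed or deferred."""
        kind, day = event["kind"], event["day"]
        if kind == "exploit":
            key = ("exploit", event["computer"], event["exploit"], day)
            return self._allow(key, MAX_EXPLOIT_ALERTS_PER_DAY)
        if kind == "pup":
            key = ("pup", event["computer"], event["pup"], day)
            return self._allow(key, MAX_PUP_ALERTS_PER_DAY)
        if kind == "policy":
            if event["action"] == "Block":
                return self._allow(("policy-block", event["computer"], day), MAX_POLICY_BLOCK_PER_DAY)
            # Not per computer: the first 50 messages of the day across the whole account.
            return self._allow(("policy-other", day), MAX_POLICY_NONBLOCK_PER_DAY)
        if kind == "network_attack":
            # Deferred: one alert per attack type and source IP is sent each hour,
            # carrying the number of occurrences seen in that hour.
            self._network[(event["hour"], event["attack"], event["remote_ip"])] += 1
            return False
        # Alert types without a documented cap (e.g. administrator blocks, IOAs) are sent every time.
        return True

    def hourly_network_digest(self, hour):
        """The hourly network-attack alerts: (attack type, source IP) -> occurrences."""
        return {(attack, ip): n for (h, attack, ip), n in self._network.items() if h == hour}


def build_sample_events():
    """Constructed detection stream for a single day (addresses are documentation ranges)."""
    day, hour = "2024-01-01", "2024-01-01T10"
    events = [{"kind": "exploit", "computer": "WS-01", "exploit": "exploit-A", "day": day}] * 12
    events += [{"kind": "pup", "computer": "WS-02", "pup": "PUP-B", "day": day}] * 3
    for ip, count in (("198.51.100.7", 3), ("203.0.113.9", 2)):
        events += [{"kind": "network_attack", "computer": "WS-03", "attack": "port-scan",
                    "remote_ip": ip, "day": day, "hour": hour}] * count
    events += [{"kind": "policy", "computer": "WS-04", "action": "Block", "day": day}] * 3
    return events


def run_demo():
    """Apply the caps to the sample stream; returns (immediate emails, hourly digest)."""
    throttle = AlertThrottle()
    sent = sum(1 for event in build_sample_events() if throttle.handle(event))
    return sent, throttle.hourly_network_digest("2024-01-01T10")


if __name__ == "__main__":
    sent, digest = run_demo()
    print(f"immediate alerts: {sent}")
    print(f"hourly network digest: {digest}")
```

In the sample, 12 exploit attempts against one program on one computer yield 10 alerts, three PUP hits yield two, three Block actions on one computer yield one, and the five port-scan events collapse into two hourly entries; the point for a SOC is that the 11th exploit attempt of the day is silent in email and must be picked up from the console or exported data instead.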

Status change alerts (1)

These computer statuses trigger an alert:

  • Protection with errors: The status of the advanced protection installed on a computer shows an error.

  • Installation error: An installation error occurs that requires user intervention, such as insufficient disk space. Transient errors that can be resolved autonomously after a number of retries do not generate alerts.

  • No license: A computer does not receive a license after registration because there are no free licenses.

These computer statuses do not trigger an alert:

  • No license: The administrator manually removes a computer license, or Advanced EDR automatically removes a computer license because the number of purchased licenses has been reduced.

  • Installing: It does not make sense to generate an alert every time the protection is installed on a computer on the network.

  • Protection disabled: This status is the consequence of a voluntary change of settings.

  • Protection out-of-date: This status does not necessarily mean the computer is unprotected, even though its protection is out of date.

  • Pending restart: This status does not necessarily mean the computer is unprotected.

  • Knowledge out-of-date: This status does not necessarily mean the computer is unprotected.

Opting out of email alerts

If an email recipient wants to opt out of the notifications, but does not have access to the Advanced EDR console or appropriate permissions, the recipient can unsubscribe from the email message. To opt out of email alerts:

  • At the bottom of the email alert, click the link If you don’t want to receive any more messages of this kind, click here. In the window that opens, type the email address that should no longer receive email alerts. The link is valid for 15 days after the alert is sent.

  • If the email address you enter currently receives email alerts, a confirmation email is sent to the address.

  • In the confirmation email, click the opt-out link to confirm that you no longer want to receive emails at the specified email address. The link is valid for 24 hours after the confirmation email is sent.