Cisco Secure Access Alerts for User Behavior Analytics, Overview

Alerts for User Behavior Analytics

A Cisco Secure Access Alert Rule defines which conditions on the organization's resources raise an alert and where the notification is delivered. Each rule is configured with an alert category, the conditions that trigger it, and the notification targets: a list of email recipients, a Webhook, or both.

Overview

The Secure Access User Behavior Analytics (UEBA) alert rule monitors how end users in the organization interact with internet and private applications, and raises an alert when that activity matches one of the conditions below.

Secure Access monitors these activities from end users:

  • Bulk file uploads
  • Bulk file downloads
  • Bulk file deletions
  • Online activity from distant geographic regions within a timeframe too short for the user to have travelled between them (impossible travel)

Secure Access sends notifications formatted in JSON using the Secure Access Alert schema for User Behavior Analytics. For more information, see Event Format: User Behavior Analytics Alerts.

Get Started

To get started, add an Alert Rule in Secure Access and choose the delivery methods for its notifications: email, Webhook, or both. You can add Alert Rules through the Secure Access user interface (UI) or the Cisco Secure Access Alerting API. For more information, see Alerting API.

Set Up Alerts

  1. Deploy an HTTP listener in your on-premises or cloud environment. The target system must accept HTTP POST messages with a JSON body and must support Basic authentication with a username and password. Expose the listener over HTTPS: Basic credentials are only base64-encoded in the Authorization header, so a plain http:// URL would send them in clear text. The listener should verify the credentials on every request and reject any other request with HTTP 401, so that an attacker who learns the URL cannot inject fake alerts.
  2. Add a Webhook in Secure Access as a Third-party integration. Configure the Webhook with the URL and Basic authentication credentials of the HTTP listener. For more information, see Third-Party Integrations API.
  3. Validate that your target system receives and accepts the alerts: the listener should answer with an HTTP 2xx status, and the received body should match the User Behavior Analytics alert schema linked at the end of this page.

Sample JSON Alert Message: User Behavior Analytics

{
    "dataContentType": "application/json",
    "id": "2154cc58-8341-524c-9ba3-cc00d8f5b204",
    "integrationids": "webhook.v1:14af766b-3fe7-4b9e-be74-29c4801ec2df",
    "orgid": "1234567",
    "source": "secureaccess.alerts",
    "specVersion": "1.0",
    "time": "2026-01-30T09:57:18Z",
    "type": "secureaccess.alerts.behavioranalytics.v1",
    "data": {
      "alerts": [
        {
          "alertId": "AL-352-8262543-1769767038288-0e72bede241230f4",
          "alertType": "Bulk upload operations",
          "category": "Behavior analytics",
          "conditionsApplied": {
            "conditions": [
              "User uploads more than the maximum number of allowed files."
            ]
          },
          "redirectUrl": "https://dashboard.int.sse.cisco.com/org/1234567/proactive-alert-management/rules/156",
          "ruleId": 352,
          "ruleName": "Webhook Schema 2",
          "severity": "medium",
          "status": "active",
          "time": "2026-01-30T09:57:18.288101972Z",
          "user": "user one"
        }
      ]
    }
}
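The listener from the Set Up Alerts procedure above, written out as an added example that is not Cisco's code: it checks the Basic credentials in constant time, parses the alert envelope, and flattens each entry of data.alerts into a record for a SIEM or ticketing system. The envelope shape is assumed from the sample message above, which is embedded so the parser can be exercised offline; the credential names, port and environment variables are illustrative assumptions.

```python
"""Webhook receiver for Secure Access User Behavior Analytics alerts.

Added example, not Cisco's code. Assumes the envelope shape of the sample
message above and that the Webhook integration POSTs JSON with Basic auth.
Run it behind TLS: Basic credentials are only base64-encoded.
"""
import base64
import hmac
import json
import os
from http.server import BaseHTTPRequestHandler, HTTPServer

# Credentials configured on the Webhook integration (constructed defaults;
# load real values from a secret store rather than hard-coding them).
WEBHOOK_USER = os.environ.get("WEBHOOK_USER", "secureaccess")
WEBHOOK_PASS = os.environ.get("WEBHOOK_PASS", "change-me")
EXPECTED_TYPE = "secureaccess.alerts.behavioranalytics.v1"

# The sample alert message from this page, embedded so the parser runs offline.
SAMPLE_MESSAGE = json.dumps({
    "dataContentType": "application/json", "id": "2154cc58-8341-524c-9ba3-cc00d8f5b204",
    "integrationids": "webhook.v1:14af766b-3fe7-4b9e-be74-29c4801ec2df", "orgid": "1234567",
    "source": "secureaccess.alerts", "specVersion": "1.0", "time": "2026-01-30T09:57:18Z",
    "type": EXPECTED_TYPE,
    "data": {"alerts": [{
        "alertId": "AL-352-8262543-1769767038288-0e72bede241230f4",
        "alertType": "Bulk upload operations", "category": "Behavior analytics",
        "conditionsApplied": {"conditions": ["User uploads more than the maximum number of allowed files."]},
        "redirectUrl": "https://dashboard.int.sse.cisco.com/org/1234567/proactive-alert-management/rules/156",
        "ruleId": 352, "ruleName": "Webhook Schema 2", "severity": "medium",
        "status": "active", "time": "2026-01-30T09:57:18.288101972Z", "user": "user one"}]},
}).encode()


def basic_auth_header(user, password):
    """Build the Authorization header value a Basic-auth client sends."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_basic_auth(header, user, password):
    """True if the Authorization header carries exactly the expected credentials."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        presented = base64.b64decode(header[6:], validate=True)
    except (ValueError, TypeError):
        return False
    # Constant-time comparison so an exposed listener leaks nothing through timing.
    return hmac.compare_digest(presented, f"{user}:{password}".encode())


def parse_alert_envelope(body):
    """Parse one alert envelope into flat records; fail closed on malformed input."""
    envelope = json.loads(body)
    if envelope.get("type") != EXPECTED_TYPE:
        raise ValueError(f"unexpected event type: {envelope.get('type')!r}")
    records = []
    for alert in envelope.get("data", {}).get("alerts", []):
        required = ("alertId", "alertType", "severity", "user", "time")
        missing = [k for k in required if k not in alert]
        if missing:
            raise ValueError(f"alert {alert.get('alertId')!r} missing fields: {missing}")
        records.append({
            "org": envelope.get("orgid"),
            "alert_id": alert["alertId"],
            "alert_type": alert["alertType"],
            "severity": alert["severity"],
            "user": alert["user"],
            "time": alert["time"],
            "conditions": list(alert.get("conditionsApplied", {}).get("conditions", [])),
            "rule_id": alert.get("ruleId"),
            "url": alert.get("redirectUrl"),
        })
    return records


class AlertHandler(BaseHTTPRequestHandler):
    """HTTP listener: unauthenticated POSTs get 401, malformed bodies get 400."""

    def do_POST(self):
        if not check_basic_auth(self.headers.get("Authorization"), WEBHOOK_USER, WEBHOOK_PASS):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="alerts"')
            self.end_headers()
            return
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        try:
            records = parse_alert_envelope(body)
        except ValueError as exc:
            self.send_response(400)
            self.end_headers()
            self.wfile.write(str(exc).encode())
            return
        for rec in records:
            print(json.dumps(rec))  # replace with your SIEM or ticketing sink
        self.send_response(200)
        self.end_headers()


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), AlertHandler).serve_forever()
```

Run it as a script to listen on port 8080 (behind a TLS-terminating proxy), then point the Webhook integration at it with the same username and password. Validating step 3 of the procedure is then a matter of confirming the listener logs a record and returns 200; a 401 means the credentials in the integration and the listener disagree, a 400 means the body did not match the expected envelope.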

JSON Alert Schema: User Behavior Analytics Alert

You can download the Cisco Secure Access User Behavior Analytics Alert schema at Cisco Secure Access User Behavior Alerts Schema.