Configure alert rules
You can configure alert rules to help identify unusual user activities, such as:
- Logins to SEA from locations outside a user’s typical countries.
- Logins to SEA from countries that are not allowed by your organization’s policies.
- Logins to SEA occurring outside of standard working hours for a user.
When these activities are detected, an alert is triggered and appears in the Alerts tab for your review. In this tab, you can view details, sort alerts by severity, or perform necessary actions.
The Alerts configuration page provides the following details:
Column | Description |
---|---|
Alert Type | The name of the alert policy. Each is a clickable link to view or edit details. Examples: Changed Login Location, Login From Prohibited Location, Login Outside of Working Hours. |
Alert Category | The category of the alert. In this case, all are under User Activity. |
Alert Rules | The number of active rules associated with each alert type. |
Last Updated | Shows when the alert configuration was last modified. |
Action | Allows you to control the alert’s state. Pause (red): temporarily disables an active alert. Resume (blue): reactivates a paused alert. |
Note: You can configure multiple alert rules within each category to trigger alerts for different scenarios.
Configure alert rules for login from prohibited locations
To configure this rule, set a rule definition using either an Allowlist or Blocklist. The Allowlist should include locations to permit, while the Blocklist should list locations to flag.
- With an Allowlist, an alert triggers only if a user accesses SEA from a location outside the Allowlist.
- With a Blocklist, an alert triggers if a user accesses SEA from a location within the Blocklist.
On the Alerts page, click Login From Prohibited Location.
The Login From Prohibited Location page displaying the default configuration appears. By default, the severity of the rules is medium.
To modify the default rule definition and severity:
a. Click Edit.
b. In the Edit Configuration panel, set the default severity level of the alert to Critical, High, Medium, or Low, depending on how urgently the alert should be addressed.
c. Select the rule definition, either Blocklist or Allowlist.
d. Click Save.
To configure an alert rule:
a. Click Add on the Login From Prohibited Location page.
b. In the Configure Alert section, select the scope of users the alert applies to:
- All users – Default option. Applies the alert to all users.
- Selected user roles – Apply the alert to users assigned to specific user roles. For example, SEA users.
- Selected access control groups – Apply the alert to users in specific access control groups.
To add locations to the rule definition, select a country from the Add Location drop-down list, and click Add.
The selected country is added to the configured rule definition. You can add as many countries as you want. If your configured rule definition is Allowlist, then an alert will be triggered when users access SEA from locations other than the ones you added. If your configured rule definition is Blocklist, then an alert will be triggered when users access SEA from the locations you just added.
Click Next.
To set email notifications, specify who should receive email alerts in the Set Notification section:
- Selected Users – Choose this option to send notifications to specific users. For example, SEA users.
- Selected User Roles – Choose this option to notify users assigned to specific roles.
- Do not send email notification – Select this option if you do not want email notifications to be sent when the alert is triggered.
Click Next to continue.
To enter a rule name and review the details:
a. On the Review page, enter a rule name in the Alert Rule Name field.
b. Verify all the configured alert details.
c. Click Back to navigate to the previous pages and make changes.
Click Create to save the alert rule and enable it.
Result
The new alert rule is added to the Login From Prohibited Location configuration.
When a user logs in to SEA from a country that is configured in the Allowlist, no alert is generated. When a user logs in from a country that is in the Blocklist, an alert is generated.
Note: A Blocklist rule only generates alerts. It does not block users from accessing SEA.
Configure alert rules for changed login locations
An alert is triggered when a user accesses SEA from an unusual location.
On the Alerts page, click Changed Login Location.
The Changed Login Location page appears, allowing you to configure the alert settings. This page lists the changed login location alert rules you have previously configured. By default, the severity of the rules is medium.
To modify the default severity:
a. Click Edit.
b. In the Edit Configuration panel, set the default severity level of the alert to Critical, High, Medium, or Low, depending on how urgently the alert should be addressed.
c. Click Save.
To configure an alert rule:
a. Click Add on the Changed Login Location page.
b. In the Configure Alert section, select the scope of users the alert applies to:
- All users – Default option. Applies the alert to all users.
- Selected user roles – Apply the alert to users assigned to specific user roles.
- Selected access control groups – Apply the alert to users in specific access control groups.
Click Next.
To set email notifications, specify who should receive email alerts in the Set Notification section:
- Selected Users – Choose this option to send notifications to specific users.
- Selected User Roles – Choose this option to notify users assigned to specific roles.
- Do not send email notification – Select this option if you do not want email notifications to be sent when the alert is triggered.
Click Next to continue.
To enter a rule name and review the details:
a. On the Review page, enter a rule name in the Alert Rule Name field.
b. Verify all the configured alert details.
c. Click Back to navigate to the previous pages and make changes.
Click Create to save the alert rule and enable it.
Result
The new alert rule is listed on the Changed Login Location page.
When users log in to SEA from a country that is different from their previous login location, an alert is generated.
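The Allowlist and Blocklist semantics and the changed-location rule described above can be modelled offline to preview which logins a rule definition would flag. This is an added example, not SEA's own logic or API: the `LocationRule` and `evaluate` names, the record layout, and the choice to skip a user's first login for the changed-location check are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class LocationRule:
    mode: str              # rule definition: "allowlist" or "blocklist"
    countries: frozenset   # countries added through Add Location

def prohibited_location_alert(rule, country):
    """Allowlist alerts outside the list; Blocklist alerts inside it."""
    if rule.mode == "allowlist":
        return country not in rule.countries
    if rule.mode == "blocklist":
        return country in rule.countries
    raise ValueError(f"unknown rule definition: {rule.mode!r}")

def evaluate(logins, rule):
    """Return (user, country, [alert types]) for each login that alerts."""
    last_country = {}   # user -> country of previous login
    findings = []
    for user, country in logins:
        alerts = []
        if prohibited_location_alert(rule, country):
            alerts.append("Login From Prohibited Location")
        previous = last_country.get(user)
        # Assumption: a user's first recorded login has no baseline to compare.
        if previous is not None and previous != country:
            alerts.append("Changed Login Location")
        last_country[user] = country
        if alerts:
            findings.append((user, country, alerts))
    return findings

# Constructed sample logins (user, ISO country code), oldest first.
SAMPLE = [("alice", "DE"), ("alice", "BR"), ("bob", "US"),
          ("bob", "FR"), ("carol", "JP")]
ALLOW = LocationRule("allowlist", frozenset({"DE", "US", "FR"}))
BLOCK = LocationRule("blocklist", frozenset({"BR"}))

if __name__ == "__main__":
    for name, rule in (("Allowlist", ALLOW), ("Blocklist", BLOCK)):
        print(name, evaluate(SAMPLE, rule))
```

The login from JP is flagged under the Allowlist but passes silently under the Blocklist, because a Blocklist only covers the countries explicitly added to it.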
Configure alert rules for login outside of working hours
An alert is triggered when a user logs in to SEA outside the allowed days and working hours that you configure.
On the Alerts page, click Login Outside of Working Hours.
The Login Outside of Working Hours page displaying the default configuration appears. By default, the severity of the rules is medium.
To modify the default severity:
a. Click Edit.
b. In the Edit Configuration panel, set the default severity level of the alert to Critical, High, Medium, or Low, depending on how urgently the alert should be addressed.
c. Click Save.
To configure an alert rule:
a. Click Add on the Login Outside of Working Hours page.
b. In the Configure Alert section, select the scope of users the alert applies to:
- All users – Default option. Applies the alert to all users.
- Selected user roles – Apply the alert to users assigned to specific user roles. For example, device operator, SEA users.
- Selected access control groups – Apply the alert to users in specific access control groups.
c. In the Configure Rules section, set the time and days when you want to allow users to access SEA.
- Choose the days from the Allowed days of the week drop-down list.
- Choose the start and end times in the Allowed working hours field.
- Select a timezone from the Timezone drop-down list.
Click Next.
To set email notifications, specify who should receive email alerts in the Set Notification section:
- Selected Users – Choose this option to send notifications to specific users.
- Selected User Roles – Choose this option to notify users assigned to specific roles.
- Do not send email notification – Select this option if you do not want email notifications to be sent when the alert is triggered.
Click Next to continue.
To enter a rule name and review the details:
a. On the Review page, enter a rule name in the Alert Rule Name field.
b. Verify all the configured alert details.
c. Click Back to navigate to the previous pages and make changes.
Click Create to save the alert rule and enable it.
Result
The new alert rule is listed on the Login Outside of Working Hours page.
When a user logs in to SEA outside the days and hours that you configured, an alert is generated.
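The allowed days, working hours, and timezone interact: the same UTC timestamp can fall on a different weekday in the rule's timezone. The sketch below is an added example, not SEA's own logic, that evaluates constructed UTC login records against such a rule. The `WorkingHoursRule` name, the exclusive end time, and the fixed UTC+10 offset standing in for a Timezone drop-down value are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone, tzinfo

@dataclass(frozen=True)
class WorkingHoursRule:
    allowed_days: frozenset   # weekday numbers, Monday=0 ... Sunday=6
    start: time               # allowed working hours, start (inclusive)
    end: time                 # allowed working hours, end (exclusive, assumed)
    tz: tzinfo                # rule timezone; zoneinfo.ZoneInfo also works

def outside_working_hours(rule, login):
    """True if an aware login timestamp is outside the allowed days/hours."""
    if login.tzinfo is None:
        raise ValueError("login timestamp must be timezone-aware")
    local = login.astimezone(rule.tz)   # evaluate in the rule's timezone
    allowed = (local.weekday() in rule.allowed_days
               and rule.start <= local.time() < rule.end)
    return not allowed

def flagged(logins, rule):
    """Return the (user, timestamp) pairs that would raise the alert."""
    return [(u, ts) for u, ts in logins if outside_working_hours(rule, ts)]

# Constructed rule: Monday-Friday, 09:00-18:00, fixed UTC+10 offset.
RULE = WorkingHoursRule(frozenset(range(5)), time(9), time(18),
                        timezone(timedelta(hours=10)))
UTC = timezone.utc
# Constructed sample logins recorded in UTC.
SAMPLE = [
    ("alice", datetime(2024, 3, 10, 23, 30, tzinfo=UTC)),  # Sun UTC = Mon 09:30 local
    ("bob",   datetime(2024, 3, 8, 23, 30, tzinfo=UTC)),   # Fri UTC = Sat 09:30 local
    ("carol", datetime(2024, 3, 12, 8, 30, tzinfo=UTC)),   # Tue 18:30 local
    ("dave",  datetime(2024, 3, 12, 3, 0, tzinfo=UTC)),    # Tue 13:00 local
]

if __name__ == "__main__":
    for user, ts in flagged(SAMPLE, RULE):
        print(user, ts.astimezone(RULE.tz).isoformat())
```

A check that used the UTC weekday would flag alice's Sunday-UTC login and miss bob's Friday-UTC login, the reverse of what the rule's timezone gives.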
Pause alerts
You can temporarily pause alerts when the situation warrants it.
- Navigate to the Alerts dashboard.
- Click Pause against the alert type you want to pause.
Result
All alert rules configured in the alert type will be disabled, and no alerts will be triggered for those rules.
Resume alerts
To reactivate triggering of alerts:
- Locate the alert that is paused.
- Click Resume in the Action column.