Creating Alert rules

In the Policies > Rules area, you can configure and activate a rule to automatically send you an email notification when a particular event occurs, so you can promptly take the appropriate action. You can create a rule based on any of the events logged to the Events page in the History area.

For stolen devices, geolocation-related events are not logged while the theft investigation is open.

In the context of Alert rules, there are two types of events:

Event type Examples
Device level
  • A disk is removed from a device
  • A device's OS build number changes
  • A Reach script fails to run on a device

During the rule creation process, you apply device level rules to your devices by selecting device groups.
Account level
  • An Application Resilience policy is deactivated
  • A user account is created
  • A smart group is deleted

You can combine events of the same event type into a single rule so that you're alerted if multiple events occur within a specified number of days.

Email notifications may be delayed depending on the connection status of the device. If a device is offline when a device-level event occurs, the rule is not triggered until the device comes back online and checks in to the Absolute Monitoring Center.

To learn more about using rules to monitor events, visit the Learning Hub. To access the Learning Hub, click (Help and Support) on the quick access toolbar and then click Resources > The Learning Hub.

To create a rule:

  1. Log in to the Secure Endpoint Console as a user with Manage permissions for Rules.
  2. On the navigation bar, click Policies > Rules.
  3. Click Create rule and click Alert rule.
  4. Click the title and enter a name for the rule.
  5. [Optional] Click Add description and enter a description for this rule.

  6. Enter the applicable event criteria by doing the following:

    1. Click the Select an event field and select an event from the list. Events with an icon allow you to select more specific data related to the event.

      For example, you can select the following options under the Device user information updated event:

      • Domain
      • User name

    2. If a second field shows, click the field and select one of the following conditions:

      The list of available conditions depends on the selected event.

      • changed
      • is
      • is not
      • contains
      • does not contain
      • is empty
      • is not empty
      • begins with
      • ends with
      • between
      • not between
      • greater than
      • greater than or equal to
      • less than
      • less than or equal to

    3. If a third field shows, enter a value. Note that values entered in this field are not validated. Ensure that you enter a value that is valid for the selected event.

      Note that if you selected the is or contains condition in the previous step, you can enter multiple values in the field. Press Enter after each value. In this case, the event will be triggered when any of the values are included in the event record. See the example below.

      The third field does not show if you select any of the following conditions: changed, is empty, or is not empty.

      Rule event examples

      To trigger the rule when … Select event … Select condition … Enter value …
      The domain of a device user changes from the expected value Device user information updated > Domain is not <expected domain name>
      A device is frozen by an Offline Freeze rule or a Scheduled Freeze request Device frozen > Device freeze type is Offline, Scheduled
      A device fails to be unenrolled Device unenroll failed n/a n/a
      The version of the device's operating system changes Operating system updated > Version changed n/a

  7. To add a second event, click AND and specify the applicable criteria in the provided fields.

    The list of events is now filtered based on the type of event you selected in step 7. That is, if you selected a device level event, such as Volume removed, you can only add more device level events. Similarly, if you selected an account level event, such as Role created, you can only add more account level events. To reset the event list so all events are listed, click the icon next to the first event.

  8. Repeat the previous step for each event that you want to add. You can add up to 20 events.
  9. If you've added multiple events, a 7 days field now shows above the first event field. Click the field and select the maximum number of days within which the events must occur for the rule to be triggered. Options are 1 to 29 days. For example, if you want to be alerted only if all events occur within 2 days of each other, select 2 days.

  10. The Send email field is prepopulated with your email address. Do one of the following:

    • To send email notifications to other users:

      1. Click Edit and click the field to open a selection list of email addresses associated with your account.

      2. Begin entering each email address and then select it from the list. To send alerts to individuals that are not console users, enter their full email address, pressing Enter after each one. To remove an address, click its icon. When you're done, click Close.

    • To disable email notifications entirely, click Edit and remove all email addresses from the field. When you're done, click Close.

      When the rule is triggered, an event is logged to the Events page in the History area, but no emails are sent. You may prefer this option if Absolute is integrated with a SIEM application.

  11. If the Apply to section shows, you added one or more device level events. Note the following:

    • If you can manage all devices, All Active Devices shows in this section.
    • If you can manage the devices in select device groups only, your assigned device groups show.

    To make changes, click Edit and do the following:

    1. Click the field and select each device group you want to assign the rule to. To remove a device group, click its "x" icon.

      If you can manage the devices in select device groups only, a warning message shows. Learn more

    2. If you selected All Active Devices in the previous step, you can exclude one or more device groups. Select the Exclude device groups checkbox and click the field to select each device group you want to exclude. To remove a device group that you added, click its "x" icon.
    3. When you're done, click outside the field and click Close.
  12. To activate the rule now, click Save and activate. To activate it later, click Save.

The rule is created, and a Rule created event is logged to Event History.

If you activated an account-level rule, it is applied to your account. If you activated a device-level rule, it is applied to the devices in the specified device groups. Going forward, when events occur that meet the criteria set in this rule, an email notification is sent to all specified recipients and a Rule triggered event is logged to the Events page in the History area.