
XDR Alert Profiles: Prioritizing Critical Threats in Hexnode XDR

In an era of increasingly sophisticated and widespread cyber threats, organizations need a security solution that not only detects risks but also helps prioritize them across their entire network. XDR, or Extended Detection and Response, is an advanced approach designed to strengthen security by detecting and responding to a wide range of threats such as vulnerabilities, malware, phishing, or other malicious activities across an organization’s entire environment.

XDR helps reduce blind spots in an organization’s security and ensure threats are addressed before they can disrupt critical operations. But detecting threats is only half the battle; what matters is knowing which security alerts are worth the attention.

Why do alerts matter?

Alerts are notifications generated by monitoring systems whenever an unusual, suspicious, or potentially harmful activity or event happens on an endpoint. They serve as early warning signals, allowing administrators to investigate events before they escalate into real threats.

Once a threat enters an endpoint, it may go through several phases: building up resources, executing malicious code, collecting data, and finally causing damage or disruption. At each of these phases, the proactive way to detect and counter the threat is to send out alerts to administrators whenever necessary.

While essential for security, the sheer volume of alerts can be overwhelming. An organization may receive hundreds or thousands of alerts daily, many of which may be low priority or false positives. When notifications are unfiltered, alert fatigue sets in, reducing the team’s ability to respond effectively to genuine threats.

How Hexnode XDR helps

Cyber threats move fast, but with Hexnode XDR, you move faster. By integrating visibility, analytics, and response in a single platform, it provides IT admins with a clear view across all endpoints and helps prioritize the alerts that matter.

The role of alert profiles

In a managed environment, alert profiles are key for proactive threat detection and efficient response. Creating and managing alert profiles in Hexnode XDR allows IT admins to filter and prioritize incoming alerts, ensuring they stay updated on critical events across all endpoints.

Hexnode XDR’s Alert Profiles feature makes it easier to define when alerts should be triggered and how they should be delivered. Alert profiles can be tailored based on specific event types, preferred delivery channels (such as Email or Webhook), and scheduling preferences. This ensures timely notifications when unusual or potentially harmful activities are detected on the device.

Steps to build an alert profile

To build an alert profile, start by navigating to Settings > Alert Profiles in the Hexnode XDR console. An alert profile follows this workflow:
Events → Source → Channel → Schedule → Review

Step 1: Choose Events

The first step is to select the specific events that should trigger a notification. You can choose from different event types such as Incidents, Process, Network, and so on, depending on your monitoring requirements.

To choose events,

  1. On your Hexnode XDR console, navigate to Settings > Alert Profiles.
  2. Click on Add New Event.
  3. Select the required event type from the following options:
    1. Incidents Created: Choose this event to receive notifications whenever a new threat is detected in the console.
    2. Process Creation: Choose this event to get notified when a process is started on a device. You can specify the process name or process ID in the filter section.
    3. Process Access: Select this event to receive notifications when one process accesses another process. You can specify the process name or process ID in the filters.
    4. Create Remote Thread: Select this event to get notified when one process creates a thread in another process on the device.
    5. Network Connection: Select this event to receive notifications when a process initiates a network connection.
    6. Process Termination: This enables administrators to identify which process was terminated, and the device on which it occurred. You can specify the process name or process ID in the filters.
    7. Registry Create Key: This helps administrators identify which process created a registry key, and on which device. You can specify the process name or process ID in the filters.
    8. Registry Delete Key: This helps administrators identify which process deleted a registry key, and on which device. You can specify the process name or process ID in the filters.
    9. System Logon: This helps administrators identify user logins, including the account name, domain, and the device where the login occurred.
    10. Driver Load: This provides administrators with information about any unverified kernel driver being loaded on the device.
    11. Image Load: This helps administrators identify when a suspicious module is loaded on the device.
    12. Raw Access Read: This helps administrators identify when a process bypasses file system controls to directly read files from a device, along with the affected device information.
    13. File Creation: This helps administrators identify when a file is created or overwritten, and on which device.
    14. File Delete: This helps administrators identify when a process deletes a file, and on which device.
    15. DNS Query: This helps administrators identify when a process executes a DNS query, and the device on which it occurred.

After selecting an event, a dialog box appears displaying details about the chosen event type, the associated message, and applicable filters.

  • Event: This field is auto-populated based on the chosen event.
  • Message: A predefined alert message is automatically populated based on the selected event. This message can be customized as needed and will also serve as the description of the alert when the alerts are being sent. When an alert is triggered, placeholders within the message are automatically replaced with the relevant information, providing technicians with details about the event, affected device, and other key data.
  • Filter: Filters can be used to specify which events should trigger notifications, helping to narrow down the scope of the alert criteria. This ensures that alerts are delivered only for relevant events, reducing unnecessary notifications, and helping administrators focus on critical issues. While configuring filters, comparators (=, !=, contains) can be used to match only the events that meet the defined criteria. Filters can be combined using operators like AND, OR, and Group to create more advanced rules.
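The filter and message behaviour described above can be made concrete with a small evaluator. The following is an added example written for this page, not Hexnode's own code: it applies a rule built from the comparators `=`, `!=` and `contains`, combined with AND, OR and a nested Group, to a handful of constructed sample events, and then fills the message placeholders for each event that matches. The field names, the rule encoding, the `{placeholder}` syntax and case-insensitive matching are assumptions, not documented Hexnode behaviour.

```python
"""Added example (not Hexnode's code): evaluator for alert-profile filters
using the comparators =, != and contains and the AND / OR / Group combinators,
run over constructed sample events, plus message placeholder substitution.
Field names, rule encoding, {placeholder} syntax and case-insensitivity are
assumptions."""
from __future__ import annotations
import re

# Simple condition: (field, comparator, value).
# Group: {"op": "AND" | "OR", "rules": [conditions or nested groups]}
COMPARATORS = {
    "=": lambda actual, expected: actual == expected,
    "!=": lambda actual, expected: actual != expected,
    "contains": lambda actual, expected: expected in actual,
}


def evaluate(rule, event: dict) -> bool:
    """Recursively evaluate a condition or group against one event.

    Comparison is case-insensitive (assumption). A field missing from the
    event compares as the empty string, so "!=" matches it while "=" and
    "contains" do not.
    """
    if isinstance(rule, dict):
        results = [evaluate(sub, event) for sub in rule["rules"]]
        if rule["op"] == "AND":
            return all(results)
        if rule["op"] == "OR":
            return any(results)
        raise ValueError(f"unknown operator {rule['op']!r}")
    field, comparator, expected = rule
    actual = str(event.get(field, "")).lower()
    return COMPARATORS[comparator](actual, str(expected).lower())


PLACEHOLDER = re.compile(r"\{(\w+)\}")


def render_message(template: str, event: dict) -> str:
    """Fill {placeholder} tokens from the event; unknown tokens are kept verbatim."""
    return PLACEHOLDER.sub(lambda m: str(event.get(m.group(1), m.group(0))), template)


# Constructed sample events (not real telemetry), shaped like the Process
# Creation and DNS Query event types listed above.
SAMPLE_EVENTS = [
    {"event": "Process Creation", "device": "FIN-LAPTOP-01",
     "process_name": "powershell.exe", "process_id": 4120, "user": "alice"},
    {"event": "Process Creation", "device": "FIN-LAPTOP-01",
     "process_name": "notepad.exe", "process_id": 4188, "user": "alice"},
    {"event": "Process Creation", "device": "DEV-BUILD-07",
     "process_name": "powershell.exe", "process_id": 9001, "user": "svc_build"},
    {"event": "DNS Query", "device": "HR-DESK-03",
     "process_name": "chrome.exe", "query": "example.com"},
]

# Profile rule: alert on PowerShell starts, but only on Finance and HR
# endpoints. The build server runs PowerShell legitimately all day, so the
# OR group keeps it out of the alert stream and cuts noise for the technician.
FINANCE_POWERSHELL_RULE = {
    "op": "AND",
    "rules": [
        ("event", "=", "Process Creation"),
        ("process_name", "=", "powershell.exe"),
        {"op": "OR", "rules": [("device", "contains", "FIN-"),
                               ("device", "contains", "HR-")]},
    ],
}
MESSAGE_TEMPLATE = "Process {process_name} (PID {process_id}) started on {device} by {user}"


def matching_alerts(rule=FINANCE_POWERSHELL_RULE, events=SAMPLE_EVENTS,
                    template=MESSAGE_TEMPLATE) -> list[str]:
    """Return the rendered alert message for every event the profile matches."""
    return [render_message(template, e) for e in events if evaluate(rule, e)]


if __name__ == "__main__":
    for line in matching_alerts():
        print(line)
```

Running the block yields a single alert for the Finance laptop; the build server's PowerShell start and the other two events are filtered out before any email or webhook is sent, which is exactly the volume reduction the filter section is about.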

Step 2: Choose the Endpoints

After defining the alert criteria, the next step is to specify which endpoints or endpoint groups the alert should apply to.
You can select individual endpoints, endpoint groups, or both, depending on your monitoring requirements.

The available options include:

  1. Endpoints:
    1. Click Add Endpoints under the Endpoints subtab.
    2. From the displayed list, select the required endpoints. The list includes details such as Device Name, Platform, OS Name, OS Version, and Status (Online, Offline, or Inactive).
    3. Once you have made your selection, click Save to confirm.
  2. Endpoint Groups:
    1. Click Add Endpoint Groups under the Endpoint Groups subtab.
    2. From the displayed list, select the desired device groups. Each entry includes the Group Name along with the Date and Time of Group Creation.
    3. After selecting the required groups, click Save to apply your choices.

Once all sources have been selected, click Next to proceed to the next step.

Step 3: Select the preferred Channel

Once you have configured your sources, the next step is to choose how to receive alerts and updates from Hexnode XDR.
Select Email, Webhook, or both, but at least one channel must be selected to continue.

  1. Email:
    • Recipients: Select the required technician from the dropdown list by name, or enter an email ID. This is a required field.
    • Subject: Enter an appropriate subject line for the email. This field is required.
    • Body: Provide a clear and concise description for the email notification. This is a required field. (Auto-populated with the default message, but it can be customized.)
  2. Webhook:
    • Choose the webhook from the dropdown list of available webhooks.
    • If you haven’t set one up yet, you can add a new webhook by navigating to:
      Settings > Notifications > Webhook.

Step 4: Schedule the alert profiles

To schedule your alert profile, follow these steps:

  1. Initiate:
    • Immediately: Select this option to trigger the alerts immediately, as and when the condition matches.
      Note: For some of the “Events”, the user might see the following message:

      The selected event can generate hundreds of events per second per device. Without appropriate filters, this may result in excessive alerts and email notifications, potentially overwhelming the technician’s inbox. It is strongly recommended to apply filters (for example, process name, endpoint, severity, or time range) to narrow down the scope of alerts.

    • Repeat:
      • Interval: Choose how frequently you want the alert to be sent. Available options include daily, weekly, and monthly.
      • Select days: For Weekly, specify the days of the week when the alert should be sent. This field is required.
      • Select months: For Monthly, specify which months the alert will trigger. This field is required.
        • Select day: For Monthly, select the specific day of the month when the alert should be sent. This is a required field.
      • Scheduled At (IST): Set the time when the alert will be sent, in Indian Standard Time (IST). For example, to have the alert triggered at midnight each day, set the time to 00:00 hours IST. This is a required field.
      • When a Weekly or Monthly schedule is used, all alerts are batched together and sent as a single email.
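To show what the Repeat schedule amounts to in practice, here is an added example (not Hexnode's code) that computes the next send time for a daily, weekly or monthly profile at a fixed IST time, and batches the alerts raised since the previous run into one digest email body. The alert records, the helper names, the half-open batching window and the digest layout are assumptions made for this illustration.

```python
"""Added example (not Hexnode's code): models the Repeat schedule described
above (daily / weekly / monthly at a fixed IST time) and batches the alerts
raised since the previous run into a single digest. Alert records, helper
names, the (start, end] window and the digest format are assumptions."""
from __future__ import annotations
import calendar
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))  # "Scheduled At" is in IST
WEEKDAYS = {"Mon": 0, "Tue": 1, "Wed": 2, "Thu": 3, "Fri": 4, "Sat": 5, "Sun": 6}


def _at(day: datetime, scheduled_at: str) -> datetime:
    """Return `day` with its clock set to the HH:MM given in scheduled_at."""
    hour, minute = map(int, scheduled_at.split(":"))
    return day.replace(hour=hour, minute=minute, second=0, microsecond=0)


def next_run(interval: str, scheduled_at: str, now: datetime,
             days: list[str] | None = None, months: list[int] | None = None,
             day_of_month: int | None = None) -> datetime:
    """Return the first send time strictly after `now` for the given schedule."""
    now = now.astimezone(IST)
    if interval == "daily":
        candidate = _at(now, scheduled_at)
        return candidate if candidate > now else candidate + timedelta(days=1)
    if interval == "weekly":
        wanted = {WEEKDAYS[d] for d in (days or [])}  # "Select days" is required
        for offset in range(8):  # today plus the next seven days
            candidate = _at(now + timedelta(days=offset), scheduled_at)
            if candidate.weekday() in wanted and candidate > now:
                return candidate
        raise ValueError("weekly schedule needs at least one day")
    if interval == "monthly":
        year, month = now.year, now.month
        for _ in range(13):  # look at most one year ahead
            last_day = calendar.monthrange(year, month)[1]
            # Months without the chosen day (e.g. day 31 in June) are skipped
            # rather than clamped; that is an assumption of this example.
            if month in (months or []) and day_of_month <= last_day:
                candidate = _at(now.replace(year=year, month=month, day=day_of_month),
                                scheduled_at)
                if candidate > now:
                    return candidate
            year, month = (year + 1, 1) if month == 12 else (year, month + 1)
        raise ValueError("monthly schedule produced no run within a year")
    raise ValueError(f"unknown interval {interval!r}")


def build_digest(alerts: list[dict], window_start: datetime, window_end: datetime,
                 profile_name: str) -> tuple[list[dict], str]:
    """Select alerts raised in (window_start, window_end] and render one email body."""
    batch = sorted((a for a in alerts if window_start < a["time"] <= window_end),
                   key=lambda a: a["time"])
    lines = [f"{len(batch)} alert(s) for profile '{profile_name}' "
             f"({window_start:%Y-%m-%d %H:%M} to {window_end:%Y-%m-%d %H:%M} IST)"]
    lines += [f"- {a['time']:%m-%d %H:%M} {a['device']}: {a['message']}" for a in batch]
    return batch, "\n".join(lines)


# Constructed sample alerts (not real data), stamped in IST.
SAMPLE_ALERTS = [
    {"time": datetime(2024, 5, 12, 23, 30, tzinfo=IST), "device": "FIN-LAPTOP-01",
     "message": "powershell.exe started by alice"},
    {"time": datetime(2024, 5, 13, 9, 15, tzinfo=IST), "device": "HR-DESK-03",
     "message": "Unverified kernel driver loaded"},
    {"time": datetime(2024, 5, 15, 18, 42, tzinfo=IST), "device": "FIN-LAPTOP-01",
     "message": "Raw access read of disk volume"},
    {"time": datetime(2024, 5, 16, 0, 0, tzinfo=IST), "device": "FIN-LAPTOP-02",
     "message": "Registry key deleted"},
    {"time": datetime(2024, 5, 16, 8, 0, tzinfo=IST), "device": "HR-DESK-03",
     "message": "DNS query by unknown process"},
]

if __name__ == "__main__":
    now = datetime(2024, 5, 15, 10, 0, tzinfo=IST)  # a Wednesday
    run = next_run("weekly", "00:00", now, days=["Mon", "Thu"])
    previous = run - timedelta(days=3)  # the Monday run before it
    _, body = build_digest(SAMPLE_ALERTS, previous, run, "Finance endpoints")
    print(f"next run: {run:%a %Y-%m-%d %H:%M} IST\n{body}")
```

With a Monday/Thursday weekly schedule at 00:00 IST, the Thursday run collects the three alerts raised since Monday midnight into one email, while the alert that arrives at 08:00 on Thursday waits for the next run. The monthly branch deliberately skips a month that lacks the chosen day instead of sending early, so a profile set to the 31st only fires in 31-day months.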

Step 5: Review the created alert profile

  1. Click the edit icon next to New Alert Profile to rename the alert profile as needed.
  2. Review all the configured information, then click Finish to save the alert profile.

Managing alert profiles on the console

The newly created alert profile will appear on the Alert Profiles subtab under the Settings tab, displaying the profile name, creation time, and status.

Use the following options to manage the alert profile:

  • Enable/Disable: Click the toggle button next to the status to enable or disable the alert profile.
  • Edit: Click the Edit button to modify the alert profile.
  • Delete: Click the Delete button to remove the alert profile.
  • Logs: Click Logs to view the notification logs. This allows technicians to track when notifications were generated and sent for the selected alert profile. The logs display the creation time, notification channel, and status (Success, Failed, Partial Success).

The generated alerts will also be displayed under Incidents > Alerts in the Hexnode XDR console.
