CyTech AQUILA - Cyber Incident Management (CIM): Alert Rules
The Alert Rules section provides centralized management of alert rules assigned to various log sources. This module enables administrators and analysts to review, configure, and monitor rules that generate alerts for security and operational events.
Header Summary
- Total Alert Rules: Displays the total number of alert rules configured in the system.
- Active Alert Rules: Shows the number of rules currently active and monitoring events.
- Critical Rules: Highlights the subset of rules categorized as critical, requiring immediate attention.
Search and Filter
- The Search bar allows users to quickly locate specific alert rules by entering keywords.
- The Filter option enables users to refine results based on categories or parameters, ensuring efficient navigation in environments with a large number of rules.
Integrations (Under Development)
- The Integrations menu provides options for connecting alert rules with integrated platforms or data sources, ensuring seamless rule application across multiple systems.
Add Alert Rule
- The Add Alert Rule button allows users to create new alert rules. These can be customized to monitor specific log sources, event patterns, or security indicators.
Alert Rule Listings
- Each listed entry represents a log source with its associated rules.
- Details include:
  - Name of the log source (e.g., APM, AWS, Active Directory, Azure).
  - Version of the rule set applied.
  - Rule count indicating the total number of rules assigned to that log source.
  - A link to View Alert Rules, which opens the detailed configuration and management interface for that specific source.
Users can also click a rule to see more details about it.
Users can also modify a rule by pressing the Edit Alert Rule button. In this section they can adjust the rule's time interval and risk score, or change its severity.
Manage Alert Rules
The Manage Alert Rules interface provides administrators with a centralized view and management panel for alert rules assigned to a data source. This page allows users to search, filter, review, enable/disable, and monitor the execution of a specific alert rule.
Search and Filter
- Search Bar: Provides keyword-based searching to quickly locate specific rules.
- Filter Button: Enables refined filtering of rules based on defined criteria such as severity, status, or log type.
Global Toggle Controls
- Display All Disable: When enabled, this toggle ensures all disabled rules are displayed.
- Display All Enable: When enabled, this toggle ensures all enabled rules are displayed.
- These global options simplify rule visibility management in environments with large numbers of configured alerts.
Rule Table
The central section of the page displays a table containing all alert rules for the selected log source (AWS in the example shown) with associated metadata and controls. Each row corresponds to a specific rule, with the following columns:
- Rule
- Risk Score
- Last Run
- Severity
- Last Response
- Last Updated
- Enabled/Disabled Toggle
This section ensures visibility into how alerts are defined and enforced across environments. By consolidating rule management, it allows administrators to maintain consistency, identify gaps, and prioritize responses effectively.
Please refer to the document from the previous sub-module: CyTech AQUILA - Cyber Incident Management (CIM): Reports
Please refer to the document for the next sub-module: CyTech AQUILA - Cyber Incident Management (CIM): Settings
If you need further assistance, kindly contact our support team at support@cytechint.com for prompt guidance.