The Alerts module lets administrators define, schedule, and manage security alerts in Skopos Guard. Use it to configure detection rules, user and technician notifications, business hours, escalations, and activity history. Access the module from Parameterizations → Alerts (/params/alerts).
📋 Alerts List
The list screen shows all alerts split into two tabs: Default alerts (built-in system alerts) and Custom alerts (alerts created by your organization).
| Control / Column | Description |
|---|---|
| New | Opens the alert creation form (/params/alerts/new). |
| Refresh | Reloads the alerts list. |
| Delete | Available on the Custom alerts tab. Deletes selected alerts (checkboxes). Built-in default alerts cannot be deleted. |
| Category | Alert grouping label shown in the table. |
| Alert | Alert name. Click to open the detail page. |
| Description | Short summary; hover for the full text. |
| User | Icon indicating whether user notification is configured (call, SMS, or email). |
| Technician | Icon indicating whether technician notification is configured. |
| Active | Whether the alert is currently enabled. |
Tip: Built-in alerts (for example Impossible Travel) appear under Default alerts. They cannot be deleted; deactivate them from the alert detail page if needed.
➕ Creating a New Alert
When you click New, only the Overview tab is available until the alert is saved. Complete the basic fields and click Save Alert to unlock the remaining configuration tabs.
| Field | Description |
|---|---|
| Name | Display name of the alert. |
| Description | Detailed explanation of what the alert detects or why it exists. |
| Category | One or more categories. Type to add new values or separate multiple entries with commas. |
| Create ConnectWise ticket | When enabled, matching SIEM events create a ConnectWise ticket on the service board configured under Integrations → ConnectWise → SIEM — ConnectWise tickets. |
| SkoposGuard system alert | Master-company option only. Marks the alert as a native/system alert from Skopos Guard. |
🔍 Alert Detail — Toolbar
After saving, the detail page (/params/alerts/view/{id}) provides these actions:
| Button | Description |
|---|---|
| List all | Returns to the alerts list. |
| New | Creates another alert. |
| Duplicate | Copies the current alert configuration. |
| Refresh | Reloads alert data from the server. |
| Deactivate / Activate Alert | Toggles whether the alert runs. |
| Delete | Removes custom alerts. Hidden for system/default alerts. |
📑 Overview
Same fields as the new-alert form. Use Save Alert to persist name, description, category, and ConnectWise options.
🛡️ Detection Rules
Define when the alert fires. Choose a Rule type and configure conditions.
| Rule type | Description |
|---|---|
| ConnectWise | Rule builder with AND/OR conditions for ConnectWise-related events. |
| SIEM | Rules against SIEM / Unified Audit Log data using one of the builders below. |
SIEM rule builders:
| Builder | Description |
|---|---|
| Default Alerts | Pre-defined types: Impossible Travel, New Inbox Rule, Microsoft Traffic Flatline. |
| Form Builder | Filter by organization (tenant), record type, operation, user, and result. |
| Query Builder | Visual condition builder with generated KQL preview. |
| KQL Direct | Write KQL queries directly for advanced scenarios. |
Saved rules appear in the List of rules table where you can edit, reorder, enable, or disable them.
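The following is an added illustration, not Skopos Guard code: it models how a Form Builder rule could be evaluated against Unified Audit Log records and how an ordered rule list with disabled entries behaves. The mapping of the five form filters to the UAL fields `OrganizationId`, `RecordType`, `Operation`, `UserId` and `ResultStatus`, the AND and first-match semantics, and the names `FormRule` and `first_match` are all assumptions; the sample records are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed mapping: Form Builder filter -> UAL common-schema field.
FIELD_MAP = {"organization": "OrganizationId", "record_type": "RecordType",
             "operation": "Operation", "user": "UserId", "result": "ResultStatus"}

@dataclass
class FormRule:
    name: str
    enabled: bool = True
    organization: Optional[str] = None
    record_type: Optional[int] = None
    operation: Optional[str] = None
    user: Optional[str] = None
    result: Optional[str] = None

    def matches(self, record: dict) -> bool:
        # Every filter that is set must match (AND); unset filters match anything.
        for attr, ual_field in FIELD_MAP.items():
            wanted = getattr(self, attr)
            if wanted is None:
                continue
            actual = record.get(ual_field)
            if actual is None or str(actual).casefold() != str(wanted).casefold():
                return False
        return True

def first_match(rules, record):
    """Name of the first enabled rule, in list order, that matches (assumed semantics)."""
    for rule in rules:
        if rule.enabled and rule.matches(record):
            return rule.name
    return None

# Constructed sample records, not real tenant data.
SAMPLE = [
    {"OrganizationId": "tenant-a", "RecordType": 1, "Operation": "New-InboxRule",
     "UserId": "Alice@example.com", "ResultStatus": "True"},
    {"OrganizationId": "tenant-a", "RecordType": 15, "Operation": "UserLoggedIn",
     "UserId": "bob@example.com", "ResultStatus": "Success"},
    {"OrganizationId": "tenant-b", "RecordType": 1, "Operation": "New-InboxRule",
     "UserId": "carol@example.com", "ResultStatus": "True"},
]
RULES = [
    FormRule("inbox-rule-tenant-a", organization="tenant-a", operation="New-InboxRule"),
    FormRule("any-inbox-rule", enabled=False, operation="New-InboxRule"),
    FormRule("alice-anything", user="alice@example.com"),
]
print([first_match(RULES, r) for r in SAMPLE])
```

In this model the tenant-b inbox rule goes unmatched only because the broader rule is disabled, which is the kind of coverage gap worth checking for after reordering or disabling rules.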
👤 User Notifications
Configure how end users are notified when the alert fires.
| Field / Section | Description |
|---|---|
| Enable user notification | Master switch for user-facing notifications. |
| Client / User / Notification type | Add recipients by client, user, and channel (Call, SMS, Email). Use the plus (+) button to add rows. |
| Technician notification on rejection | When the user does not recognize the activity, notify assigned technicians by call, SMS, or email. |
| Voice Call / SMS / E-mail tabs | Configure message content, voice prompts, and delivery settings per channel. |
🔧 Technician Notifications
Configure notifications sent to technicians when the alert is triggered or when follow-up is required.
| Section | Description |
|---|---|
| Close ticket | Options for automatically closing related tickets when the technician confirms the alert. |
| Technician | Select technicians and notification channels. |
| Voice Call / SMS / E-mail | Per-channel templates, including customizable email content with preview. |
🕐 Schedule
Control when the alert is allowed to run.
| Section | Description |
|---|---|
| Business Hours Configuration | Enable business-hours restrictions and timezone settings. |
| Weekly Schedule | Set start/end times per day of the week. Toggle each day on or off. |
| Holidays Management | Add, edit, or remove holiday dates when the alert should not run. |
📊 Activity
Review historical execution and delivery logs for the alert.
| Tab | Description |
|---|---|
| Notification history | Unified audit log entries related to notifications (flat and JSON views). |
| Alert History | Record of alert firings and outcomes. |
| Call Logs | Voice call attempts and results. |
| SMS Logs | Text message delivery history. |
| Email log | Email notification delivery history. |
⬆️ Escalations
Define escalation behavior when a user or technician rejects the alert.
| Field | Description |
|---|---|
| ConnectWise Priority | Priority applied to the ConnectWise ticket when the user/technician responds that they do not recognize the activity (Priority 1–4 or Do nothing). |
Click Save Escalations to apply changes.
🎫 Ticket Summary
Customize notes added to ConnectWise time entries when the alert is confirmed or rejected.
| Tab | Description |
|---|---|
| Confirmation message | Note template when the user/technician confirms the alert. Supports placeholders such as [ClientUserEmail] and [TechnicianUserName]. |
| Rejection message | Note template when the alert is rejected or not recognized. |
⚙️ Exceptions
Available for specific default alert types. Define exclusions so certain conditions do not trigger notifications.
| Tab | Description |
|---|---|
| Alert rules | Exception rules that suppress firing under defined conditions. |
| Azure applications | Exclude specific Azure AD applications from the alert scope. |
Tip: Save the Overview tab first before configuring rules, notifications, or schedule. Each major tab has its own Save action — remember to save after making changes.


