Portnox Cloud alerts

In this topic, you will learn what alerts are in Portnox™ Cloud, where to find them, and how to use them effectively.

To access and configure Portnox Cloud alerts, click on the Alerts option in the top menu.

A screen appears with a list of current alerts.

  • To search for a string in alert metadata, type the string in the search box in the top-left corner and click on the 🔍 icon or press the ↩ key.

    The search covers alert metadata only. It does not match alert names, alert descriptions, or the content shown under Additional Info.

    To search for the string in specific metadata, select the relevant option below the search box: All, Account, Device Name, Device IP, Device Mac, Device Port, NAS IP, NAS MAC.

    Result: The list of alerts on the right-hand side will be updated to contain only alerts that match the search string.

  • To filter the list of alerts, select the filter conditions from the menu on the left-hand side.

    If more filter conditions are available than fit in the menu, a Show more link appears. Click on this link to open the full list of filter options in a separate window.

    • For example, click on the OS menu option to filter the list so that it contains only alerts relating to a specific operating system. Then, select the operating system, and click on the Apply Filters button.

    • You can also click on the Show more link to open the OS window with more selection options.

      Then, select the operating system(s) and click on the Apply button to apply the filter.

    • The filter that you applied is visible above the list of alerts, below the top menu. Click on the x icon next to the filter condition name to remove a specific filter condition or click on the Reset All link to remove all filter conditions.

  • If an alert has an Action Required tag, there is a  ○  icon to the left of the alert. Click on the  ○  icon to select the alert to be resolved.
    1. The Resolve button appears above the list of alerts. Click on this button to resolve all selected alerts with the Action Required tag. You can also click on the Select all icon above the list of alerts to select all alerts that have the Action Required tag and then resolve them.

    2. The Resolving alerts window appears. Select the reason for resolving the alerts, enter a comment about the reason, and then click on the Resolve button.

    3. The tag Action Required is removed and the tag Resolved is added. You can select the alert again and click on the Reopen button above the list of alerts to go back to the previous state.

  • Click on the  ⚙  icon in the top-right corner to open a window with additional settings.
    1. In the HIDE EVENT SETTINGS tab, you can select the types of alerts to hide on the basis of the event type. Click on the checkboxes to hide specific event types.

      Important: If you hide a specific class of alerts, those alerts will not appear in the list even with all filters removed, and their metadata will not be searchable. If an alert seems to be missing, check here whether its event type has been hidden.
    2. In the HIDE ACCOUNT SETTINGS tab, you can select the types of alerts to hide on the basis of the account. Click on the checkboxes to hide specific accounts.

      Important: If you hide a specific account, no alerts for that account will appear in the list even with all filters removed, and their metadata will not be searchable. If information about a specific account seems to be missing, check here whether the account has been hidden.
    3. In the NOTIFICATION SETTINGS tab, you can select the types of alerts to send via email to the ADMINISTRATORS or to USERS (the user related to the specific alert).

    4. Optional: If your Cloud is integrated with a SIEM solution (for example, Microsoft Sentinel, Rapid7 insightIDR) or Sumo Logic, an extra SIEM EVENT SETTINGS tab is available, where you can select the types of alerts to send to the SIEM solution(s).

      Note: To learn more about the content and format of alert messages sent to SIEM solutions, see the following topic: Format and content of alert information for SIEM.
  • To get more information about an alert or access additional functionality, click on the links under the alert summary.
    • Click on the Additional Info link to view more information about the alert. The type of information displayed depends on the type of alert.

      Some alert types include helpful links in the top-right corner, for example a link to the applied policy (System Default Policy) and a link to the device account (View Device).

    • Click on the Hide link and then activate the relevant checkboxes to hide this alert type and/or this account in the future.

      You can unhide the alert event type or account by using the configuration options described earlier.

    • Click on the Notification link and activate the relevant checkbox to start sending email notifications about this type of alert to the administrators.

      You can stop sending notifications by using the configuration options described earlier.

  • Alerts for unrecognized devices connecting on MAC authentication bypass (MAB) ports include an option to immediately add the device's MAC address, or its OUI, to a MAC-based account. Click on the Add MAC(s) or OUI(s) to new or existing account link to open the ADD MAC(S) OR OUI(S) TO NEW OR EXISTING ACCOUNT window.

    Note: Adding a MAC address authorizes that one device only. Adding an OUI (the first three octets of the MAC address, which identify the hardware vendor) authorizes every device whose MAC address begins with that prefix, including devices you have never seen. Use the OUI options only when you intend to admit a whole class of devices from that vendor, and do not use them for devices that report a randomized (locally administered) MAC address, since such addresses carry no vendor prefix.

    • To add the MAC address of the new device to a new MAC-based account, select the Add MAC(s) from alert to a new MAB-account option. Portnox Cloud will open a new window to configure the new MAC-based account. Follow the instructions in this topic: Create a MAC-based account.

    • To add the MAC address of the new device to an existing MAC-based account, select the Add MAC(s) from alert to an existing MAB-account option. Next, click on the Select MAB-account drop-down field and select the MAC-based account to which you want to add this MAC address, and then click on the Confirm button to add the MAC address.

    • To add the OUI of the new device to a new MAC-based account, select the Add OUI(s) from alert to a new MAB-account option. Portnox Cloud will open a new window to configure the new MAC-based account. Follow the instructions in this topic: Create a MAC-based account.

    • To add the OUI of the new device to an existing MAC-based account, select the Add OUI(s) from alert to an existing MAB-account option. Next, click on the Select MAB-account drop-down field, select the MAC-based account to which you want to add this OUI, and then click on the Confirm button to add the OUI.

  • Alerts informing about authentication success or failure have an additional option link available: Session details. When you click on this link, a new browser tab opens with more details about this session.

    Warning: Session details are retained for 14 days from the timestamp of the alert only. After this period, the information is no longer available.
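The following Python is an added example and not Portnox code; it does not describe how Portnox Cloud stores or evaluates MAB accounts internally. It models the difference between the two choices offered by the MAB alert above: a MAC entry matches exactly one device, while an OUI entry matches every device whose first three octets equal that prefix. The `normalize_mac` helper is also useful when copying a MAC from an alert into the Device Mac search, because the same address may be reported in several notations. The `MabAccount` class, the account names and every MAC address below are constructed for the illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Tuple


def normalize_mac(mac: str) -> str:
    """Canonicalize a MAC address to 12 lowercase hex digits.

    Accepts the usual notations (aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF,
    aabb.ccdd.eeff, aabbccddeeff), so a MAC copied from an alert can be
    compared or stored regardless of how the NAS reported it.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def normalize_oui(value: str) -> str:
    """Return the 24-bit OUI (6 hex digits) from a full MAC or a bare OUI."""
    digits = re.sub(r"[^0-9a-fA-F]", "", value).lower()
    if len(digits) == 12:
        return digits[:6]
    if len(digits) == 6:
        return digits
    raise ValueError(f"not a MAC address or OUI: {value!r}")


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (bit 1 of the first octet) is set.

    Randomized MACs used by modern phones and laptops set this bit. Such a
    MAC carries no vendor OUI and may change on the next connection, so it
    is a poor candidate for either a MAC or an OUI entry.
    """
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


@dataclass
class MabAccount:
    """Hypothetical model of a MAC-based (MAB) account: explicit MACs plus OUIs.

    Illustration only; not how Portnox Cloud represents MAB accounts.
    """
    name: str
    macs: set = field(default_factory=set)
    ouis: set = field(default_factory=set)

    def add_mac(self, mac: str) -> None:
        self.macs.add(normalize_mac(mac))

    def add_oui(self, value: str) -> None:
        self.ouis.add(normalize_oui(value))

    def admits(self, mac: str) -> Optional[str]:
        """Return 'mac', 'oui' or None depending on why this account admits the device."""
        m = normalize_mac(mac)
        if m in self.macs:
            return "mac"
        if m[:6] in self.ouis:
            return "oui"
        return None


def admission_report(
    accounts: Sequence[MabAccount], macs: Sequence[str]
) -> List[Tuple[str, Optional[str], Optional[str], bool]]:
    """For each MAC, report (normalized_mac, admitting_account, reason, locally_administered).

    reason is 'mac' for an exact entry, 'oui' for a vendor-prefix entry and
    None when no account admits the device. An 'oui' hit means the device was
    admitted because of its vendor prefix, not because of its identity.
    """
    report = []
    for mac in macs:
        account, how = None, None
        for acct in accounts:
            how = acct.admits(mac)
            if how:
                account = acct.name
                break
        report.append((normalize_mac(mac), account, how, is_locally_administered(mac)))
    return report


if __name__ == "__main__":
    # Constructed sample data: account names and MAC addresses are made up.
    printers = MabAccount("Printers")
    printers.add_mac("00:11:22:33:44:55")       # authorizes exactly one device
    cameras = MabAccount("Cameras")
    cameras.add_oui("A8-BB-CC-00-00-01")         # authorizes every a8:bb:cc:* device
    seen = ["00-11-22-33-44-55", "a8bb.cc99.8877", "DE:AD:BE:EF:00:01"]
    for row in admission_report([printers, cameras], seen):
        print(row)
```

Run the block directly to see the three cases side by side: the printer is admitted by an exact MAC entry, a camera never seen before is admitted purely by its vendor prefix, and the third address is rejected and flagged as locally administered, which is the case where neither the MAC nor the OUI option gives a stable identity.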