Alert rules define the conditions that trigger notifications in LT Auditor MP. When an incoming event matches a rule’s criteria, the system generates an alert and notifies the configured recipients. Setting up alert rules is one of the most important steps in getting value from the platform.
Recommended starting alerts:
| Alert | Description |
| --- | --- |
| Failed login threshold | Triggers when a user exceeds a set number of failed logins in a given time window |
| Privileged account changes | Triggers when admin or privileged group membership is modified |
| File deletion on sensitive directories | Triggers when files are deleted from defined high-value paths |
| New admin account created | Triggers when a new account is added to an administrative group |
| Suspicious sign-in (Entra ID) | Triggers on sign-ins from unfamiliar locations or outside business hours |
Creating a new alert rule:
- In the Web UI, navigate to Manage > Add Filter
- Select the target Environment and Category the rule applies to
- Configure the filter details:
  - Filter Name: a clear, descriptive name for the alert (e.g., “Failed Logins: Threshold Exceeded”)
  - Description: the purpose and criteria of the alert
  - Priority: the order in which this rule is evaluated relative to others
  - Active Status: enable or disable the rule
- Define the filter conditions, the criteria an event must meet to trigger the alert:
  - Click Add Condition
  - Select a field from the log schema (e.g., Event Type, User, Severity)
  - Choose an operator (e.g., Equals, Contains, Greater Than)
  - Enter the comparison value
  - Add multiple conditions using AND/OR logic as needed
- Under Operations, select which event types this rule applies to using the checkbox tree
- Under Actions, select Alert as the action and configure:
  - Email Recipients: who receives the notification
  - Alert Frequency: immediate, digest, or threshold-based
  - Severity: Critical, High, Medium, or Low
- Click Test Filter to verify that the rule matches the intended events, and only those, before activating it
- Click Save and confirm the rule is set to Active
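To make the field/operator/value conditions, AND/OR grouping, priority order, Active flag and threshold-in-window frequency concrete, here is an added, stand-alone Python model of such a rule evaluator run over constructed sample events, the same kind of dry run that Test Filter performs. This is illustrative code written for this page, not LT Auditor MP's engine or API; the field names (Event Type, User, Group, Severity, Timestamp), the operator names, the rule settings and every sample event are assumptions chosen to mirror the steps above.

```python
# Illustrative alert-rule evaluator written for this page. It is NOT LT Auditor MP code;
# it models the condition/operator/value, AND/OR, priority, Active and threshold-in-window
# behaviour described in the procedure above. Field names, operator names and all
# sample events below are assumptions / constructed data.
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Operators a condition can use (assumed names, mirroring the UI labels above).
OPERATORS = {
    "Equals": lambda actual, expected: actual == expected,
    "Contains": lambda actual, expected: str(expected) in str(actual),
    "Greater Than": lambda actual, expected: actual > expected,
}


@dataclass
class Condition:
    field_name: str   # a field from the (assumed) log schema, e.g. "Event Type"
    operator: str     # one of OPERATORS
    value: object     # comparison value entered in the rule

    def matches(self, event: dict) -> bool:
        # An event lacking the field never matches: a missing value must not satisfy a condition.
        if self.field_name not in event:
            return False
        return OPERATORS[self.operator](event[self.field_name], self.value)


@dataclass
class Rule:
    name: str
    conditions: list
    logic: str = "AND"                        # how conditions combine: "AND" or "OR"
    priority: int = 100                       # lower number is evaluated first
    active: bool = True                       # Active Status toggle
    severity: str = "Medium"
    threshold: int = 1                        # 1 = immediate; >1 = threshold-based
    window: timedelta = timedelta(minutes=5)  # time window the threshold is counted over
    group_by: str = "User"                    # threshold is counted per value of this field
    _hits: dict = field(default_factory=lambda: defaultdict(deque), init=False, repr=False)

    def matches(self, event: dict) -> bool:
        results = [c.matches(event) for c in self.conditions]
        return all(results) if self.logic == "AND" else any(results)

    def evaluate(self, event: dict):
        """Return an alert dict if this event makes the rule fire, else None."""
        if not self.active or not self.matches(event):
            return None
        key = event.get(self.group_by, "<none>")
        hits = self._hits[key]
        hits.append(event["Timestamp"])
        cutoff = event["Timestamp"] - self.window
        while hits and hits[0] < cutoff:      # drop matches that fell out of the window
            hits.popleft()
        if len(hits) < self.threshold:
            return None
        hits.clear()  # one alert per burst, not one per extra event over the threshold
        return {"rule": self.name, "severity": self.severity, "key": key, "at": event["Timestamp"]}


def run_rules(rules, events):
    """Dry run, like Test Filter: events in time order, rules in priority order."""
    alerts = []
    for event in sorted(events, key=lambda e: e["Timestamp"]):
        for rule in sorted(rules, key=lambda r: r.priority):
            alert = rule.evaluate(event)
            if alert:
                alerts.append(alert)
    return alerts


def build_rules():
    """Fresh rule objects each call, so repeated dry runs do not share threshold state."""
    return [
        Rule(name="Failed Logins: Threshold Exceeded",
             conditions=[Condition("Event Type", "Equals", "Logon Failure")],
             priority=10, severity="High", threshold=5, window=timedelta(minutes=2)),
        Rule(name="Privileged Group Membership Changed",
             conditions=[Condition("Event Type", "Equals", "Group Membership Change"),
                         Condition("Group", "Contains", "Admin")],
             logic="AND", priority=20, severity="Critical"),
        Rule(name="Inactive Catch-all",  # disabled, so it must never fire
             conditions=[Condition("Severity", "Greater Than", 0)], active=False),
    ]


# Constructed sample events (not real logs): alice fails 5 logins within 95 s, bob once,
# carol is added to Domain Admins, dave to a non-privileged group.
T0 = datetime(2024, 1, 15, 9, 0, 0)
SAMPLE_EVENTS = [
    {"Timestamp": T0 + timedelta(seconds=s), "Event Type": "Logon Failure", "User": "alice", "Severity": 2}
    for s in (0, 20, 45, 70, 95)
] + [
    {"Timestamp": T0 + timedelta(seconds=30), "Event Type": "Logon Failure", "User": "bob", "Severity": 2},
    {"Timestamp": T0 + timedelta(minutes=3), "Event Type": "Group Membership Change",
     "User": "carol", "Group": "Domain Admins", "Severity": 4},
    {"Timestamp": T0 + timedelta(minutes=4), "Event Type": "Group Membership Change",
     "User": "dave", "Group": "Sales", "Severity": 4},
]

if __name__ == "__main__":
    for a in run_rules(build_rules(), SAMPLE_EVENTS):
        print(f'{a["at"]:%H:%M:%S} [{a["severity"]}] {a["rule"]} ({a["key"]})')
```

Running it yields two alerts: the failed-login rule fires once for alice on her fifth failure inside the two-minute window (bob's single failure stays below the threshold), and the privileged-group rule fires immediately for carol; the disabled rule never fires. Counting the threshold per user rather than globally is the choice that keeps one noisy account from masking, or being masked by, everyone else's activity.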
Managing existing alert rules:
- To edit a rule, select it from the filter list and click the Edit icon
- To temporarily disable a rule without deleting it, toggle the Active switch off
- To delete a rule, select it and click the Delete icon, then confirm when prompted
Deleting an alert rule permanently removes it and any associated configuration. Disable the rule instead if you may need it again in the future.
Best practices:
- Use descriptive names that clearly indicate what the alert is monitoring
- Set priorities carefully: rules are evaluated in priority order
- Always test rules with sample data before activating in production
- Avoid creating too many overlapping rules, which can lead to alert fatigue
- Review and audit your active alert rules regularly to keep them relevant