Editing Alerts

Security Requirements and Controls

Existing alerts can be edited or modified.

To edit an existing alert:

  1. Go to the Automation tab to see the full list of alerts saved in the repository.

  2. Click on the name of the alert to edit.

  3. Change the properties in the Properties panel on the right — for example, you can add a description of the alert or change the time window. For the full list of the alert properties that can be modified in an existing alert, see Alert Properties.

  4. To edit the current alert query, click Edit in search page under Query:

    Edit Query

    Figure 191. Edit Query


  5. You are redirected back to the Search environment in Editing alert mode, where you can select fields and refine your query.

    Editing Query from the Search Page

    Figure 192. Editing Query from the Search Page


    Note

    Pay attention to the type of alert you're editing the query for: if it's an aggregate alert type it requires an aggregate query, and won't work if you change it to a filter query.

  6. Click Save to save the new query, or Discard changes to cancel any edits you have made.

  7. When you've done editing the alert, click Save alert on the bottom right of the panel: saving the edited alert will create and, if necessary, restart the alert query.

Note

You cannot switch between alert types once the alert is created. To recreate an alert as a different type, you will need to copy the query to a new alert.