Alerts
Stay informed about security risks and policy violations
Alerts help you track security risks, misconfigurations, and policy violations by notifying you when query records meet specific conditions. They allow you to proactively monitor security events and respond quickly when risks arise.
Alerts are one of the building blocks that make up an app, alongside queries, canvases, and workflows.
Alerts allow you to track security risks by monitoring query records and triggering notifications when conditions are met.
To create an alert rule, open the Alerts tab of your app, go to Alert Rules, and click New rule.
Define the following in the Sola wizard:
Rule query - Select the query you want to monitor. Use an existing published query.
Query record fingerprint - Specify which columns uniquely identify your records for deduplication. By default, all columns are included.
Grouping - Configure how query records are grouped into alerts with findings.
Alert scope - Choose whether to apply the rule to all existing query records or only to new ones that appear after the rule is enabled. Note: Simulation will run on existing records.
Alert name - Use the rule name or a custom alert name. Insert dynamic placeholders for dynamic alert names. Note: Use $ to add a dynamic placeholder (e.g., ${id}, ${created_at}).
Alert description - Add a description that will appear with the triggered alert. Insert dynamic placeholders for dynamic alert descriptions. Note: Use $ to add a dynamic placeholder (e.g., ${id}, ${created_at}).
Steps to remediate - Add guidance on how to fix or address this issue.
Alert severity - Select the alert severity level.
Activate rule - Enable to start enforcing this rule on the selected query.
Alerts are managed in two views:
The Triggered Alerts view is where you can:
View all triggered alerts and their severity.
Investigate findings and update the alert status as you resolve them.
Assign alerts to team members for resolution.
The Alert Rules view is where you can:
Create and edit alert rules to track security findings.
Enable or disable rules as needed.
Delete rules that are no longer relevant.
Editing an alert rule: Once an alert rule is created, you can only edit the name, description, severity, and remediation steps. The core logic (e.g., query, fingerprint, or grouping) cannot be modified. To change the logic, create a new rule.
When an alert is triggered, it includes supporting evidence that helps you understand why the alert was triggered. Evidence is categorized into three states, which impact the alert lifecycle:
Active evidence - Evidence found in the last alert calculation.
Excluded evidence - Evidence found that was manually excluded from the active evidence list. Excluded evidence can be re-activated if needed.
Old evidence - Evidence that existed in a previous calculation but is no longer detected.
To review evidence for a triggered alert, click an alert in the Triggered Alerts view.
Managing evidence lets you control whether an alert remains active, is resolved, or is suppressed.
After an alert is triggered, you can review its details, investigate findings, and take action.
Opening an alert shows the matching query records and why it was triggered.
You can assign alerts to team members and update their status as you work through them.
Open - A new alert has been triggered and requires investigation.
In Progress - The alert is being reviewed or worked on.
Suppressed - The alert is acknowledged but does not require action.
Resolved - The issue has been addressed and no longer needs attention.
Auto-Resolved - The issue has been automatically resolved by the system, since there is no active evidence.
Deprecated - The alert has been deprecated, since the query used in the alert rule, representing the rule logic, has changed.
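The following is an added illustration, not Sola's code: a small Python model of how fingerprint columns deduplicate query records and how the active, excluded, and old evidence states can lead to the Auto-Resolved status. The hashing scheme, function names, grouping of all records into one alert, and the rule that only Open or In Progress alerts auto-resolve are assumptions; the sample records are constructed.

```python
import hashlib
from string import Template

def fingerprint(record, columns=None):
    """Hash the chosen fingerprint columns (default: all columns) into a record ID."""
    cols = sorted(columns or record)
    material = "\x1f".join(f"{c}={record.get(c)}" for c in cols)
    return hashlib.sha256(material.encode()).hexdigest()[:16]

def new_alert(name_template, record):
    """Render ${column} placeholders in the alert name from a query record."""
    return {"name": Template(name_template).safe_substitute(record),
            "status": "Open", "active": {}, "excluded": set(), "old": set()}

def exclude(alert, fp):
    """Manually move one piece of active evidence to the excluded list."""
    alert["active"].pop(fp, None)
    alert["excluded"].add(fp)

def recalculate(alert, records, columns=None):
    """Reconcile evidence with the latest query result and update the status."""
    seen = {fingerprint(r, columns): r for r in records}  # duplicates collapse here
    previous = set(alert["active"]) | alert["old"]
    alert["active"] = {fp: r for fp, r in seen.items() if fp not in alert["excluded"]}
    alert["old"] = previous - set(seen)  # found before, not detected now
    if not alert["active"] and alert["status"] in ("Open", "In Progress"):
        alert["status"] = "Auto-Resolved"  # assumption: only these statuses auto-resolve
    return alert

# Constructed sample records: bucket-a is reported twice with different timestamps.
RUN_1 = [
    {"id": "bucket-a", "acl": "public-read", "created_at": "2024-05-01T10:00:00Z"},
    {"id": "bucket-a", "acl": "public-read", "created_at": "2024-05-01T11:00:00Z"},
    {"id": "bucket-b", "acl": "public-read", "created_at": "2024-05-01T10:05:00Z"},
]
RUN_2 = [{"id": "bucket-b", "acl": "public-read", "created_at": "2024-05-02T10:05:00Z"}]

def demo():
    key = ["id", "acl"]  # fingerprint columns chosen for this rule
    all_cols = len({fingerprint(r) for r in RUN_1})  # default: timestamp defeats dedup
    alert = new_alert("Public bucket (first seen ${created_at})", RUN_1[0])
    recalculate(alert, RUN_1, key)
    after_run_1 = len(alert["active"])  # two distinct buckets
    recalculate(alert, RUN_2, key)  # bucket-a is no longer detected
    old_after_run_2 = len(alert["old"])
    exclude(alert, fingerprint(RUN_2[0], key))  # bucket-b accepted as an exception
    recalculate(alert, RUN_2, key)
    return all_cols, after_run_1, old_after_run_2, alert["status"], alert["name"]
```

In this model, leaving a volatile column such as a timestamp in the fingerprint makes every re-observation of the same resource look like a new record, which is why the fingerprint columns are worth narrowing from the all-columns default.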
Once configured, alerts will automatically track matching query records and display them in the view.
App permissions, such as create and edit, are based on your app role. To see available permission levels and check your role, go to Settings > .