You can configure the Zscaler service to email specific individuals when certain events occur, so your organization can take action in a timely manner. You can create up to 128 alerts. You can create an alert for different types of events, such as when the service detects incoming or outgoing malware or when there is a policy violation. When you receive an alert, you can investigate it by going to Analytics and viewing logs of the event.

Events are grouped into classes. To see a list of events that can trigger alerts organized by class, see the table below.

Depending on your organization's subscriptions, you can configure the service to send alerts for the following classes:

Alert Classes

Security
  • Sandbox Adware
  • Sandbox Anonymizer
  • Sandbox Malware
  • Botnet
  • Incoming and Outgoing Malware
  • Incoming and Outgoing Spyware
  • Incoming and Outgoing - Unscannable Files
  • Incoming and Outgoing Viruses
  • Malicious Content
  • Phishing
Manage
  • URL Filtering Blocked Sites
  • Chat File Transfer
  • Social Network Post
  • Streaming Upload
  • Streaming View/Listen
  • Webmail File Attachment
System
  • Auth Bridge Down
  • LDAP Connection Down
  • LDAP Failure
  • LDAP Success
  • Policy Violation
Data Loss Prevention
  • Custom Engine Violation
  • GLBA Violation
  • HIPAA Violation
  • PCI Violation

Configuring Alerts

Perform the following tasks to configure alerts:

  • Add Alerts
  • Publish Alerts
  • Resend Alerts

You can also disable alerts.

Add Alerts

When you define an alert, you specify the following:

  • The event that triggers the alert, and the number of occurrences within a time period. The Zscaler service sends an alert when an event first reaches its threshold. For example, if the trigger event is “5 viruses in 5 minutes” and a user receives five viruses within a 5-minute interval, the service sends one alert. The service does not send additional alerts if the event continues for the next hour (that is, if the user keeps receiving 5 viruses every 5 minutes for the next hour).
  • Whether the alert is triggered by events in the organization or specific locations, departments or users.
  • The severity of the alert.

To add alerts:

  1. Go to Administration > Settings > Alerts.
  2. From the Define Alerts tab, click Add and define the alert.
    • Alert Name lists all of the trigger events for which the Zscaler service can generate an alert. Select the event you want to be notified about. Note that the Policy Violation event sends an alert when the total number of events from all other classes and categories reaches the configured threshold.
    • After you choose an alert, the class of the event appears in Alert Class.
    • From Minimum Occurrences, choose the number of times the event must occur before an alert is generated: 1, 5, 10, 100, or 1,000 occurrences. This value is used together with the Within Time Interval value: an alert is triggered when the event occurs the Minimum Occurrences number of times within the Within Time Interval period.
    • From Within Time Interval, choose the span of time within which those occurrences must fall: 5 minutes, 15 minutes, 30 minutes, 1 hour, or 1 day.
    • From the Applies To menu, specify whether the alert is triggered by events in the organization, a location, department or user. Then choose the specific location, department or user.
    • Assign a Severity level of Critical, Major, Minor, Info, or Debug to the event.
      This is useful if you want to create multiple alerts for the same kind of event (such as detection of outbound viruses or data leakage), but establish different thresholds for each. For example, you can set the severity level of an event with 5 occurrences in 5 minutes to Minor and set the severity level of the same event with 500 occurrences in 5 minutes to Critical. Set the Severity of each alert to reflect its threshold’s deviation from the norm.
    • Optionally, enter Comments about the event. The comments cannot exceed 10,240 characters.
  3. Click Save and activate the change.


Publish Alerts

To specify email recipients for the alerts:

  1. Go to Administration > Settings > Alerts.
  2. From the Publish Alerts tab, click Add.
  3. Enter a valid Email address, and optionally, a Description. The description cannot exceed 10,240 characters.
  4. For each class of alerts, select the severity level of the alerts that the recipient receives.
  5. Click Save and activate the change.

Resend Alerts

You can choose to send additional alerts every time the event's threshold is reached, as follows:

  1. Go to Administration > Settings > Alerts.
  2. From the Global Configuration tab, choose the interval at which the service sends an alert after the first alert is sent, if the event continues to occur. You can choose to send alerts every 30 minutes, 1 hour, 6 hours, 12 hours, or 24 hours.
    Selecting 30 minutes means that the service will send the next “5 viruses in 5 minutes” alert 30 minutes after the first alert; selecting “1 hour” means that the service will send a second alert an hour after the first.
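The threshold behaviour described under Add Alerts and the resend behaviour described above, modelled as an added Python example (this is not Zscaler's code): a rule counts events in the trailing Within Time Interval window, alerts the first time Minimum Occurrences is reached, and alerts again only after the Global Configuration resend interval has elapsed while the event continues. That the service evaluates a rule on each logged event is an assumption; the page does not describe its internals.

```python
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added model of the alert logic this page describes; not Zscaler code. Assumption:
# a rule is re-evaluated on each event and counts events in the trailing window.

@dataclass
class AlertRule:
    name: str
    min_occurrences: int        # Minimum Occurrences: 1, 5, 10, 100 or 1,000
    window_seconds: int         # Within Time Interval: 5 min ... 1 day, in seconds
    resend_seconds: Optional[int] = None  # Global Configuration resend interval; None = send once

class AlertEvaluator:
    """Tracks one rule over a stream of event timestamps (seconds)."""

    def __init__(self, rule: AlertRule) -> None:
        self.rule = rule
        self.window: deque = deque()      # timestamps still inside the interval
        self.last_alert_at: Optional[int] = None

    def observe(self, ts: int) -> bool:
        """Record an event at time ts; return True if an alert email is sent now."""
        self.window.append(ts)
        cutoff = ts - self.rule.window_seconds
        while self.window and self.window[0] <= cutoff:   # drop events that aged out
            self.window.popleft()
        if len(self.window) < self.rule.min_occurrences:
            return False                                   # threshold not reached
        if self.last_alert_at is None:
            self.last_alert_at = ts                        # threshold reached for the first time
            return True
        resend = self.rule.resend_seconds
        if resend is not None and ts - self.last_alert_at >= resend:
            self.last_alert_at = ts                        # event still ongoing, resend interval elapsed
            return True
        return False                                       # suppressed: already alerted

def simulate(rules: List[AlertRule], timestamps: List[int]) -> Dict[str, List[int]]:
    """Feed one constructed event stream to every rule; return the times each rule alerted."""
    evaluators = {r.name: AlertEvaluator(r) for r in rules}
    fired: Dict[str, List[int]] = {r.name: [] for r in rules}
    for ts in timestamps:
        for name, ev in evaluators.items():
            if ev.observe(ts):
                fired[name].append(ts)
    return fired
```

Feeding a constructed stream of one virus detection every 60 seconds for an hour to a "5 in 5 minutes" rule yields one alert at the fifth event, and a second one only when a 30-minute resend interval is configured; a "500 in 5 minutes" Critical rule on the same stream never fires.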

Disable Alerts

To disable alerts:

  1. Go to Administration > Settings > Alerts.
  2. Point to the alert you want to disable and click the Edit icon.
  3. From Status, select Disabled.
  4. Click Save and activate the change.