
Custom Alerts: Focus On What You Care About

Obsidian is designed from the get-go to balance simplicity with sophistication. Obsidian offers an easy-to-use SaaS security solution that delivers value in minutes, with single-pane visibility across applications and out-of-the-box alerts for a wide range of security threats and risks. At the same time, threat-focused teams can use the powerful built-in search interface to look for interesting behavior or signs of trouble in the activity data.

We are excited to now offer a new custom alerts capability that allows you to create your own alerts in Obsidian, triggered by the activity that matters to you. Custom alerts extend the flexibility of the Obsidian platform by letting security teams control exactly what gets flagged and when. Let’s look at how you use custom alerts and walk through a few examples.

Custom alert for privileged account login failures from outside the US.

How It Works

In an earlier post, we talked about how Obsidian allows you to run searches against the activity data aggregated and normalized from SaaS applications. Obsidian users write queries in a simple, domain-specific language called Obsidian Query Language (OQL), combining a broad set of criteria including users, locations, IP addresses, devices, dates, and more. Do you want to see all Zoom activity over the past two weeks? There’s a query for that:

timestamp:[now-14d TO *] service:zoom

How about all activity in Salesforce outside the home office? We’ve got you covered:

-geo.city:"newport beach" service:salesforce

Do you need to check if there were any failed logins to privileged accounts from outside the US? Here you go:

event:obsidian.authenticate AND status:fail AND actor.account.is_privileged:TRUE AND -geo.country:"united states"

And now, with custom alerts, you can ask Obsidian to run this search continuously in the background and raise an alert with a specific severity level if it returns any results.

You can create a new search from scratch or start with one of the saved searches in Obsidian’s library of 100+ searches to identify signs of trouble or to simply better understand what is happening in your applications.
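As an added illustration (not Obsidian’s own code), here is a small Python evaluator that runs the three queries above over constructed activity records and applies the custom-alert rule: raise an alert, with the chosen severity, only when the search returns results. The record field names, the fixed clock, and the subset of OQL syntax handled (field:value terms, "-" negation, quoted values, implicit AND, and timestamp ranges such as [now-14d TO *]) are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so 'now-14d' is deterministic
# Constructed sample of normalized SaaS activity records (not real data); field names assumed.
EVENTS = [
    {"timestamp": NOW - timedelta(days=2), "service": "zoom", "event": "obsidian.authenticate",
     "status": "success", "actor.account.is_privileged": False,
     "geo.city": "newport beach", "geo.country": "united states"},
    {"timestamp": NOW - timedelta(days=20), "service": "zoom", "event": "obsidian.authenticate",
     "status": "success", "actor.account.is_privileged": False,
     "geo.city": "newport beach", "geo.country": "united states"},
    {"timestamp": NOW - timedelta(hours=3), "service": "salesforce", "event": "obsidian.authenticate",
     "status": "fail", "actor.account.is_privileged": True,
     "geo.city": "sydney", "geo.country": "australia"},
    {"timestamp": NOW - timedelta(hours=1), "service": "salesforce", "event": "obsidian.file.download",
     "status": "success", "actor.account.is_privileged": True,
     "geo.city": "newport beach", "geo.country": "united states"},
]

# One term: optional '-' (negation), dotted field, then a "quoted", [range] or bare value.
TERM = re.compile(r'(-?)([\w.]+):(?:"([^"]*)"|\[([^\]]*)\]|(\S+))')  # 'AND' is skipped

def relative_time(expr):
    """Resolve 'now', 'now-14d', 'now-3h' or '*' (unbounded) into a datetime bound."""
    if expr == "*":
        return None
    n, unit = re.fullmatch(r"now(?:-(\d+)([dh]))?", expr).groups()
    if n is None:
        return NOW
    return NOW - timedelta(**{("days" if unit == "d" else "hours"): int(n)})

def term_matches(event, field, quoted, rng, bare):
    if rng:  # range term, e.g. timestamp:[now-14d TO *]
        lo, hi = (relative_time(p.strip()) for p in rng.split(" TO "))
        return (lo is None or event[field] >= lo) and (hi is None or event[field] <= hi)
    wanted = (quoted or bare).lower()  # case-insensitive, so TRUE matches a True field
    return str(event.get(field, "")).lower() == wanted

def search(query, events=EVENTS):
    """Events for which every term holds (a '-' term must NOT match)."""
    terms = TERM.findall(query)
    return [e for e in events
            if all(term_matches(e, f, q, r, b) != (neg == "-") for neg, f, q, r, b in terms)]

def evaluate_alert(name, query, severity, events=EVENTS):
    """Custom-alert rule: run the saved search; raise an alert only if it returns results."""
    hits = search(query, events)
    return {"alert": name, "severity": severity, "hits": hits} if hits else None
```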

Conclusion

Custom alerts built on your saved searches put you in the driver’s seat of your SaaS security by giving you control over what you get alerts on. Need to know when someone changes a file, logs in from Australia, or changes a setting that only matters to you? Obsidian lets you instantly build alerts on what matters to you, quickly, easily and flexibly across your SaaS applications. You never have to search for the same thing twice. Give it a try. We know you’ll love it.