Drift Alerts

Configure notifications for drift detection events

Configure how Securtea notifies you when drift is detected. Set up email, in-app, and webhook alerts based on severity and resource types.

Alert Overview

When drift is detected, Securtea can notify you through:

Channel  | Description
---------|------------------------------------------
In-App   | Dashboard notifications and badge counts
Email    | Messages to individuals or groups
Webhook  | HTTP POST to external systems

Alert Configuration

Accessing Alert Settings

  1. Navigate to Drift Detection > Settings
  2. Click Alert Configuration
  3. Configure channels and rules

Global Settings

Configure defaults that apply to all alerts:

Setting          | Description
-----------------|-----------------------------------------------
Default Severity | Minimum severity to alert on
Quiet Hours      | Suppress non-critical alerts during off-hours
Digest Mode      | Batch alerts into periodic summaries

In-App Alerts

How They Work

In-app alerts appear as:

  • Badge count on navigation icon
  • Notification panel entries
  • Dashboard widget updates

Configuration

In-app alerts are always enabled. Customize display:

  1. Go to User Settings > Notifications
  2. Configure display preferences
  3. Set which severities show badges

Notification Panel

Click the bell icon to see:

  • Recent drift events
  • Event details and links
  • Mark as read options

Email Alerts

Setting Up Email Alerts

  1. Go to Drift Detection > Settings > Alerts
  2. Click Add Email Alert
  3. Configure the alert

Configuration Options

Field              | Description
-------------------|---------------------------------------
Recipients         | Email addresses or distribution lists
Severity Threshold | Minimum severity to send
Resource Types     | Specific resources or all
Frequency          | Immediate or digest

Email Content

Alert emails include:

  • Drift event summary
  • Affected resource details
  • Current vs. baseline values
  • Link to event in Securtea
  • Quick action buttons

Example Email

Subject: [CRITICAL] Drift Detected - Conditional Access Policy Modified

A critical configuration change was detected:

Resource: Conditional Access Policy "Require MFA for Admins"
Change Type: Modified
Severity: Critical

Changed Properties:
- state: "enabled" → "disabled"

View in Securtea: [Link]

Digest Mode

Batch multiple events into periodic emails:

Frequency | When Sent
----------|------------------------
Hourly    | Top of each hour
Daily     | 8:00 AM (configurable)
Weekly    | Monday 8:00 AM

Digests summarize:

  • Total events by severity
  • Top resource types affected
  • Links to individual events

Webhook Alerts

Setting Up Webhooks

  1. Go to Drift Detection > Settings > Alerts
  2. Click Add Webhook
  3. Configure the webhook

Configuration Options

Field              | Description
-------------------|-----------------------------------------
URL                | HTTPS endpoint to receive events
Secret             | HMAC secret for signature verification
Severity Threshold | Minimum severity to send
Resource Types     | Filter to specific resources

Webhook Payload

Webhooks send a JSON payload:

{
  "event": "drift.detected",
  "timestamp": "2024-01-15T09:30:00Z",
  "severity": "critical",
  "resource": {
    "type": "conditionalAccessPolicy",
    "id": "policy-123",
    "displayName": "Require MFA for Admins"
  },
  "changes": [
    {
      "property": "state",
      "baseline": "enabled",
      "current": "disabled"
    }
  ],
  "eventId": "drift-evt-456",
  "organizationId": "org-789"
}

Signature Verification

Verify webhook authenticity:

X-Securtea-Signature: sha256=...

Compute the HMAC-SHA256 of the request body with your secret and compare it to the value in the header.
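The check described above, as an added Python example for the receiving side (this is not Securtea's own code). It assumes the header format shown on this page, `sha256=<hex digest>`, and uses a constructed secret and a constructed request body that mirrors the payload above. Two details matter in practice: the HMAC must be computed over the exact bytes received, before any JSON parsing or re-serialisation, and the comparison must be constant-time so that a forged header cannot be refined byte by byte from response timing.

```python
import hashlib
import hmac
import json
from typing import Any, Dict, Optional

# Constructed example secret; in a real deployment this is the Secret value
# entered in the webhook configuration, stored outside source control.
WEBHOOK_SECRET = b"example-shared-secret"

# Constructed sample body, mirroring the drift.detected payload shape on this page.
SAMPLE_BODY = json.dumps({
    "event": "drift.detected",
    "timestamp": "2024-01-15T09:30:00Z",
    "severity": "critical",
    "resource": {"type": "conditionalAccessPolicy", "id": "policy-123",
                 "displayName": "Require MFA for Admins"},
    "changes": [{"property": "state", "baseline": "enabled", "current": "disabled"}],
    "eventId": "drift-evt-456",
    "organizationId": "org-789",
}, separators=(",", ":")).encode()


def sign_body(body: bytes, secret: bytes) -> str:
    """Header value a sender attaches: 'sha256=' + hex HMAC-SHA256 of the raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(body: bytes, header_value: str, secret: bytes) -> bool:
    """Return True only if X-Securtea-Signature matches the HMAC of the raw body.

    The digest is computed over the bytes exactly as received; re-encoding a
    parsed JSON object would change whitespace and key order and break the
    comparison. hmac.compare_digest avoids the early-exit timing leak of '=='.
    """
    if not header_value or "=" not in header_value:
        return False
    scheme, _, received = header_value.partition("=")
    if scheme.strip().lower() != "sha256":
        return False
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, received.strip().lower())


def handle_webhook(body: bytes, headers: Dict[str, str],
                   secret: bytes = WEBHOOK_SECRET) -> Optional[Dict[str, Any]]:
    """Parse the payload only after the signature checks out; None means reject."""
    if not verify_signature(body, headers.get("X-Securtea-Signature", ""), secret):
        return None
    return json.loads(body)


if __name__ == "__main__":
    sig = sign_body(SAMPLE_BODY, WEBHOOK_SECRET)
    print("valid:", handle_webhook(SAMPLE_BODY, {"X-Securtea-Signature": sig}) is not None)
    print("tampered body:", handle_webhook(SAMPLE_BODY + b" ", {"X-Securtea-Signature": sig}))
```

In a web framework, pass the raw request body (for example `request.get_data()` in Flask or `await request.body()` in FastAPI) rather than the parsed JSON, and respond with 401 when `handle_webhook` returns None so the failure shows up in the webhook delivery logs.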

Integration Examples

Slack Incoming Webhook

  1. Create Slack incoming webhook
  2. Add as Securtea webhook destination
  3. Use Slack's payload formatting

Microsoft Teams

  1. Create Teams incoming webhook
  2. Configure Securtea to send to Teams URL
  3. Teams displays a formatted card

ServiceNow

  1. Create ServiceNow inbound action
  2. Map Securtea payload to incident fields
  3. Auto-create incidents for critical drift

PagerDuty

  1. Create PagerDuty service
  2. Use Events API v2 integration
  3. Configure severity mapping

Alert Rules

Creating Rules

Build sophisticated alert logic:

  1. Go to Alerts > Add Rule
  2. Define conditions
  3. Set actions

Rule Conditions

Combine conditions with AND/OR logic:

IF severity = "critical"
AND resourceType = "conditionalAccessPolicy"
AND change.property = "state"
THEN email security-team@company.com

Condition Options

Condition     | Values
--------------|--------------------------------
Severity      | Critical, High, Medium, Low
Resource Type | Any supported resource
Property      | Specific configuration property
Time          | Business hours, off-hours
Change Type   | Added, Modified, Deleted

Rule Actions

Action        | Description
--------------|------------------------------
Send Email    | To specified recipients
Send Webhook  | To configured endpoint
Create Ticket | Via webhook to ITSM
Suppress      | Don't alert for this pattern
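The rule logic from the Rule Conditions and Rule Actions sections above, as an added Python example that is not part of Securtea's product or documentation. It evaluates the page's sample rule (critical severity AND conditionalAccessPolicy AND property `state`) against the webhook payload shown earlier, and goes a little beyond the page by composing conditions with AND, OR and NOT and by letting a Suppress rule override every other match. Assumptions: events have the payload shape shown on this page, "business hours" means 08:00-18:00 UTC on weekdays, and the action strings and rule names are constructed placeholders.

```python
from datetime import datetime, timezone
from typing import Any, Callable, Dict, List, Tuple

# Constructed sample event mirroring the drift.detected payload on this page.
SAMPLE_EVENT: Dict[str, Any] = {
    "event": "drift.detected",
    "timestamp": "2024-01-15T09:30:00Z",   # a Monday, during business hours (UTC)
    "severity": "critical",
    "resource": {"type": "conditionalAccessPolicy", "id": "policy-123",
                 "displayName": "Require MFA for Admins"},
    "changes": [{"property": "state", "baseline": "enabled", "current": "disabled"}],
    "eventId": "drift-evt-456",
    "organizationId": "org-789",
}

# Rank severities so a threshold ("High or above") is a simple comparison.
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

Condition = Callable[[Dict[str, Any]], bool]
Rule = Tuple[str, Condition, str]   # (rule name, condition, action)


def severity_at_least(level: str) -> Condition:
    return lambda e: SEVERITY_RANK[e["severity"].lower()] >= SEVERITY_RANK[level.lower()]


def resource_type_is(rtype: str) -> Condition:
    return lambda e: e["resource"]["type"] == rtype


def property_changed(name: str) -> Condition:
    # True when any entry in "changes" touches the named configuration property.
    return lambda e: any(c.get("property") == name for c in e.get("changes", []))


def during_business_hours(start_hour: int = 8, end_hour: int = 18) -> Condition:
    # Assumption: business hours are Monday-Friday, start_hour <= hour < end_hour, in UTC.
    def check(e: Dict[str, Any]) -> bool:
        ts = datetime.fromisoformat(e["timestamp"].replace("Z", "+00:00")).astimezone(timezone.utc)
        return ts.weekday() < 5 and start_hour <= ts.hour < end_hour
    return check


def all_of(*conds: Condition) -> Condition:   # AND
    return lambda e: all(c(e) for c in conds)


def any_of(*conds: Condition) -> Condition:   # OR
    return lambda e: any(c(e) for c in conds)


def negate(cond: Condition) -> Condition:     # NOT (used to express "off-hours")
    return lambda e: not cond(e)


# Constructed rule set. Action strings are placeholders for the page's action types.
RULES: List[Rule] = [
    ("critical-ca-policy-state",
     all_of(severity_at_least("critical"),
            resource_type_is("conditionalAccessPolicy"),
            property_changed("state")),
     "email:security-team@company.com"),
    ("high-or-above-off-hours",
     all_of(severity_at_least("high"), negate(during_business_hours())),
     "webhook:on-call-pager"),
    ("critical-anything",
     severity_at_least("critical"),
     "webhook:siem"),
    ("suppress-low-off-hours",
     all_of(negate(severity_at_least("medium")), negate(during_business_hours())),
     "suppress"),
]


def evaluate_rules(event: Dict[str, Any], rules: List[Rule]) -> List[str]:
    """Return the actions to take for one event, in rule order.

    A matching Suppress rule wins over every other match, so suppression is
    checked first rather than depending on where it sits in the list.
    """
    matched = [(name, action) for name, cond, action in rules if cond(event)]
    if any(action == "suppress" for _, action in matched):
        return []
    return [action for _, action in matched]


if __name__ == "__main__":
    print(evaluate_rules(SAMPLE_EVENT, RULES))
```

Keeping each condition a small function makes a rule readable as the page's `IF ... AND ... THEN ...` form, and makes the Simulation Mode idea trivial: run `evaluate_rules` over a list of past events and count how often each action would have fired before enabling the rule.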

Testing Alerts

Test Notifications

Verify alert configuration:

  1. Go to alert settings
  2. Click Send Test
  3. Verify receipt in all channels

Simulation Mode

Test against historical data:

  1. Enable simulation for a rule
  2. Run against past events
  3. See which would have triggered
  4. Adjust before production

Managing Alerts

Alert History

View sent alerts:

  • Date and time sent
  • Recipients/endpoints
  • Delivery status
  • Related event

Alert Metrics

Monitor alert effectiveness:

  • Alerts sent by severity
  • Delivery success rate
  • Average response time

Best Practices

Avoid Alert Fatigue

  • Set appropriate severity thresholds
  • Use digest mode for low-severity
  • Review and tune regularly

Ensure Coverage

  • Critical: Immediate email + webhook
  • High: Prompt email
  • Medium: Daily digest
  • Low: In-app only

Test Regularly

  • Verify email delivery
  • Test webhook endpoints
  • Confirm on-call receipt

Document Escalation

  • Define who responds to what
  • Set expectations for response time
  • Create runbooks for common drift

Troubleshooting

Emails Not Received

  • Check spam/junk folders
  • Verify email addresses
  • Check domain allow lists
  • Review delivery logs

Webhooks Failing

  • Verify URL is accessible
  • Check SSL certificate validity
  • Review webhook logs for errors
  • Test endpoint independently

Too Many Alerts

  • Raise severity thresholds
  • Enable digest mode
  • Add suppression rules
  • Review baseline accuracy
