Unomaly responds to triggers and conditions in systems and situations based on the Actions that you define. When one of your systems goes offline or when the production environment produces significant anomalies, you want Unomaly to take action. This action can be to send an email to a specific user, to post to a team chat room, or to flag the event for later review.

Other examples of actions and conditions are:

  • Flag, or display an alert in the web interface, for all situations that include events with a classification of “warning” or higher.
  • Send an email to a specific user when Unomaly receives a certain known event more than once.
  • Post messages to the team Slack channel when the production environment produces significant anomalous events.
  • Run an external script when Unomaly detects events that are tagged with “security”.
  • More complex logic, such as: Flag all situations that contain events tagged with “known security” and that also contain anomalies.

To post notifications to a team chat room or another external service, you need to create and configure a plugin for that service. Unomaly ships with plugins for Slack and HipChat.

Add a new action

In the Actions view, hover over the context menu to the upper right of the page and click “New Action”.

In the “New Action” dialogue, define an action by:

  1. Defining the conditions to match.
  2. Selecting the systems or groups.
  3. Specifying the actions to execute.
  4. Saving the action.

1. Define conditions to match

You can define one or more conditions for Unomaly to match against when triggering actions. Conditions are based on the state of a system or contents of a situation.

  1. Click the plus sign next to “Add condition”.

    After you select one of the conditions in the column, more options appear to help you refine the condition.

    Condition                   Description
    system is away              Select the predefined away period or define the threshold in seconds.
    situation has score         Specify the score, between 1 and 10.
    situation contains known    Select the known with id, classification, or tag. Optionally, specify the number of times the known is seen.
    situation contains anomaly  Select the known from a list of predefined anomalies.
  2. After you finish defining the condition, click “Apply”.

2. Select the systems or groups

Select the systems or group of systems to monitor for the conditions you defined.

3. Select the actions to execute

You can specify one or more actions to run when the conditions are met. Default actions include email notifications and alerts. You can also select actions from configured plugins, such as integrations with external services. If you have custom actions available, you can select them in this list.

Email notifications

To define an email notification:

  1. Select “send email to”.

  2. Type in or select the email addresses to notify.

  3. Click “Apply”.

Alerts

To define an alert:

  1. Select “flag situation as alert for”.

  2. Specify the number of days to display an open alert (red exclamation point).

    An open alert displays as a red exclamation point on situations that match the defined conditions.

  3. Click “Apply”.

You can then review the situations that are flagged and close the alerts manually. Otherwise, the alerts will close automatically after the specified duration.

Custom actions

Custom actions are plugins that you have configured to use with Unomaly actions. For example, you can write plugins to send notifications to external services, send an SMS to your phone, or run an external script. Unomaly ships with plugins for Slack and HipChat. See “Create custom plugins”.

To execute a custom action:

  1. Select the custom action from the list.

    If the plugin has configuration options, you will be prompted to fill out information in a form. For example, the Slack plugin will ask you to type in the channel you want to post to. This means that you can define actions to send your situations to different Slack channels.

  2. Click “Apply”.

4. Save the action

After you define the conditions and actions, click “Save” at the bottom right.

Actions are named automatically when you save them. The action names are based on the defined conditions.

Examples

Email notification for classified knowns

This example demonstrates how to define an email action for critical or warning situations in the Production systems group.

[Figure: Unomaly Actions view. Caption: Send email for critical situations in Production]

Email notification for failed admin login attempts

This example demonstrates how to trigger an action after an event is seen a certain number of times. For example, you want to be notified if an administrator attempts to log in and fails more than 5 times, because it can be a sign of unauthorized access.

[Figure: New action view. Caption: Trigger action after 5 admin login attempts]
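As an added illustration (not Unomaly's own code or API), the following Python models how the condition types from the table above combine into the rules described in the two examples and in the “more complex logic” bullet: a rule fires only when the situation's system is in scope and every condition holds. The Event and Situation classes, tag names, system names and the ordering of classifications are assumptions; the “system is away” condition is not modelled.

```python
from dataclasses import dataclass, field
# Added toy model, not Unomaly's code; levels ordered so "warning or higher" works.
SEVERITY = {"notice": 0, "warning": 1, "critical": 2}

@dataclass
class Event:
    known_id: str
    classification: str = "notice"
    tags: set = field(default_factory=set)
    anomaly: bool = False          # True for an anomaly, False for a known
@dataclass
class Situation:
    system: str
    score: int                     # situation score, 1..10 (e.g. lambda s: s.score >= 7)
    events: list = field(default_factory=list)

def known_seen(s, classification=None, tag=None, min_times=1):
    """'situation contains known': by classification (or higher) / tag, N times."""
    hits = [e for e in s.events if not e.anomaly
            and (classification is None
                 or SEVERITY[e.classification] >= SEVERITY[classification])
            and (tag is None or tag in e.tags)]
    return len(hits) >= min_times

def has_anomaly(s):
    """'situation contains anomaly'."""
    return any(e.anomaly for e in s.events)

# Rules as (name, systems in scope, conditions); every condition must hold.
PRODUCTION = {"prod-db", "prod-web"}
RULES = [
    ("email: warning or higher in Production", PRODUCTION,
     [lambda s: known_seen(s, classification="warning")]),
    ("email: admin login failed more than 5 times", PRODUCTION,
     [lambda s: known_seen(s, tag="admin-login-failed", min_times=6)]),
    ("flag: known security with anomalies", PRODUCTION,
     [lambda s: known_seen(s, tag="known security"), has_anomaly]),
]
def triggered(s, rules=RULES):
    """Names of the rules whose scope and every condition match situation s."""
    return [name for name, systems, conds in rules
            if s.system in systems and all(c(s) for c in conds)]

# Constructed sample situations (not real Unomaly data).
FAILED_LOGINS = Situation("prod-web", 3, [
    Event("auth-fail", tags={"admin-login-failed"}) for _ in range(6)])
SECURITY_ANOMALY = Situation("prod-db", 8, [
    Event("iptables-drop", "critical", {"known security"}),
    Event("unseen-line", anomaly=True)])
```

A situation on a system outside the selected group never triggers a rule, however many conditions it would otherwise satisfy.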