- You have configured an alert rule to look at a resource group as part of the conditions under the configure step.
- Events are being created from assets in that resource group.
- You are not receiving notifications from this rule that you believe you should be.
- Cloud Integration configured
- Using a resource group for a cloud account such as "All AWS Accounts" or one you have created yourself
The default resource groups for cloud platform accounts are the following:
- AWS - "All AWS Accounts"
- GCP - "All Organisations and Projects"
- Azure - "All tenants and subscriptions"
You could also create a custom resource group for a cloud account.
If you use a cloud account resource group in your alert rule, only "compliance" or "Cloud Activity" events for that cloud account will trigger the rule. Agents deployed on compute instances within these cloud accounts are not considered part of that cloud account resource group.
Events from agent data, such as application, file, machine etc., are not matched by resource groups that specifically target cloud accounts.
Instead, use resource groups that target machines or containers for events originating from these sources, regardless of which cloud account they are deployed in.
When building an alert rule, certain events can only come from certain resource types. Pay close attention to the event types that you select and ensure that your resource group can produce those types of events.