How organizations can configure Protective DNS alert sets in the CISA management application

Unidentified Speaker, Presenter, walked through how organizations can configure alert sets in the Protective DNS Management application, saying that "one key component of the Protective DNS Resolver service is that users can configure alerts to be triggered when events of interest occur." The presentation explained two alert types — DNS event alerts and system event alerts — and the email fields and cadence options that control how notifications are delivered.

The presentation said DNS event alerts are triggered when an organization’s DNS queries pass to the Protective DNS resolver and match a filtering policy. Those matches "can be allowed, blocked, or overridden," and may be based on either Cybersecurity and Infrastructure Security Agency (CISA) global policies or organization-specific policies. The speaker recommended that organizations create DNS event alerts for global policies they wish to monitor and choose an appropriate delivery cadence so recipients are not overwhelmed by messages.

The presenter described one example alert configuration: create a new Alert Set from My Organization → Alert Sets, choose DNS events, give the set an alert set name (the example used "Instructional Video Test") and description, select a distribution list, and choose a delivery cadence (hourly, daily or weekly). On selection of a global policy, users can select an action (Allow, Block, or Override) and choose the "on match" option so emails are sent according to the selected cadence when a match occurs.

The presentation stressed particular handling for CISA global policies that include proprietary indicators: "When the DNS request matches a global policy with CISA proprietary indicators, an immediate action is required," the presenter said, and recommended toggling the alert on so the distribution list is notified on the configured cadence. The speaker also showed how to select a source set and authorized source from the relevant dropdowns and enable the resulting policy actions.

For feeds based on popular threat intelligence, the presenter advised setting the delivery cadence to daily or weekly to reduce excessive emails. If the threshold option is chosen, the Protective DNS Resolver performs evaluations using counts (for example allowed or blocked counts) to determine whether the threshold for sending a policy email alert has been met.

The presentation also covered System Event alerts: to create these, users select Add New Set and choose System Events, provide a name and description, select a distribution list and cadence, and enable the event types they want to monitor. The speaker enumerated common system triggers that can generate alerts: onboarding updates, privilege updates, global policy changes, organization policy changes, source changes and system issues.

Finally, the presenter reviewed what alert emails include and recent enhancements. Email alerts now provide a combined total of DNS requests in the message body and list: the alert set name and description, cadence, distribution lists, action, policy name and description, source sets, expressions, whether the policy is global, when the policy was last modified, when it was last matched, how many times it was blocked, overridden or allowed, and dynamic and static policy matches. After saving an alert set, the application redirects to the Alert Sets page and displays a confirmation banner.

The presentation focused on configuration steps, recommended cadence choices for different policy types, and the fields organizations should expect in alert notifications; it did not include any formal policy changes or votes.