13 - Setup Emergency Account Alerting

1. Create Alert Rule

  1. Go to the Log Analytics workspace (LAW) you set up earlier, then go to Alerts > Create > Alert Rule.

  2. Follow the Microsoft Learn guide "Manage emergency access admin accounts - Microsoft Entra ID" to set up the best-practice alert rule, using the UPN for the query.

2. Configure Alert/Action Group

When making the Alert/Action Group:

  1. Action group name: AG-Alerting-EAALogon

  2. Display Name: Alert Group

  3. On the Notifications page, set it to send an email to the Azure Resource Manager Owner role and give it the name 'Emergency Access Account Alert'. Enable the Common Alert Schema.

  4. Then on the Action tab set it to use a Webhook and enter the following URI as the Webhook:

    • https://stratus-internal.app.n8n.cloud/webhook/3ff9fcf3-48e1-4c99-958e-9087ecf6c893
    • Use the name: Emergency Access Account Action
  5. On the Details tab specify the following:

    • Severity: 0 - Critical
    • Alert Rule Name: EmergencyAccessAccount-LogonDetected
    • Alert rule description: Triggers an alert when the logon of the emergency access account is detected. This also triggers an alert to a webhook URI to start an n8n workflow for a HaloPSA ticket to be created
    • Identity: Default
  6. Create

3. Configure n8n Workflow

Ensure the n8n workflow includes a split that correctly maps each environment to the relevant HaloPSA client for ticket creation (refer to Reed if required).
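
One way to implement the split described above, written as an added example for an n8n Code node and not taken from the existing workflow. It assumes the environment is identified by the Azure subscription ID in the Common Alert Schema payload; the client map, the fallback client name and the sample payload are constructed placeholders.

```javascript
// Added example: routing logic for the environment split (all names are assumptions).
// Hypothetical map: Azure subscription ID -> HaloPSA client name (constructed values).
const CLIENT_BY_SUBSCRIPTION = {
  "11111111-1111-1111-1111-111111111111": "Example Client A",
  "22222222-2222-2222-2222-222222222222": "Example Client B",
};
const EXPECTED_RULE = "EmergencyAccessAccount-LogonDetected";
const SUB_RE = /^\/subscriptions\/([0-9a-f-]{36})(\/|$)/i;

// Takes the parsed webhook body (Common Alert Schema) and returns a routing decision.
function routeEmergencyAlert(body) {
  const e = body && body.data && body.data.essentials;
  if (!body || body.schemaId !== "azureMonitorCommonAlertSchema" || !e) {
    return { action: "reject", reason: "not a Common Alert Schema payload" };
  }
  if (e.alertRule !== EXPECTED_RULE) {
    return { action: "reject", reason: "unexpected alert rule" };
  }
  if (e.monitorCondition !== "Fired") {
    return { action: "ignore", reason: "condition is " + e.monitorCondition };
  }
  // Prefer the monitored resource (the workspace); fall back to the alert ID.
  const ids = [...(e.alertTargetIDs || []), e.alertId || ""];
  const match = ids.map((id) => SUB_RE.exec(id)).find(Boolean);
  const subscriptionId = match ? match[1].toLowerCase() : null;
  const client = CLIENT_BY_SUBSCRIPTION[subscriptionId];
  // Never drop a Sev0 alert: unmapped environments go to a triage client.
  return {
    action: "ticket",
    client: client || "UNMAPPED - triage",
    subscriptionId,
    severity: e.severity,
    firedDateTime: e.firedDateTime,
  };
}

// Constructed sample payload, trimmed to the fields used above.
const samplePayload = {
  schemaId: "azureMonitorCommonAlertSchema",
  data: { essentials: {
    alertId: "/subscriptions/22222222-2222-2222-2222-222222222222/providers/Microsoft.AlertsManagement/alerts/00000000-0000-0000-0000-000000000000",
    alertRule: EXPECTED_RULE, severity: "Sev0", monitorCondition: "Fired",
    alertTargetIDs: ["/subscriptions/22222222-2222-2222-2222-222222222222/resourcegroups/rg-example/providers/microsoft.operationalinsights/workspaces/law-example"],
    firedDateTime: "2024-01-01T00:00:00Z",
  } },
};
console.log(routeEmergencyAlert(samplePayload));
```

Routing unmapped subscriptions to a triage client keeps a sign-in from a newly onboarded environment from disappearing without a ticket.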