Single Alert View - New UI
SECURITY Refer to Global > Monitor and Sites > Monitor in Permissions.
NAVIGATION New UI > Global > Alerts > click an alert message
NAVIGATION New UI > Sites > All Sites > click the name of a site > Alerts (left navigation menu) > click an alert message
NAVIGATION New UI > Device Summary page > Alerts card > click an alert message. To view the various navigation paths you can use to access the Device Summary page, refer to Device Summary - New UI.
NAVIGATION New UI > Dashboards > click the name of a dashboard > view the Recent Alerts widget or click an area of any alert widget to drill into a list of alert messages > click an alert message
NAVIGATION New UI > Sites > All Sites > click the name of a site > click the name of a dashboard (left navigation menu) > view the Recent Alerts widget or click an area of any alert widget to drill into a list of alert messages > click an alert message
An alert is the automatic response to a device operating outside of the parameters defined in a monitor. To learn how to create a monitor, refer to Creating a monitor.
The Single Alert View page features a clear structure to ensure that alert information is relevant, in context, and actionable. The title and overview areas provide at-a-glance information about the alert, with all alerts titled according to the semantic [Priority] [Category] Alert On [Device Name], mirroring the data presented in Dashboards widgets or alert tables. In addition, use of color to communicate urgency as well as time stamps helps you quickly understand and take action on key information.
Time stamps reflect the user time zone and preferred date format configured on the Setup > My Settings page. Hovering over any time stamp will show its date in the alternative format. Refer to User Time Zone and Date Format.
NOTE Alerts are retained for six months. An alert will be re-raised for any monitor that is in alert condition for more than six months.
Different device types have different action buttons displayed at the top of the page. To access all action buttons, you may need to click the Alert Actions icon at the end of the row. The table below lists the available action buttons per device type. Further down, you will find information about each action button.
|Action Button||Server/Laptop/Desktop||Network Device||Printer||ESXi|
Only displayed for online devices and if the Web Remote option is turned ON in the Remote Control Tools section of your security level. Click the button to connect to the device using a Web Remote session. The session will open in a new browser tab.
IMPORTANT Web Remote sessions can be initiated from Windows, macOS, Linux, iOS, or Android devices using a recent version of the Chrome, Firefox, Edge, or Safari browser; no installed Agent is required. However, only Windows and macOS devices with a Managed Agent installed can be controlled via a Web Remote session.
For Web Remote to function properly on macOS devices running Mojave or later, the following applications must be listed and selected for the following options in System Preferences > Security & Privacy > Privacy (or, for Ventura, System Settings > Privacy & Security > Privacy section):
• Accessibility: AEM Agent, Vine Server
• Full Disk Access: AEM Agent, Vine Server
• Screen Recording: AEM Agent, Vine Server
File Transfer requires the Agent Process to be running using .NET Core.
For more information, refer to Web Remote.
Only displayed for online devices and if the RDP option is turned ON in the Remote Control Tools section of your security level. Click the button to initiate a connection to the device using the Agent Browser. You will automatically be logged in to the Agent Browser. Once you are connected to the device, you will be presented with a list of actions you can perform on it. For further information, refer to Agent Browser tools.
IMPORTANT A connection through the Agent Browser can only be initiated from Windows devices with a Managed Agent installed. OnDemand Agents and operating systems other than Windows do not have an Agent Browser.
Click the button to resolve the alert. Once the alert is resolved, this action button will disappear, and an update will appear in the Timeline card. Refer to Timeline.
Only displayed if no ticket has yet been created for the alert. When displayed, it allows you to create a new ticket if you have a PSA integration enabled. Once the ticket is created, the ticket number automatically appears in the Ticket field in the Overview card, the Ticket column in the Open Device Alerts card, and as an update in the Timeline card. Refer to Overview, Device Alerts, and Timeline for more details.
Click the button to run a quick job against the device. Refer to Quick jobs - New UI.
Only displayed if the IT Glue Integration is enabled. Refer to IT Glue Integration.
Click the button to open the IT Glue pane on the right side of the page. Refer to IT Glue pane in Datto RMM.
The Overview card for a single alert displays the following information:
|Open in Datto EDR||Only displayed for Endpoint Security alerts and if Datto EDR is enabled for the Datto RMM account. Refer to Get started with Datto EDR in Licenses - New UI and Datto EDR in Endpoint Security policy. Click the button to navigate to a filtered list of alerts for the device in Datto EDR. To learn about the Alerts page in Datto EDR, refer to the Alerts page topic in the Datto EDR Online Help.
|Message||Displays the alert message.|
|Created||Displays when the alert was created.|
|Status||Displays the status of the alert: Open or Resolved.|
|Alert UID||Displays the unique identifier of the alert.|
|Device||Displays the hostname of the device that the alert was triggered from. Click the link to open the Device Summary page. Refer to Device Summary - New UI.
You may see the following visual indicators next to the device name:
• The device is online (green circle) or offline (transparent circle).
• The device has Privacy Mode enabled.
NOTE If a device's online/offline or Privacy Mode status changes, the respective status icon is automatically refreshed 60 seconds after the change.
|Site||Displays the name of the site that the device belongs to. Click the site name to open the Site Summary page.|
|Policy||The name of the policy associated with the device that the alert was triggered from. Click the policy name to see the policy details. Refer to Editing a policy.|
|Ticket||Displays a ticket number if the monitor was configured to create a ticket when an alert is raised. Refer to Create a monitor in the legacy UI or Creating a monitor in the New UI.
If a PSA integration is enabled and you click the ticket number, the ticket will open in a new window in your PSA. If you are already logged in to your PSA or single sign-on is configured for you, you will be directed to the ticket. If you are not logged in to your PSA, you will be required to enter your login credentials first. Refer to Managing tickets.
The Timeline card displays a list of events associated with the alert in chronological order.
The following information is displayed:
|When?||Displays how long ago the event occurred.|
|Event Type|| The card can display the following events:
• Alert created
• Diagnostic information. Diagnostic text that exceeds 1,048,576 (1,024*1,024) characters will be truncated. To learn about Endpoint Security alerts, refer to Endpoint Security alerts: diagnostic information.
• Response component run
• Email created
• Ticket pending/created
• Alert resolved
• Ticket closed
|Event Details||Displays the name and various details of the event, such as the date, time, ticket number (if applicable), and recipient email address. Successful events are highlighted in green, while failed events are highlighted in red.|
Endpoint Security alerts: diagnostic information
Datto EDR collects evidence of attacks by analyzing multiple events to determine if they are part of a serious threat. Datto RMM bundles these events into a single alert; however, you can drill down into the diagnostic events to see additional information, including security threat details. For some types of Endpoint Security alerts, the additional information also includes recommendations for remediation.
Click Show all events to expand a series of related diagnostic events, or click Download events to download a .json file containing information for each event.
Click View Event to open a page of additional information about the event.
If SHA1 information is available for a process within an event, the Threat Details section will display an Open in Datto EDR button. Click the button to navigate to the process in Datto EDR where you can flag it or configure its threat level. To learn more, refer to the Alerts page topic in the Datto EDR Online Help.
This video provides an overview of Endpoint Security alert management in Datto RMM.
The table displays a list of the device's alerts. The card header has a badge showing the number of alerts. By default, the table displays all open alerts.
The single alert you are currently viewing is highlighted in the list.
This card adds context to the single alert details displayed in the Overview card. While some alerts are isolated incidents, some are part of a wider issue affecting the device, and viewing all of this information in one place allows you to decrease troubleshooting time. From this list, you can resolve the single alert, or you can resolve multiple related alerts all at once. You can also export all or selected rows to CSV. Refer to Alerts.
The Column Chooser allows you to select which columns should be visible in the list. Refer to Column Chooser field definitions for descriptions of all of the available fields.The filter selection in the columns will not persist the next time the page is accessed as the table will return to the default view.
The table density is set to condensed theme by default. To change it to relaxed theme, click the density toggle icon. The selection will persist across all pages.
The number of results displayed can be specified by selecting the desired number from the pagination control. This selection will persist the next time the page is accessed.