Tripwire Alerts

All tripwire alerts—both test and real—will appear in the Portal under the Alerts page, accessible via Tripwires in the top navigation.

Test alerts are clearly labeled as such in the Portal, email notifications, and webhook events.

Any potentially malicious activity that NodeZero detects on a tripwire will trigger an alert. Each alert includes detailed information about:

  • The actor involved.
  • The specific activity detected.
  • Relevant tripwire details to assist incident responders in taking swift and informed action.

If there are any unread alerts, a red dot will appear next to Tripwires in the top navigation and Alerts in the sub-navigation. You can mark an alert as read by clicking the Mark as Read button on each individual alert.

Note

While NodeZero generates an alert as soon as it detects activity on a tripwire, there may be a slight difference between the Tripped On timestamp and the alert timestamp. This is due to the multiple detection methods NodeZero uses, some of which may take a bit more time.

Note

NodeZero will generate one alert per tripwire per asset, even if an attacker takes multiple actions on the same tripwire in a short period. This is designed to reduce alert noise and avoid overwhelming your team with redundant notifications.