Overview
Rescans tell you how a client’s posture has shifted over a period. Alerts tell you right now. When Telivy detects a specific security event (a new dark web breach, a string of M365 login failures, an admin account with MFA suddenly disabled), it fires a notification to whoever on your team needs to know. You define which events matter and which team members get notified.
Alerts work across four coverage areas:
- Internal Security: vulnerability changes on managed endpoints
- Dark Web: new breach and account exposures
- Microsoft 365: identity, access, and policy events across connected tenants
- Google Workspace: the same coverage for GWS environments
Configuring Alert Policies
Alert policies are configured at the agency level and apply across all your assessments. Navigate to Alerts → Alert Policies in the Telivy portal to manage them.
To add a new policy:
- Click Add Policy.
- In the Configure Alert Policy step, select the Alert Category you want to monitor.
- Set the condition that triggers the alert. For Internal Vulnerabilities, for example, you can trigger on severity level, CVSS score, EPSS score, or finding count above a threshold.
- Click Continue.
- In the Configure Alert Delivery step, select which team members on your agency account should receive the notification.
- Click Save.
Alert Categories
Internal Security
| Alert | What triggers it |
|---|---|
| Internal Vulnerabilities | New CVEs discovered on managed endpoints during a scan |
Dark Web
| Alert | What triggers it |
|---|---|
| Dark Web Breach | A client domain or asset appears in a newly indexed data breach |
| Dark Web Account | A specific user account credential is found in a breach dataset |
Microsoft 365
| Alert | What triggers it |
|---|---|
| Failed Logins | A user account records repeated failed sign-in attempts |
| Authentication Token Revoked | An active session or refresh token is revoked |
| Conditional Access Violation | A sign-in attempt is blocked by a Conditional Access policy |
| MFA Failed | A user fails an MFA challenge |
| MFA Disabled | MFA is turned off for a user account |
| MFA Enabled | MFA is turned on for a user account |
| No MFA User | A user account is detected without any MFA method enrolled |
| Password Reset | A user password is reset |
| Login Using Token | A sign-in occurs via token rather than interactive credential |
| Login From Unapproved Location | A sign-in originates from a geography outside the client’s approved list |
| User Created | A new user account is added to the tenant |
| User Deleted | A user account is removed from the tenant |
| Registered Device | A new device is registered to the tenant |
| Admin Role Assignment | A user is granted an admin role |
| Group Membership Change | A user is added to or removed from a security group |
| Admin Policy Change | A tenant-level security policy is modified by an admin |
Google Workspace
Google Workspace alerts mirror the M365 coverage for organizations running GWS instead of (or alongside) Microsoft 365.
| Alert | What triggers it |
|---|---|
| Failed Logins | Repeated failed sign-in attempts on a GWS account |
| Authentication Token Revoked | An OAuth token or session is revoked |
| MFA Failed | A user fails a GWS MFA challenge |
| MFA Disabled | MFA is removed from a GWS account |
| MFA Enabled | MFA is added to a GWS account |
| No MFA User | A GWS account has no MFA enrolled |
| Password Reset | A GWS user password is reset |
| Login Using Token | A sign-in via token rather than interactive credential |
| Login From Unapproved Location | Sign-in from outside an approved geography |
| User Created | A new GWS user is provisioned |
| User Deleted | A GWS user account is removed |
| Registered Device | A new device is registered in GWS |
| Admin Role Assignment | A user is granted admin privileges in GWS |
| Group Membership Change | A user is added to or removed from a GWS group |
| Admin Policy Change | A GWS admin-level policy is modified |
FAQ
How quickly does an alert fire after an event is detected?
Cloud events (M365, Google Workspace) are evaluated on each sync cycle. Endpoint-based alerts (Internal Vulnerabilities) are evaluated after each completed agent scan. Manual rescans trigger alert evaluation immediately.
Can I notify multiple team members from the same policy?
Yes. In the Configure Alert Delivery step, you can select as many agency users as needed. Each selected user is notified independently when the policy triggers.
Are alert policies scoped to individual clients?
No. Policies are configured at the agency level and apply across all assessments. You can view alert history filtered to a specific client from that assessment’s Alerts tab, but the policy itself is agency-wide.
Do alerts require Risk Monitoring to be enabled?
No. Alerts are available independently of the automated rescan feature. You can configure alerts on any eligible Risk Assessment without enabling the monitoring cadence.
What's the difference between 'Failed Logins' and 'Conditional Access Violation'?
Failed Logins fire when a user fails to authenticate: wrong password, locked account, etc. Conditional Access Violation fires when the credentials are valid but the sign-in is blocked by a policy rule (e.g. the user is signing in from an unmanaged device or blocked location). Both matter; they indicate different threat patterns.
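The distinction in this answer, shown as an added example (not Telivy's code or detection logic): it classifies sign-in records that use Microsoft Graph `signIn` field names and AADSTS result codes. The sample events and the threshold of 3 failures in 10 minutes are constructed assumptions; the page does not state what counts as "repeated".

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Entra ID (AADSTS) result codes: 50126 = invalid username or password,
# 50053 = account locked, 53003 = blocked by a Conditional Access policy.
CREDENTIAL_FAILURES = {50126, 50053}
CA_BLOCKED = 53003

def classify(event):
    """Map one sign-in record to the alert category it falls under."""
    code = event["status"]["errorCode"]
    if code == 0:
        return "success"
    if code == CA_BLOCKED or event.get("conditionalAccessStatus") == "failure":
        return "conditional_access_violation"   # credentials accepted, policy said no
    # Authentication itself failed, or some unrelated error occurred.
    return "failed_login" if code in CREDENTIAL_FAILURES else "other_failure"

def parse_time(event):
    return datetime.fromisoformat(event["createdDateTime"].replace("Z", "+00:00"))

def detect(events, threshold=3, window=timedelta(minutes=10)):
    """Return (category, user, time) alerts; threshold and window are assumed values."""
    recent = defaultdict(deque)   # user -> times of recent credential failures
    alerts = []
    for event in sorted(events, key=parse_time):
        ts, user, kind = parse_time(event), event["userPrincipalName"], classify(event)
        if kind == "conditional_access_violation":
            alerts.append((kind, user, ts))     # one policy block is already notable
        elif kind == "failed_login":
            failures = recent[user]
            failures.append(ts)
            while ts - failures[0] > window:    # forget failures outside the window
                failures.popleft()
            if len(failures) >= threshold:      # "repeated": fire, then count afresh
                alerts.append((kind, user, ts))
                failures.clear()
    return alerts

def sample_event(user, hhmm, code, ca_status="notApplied"):
    return {"userPrincipalName": user, "createdDateTime": f"2024-05-01T{hhmm}:00Z",
            "status": {"errorCode": code}, "conditionalAccessStatus": ca_status}

SAMPLE = [  # constructed events, not real tenant data
    sample_event("alice@example.com", "09:00", 50126),
    sample_event("alice@example.com", "09:02", 50126),
    sample_event("bob@example.com", "09:03", 53003, "failure"),
    sample_event("carol@example.com", "09:04", 50126),
    sample_event("alice@example.com", "09:05", 50126),
]
```

`detect(SAMPLE)` returns one Conditional Access alert for bob and one failed-login alert for alice; carol's single failure stays below the assumed threshold.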
Can I use webhooks instead of email or SMS?
Yes. Telivy supports outbound webhooks for alert delivery to external systems. See the Webhooks integration guide for configuration details.