
Alerts monitoring

The following tables help you monitor the alerts that exist in the web application. They are useful when you want a general overview of the alerts in the system, need to check their parameters, or want to spot alerts that are failing to trigger.

siem.logtrust.alert.info

In this table, you can find detailed information about all alerts triggered in the current domain. You can see below the most relevant fields included in this table along with a brief explanation.

Field (data type): description

domain (str): Domain to which the alert belongs.

priority (float): Priority level assigned to the alert, represented as a numerical value:

  • 0 → Very low
  • 3 → Low
  • 5 → Normal
  • 7 → High
  • 10 → Very high

Devo alert priorities VS SecOps alert priorities

Please keep in mind that these priority levels do not correspond to the ones used in the Security Operations application.

context (str): Contextualization of the alert, built from its category, domain and name.

category (str): Highest classification level, which indicates the type of alert (custom vs. predefined).

status (int): Condition of the triggered alert regarding its life cycle, represented as a numerical value:

  • 0 → Unread
  • 1 → Updated
  • 2 → False positive
  • 100 → Watched
  • 300 → Closed

alertId (str): Unique ID assigned to the alert when triggered.

username (str): User who created the alert.

extraData (str): Values of the fields that met the alert condition, captured at the moment the alert was triggered.

siem.logtrust.alert.error

In this table, you can find detailed information about all the alert errors that occurred in the current domain. An error here is an event in which the alert conditions were met but the alert was not triggered. The table is very similar to siem.logtrust.alert.info, except that it contains only these errors and excludes the alerts that were actually triggered. You can see below the most relevant fields included in this table along with a brief explanation.

Field (data type): description

domain (str): Domain to which the alert belongs.

errorCode (str): Reason the alert was not triggered. The most common values are:

  • Due to post-filter conditions
  • Due to system anti-flooding

Repeated anti-flooding errors for the same alert mean that its condition is matching more often than the system will deliver, so that alert is a candidate for tuning.

priority (float): Priority level assigned to the alert, represented as a numerical value:

  • 0 → Very low
  • 3 → Low
  • 5 → Normal
  • 7 → High
  • 10 → Very high

context (str): Contextualization of the alert, built from its category, domain and name.

category (str): Highest classification level, which indicates the type of alert (custom vs. predefined).

status (int): Condition of the alert regarding its life cycle, represented as a numerical value:

  • 0 → Unread
  • 1 → Updated
  • 2 → False positive
  • 100 → Watched
  • 300 → Closed

alertId (str): Unique ID assigned to the alert.

username (str): User who created the alert.

extraData (str): Values of the fields that met the alert condition, captured at the moment the alert was evaluated.
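The script below is an added example, not code from the Devo documentation or product. It shows how the two tables are used together: rows exported from siem.logtrust.alert.info and siem.logtrust.alert.error are parsed, the numeric priority and status codes are decoded with the mappings documented above, and each alert is scored by how often its condition matched but no alert was delivered, which is the signal for an alert that needs tuning. The JSON-lines export shape, the domain "acme", the alert names, and every sample row are constructed for this example; the assumption that extraData holds a JSON-encoded string is labelled in the code.

```python
"""Added example (not Devo's own code): check alert health from rows exported
out of siem.logtrust.alert.info and siem.logtrust.alert.error.

Assumptions: rows arrive as JSON lines using the field names documented
above; the domain "acme", the alert names and every row below are
constructed for this example, not real alert data.
"""
import json
from collections import Counter, defaultdict

# Numeric codes documented for both tables, mapped to their labels.
PRIORITY_LABELS = {0: "Very low", 3: "Low", 5: "Normal", 7: "High", 10: "Very high"}
STATUS_LABELS = {0: "Unread", 1: "Updated", 2: "False positive", 100: "Watched", 300: "Closed"}
ANTI_FLOODING = "Due to system anti-flooding"

# Constructed sample export of siem.logtrust.alert.info (one JSON object per line).
SAMPLE_INFO = r"""
{"domain":"acme","priority":7.0,"context":"my.alert.acme.SuspiciousLogin","category":"my.alert","status":0,"alertId":"a-001","username":"soc@acme.example","extraData":"{\"user\":\"bob\"}"}
{"domain":"acme","priority":7.0,"context":"my.alert.acme.SuspiciousLogin","category":"my.alert","status":2,"alertId":"a-002","username":"soc@acme.example","extraData":"{\"user\":\"svc-backup\"}"}
{"domain":"acme","priority":3.0,"context":"my.alert.acme.DiskSpaceLow","category":"my.alert","status":300,"alertId":"a-003","username":"ops@acme.example","extraData":"{\"host\":\"db01\"}"}
{"domain":"acme","priority":99.0,"context":"my.alert.acme.Legacy","category":"my.alert","status":0,"alertId":"a-004","username":"ops@acme.example","extraData":"{}"}
"""

# Constructed sample export of siem.logtrust.alert.error for the same alerts.
SAMPLE_ERROR = r"""
{"domain":"acme","errorCode":"Due to system anti-flooding","priority":7.0,"context":"my.alert.acme.SuspiciousLogin","category":"my.alert","status":0,"alertId":"e-001","username":"soc@acme.example","extraData":"{}"}
{"domain":"acme","errorCode":"Due to system anti-flooding","priority":7.0,"context":"my.alert.acme.SuspiciousLogin","category":"my.alert","status":0,"alertId":"e-002","username":"soc@acme.example","extraData":"{}"}
{"domain":"acme","errorCode":"Due to system anti-flooding","priority":7.0,"context":"my.alert.acme.SuspiciousLogin","category":"my.alert","status":0,"alertId":"e-003","username":"soc@acme.example","extraData":"{}"}
{"domain":"acme","errorCode":"Due to post-filter conditions","priority":3.0,"context":"my.alert.acme.DiskSpaceLow","category":"my.alert","status":0,"alertId":"e-004","username":"ops@acme.example","extraData":"{}"}
"""


def parse_rows(text):
    """Parse a JSON-lines export into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def priority_label(value):
    """Label a priority value; anything outside the documented set is reported
    rather than silently rounded (7.0 matches the key 7, 5.5 matches nothing)."""
    return PRIORITY_LABELS.get(float(value), "Unknown (%s)" % value)


def status_label(value):
    """Label a status code, reporting undocumented codes instead of guessing."""
    return STATUS_LABELS.get(int(value), "Unknown (%s)" % value)


def summarize(info_rows, error_rows):
    """Per alert context: how often it triggered, how many instances are still
    open (Unread or Updated), how many were marked False positive, and how
    many evaluations matched but did not trigger, broken down by errorCode."""
    summary = defaultdict(lambda: {"triggered": 0, "open": 0,
                                   "false_positive": 0, "suppressed": Counter()})
    for row in info_rows:
        entry = summary[row["context"]]
        entry["triggered"] += 1
        if row["status"] in (0, 1):
            entry["open"] += 1
        elif row["status"] == 2:
            entry["false_positive"] += 1
    for row in error_rows:
        summary[row["context"]]["suppressed"][row["errorCode"]] += 1
    return dict(summary)


def suppression_ratio(entry):
    """Share of condition matches that produced an error instead of an alert."""
    suppressed = sum(entry["suppressed"].values())
    total = entry["triggered"] + suppressed
    return suppressed / total if total else 0.0


def find_flooding_alerts(summary, min_ratio=0.5):
    """Alerts whose matches are mostly dropped by anti-flooding: the alert fires
    more often than the platform delivers, so analysts only see a sample of it
    and its condition or aggregation should be tightened."""
    return sorted(ctx for ctx, entry in summary.items()
                  if entry["suppressed"][ANTI_FLOODING] and suppression_ratio(entry) >= min_ratio)


def find_unknown_priorities(info_rows):
    """alertIds whose priority is not one of the five documented values."""
    return sorted({row["alertId"] for row in info_rows
                   if float(row["priority"]) not in PRIORITY_LABELS})


def decode_extra_data(row):
    """extraData is assumed here to be a JSON-encoded string (true of the
    constructed rows); adjust if your export encodes it differently."""
    return json.loads(row["extraData"])


if __name__ == "__main__":
    info, errors = parse_rows(SAMPLE_INFO), parse_rows(SAMPLE_ERROR)
    summary = summarize(info, errors)
    for ctx, entry in sorted(summary.items()):
        print("%s: triggered=%d open=%d false_positive=%d suppressed=%s ratio=%.2f" % (
            ctx, entry["triggered"], entry["open"], entry["false_positive"],
            dict(entry["suppressed"]), suppression_ratio(entry)))
    print("flooding candidates:", find_flooding_alerts(summary))
    print("undocumented priorities:", find_unknown_priorities(info))
    print("extraData of", info[0]["alertId"], "=", decode_extra_data(info[0]))
```

Run against a real export, the same functions give you the three things the page says these tables are for: a per-alert overview, a check that the priority and status parameters hold only documented values, and the alerts whose errors (anti-flooding in particular) outnumber their deliveries.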
