Triggered alerts' extraData
- Borja Moro Moreno
- Elsa Ferreira
About the extraData
The extraData is the field that consolidates the content of the different event fields related to the triggered alert to provide the user with context about the triggering conditions.
The extraData can be checked in the siem.logtrust.alert.info table, where you can find the details of all triggered alerts. You can also check the extraData in the alert’s details window, where you can find the details of an individual triggered alert.
Content of the extraData
As the extraData reflects the conditions that triggered the alert, its content is intimately related to both the query and the triggering method established for the alert when defined. Additionally, the eventdate is always included (in the user’s timezone in the decoded version), as it’s necessary to pinpoint the alert chronologically.
Each-type alerts
Alerts defined using this triggering method primarily rely on the query expression to populate the extraData. Apart from the eventdate, only those fields explicitly invoked in the query will be included unless the option to include them all is marked.
For example, an each-type alert with the following query and settings would return the following extraData:
Query | Triggering method settings | extraData |
|---|---|---|
from firewall.all.traffic
where ispublic(dstIp), ge(bytes, 50000000)
group every 30m by srcIp, dstIp every 6h |
| {"dstIp": "/11.111.1.111",
"srcIp": "/22.22.222.22",
"eventdate": "2024-03-16 00:00:00.000"} |
Several-type alerts
Alerts defined using this triggering method rely on the specific settings (threshold, period, and keep counter for each value in fields) to populate the extraData. It will include the number of registered events exceeding the set threshold, the eventdate corresponding to the beginning of the designated monitoring period, and the fields being monitored for value counter (if added).
For example, a several-type alert with the following query and settings would return the following extraData:
Query | Triggering method settings | extraData |
|---|---|---|
from siem.logtrust.web.activity
where url = "https://us.devo.com/search", type = "request", method = "GET" |
|
Low-type alerts
Alerts defined using this triggering method rely on the specific settings (threshold and period) to populate the extraData. It will include the number of registered events not reaching the set threshold and the eventdate corresponding to the beginning of the designated monitoring period.
For example, a low-type alert with the following query and settings would return the following extraData:
Query | Triggering method settings | extraData |
|---|---|---|
|
Inactivity-type alerts
Alerts defined using this triggering method rely on the specific settings (period and keep track for each value in fields and period) to populate the extraData. It will include the fields being monitored for missing value and the eventdate corresponding to the beginning of the designated monitoring period.
For example, an inactivity-type alert with the following query and settings would return the following extraData:
Query | Triggering method settings | extraData |
|---|---|---|
|
Rolling-type alerts
Alerts defined using this triggering method rely on the specific settings (run every and check last) to populate the extraData, as well as the grouping and aggregation keys specified in the query. Additionally, a creationdate field is included to indicate the moment it was checked for occurrence, in contrast with the moment it occurred.
This means that the extraData will include creationdate (in the user’s timezone in the decoded version), eventdate (in the user’s timezone in the decoded version), grouping and aggregation keys, backperiod (milliseconds back in time that are being checked), and ticktime (end date of the monitoring period expressed in epoch milliseconds).
For example, a rolling-type alert with the following query and settings would return the following extraData:
Query | Triggering method settings | extraData |
|---|---|---|
|
Deviation-type alerts
Alerts defined using this triggering method rely on the specific settings (deviation calculation and numeric column) and the period median to populate the extraData, as well as the grouping keys specified in the query.
This means that the extraData will include eventdate, grouping keys, period median, deviation from the median in the specified format (absolute vs percentage), and value that deviates from the median.
For example, a deviation-type alert with the following query and settings would return the following extraData:
Query | Triggering method settings | extraData |
|---|---|---|
|
Gradient-type alerts
Alerts defined using this triggering method rely on the specific settings (variation calculation and numeric column) and the period difference to populate the extraData, as well as the grouping keys specified in the query.
This means that the extraData will include eventdate, grouping keys, difference from previous to current period expressed in the specified format (absolute vs percentage), and current period value.
For example, a deviation-type alert with the following query and settings would return the following extraData:
Query | Triggering method settings | extraData |
|---|---|---|
|