Alerts monitoring
- Juan Tomás Alonso Nieto (Deactivated)
- Borja Moro Moreno
- Sarah Bigault (Deactivated)
The following tables can help you monitor different aspects of the existing alerts in the web application. This may be useful in case you want to have a general overview of the alerts in the system, check their parameters, or spot potential errors.
siem.logtrust.alert.info
In this table, you can find detailed information about all alerts triggered in the current domain. You can see below the most relevant fields included in this table along with a brief explanation.
Field | Data type | Description |
|---|---|---|
alertHost |
| Internal field: this field indicates an internal Devo component related to alert dispatching. |
domain |
| Devo domain to which the alert belongs. |
| Priority level assigned to the alert, represented as a numerical value:
Devo alert priorities VS SecOps alert priorities Please keep in mind that these priority levels do not correspond to the ones used in the Security Operations application. | |
context |
| Contextualization of the alert resulting from a combination of its category, domain and name. Special characters in the alert name Alert names are normalized upon creation, replacing all special characters (not alphanumeric) by underscores (_). |
category |
| Deprecated field: information is not provided in this field anymore. |
alertId |
| Unique ID assigned to the alert when triggered. |
status |
| Condition of the triggered alert regarding their life cycle, represented as a numerical value:
|
srcIp |
| Deprecated field: information is not provided in this field anymore. |
srcPort |
| Deprecated field: information is not provided in this field anymore. |
srcHost |
| Deprecated field: information is not provided in this field anymore. |
dstIp |
| Deprecated field: information is not provided in this field anymore. |
dstPort |
| Deprecated field: information is not provided in this field anymore. |
dstHost |
| Deprecated field: information is not provided in this field anymore. |
protocol |
| Deprecated field: information is not provided in this field anymore. |
username |
| User who created the alert definition. |
application |
| Deprecated field: information is not provided in this field anymore. |
engine |
| Deprecated field: information is not provided in this field anymore. |
extraData |
| Information extracted from different fields to indicate the conditions that triggered the alert (more info here). |
AlertContextSubscription |
| Deprecated field: information is not provided in this field anymore. |
Alertcreationdate |
| Exact date on which the specified alert conditions were met and the alert triggered, which may reveal a slight delay with the eventdate (date on which the event was registered in the Devo table). |
siem.logtrust.alert.error
In this table, you can find detailed information about all the alert errors that occurred in the current domain, understanding an error as an event in which the conditions have been met but the alert has not been triggered. It is very similar to the siem.logtrust.alert.info table except for the fact that this table focuses on the errors and excludes the alerts triggered. You can see below the most relevant fields included in this table along with a brief explanation.
Field | Data type | Description |
|---|---|---|
alertHost |
| Internal field: this field indicates an internal Devo component related to alert dispatching. |
errorCode |
| Explanation about the reason for the alert not being triggered. The most common are:
|
domain |
| Domain to which the alert belongs. |
priority |
| Priority level assigned to the alert, represented as a numerical value:
|
context |
| Contextualization of the alert resulting from a combination of its category, domain and name. Special characters in the alert name Alert names are normalized upon creation, replacing all special characters (not alphanumeric) by underscores (_). |
category |
| Deprecated field: information is not provided in this field anymore. |
status |
| Condition of the triggered alert regarding their life cycle, represented as a numerical value:
|
alertId |
| Unique ID assigned to the alert when triggered. |
srcIp |
| Deprecated field: information is not provided in this field anymore. |
srcPort |
| Deprecated field: information is not provided in this field anymore. |
srcHost |
| Deprecated field: information is not provided in this field anymore. |
dstIp |
| Deprecated field: information is not provided in this field anymore. |
dstPort |
| Deprecated field: information is not provided in this field anymore. |
dstHost |
| Deprecated field: information is not provided in this field anymore. |
protocol |
| Deprecated field: information is not provided in this field anymore. |
username |
| User who created the alert definition. |
application |
| Deprecated field: information is not provided in this field anymore. |
engine |
| Internal field: this field indicates an internal Devo component related to alert dispatching. |
extraData |
| Information extracted from different fields to indicate the conditions that triggered the alert (more info here). |
AlertContextSubscription |
| Deprecated field: information is not provided in this field anymore. |
Alertcreationdate |
| Exact date on which the specified alert conditions were met but did not trigger an alert due to an error, which may indicate a slight delay with the event date (date on which the error event was registered in the Devo table). |
devo.audit.alert.definition
In this table, you can find detailed information about all alerts defined in the current domain and the changes they undergo. You can see below the fields included in this table along with a brief explanation.
Field | Data type | Description |
|---|---|---|
actiondate |
| Date of the action performed. |
Id |
| Unique ID automatically assigned to the alert when defined. |
name |
| Name assigned to the alert when defined. |
action |
| The action carried out, which can be one of the following:
|
username |
| User who performed the action. |
info |
| Detailed information about the alert definition settings whenever it’s created or edited (name, description, subcategory, ID, triggering method, priority, etc.). When the action involves enabling, disabling, or deleting, this field will be empty. See siem.logtrust.alert.info for the meaning of numerical values in fields such as priority. |
devo.audit.alert.triggered
In this table, you can find detailed information about all alerts triggered in the current domain and the changes they undergo. You can see below the fields included in this table along with a brief explanation.
Field | Data type | Description |
|---|---|---|
hostname |
| Domain where the alert was triggered. |
actiondate |
| Date of the action performed. |
Id |
| Unique ID automatically assigned to the alert when defined. |
name |
| Name assigned to the alert when defined. |
action |
| The action carried out, which can be one of the following:
|
username |
| User who performed the action. |
info |
| Whenever a modification is made to a triggered alert, the information related to the change is collected and displayed here to indicate the new values assigned. Depending on the action (indicated in the action field), the displayed values vary:
|