
Alerts monitoring

The following tables can help you monitor different aspects of the existing alerts in the web application. This may be useful in case you want to have a general overview of the alerts in the system, check their parameters, or spot potential errors.

siem.logtrust.alert.info

In this table, you can find detailed information about all alerts triggered in the current domain. You can see below the most relevant fields included in this table along with a brief explanation.

| Field | Data type | Description |
|---|---|---|
| alertHost | str | Internal field: this field indicates an internal Devo component related to alert dispatching. |
| domain | str | Devo domain to which the alert belongs. |
| priority | float | Priority level assigned to the alert, represented as a numerical value: 0 → Very low, 3 → Low, 5 → Normal, 7 → High, 10 → Very high. Devo alert priorities VS SecOps alert priorities: please keep in mind that these priority levels do not correspond to the ones used in the Security Operations application. |
| context | str | Contextualization of the alert resulting from a combination of its category, domain and name. Special characters in the alert name: alert names are normalized upon creation, replacing all special (non-alphanumeric) characters with underscores (_). |
| category | str | Deprecated field: information is not provided in this field anymore. |
| alertId | str | Unique ID assigned to the alert when triggered. |
| status | int | Condition of the triggered alert regarding its life cycle, represented as a numerical value: Unread → 0, Updated → 1, Watched → 100, False positive → 2, Closed → 300, Suppressed → 800. |
| srcIp | ip4 | Deprecated field: information is not provided in this field anymore. |
| srcPort | int | Deprecated field: information is not provided in this field anymore. |
| srcHost | str | Deprecated field: information is not provided in this field anymore. |
| dstIp | ip4 | Deprecated field: information is not provided in this field anymore. |
| dstPort | int | Deprecated field: information is not provided in this field anymore. |
| dstHost | str | Deprecated field: information is not provided in this field anymore. |
| protocol | str | Deprecated field: information is not provided in this field anymore. |
| username | str | User who created the alert definition. |
| application | str | Deprecated field: information is not provided in this field anymore. |
| engine | str | Deprecated field: information is not provided in this field anymore. |
| extraData | str | Information extracted from different fields to indicate the conditions that triggered the alert (more info here). |
| AlertContextSubscription | int | Deprecated field: information is not provided in this field anymore. |
| Alertcreationdate | timestamp | Exact date on which the specified alert conditions were met and the alert was triggered, which may show a slight delay with respect to the eventdate (date on which the event was registered in the Devo table). |

siem.logtrust.alert.error

In this table, you can find detailed information about all the alert errors that occurred in the current domain, understanding an error as an event in which the conditions have been met but the alert has not been triggered. It is very similar to the siem.logtrust.alert.info table except for the fact that this table focuses on the errors and excludes the alerts triggered. You can see below the most relevant fields included in this table along with a brief explanation.

| Field | Data type | Description |
|---|---|---|
| alertHost | str | Internal field: this field indicates an internal Devo component related to alert dispatching. |
| errorCode | str | Explanation of the reason for the alert not being triggered. The most common are: due to post-filter conditions, and due to system anti-flooding. |
| domain | str | Domain to which the alert belongs. |
| priority | float | Priority level assigned to the alert, represented as a numerical value: 0 → Very low, 3 → Low, 5 → Normal, 7 → High, 10 → Very high. |
| context | str | Contextualization of the alert resulting from a combination of its category, domain and name. Special characters in the alert name: alert names are normalized upon creation, replacing all special (non-alphanumeric) characters with underscores (_). |
| category | str | Deprecated field: information is not provided in this field anymore. |
| status | int | Condition of the triggered alert regarding its life cycle, represented as a numerical value: Unread → 0, Updated → 1, Watched → 100, False positive → 2, Closed → 300, Suppressed → 800. |
| alertId | str | Unique ID assigned to the alert when triggered. |
| srcIp | ip4 | Deprecated field: information is not provided in this field anymore. |
| srcPort | int | Deprecated field: information is not provided in this field anymore. |
| srcHost | str | Deprecated field: information is not provided in this field anymore. |
| dstIp | ip4 | Deprecated field: information is not provided in this field anymore. |
| dstPort | int | Deprecated field: information is not provided in this field anymore. |
| dstHost | str | Deprecated field: information is not provided in this field anymore. |
| protocol | str | Deprecated field: information is not provided in this field anymore. |
| username | str | User who created the alert definition. |
| application | str | Deprecated field: information is not provided in this field anymore. |
| engine | str | Internal field: this field indicates an internal Devo component related to alert dispatching. |
| extraData | str | Information extracted from different fields to indicate the conditions that triggered the alert (more info here). |
| AlertContextSubscription | int | Deprecated field: information is not provided in this field anymore. |
| Alertcreationdate | timestamp | Exact date on which the specified alert conditions were met but did not trigger an alert due to an error, which may show a slight delay with respect to the event date (date on which the error event was registered in the Devo table). |

devo.audit.alert.definition

In this table, you can find detailed information about all alerts defined in the current domain and the changes they undergo. You can see below the fields included in this table along with a brief explanation.

| Field | Data type | Description |
|---|---|---|
| actiondate | timestamp | Date of the action performed. |
| Id | str | Unique ID automatically assigned to the alert when defined. |
| name | str | Name assigned to the alert when defined. |
| action | str | The action carried out, which can be one of the following: CREATE, EDIT, ENABLE, DISABLE, DELETE, CREATE POST FILTER, DELETE POST FILTER. |
| username | str | User who performed the action. |
| info | json | Detailed information about all settings of the alert definition being created or edited (name, description, subcategory, ID, triggering method, priority, etc.). When the action involves enabling, disabling, or deleting the alert definition, this field will be empty. When the action involves applying post-filters to an alert definition, the field contains the info described below. |

Content of the info field for post-filter actions:

  • Create: conditions set, id of the post-filter, name of the post-filter, action to be performed, and new value (when the action implies a change).
    Example → {"conditions":["(eventdate) = (2024-11-12 14:29:06.072)"],"id":1236,"name":"My suppress filter","action":"change_status","value":"SUPPRESSED"}

  • Delete: id of the post-filter and name of the post-filter.
    Example → {"id":1236,"name":"My suppress filter"}

See siem.logtrust.alert.info for the meaning of numerical values in fields such as priority.
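Because devo.audit.alert.definition records who disabled, deleted or post-filtered an alert, it can be reviewed for changes that reduce detection coverage. The following is an added example, not Devo code: it assumes the rows have been exported as dictionaries keyed by the field names above, and the sample rows, alert name and usernames are constructed (only the post-filter JSON is the example from this page).

```python
import json

# Audit actions on alert definitions that reduce or reshape detection coverage.
COVERAGE_ACTIONS = {"DISABLE", "DELETE", "CREATE POST FILTER"}

def parse_info(raw):
    """Decode the info field; it is empty for enable, disable and delete rows."""
    if not raw or not raw.strip():
        return {}
    try:
        parsed = json.loads(raw)
    except json.JSONDecodeError:
        return {"unparsed": raw}
    return parsed if isinstance(parsed, dict) else {"unparsed": raw}

def coverage_changes(rows):
    """Return one finding per row that disables, deletes or post-filters an alert."""
    findings = []
    for row in rows:
        if row["action"] not in COVERAGE_ACTIONS:
            continue
        info = parse_info(row.get("info"))
        # A post-filter whose action is change_status with value SUPPRESSED
        # moves matching alerts to the Suppressed status.
        suppresses = (row["action"] == "CREATE POST FILTER"
                      and info.get("action") == "change_status"
                      and info.get("value") == "SUPPRESSED")
        findings.append({"when": row["actiondate"], "user": row["username"],
                         "alert": row["name"], "action": row["action"],
                         "filter": info.get("name"),
                         "conditions": info.get("conditions", []),
                         "suppresses": suppresses})
    return findings

# Constructed sample rows; the post-filter JSON is the example shown on this page.
SAMPLE_ROWS = [
    {"actiondate": "2024-11-12 14:20:00", "Id": "101", "name": "Constructed_alert",
     "action": "EDIT", "username": "analyst@example.com",
     "info": '{"name": "Constructed_alert"}'},
    {"actiondate": "2024-11-12 14:29:10", "Id": "101", "name": "Constructed_alert",
     "action": "CREATE POST FILTER", "username": "analyst@example.com",
     "info": '{"conditions":["(eventdate) = (2024-11-12 14:29:06.072)"],"id":1236,'
             '"name":"My suppress filter","action":"change_status","value":"SUPPRESSED"}'},
    {"actiondate": "2024-11-12 15:02:00", "Id": "102", "name": "Other_constructed_alert",
     "action": "DISABLE", "username": "admin@example.com", "info": ""},
]

if __name__ == "__main__":
    for finding in coverage_changes(SAMPLE_ROWS):
        print(finding)
```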

devo.audit.alert.triggered

In this table, you can find detailed information about all alerts triggered in the current domain and the changes they undergo. You can see below the fields included in this table along with a brief explanation.

| Field | Data type | Description |
|---|---|---|
| hostname | str | Domain where the alert was triggered. |
| actiondate | timestamp | Date of the action performed. |
| Id | str | Unique ID automatically assigned to the alert when defined. |
| name | str | Name assigned to the alert when defined. |
| action | str | The action carried out, which can be one of the following: CREATE, EDIT STATUS, EDIT PRIORITY, DELETE, CREATE COMMENT, REPLY COMMENT, UPDATE COMMENT, DELETE COMMENT. |
| username | str | User who performed the action. |
| info | json | Whenever a modification is made to a triggered alert, the information related to the change is collected and displayed here to indicate the new values assigned. Depending on the action (indicated in the action field), the displayed values vary as described below. |

Content of the info field by action:

  • Create: the status and priority names, as well as the status and priority codes.
    E.g. → {"statusName":"Unread","priorityName":"Low","statusCode":"0","priorityCode":"3.0"}.

  • Edit status: the new status code and the corresponding status name.
    E.g. → {"statusCode":"100","statusName":"Watched"}.

  • Edit priority: the new priority and the corresponding priority name.
    E.g. → {"priorityCode":"1.0","priorityName":"Very Low"}.

  • Deletion: empty.

  • Comments: type of comment (ALERT-new comment vs REPLY), content of the message, ID assigned to the comment, and other IDs interrelating them with alerts and other comments.
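Since each row of devo.audit.alert.triggered carries only the new values, the current state of an alert is obtained by replaying its rows in actiondate order. The following is an added example, not Devo code: it assumes the rows are exported as dictionaries keyed by the field names above, that Id identifies one triggered alert across its rows, and that actiondate strings sort chronologically; the sample rows are constructed.

```python
import json

def replay_triggered(rows):
    """Replay devo.audit.alert.triggered rows, oldest first, into current state."""
    state = {}
    for row in sorted(rows, key=lambda r: r["actiondate"]):
        # info is empty on deletion; codes arrive as strings ("100", "3.0").
        info = json.loads(row["info"]) if row.get("info") else {}
        # Assumption: Id identifies one triggered alert across its audit rows.
        alert = state.setdefault(row["Id"], {"name": row["name"], "status": None,
                                             "priority": None, "deleted": False})
        action = row["action"]
        if action in ("CREATE", "EDIT STATUS") and "statusCode" in info:
            alert["status"] = (int(info["statusCode"]), info.get("statusName"))
        if action in ("CREATE", "EDIT PRIORITY") and "priorityCode" in info:
            alert["priority"] = (float(info["priorityCode"]), info.get("priorityName"))
        if action == "DELETE":
            alert["deleted"] = True
    return state

def unread_high_priority(state, minimum=7.0):
    """Ids of live alerts still Unread (0) at High (7) priority or above."""
    return sorted(alert_id for alert_id, a in state.items()
                  if not a["deleted"] and a["status"] and a["status"][0] == 0
                  and a["priority"] and a["priority"][0] >= minimum)

def _row(when, alert_id, action, info):
    """Build one constructed audit row (hypothetical helper for the sample)."""
    return {"actiondate": when, "Id": alert_id, "name": "Constructed_alert",
            "action": action, "username": "analyst@example.com",
            "info": json.dumps(info) if info else ""}

# Constructed sample rows, deliberately out of chronological order.
SAMPLE_ROWS = [
    _row("2024-11-12 14:40:00", "a1", "EDIT PRIORITY",
         {"priorityCode": "7.0", "priorityName": "High"}),
    _row("2024-11-12 14:29:06", "a1", "CREATE",
         {"statusName": "Unread", "priorityName": "Low",
          "statusCode": "0", "priorityCode": "3.0"}),
    _row("2024-11-12 14:30:00", "a2", "CREATE",
         {"statusName": "Unread", "priorityName": "High",
          "statusCode": "0", "priorityCode": "7.0"}),
    _row("2024-11-12 14:35:00", "a2", "EDIT STATUS",
         {"statusCode": "100", "statusName": "Watched"}),
    _row("2024-11-12 14:31:00", "a3", "CREATE",
         {"statusName": "Unread", "priorityName": "Very high",
          "statusCode": "0", "priorityCode": "10.0"}),
    _row("2024-11-12 14:50:00", "a3", "DELETE", None),
]

if __name__ == "__main__":
    print(unread_high_priority(replay_triggered(SAMPLE_ROWS)))
```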