Simple Each alert
Â
Description
This flow triggers an Each-type alert and sent a notification through an email and a Slack direct message when a particular user navigates into the Devo web app and registers more than 1000 entries in the Devo table that stores user activity in a domain (siem.logtrust.web.activity
).
Flow configuration
The following table describes the units needed to create this flow, as well as how to configure and link them.
Unit type and description | Configuration |
---|---|
DevoSource This unit will launch a query and send its results to the indicated outputs. In this case, we want to query the Devo table that stores all the domain's users activity ( | Drag a DevoSource unit to the canvas and open its configuration options by double-clicking it. Enter a Name for the unit (in this example, GetWebActivity), and in the Query field, enter the query from which you want to get data. In this example, we will use the following: from siem.logtrust.web.activity
select * Also, you can optionally choose a Start time for the query. In this case, we enter 03/31/20 00:00:00 Click Apply to save the configuration. |
Filter We will use this unit to filter the events that come from the indicated table and get only those that include actions taken by a specific user in our domain. | Drag a Filter unit to the canvas and link the output port data of the DevoSource unit to the input port of this unit. Then, open the configuration options of the unit by double-clicking it. Enter a Name for the unit (in this example, GetUsername), and in the Predicate field, we enter the conditions for the filter. In this case, we want to get only entries for a specific user, so we indicate his email address. Also, we will get rid of null values. This is the expression that we will use:
Click Apply to save the configuration. |
Reducer This unit applies the reduce function to the events sent by the source query. In this case, it will add a count of all the events that match the condition of the filter applied. | Drag a Reducer unit to the canvas and link the output port out of the Filter unit to the input port in of this unit. Then, open the configuration options of the unit by double-clicking it. Fill the following fields with these values:
Click Apply to save the configuration. |
Filter This unit will filter only those events where the counter value added by the Reducer is 1000 or more. | Drag a Filter unit to the canvas and link the output port out of the Reducer unit to the input port of this unit. Then, open the configuration options of the unit by double-clicking it. Enter a Name for the unit (in this example, Counter1000), and in the Predicate field, we enter the conditions for the filter. In this case, we want to get only those events where the counter field shows a value equal to or higher than 1000. This is the expression that we will use: Click Apply to save the configuration. |
EmailSink This unit will send the results to an indicated email address. | Drag an EmailSink unit to the canvas and link the output port out of the Filter unit to the input port of this unit. Then, open the configuration options of the unit by double-clicking it. In the General tab, add a Name to the unit (in this example, we called it toMail), the Subject of the mails that will be sent (in this example, User activity > 1000) and the Message to be sent. This is the message that we used in this example, referencing the counter column:
Now go to the To recipients tab, click the + icon in the TOs section, and enter the email addresses you want to send the mails. Click Apply to save the configuration. |
SlackSink the Slack Sink unit sends a Slack message to a configurable channel. | Drag a SlackSink unit to the canvas and link the output port out of the same Filter unit used before with EmailSink to the input port of the SlackSink unit. Then, open the configuration options of the unit by double-clicking it and enter the following information:
Click Apply to save the configuration. |
Result
Once you have defined the whole Flow, click the Start button to activate it. If everything is correctly configured, the addresses indicated in the EmailSink unit and the Slack channel specified in the SlackSink unit through the corresponding Webhook will receive a notification when the indicated user registers 1000 or more entries in the siem.logtrust.web.activity
table.
This is the notification sent to the indicated email(s):
And this is how the Slack message looks like:
Import this Flow
Download this Flow in JSON format and import it to your domain using the Import option.
Add the required data to make this Flow work
As explained in the Flow configuration section, you must include the required email addresses in the first Filter unit added and in the EmailSink unit, and also the required Slack Webhook in the SlackSink unit to make this flow work.