/
Simple Each alert

Simple Each alert

 

Description

This flow triggers an Each-type alert and sent a notification through an email and a Slack direct message when a particular user navigates into the Devo web app and registers more than 1000 entries in the Devo table that stores user activity in a domain (siem.logtrust.web.activity).

Flow configuration

The following table describes the units needed to create this flow, as well as how to configure and link them.

Unit type and description

Configuration

Unit type and description

Configuration

DevoSource

This unit will launch a query and send its results to the indicated outputs. In this case, we want to query the Devo table that stores all the domain's users activity (siem.logtrust.web.activity).

Drag a DevoSource unit to the canvas and open its configuration options by double-clicking it.

Enter a Name for the unit (in this example, GetWebActivity), and in the Query field, enter the query from which you want to get data. In this example, we will use the following:

from siem.logtrust.web.activity select *

Also, you can optionally choose a Start time for the query. In this case, we enter 03/31/20 00:00:00

Click Apply to save the configuration.

Filter

We will use this unit to filter the events that come from the indicated table and get only those that include actions taken by a specific user in our domain.

Drag a Filter unit to the canvas and link the output port data of the DevoSource unit to the input port of this unit.

Then, open the configuration options of the unit by double-clicking it. Enter a Name for the unit (in this example, GetUsername), and in the Predicate field, we enter the conditions for the filter. In this case, we want to get only entries for a specific user, so we indicate his email address. Also, we will get rid of null values. This is the expression that we will use:

username != null && username.equals("email_address")

Click Apply to save the configuration.

Reducer

This unit applies the reduce function to the events sent by the source query. In this case, it will add a  count of all the events that match the condition of the filter applied.

Drag a Reducer unit to the canvas and link the output port out of the Filter unit to the input port in of this unit.

Then, open the configuration options of the unit by double-clicking it. Fill the following fields with these values:

  • Name - Enter a name for the unit (in this example, reducerCount).

  • InitValue - Expression that determines the initial value of the reducer. In this example, we enter 0L.

  • Field name - Enter a name for the field that will be added to the events with the reducer results. In this case, we will name it counter.

  • Accumulator Type - The expected data type of the values generated by the reducer. In this case, we select Long.

  • Expression - Groovy expression that will determine the behavior of the reducer. In this case, we will add the following expression to get the count of occurrences:
    _acc_ +1

Click Apply to save the configuration.

Filter

This unit will filter only those events where the counter value added by the Reducer is 1000 or more.

Drag a Filter unit to the canvas and link the output port out of the Reducer unit to the input port of this unit.

Then, open the configuration options of the unit by double-clicking it. Enter a Name for the unit (in this example, Counter1000), and in the Predicate field, we enter the conditions for the filter. In this case, we want to get only those events where the counter field shows a value equal to or higher than 1000. This is the expression that we will use:
counter %% 1000 == 0

Click Apply to save the configuration.

EmailSink

This unit will send the results to an indicated email address.

Drag an EmailSink unit to the canvas and link the output port out of the Filter unit to the input port of this unit.

Then, open the configuration options of the unit by double-clicking it. In the General tab, add a Name to the unit (in this example, we called it toMail), the Subject of the mails that will be sent (in this example, User activity > 1000) and the Message to be sent. This is the message that we used in this example, referencing the counter column:

The alert has been fired %%﹛counter﹜times

Now go to the To recipients tab, click the + icon in the TOs section, and enter the email addresses you want to send the mails.

Click Apply to save the configuration.

SlackSink

the Slack Sink unit sends a Slack message to a configurable channel. 

Drag a SlackSink unit to the canvas and link the output port out of the same Filter unit used before with EmailSink to the input port of the SlackSink unit.

Then, open the configuration options of the unit by double-clicking it and enter the following information:

  • Name - Add a name to the unit (in this example, we called it toSlack).

  • Message - This is the message that will be sent to the specified Slack channel. In this example, we will include the following message, referencing the counter column:
    The alert has been fired %%﹛counter﹜times

  • Slack WebHook - Enter the Slack Webhook that references the required Slack workspace and channel where the messages will be sent. Learn more about Slack Webhooks and how to use them here.

Click Apply to save the configuration.

Result

Once you have defined the whole Flow, click the Start button to activate it. If everything is correctly configured, the addresses indicated in the EmailSink unit and the Slack channel specified in the SlackSink unit through the corresponding Webhook will receive a notification when the indicated user registers 1000 or more entries in the siem.logtrust.web.activity table.

This is the notification sent to the indicated email(s):

And this is how the Slack message looks like:

Import this Flow

Download this Flow in JSON format and import it to your domain using the Import option.

Add the required data to make this Flow work

As explained in the Flow configuration section, you must include the required email addresses in the first Filter unit added and in the EmailSink unit, and also the required Slack Webhook in the SlackSink unit to make this flow work.