Inactivity alert
- Juan Tomás Alonso Nieto (Deactivated)
- Borja Moro Moreno
Overview
The inactivity method operates on a similar principle as the several and low alert types, differing in the number of events necessary to trigger the alert. It is triggered every time a monitored field stops recording one of its values for a given time period.
An inactivity alert builds a transparent list of active values in a field, which is updated every minute with incoming values and checked in search of missing values. When one of them stops showing after one minute and remains absent for the specified period, an alert is triggered and the value removed from the list. This means that an alert is not triggered after subsequent periods of inactivity unless the value reappears afterwards and disappears again. The inactivity periods are rolling and always start counting from the minute the value stops showing.
This alert type could prove valuable in identifying when a machine ceases operations or experiences downtime.
What data do I need to create this alert?
To create an alert using this triggering method, you can apply filters and create new fields in your query but you cannot group events. If you grouped, this alert type will not appear for you to select in the alert definition window.
Specific settings
To create an inactivity alert, you have to define the following variables:
Period
This setting determines the duration of the intervals (minimum of 5 minutes, maximum of 30 days) used by the system to check for inactivity and trigger the corresponding alert when the inactivity extends beyond that duration. You can use preset periods or create custom periods:
Preset periods: click the dropdown and select the desired option (you can use the editable field to filter them).
Custom periods: click the dropdown, write the desired period in the editable field and then click the green field that appears below to confirm it. You have to introduce a valid format, otherwise you will get an error message. The accepted format consists of a number followed by a duration code without space between them:
Duration | Format | Example |
|---|---|---|
Days | (0-n)d | 1 day → 1d |
Hours | (0-24)h | 15 hours → 15h |
Minutes | (0-59)m | 45 min → 45m |
Seconds | (0-59)s | 50 seconds → 50s |
Compound: you can stack the different durations to create a compound | (0-n)d(0-24)h(0-59)m(0-59)s  | 15 hours, 45 minutes, 50 seconds → 15h45m50s |
Internal one-minute rolling interval
The system verifications are internally segmented into one-minute intervals that will be used to determine the presence or absence of values in the series. After detecting a missing value in one minute, the system will monitor if its absence extends beyond the specified period, and will trigger an alert in such a case.
Triggering delay
Due to the one-minute window explained above, a slight delay between the actual occurrence and the alert generation might occur. This delay accounts for the minute that follows the end of the inactive period, confirming its status as a true period of inactivity. This is especially relevant when checking the query data in the table.
Keep track for each value in fields
You must specify one or more fields to keep track of their unique values to trigger the alert. Drag the required field(s) into the box below or select them on the table and click the Add selected fields button.
This means that there will be a separate counter for each unique value and an alert will be triggered every time one of them is absent for the specified period. In case you add more than one field, the counter will consider unique value combinations instead of individual values to trigger alerts.
Example: let's see an example to better understand this option. The table below shows the events received by three collectors, with an inactivity period set to 5 minutes and the collector_name field used to keep track of its values.
An alert would be triggered a while after 10:38 for the period between 10:33:00 and 10:37:59 because Collector2 did not register any event for 5 minutes.
It wouldn’t be triggered for the period between 10:31:00 and 10:31:59 because the inactivity occurred for less than 5 minutes.
 | 10:30 | 10:31 | 10:32 | 10:33 | 10:34 | 10:35 | 10:36 | 10:37 | 10:38 | 10:39 |
|---|---|---|---|---|---|---|---|---|---|---|
collector_name | Collector 1 | Collector 1 | Collector 1 | Collector 1 | Collector 1 | Collector 1 | Collector 1 | Collector 1 | Collector 1 | Collector 1 |
Collector 2 | Â | Collector 2 | Â | Â | Â | Â | Â | Collector 2 | Â | |
Collector 3 | Collector 3 | Collector 3 | Collector 3 | Collector 3 | Collector 3 | Collector 3 | Collector 3 | Collector 3 | Collector 3 |
Monitoring the absence of events
If we want to monitor the total absence of events in a period instead of the absence of a specific value, we can add an artificial field that we can use for value tracking (using the syntax select "any_value" as key). As it’s the only value in the field, its absence will mean the absence of any event, thus triggering an alert.
Using field values in the Summary and Description
You can use the $fieldName command to include the field values of the events that triggered the alert within the Summary and Description fields of the alert. This command can be employed with the $eventdate and the fields added to keep track. Using a different one will not activate the command and will be interpreted as plain text.
In the following query and with the following fields added to keep track, you could use:
Â
from siem.logtrust.web.activity
where responseTime > 1
where responseLength >= 40000Â
Â
Â
Â
$eventdate
$domain
Â
Query example
Example 1: machine downtime
To detect if a machine is down or lost connection for more than one hour you can use the following query and set an inactivity alert with the following settings:
from box.unixExample 2: collector not registering data in Devo
To detect if a collector has stopped registering data in Devo for more than 30 minutes you can use the following query and set an inactivity alert with the following settings:
from devo.collectors.out
where isnotnull(collector_name)
where collector_name != ""Â
Related Articles: