Alerts and notifications / Creating new alerts / Alert trigger methods / Several alert type

Several alert type

Overview

The several method triggers an alert when a given number of events occur within a given time period.

The threshold for this kind of alert is defined by the time period and the threshold number of events you specify. So, the alert process will maintain a count of events that meet the conditions of your query over the last time period and trigger an alert when the threshold number has been exceeded at the end of the period. The time period is rolling, that is to say, that if your chosen time period is 1 hour, the alert will maintain a running count of events over 60 minutes and it will restart after that time.

This type of alert could be useful when monitoring potentially malicious activity to be informed whenever the acceptable bound is exceeded.

What data do I need to create this alert?

To create an alert using this triggering method, you can apply filters and create new columns in your query but you cannot group events. If you grouped, this alert type will not appear for you to select in the alert definition window.

Defining the alert

After selecting this type of alert, you have to define the following variables:

This setting specifies how frequently you want the system to check for events matching the conditions of your query. You can use preset periods or create custom periods:

Preset periods: click the dropdown and select the desired option (you can use the editable field to filter them).

Custom periods: click the dropdown, write the desired period in the editable field and then click the green field that appears below to confirm it. You have to introduce a valid format, otherwise, you will get an error message. The accepted format consists of a number followed by a duration code without space between them:

Duration	*Format*	Example
Days	(0-n)d	1 day → 1d
Hours	(0-24)h	15 hours → 15h
Minutes	(0-59)m	45 min → 45m
Seconds	(0-59)s	50 seconds → 50s
You can stack them to create a compound → 15h45m50s

The period will not start counting from the moment of the alert creation but from a fixed division that takes the Epoch reference date as the starting point (midnight Jan 1, 1970). This means that if you created an alert past the hour with a one-hour period, the first time it will be triggered (if the conditions are met) will be when the clock strikes the hour and not after 60 minutes. In other words, if you created it at 9:37, it will be triggered at 10 and not at 10:37

The period will be adjusted according to the timezone specified in the delivery method assigned to the alert. To know more about this check the Manage delivery methods article.

This setting specifies how many events you want to use as a limit to trigger the alert (only when a greater number of events is received, the alert will be triggered). Write the desired number.

You can specify column(s) to keep count of their unique values individually to trigger the alert. This means that there will be a separate counter for each unique value and an alert will be triggered every time one of them exceeds the threshold. In case you add more than one column, the counter will consider unique value combinations instead of individual values to trigger alerts. Drag the required column(s) into the field below or select them on the table and click the Add selected columns button.

Let's see this in an example to better understand this option. The table below shows the events received during a period and we will use the following settings:

Threshold 5: an alert would be triggered because we have 6 events.
Threshold 5, keep counter Name: an alert would not be triggered because we have 4 events for Mike, 1 for François, and 1 for Lara; none of them above 5.
Threshold 3, keep counter Name: an alert would be triggered because we have 4 events for Mike.
Threshold 3, keep counter Name-City: an alert would not be triggered because we have 1 event for Mike-Liverpool, 3 for Mike-London, 1 for François-Paris, and 1 for Lara-Madrid, none of them above 3.
Threshold 2, keep counter Status: two alerts would be triggered because we have 3 events for online and 3 for away, both of them above 2.

Using column values in Summary and Description

You can use the $columnName command to display in the Summary and Description fields the column values of the events that triggered the alert. This command can be employed with the names of the columns and properties below. Using a different one will not activate the command and will be interpreted as plain text.

$eventdate
$columnName of those added to Keep counter for each value in columns.
$count: even though it is not the name of a column, it is a feature that can be used with the several alert type to display the number of events collected during the specified period.

In the following query, you could use:

from demo.ecommerce.data
where statusCode = 404,
bytesTransferred >= 4000

$eventdate
$bytesTransferred
$timeTaken
$count

Query example

In the demo.ecommerce.data table, imagine that you want to receive an alert when you receive more than 5 events where the bytes transferred exceed 3000 and the status code is 404 in every 30 minutes period.

First of all, you need to filter your query data using the Greater than (gt, >) and Equal (eq, =) operations. Then you need to open the alert definition window, select the several type alert and fill in all the details (pay special attention to the specific settings of this alert type).

To save time, you can copy the following query to reproduce the aforementioned example from the demo.ecommerce.data sample table and create a several type alert.

from demo.ecommerce.data
where bytesTransferred > 3000,
statusCode = 404

Related Articles:

Download as PDF