Several alert type
The several method triggers an alert when a given number of events occur within a given time period.
The threshold for this kind of alert is defined by the time period and the threshold number of events you specify. So, the alert process will maintain a count of events that meet the conditions of your query over the last time period and trigger an alert when the threshold number has been exceeded at the end of the period. The time period is rolling, that is to say, that if your chosen time period is 1 hour, the alert will maintain a running count of events over 60 minutes and it will restart after that time.
This type of alert could be useful when monitoring potentially malicious activity to be informed whenever the acceptable bound is exceeded.
What data do I need to create this alert?
To create an alert using this triggering method, you can apply filters and create new columns in your query but you cannot group events. If you grouped, this alert type will not appear for you to select in the alert definition window.
Defining the alert
After selecting this type of alert, you have to define the following variables:
This setting specifies how frequently you want the system to check for events matching the conditions of your query. You can use preset periods or create custom periods:
The period will not start counting from the moment of the alert creation but from a fixed division that takes the Epoch reference date as the starting point (midnight Jan 1, 1970). This means that if you created an alert past the hour with a one-hour period, the first time it will be triggered (if the conditions are met) will be when the clock strikes the hour and not after 60 minutes. In other words, if you created it at 9:37, it will be triggered at 10 and not at 10:37
The period will be adjusted according to the timezone specified in the delivery method assigned to the alert. To know more about this check the Manage delivery methods article.
This setting specifies how many events you want to use as a limit to trigger the alert (only when a greater number of events is received, the alert will be triggered). Write the desired number.
You can specify column(s) to keep count of their unique values individually to trigger the alert. This means that there will be a separate counter for each unique value and an alert will be triggered every time one of them exceeds the threshold. In case you add more than one column, the counter will consider unique value combinations instead of individual values to trigger alerts. Drag the required column(s) into the field below or select them on the table and click the Add selected columns button.
Let's see this in an example to better understand this option. The table below shows the events received during a period and we will use the following settings:
Using column values in Summary and Description
You can use the $columnName command to display in the Summary and Description fields the column values of the events that triggered the alert. This command can be employed with the names of the columns and properties below. Using a different one will not activate the command and will be interpreted as plain text.
- $columnName of those added to Keep counter for each value in columns.
- $count: even though it is not the name of a column, it is a feature that can be used with the several alert type to display the number of events collected during the specified period.
In the following query, you could use:
from demo.ecommerce.data where statusCode = 404, bytesTransferred >= 4000
demo.ecommerce.data table, imagine that you want to receive an alert when you receive more than 5 events where the bytes transferred exceed 3000 and the status code is 404 in every 30 minutes period.
First of all, you need to filter your query data using the Greater than (gt, >) and Equal (eq, =) operations. Then you need to open the alert definition window, select the several type alert and fill in all the details (pay special attention to the specific settings of this alert type).
To save time, you can copy the following query to reproduce the aforementioned example from the
demo.ecommerce.data sample table and create a several type alert.
from demo.ecommerce.data where bytesTransferred > 3000, statusCode = 404