
Cole_McDonald
5 years ago

Conditional EventSources

Specific need here that could be useful elsewhere. If an event source could conditionally raise an alert based on the existence or not of a related alert, that would be useful. Example: under Windows, if a user initiates a reboot of the system, a few alerts are thrown: the request, the system's response, and the final shutdown notice. It's also followed up by an informational message that occurs whether the reboot was requested by a user or an unexpected crash. So we always need to get that last one, but not if we got the first one, as the first has much better information and timing for us than the last one.

If you could at least add a scripty piece to the eventSource, I could query existing alerts for a device and use that to throw a new alert or not. (I could also use that to automate remediations as a bonus.)

1 Reply

  • I agree and raise you -- there should be a general correlation facility. I would be excessively happy right now to even be able to reference the value of a different datapoint in the same datasource in an alert string. The right solution would be to define correlation rules similar to Zabbix (https://www.zabbix.com/documentation/4.2/manual/config/event_correlation) where you would suppress alerts depending on a complex evaluation of any LogicModule result. For events specifically, they themselves need to be bucketed with a "correlation key" and counters with alerts tied to more than just an ephemeral point in time (see SEC for a great simple-ish tool that does this for event streams: https://simple-evcorr.github.io/).
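The correlation the thread asks for (bucket events by a key, suppress the late informational alert when the richer "reboot requested" alert already fired for that device, but still raise it when no request preceded it, i.e. an unexpected restart), worked as an added Python example that is not part of this discussion or of any monitoring product. The event-type labels, the 600-second window and the sample event stream are constructed placeholders, not real Windows event IDs.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    ts: int       # seconds since epoch (constructed sample values)
    device: str   # the correlation key: which host the event came from
    kind: str     # constructed event-type label, not a real Windows event ID

# Suppression rules: an event of the key kind is NOT alerted on when the
# named earlier kind was seen for the same device within `window` seconds.
# Assumption: the "system_started" informational message is the one that
# fires after both user-initiated reboots and crashes.
RULES = {
    "system_started": ("reboot_requested", 600),
}

def correlate(events, rules=RULES):
    """Return the events that should raise an alert, in time order.

    Every event alerts unless a rule says a more informative related alert
    (same correlation key, within the window) has already covered it.
    """
    last_seen = {}   # (device, kind) -> timestamp of most recent occurrence
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        last_seen[(ev.device, ev.kind)] = ev.ts
        rule = rules.get(ev.kind)
        if rule is not None:
            trigger_kind, window = rule
            t = last_seen.get((ev.device, trigger_kind))
            if t is not None and 0 <= ev.ts - t <= window:
                continue  # suppressed: the request alert already carried the info
        alerts.append(ev)  # no matching request -> treat as unexpected restart
    return alerts

# Constructed event stream: host-a reboots on request, host-b just comes
# back up (crash), and host-a starts again much later with no request.
SAMPLE_EVENTS = [
    Event(100, "host-a", "reboot_requested"),
    Event(130, "host-a", "shutdown_notice"),
    Event(200, "host-a", "system_started"),   # suppressed (request at 100)
    Event(300, "host-b", "system_started"),   # raised: no request seen
    Event(5000, "host-a", "system_started"),  # raised: outside the window
]

def sample_alerts():
    """Run the sample stream and return (device, kind, ts) for each alert."""
    return [(e.device, e.kind, e.ts) for e in correlate(SAMPLE_EVENTS)]

if __name__ == "__main__":
    for a in sample_alerts():
        print(a)
```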