Action Type: Falcon LogScale Repository
Security Requirements and Controls
Change triggers and actions
permission
Falcon LogScale Repository Action sends events from a trigger to a LogScale repository. This can be used to summarize all such events, or to aggregate information from multiple triggers.
Figure 205. Configuring Falcon LogScale Repository Action
Parameter | Description |
---|---|
Name | The name provided for the repository action. |
Ingest token | An Ingest Tokens for the repository receiving the events. |
The events from the trigger are parsed and ingested using the ingest token. If the ingest token has an associated parser, it is used; otherwise, the built-in-parser json-for-action is used.
The events sent to the parser contain the following fields in addition to the fields in the event:
Field | Value |
---|---|
@trigger.id | The id of the trigger. |
@trigger.name | The user-made name of the trigger. |
@trigger.description | The user-made description of the trigger. |
@trigger.type | The type of the trigger. Either alert or scheduled-search. |
@trigger.query.start | The query start time (e.g. 10m). |
@trigger.query.end | The query end time (e.g. now). |
@trigger.invocation.triggeredAt | The time at which the trigger was triggered, formatted as ISO 8601. |
@trigger.invocation.uuid | A unique id for an invocation of the trigger. Can be used to identify events from the same invocation of the trigger. |
@trigger.invocation.start | The actual query start time as Unix Time in milliseconds. |
@trigger.invocation.end | The actual query end time as Unix Time in milliseconds. |
@trigger.repository.name | The name of the repository in which the trigger is defined. |
@rawstring | The original event from the trigger, encoded as JSON. A prefix # character in a field name is replaced by @tag., so that e.g. #source becomes @tag.source. |
The default json-for-action parser will extract the original event from the @rawstring field, so that the parsed event contains all the original fields together with all the @trigger.XXX fields. It will not parse any timestamps, so if the original event does not contain a @timestamp field, the event will get "now" as timestamp.
The events you send through this action count towards the daily ingest limit.
Testing Repository Actions
A Repository action can be tested by creating mock triggers.
Figure 206. Testing Falcon LogScale Repository Action
Click
to start the test.Use the Advanced options pull-down to configure which mock events triggered your action. This is useful if you need to test how your action handles certain types of events. You can include multiple events.
Click
to fire your repository test action.