Alerts

Security Requirements and Controls

Alerts use live-queries that run continuously, trigger one or more actions when the query returns a result. Using alerts enables automation for notifying analysts and administrators through different integrations such as email or forward to another repo. This means you don't have to rely on a routine of checking LogScale and executing queries manually or programmatically and can detect problems as soon as they occur.

The alert types that are available:

  • Filter Alerts are based on non-aggregate queries, and are configured to trigger the corresponding action at least once. Filter alerts also use a live query, but must not use an aggregate function for execution. Each event in the result set from the alert query triggers the actions associated with the alert.

  • Standard Alerts are triggered by queries that generate a result set. If the query is not already an aggregate query result, tail(200) is appended to the query to make it an aggregate query. Aggregate queries associated with a standard alert are run as live queries, and when the result set is executed and generates results, these are fed to the configured actions. Actions are triggered for the combined result set.

The attributes of the two alert types are compared in the following table:

Feature Standard Alerts Filter Alerts
Supports aggregates Yes No
Sends aggregate results to Actions Yes No
Supports joins No, see warnings with live joins No
Needs search window Yes No
Triggered by Aggregate result Single event
Action invocation Sequentially Concurrently
Can be throttled Yes Yes (from version 1.129)
Can be used in packages Yes Yes