Trigger properties
Security Requirements and Controls
Create triggers permission
Update triggers permission
Different types of automated alerts, including scheduled searches, aggregate alerts, filter alerts, and legacy alerts, have different properties and configuration settings. This content provides detailed information about essential properties like scheduling options, timestamps, throttling, and permissions, with specific emphasis on scheduled search configurations including UTC offsets, max wait times, backfill limits, and strategies for managing search execution timing.
The following properties are available and configurable when creating new triggers or editing existing triggers:
Property | Scheduled Search | Aggregate Alert | Filter Alert | Legacy Alert |
---|---|---|---|---|
Name | Required | Required | Required | Required |
Description | Optional | Optional | Optional | Optional |
Labels | Optional | Optional | Optional | Optional |
Query type (can be either Live or Scheduled search) | Required to run | Required to run | Required to run | Required to run |
Alert type (available if using Live Query type) | - | Required | Required | Required |
Time window | Required | Required | - | Required |
Throttling | - | Required | Optional | Required |
Select actions | Required to run | Required to run | Required to run | Required to run |
Select timestamp | is default; | is default; can be used | ||
Schedule | Required to use either or configuration to set schedule. Fields in Schedule adjust according to this selection. | - | - | - |
Delay run | Available if using | - | - | - |
Max wait time | Required if using | - | - | - |
Backfill Limit | Available if using | - | - | - |
Query model | Required | Required | Required | Required |