Action Type: Falcon LogScale Repository

Security Requirements and Controls

Falcon LogScale Repository Action sends events from a trigger to a LogScale repository. This can be used to summarize all such events, or to aggregate information from multiple triggers.

Configuring Falcon LogScale Repository Action

Figure 177. Configuring Falcon LogScale Repository Action

Parameter       Description
Name            The name provided for the repository action.
Ingest token    An ingest token for the repository receiving the events.

The events from the trigger are parsed and ingested using the ingest token. If the ingest token has an associated parser, it is used; otherwise, the built-in-parser json-for-action is used.

The events sent to the parser contain the following fields in addition to the fields in the event:

Field                              Value
                                   The id of the trigger.
                                   The user-made name of the trigger.
@trigger.description               The user-made description of the trigger.
@trigger.type                      The type of the trigger. Either alert or scheduled-search.
@trigger.query.start               The query start time (e.g. 10m).
@trigger.query.end                 The query end time (e.g. now).
@trigger.invocation.triggeredAt    The time at which the trigger was triggered, formatted as ISO 8601.
@trigger.invocation.uuid           A unique id for an invocation of the trigger. Can be used to identify events from the same invocation of the trigger.
@trigger.invocation.start          The actual query start time as Unix Time in milliseconds.
@trigger.invocation.end            The actual query end time as Unix Time in milliseconds.
                                   The name of the repository in which the trigger is defined.
@rawstring                         The original event from the trigger, encoded as JSON. A prefix # character in a field name is replaced by @tag., so that e.g. #source becomes @tag.source.

The default json-for-action parser extracts the original event from the @rawstring field, so the parsed event contains all the original fields together with all the @trigger.XXX fields. It does not parse any timestamps, so if the original event does not contain a @timestamp field, the event is timestamped with the ingest time ("now").
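A small model, added here and not LogScale's own code, of the two steps described above: how the action packages the original event into @rawstring (with the # to @tag. renaming) and what the json-for-action parser recovers from it, including the "now" fallback for @timestamp. The trigger metadata values and the two sample result rows are constructed.

```python
import json
from datetime import datetime, timezone

# Constructed sample trigger metadata (field names from the docs, values made up).
TRIGGER_META = {
    "@trigger.description": "Failed logins above threshold",
    "@trigger.type": "alert",
    "@trigger.query.start": "10m",
    "@trigger.query.end": "now",
    "@trigger.invocation.triggeredAt": "2024-05-01T12:00:00Z",
    "@trigger.invocation.uuid": "00000000-0000-0000-0000-000000000000",
    "@trigger.invocation.start": 1714564200000,
    "@trigger.invocation.end": 1714564800000,
}

# Constructed sample result rows as a trigger query might return them.
ORIGINAL_EVENTS = [
    {"user": "alice", "count": 7, "#source": "auth.log",
     "@timestamp": "2024-05-01T11:58:30Z"},
    {"user": "bob", "count": 12, "#source": "auth.log"},  # no @timestamp
]


def build_action_event(trigger_meta: dict, original: dict) -> dict:
    """Model of what the action hands to the parser: the @trigger.* fields plus
    the original event JSON-encoded in @rawstring, with '#x' renamed to '@tag.x'."""
    renamed = {("@tag." + k[1:] if k.startswith("#") else k): v
               for k, v in original.items()}
    event = dict(trigger_meta)
    event["@rawstring"] = json.dumps(renamed)
    return event


def parse_json_for_action(action_event: dict, now: str) -> dict:
    """Model of the default json-for-action parser: the original fields are
    extracted from @rawstring and merged with the @trigger.* fields. No timestamp
    parsing happens, so an event without @timestamp gets the ingest time ("now")."""
    parsed = dict(action_event)
    parsed.update(json.loads(action_event["@rawstring"]))
    parsed.setdefault("@timestamp", now)
    return parsed


def ingest_all(trigger_meta: dict, originals: list, now: str) -> list:
    """Run every result row through both steps, as one trigger invocation would."""
    return [parse_json_for_action(build_action_event(trigger_meta, o), now)
            for o in originals]


if __name__ == "__main__":
    ingest_time = datetime.now(timezone.utc).isoformat()
    for e in ingest_all(TRIGGER_META, ORIGINAL_EVENTS, ingest_time):
        print(e["@tag.source"], e["user"], e["@timestamp"], e["@trigger.invocation.uuid"])
```

The second row shows the caveat that matters for time-window queries in the destination repository: an original event without @timestamp is stamped with the ingest time, not the time it actually occurred, so forward @timestamp (or a field the ingest token's parser can turn into one) if event time matters.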

The events you send through this action count towards the daily ingest limit.

Testing Repository Actions

A repository action can be tested by creating mock triggers.

Testing Falcon LogScale Repository Action

Figure 178. Testing Falcon LogScale Repository Action

  1. Click Test action to start the test.

  2. Use the Advanced options pull-down to configure which mock events triggered your action. This is useful if you need to test how your action handles certain types of events. You can include multiple events.

  3. Click Trigger test alert to fire your repository test action.