Cole McDonald

Conditional EventSources


Specific need here that could be useful elsewhere. If an event source could conditionally raise an alert based on the existence or not of a related alert, that would be useful. Example: under Windows, if a user initiates a reboot of the system, a few alerts are thrown: the request, the system's response, and the final shutdown notice. It's also followed up by an informational message that occurs whether the reboot was requested by a user or an unexpected crash. So we always need to get that last one, but not if we got the first one, as the first has much better information and timing for us than the last one.

If you could at least add a scripty piece to the eventSource, I could query existing alerts for a device and use that to throw a new alert or not. (I could also use that to automate remediations as a bonus.)


I agree and raise you -- there should be a general correlation facility. I would be excessively happy right now to even be able to reference the value of a different datapoint in the same datasource in an alert string. The right solution would be to define correlation rules similar to Zabbix (https://www.zabbix.com/documentation/4.2/manual/config/event_correlation) where you would suppress alerts depending on a complex evaluation of any LogicModule result. For events specifically, they themselves need to be bucketed with a "correlation key" and counters, with alerts tied to more than just an ephemeral point in time (see SEC for a great simple-ish tool that does this for event streams (https://simple-evcorr.github.io/)).

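Added example, not from either poster or from any product mentioned in the thread: a minimal correlator of the kind both posts ask for, applied to the reboot case from the first post. It buckets events by a correlation key (the host), remembers the rich user-initiated request event, suppresses the generic post-boot informational event when a request explains it, and keeps a per-host counter of unexplained restarts as the second post suggests. The log lines are constructed, and the choice of Windows event IDs 1074 (shutdown/restart request) and 6005 (Event Log service started after boot) for the two roles is an assumption for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO time> <host> <event id> <message>".
# Assumption: 1074 plays the rich "request" role, 6005 the generic
# informational follow-up that fires after every boot, requested or not.
SAMPLE_LOG = """\
2024-03-01T10:00:00 web01 1074 Restart initiated by CORP\\alice, reason: Planned maintenance
2024-03-01T10:03:10 web01 6005 The Event log service was started.
2024-03-01T10:05:00 db02 6005 The Event log service was started.
2024-03-01T12:00:00 web01 6005 The Event log service was started.
"""
REQUEST_IDS = {1074}            # rich events: alert immediately and remember them
FOLLOWUP_IDS = {6005}           # generic event: alert only if no request preceded it
WINDOW = timedelta(minutes=15)  # how long a request is allowed to explain a follow-up

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, host, eid, msg = line.split(" ", 3)
        events.append({"time": datetime.fromisoformat(ts), "host": host,
                       "id": int(eid), "msg": msg})
    return events

class RebootCorrelator:
    """Suppress the generic post-boot event when a user-initiated request
    with the same correlation key (here: the host) was seen within WINDOW."""
    def __init__(self, window=WINDOW):
        self.window = window
        self.pending = {}      # correlation key -> time of the last request
        self.unexplained = {}  # correlation key -> running counter of unexplained boots

    def process(self, ev):
        """Return an alert dict for this event, or None when it is suppressed."""
        key = ev["host"]
        if ev["id"] in REQUEST_IDS:
            self.pending[key] = ev["time"]
            return {"host": key, "severity": "warning", "msg": "Planned reboot: " + ev["msg"]}
        if ev["id"] in FOLLOWUP_IDS:
            last = self.pending.pop(key, None)  # consume it: one request explains one boot
            if last is not None and timedelta(0) <= ev["time"] - last <= self.window:
                return None
            self.unexplained[key] = self.unexplained.get(key, 0) + 1
            return {"host": key, "severity": "error",
                    "msg": f"Unexplained restart #{self.unexplained[key]}: " + ev["msg"]}
        return None  # event types the rule does not care about

def correlate(text):
    c = RebootCorrelator()
    return [a for ev in sorted(parse_log(text), key=lambda e: e["time"])
            if (a := c.process(ev)) is not None]
```

On the sample log this yields three alerts: the planned reboot of web01, an unexplained restart of db02, and a second, unexplained restart of web01 at 12:00 that no request covers.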
