Triggers¶

Triggers define output of correlators, baselines etc. They live in the trigger section of the correlator. Each rule in the library can define many triggers (it is a list).

The trigger can access the original event by !EVENT statement, it is the last event that passed evaluation test.

The value from the aggregator function is availabe at !ARG.

`event` trigger¶

This trigger inserts a new event into the complex event lane.

Example of the event trigger:

trigger:
  - event:
      threat.indicator.confidence: "Medium"
      threat.indicator.ip: !ITEM EVENT source.ip
      threat.indicator.port: !ITEM EVENT source.port
      threat.indicator.type: "ipv4-addr"

There may be up to 5 results, like in mean spike aggregator:

trigger:
  - event:
      events: !ARG EVENTS
      MeanSpike:
        !GET
        from: !ARG RESULTS
        what: 0
      MeanSpikeLastCount:
        !GET
        from: !ARG RESULTS
        what: 1
      MeanSpikeMean:
        !GET
        from: !ARG RESULTS
        what: 2

`lookup` trigger¶

Lookup trigger manipulates with the content of the lookup. It means that it can add (set), increment (add), decrement (sub) and remove (delete) an entry in the lookup.

The entry is identified by a key, which is a unique primary key.

Example of the trigger that adds an entry to the lookup user_list:

 trigger:
  - lookup: user_list
    key: !ITEM EVENT user.name
    set:
      score: 1

Example of the trigger that removes an entry from the lookup user_list:

 trigger:
  - lookup: user_list
    delete: !ITEM EVENT user.name

Example of the trigger that increments a counter (field my_counter) in the entry of the lookup user_list:

 trigger:
  - lookup: user_list
    key: !ITEM EVENT user.name
    add: my_counter

Example of the trigger that decrements a counter (field my_counter) in the entry of the lookup user_list:

 trigger:
  - lookup: user_list
    key: !ITEM EVENT user.name
    sub: my_counter

If the counter field does not exist, it is created with the default value of 0.

`notification` trigger¶

This trigger inserts a new notification into the primary data path, that is read by asab-iris.

Example of the notification trigger:

  - notification:
      type: email
      template: "/Templates/Email/notification_4728.md"
      to: eliska.novotna@teskalabs.com
      variables:
        name: "brute-force"
        events: !ARG

Triggers¶

event trigger¶

lookup trigger¶

notification trigger¶

`event` trigger¶

`lookup` trigger¶

`notification` trigger¶