
Correlator triggers

Triggers define the output of correlators. They live in the trigger section of a correlator. Each correlator can define many triggers (the section is a list).

The trigger can access the original event through the !EVENT statement; this is the last event that passed the evaluation test.

The value from the aggregator function is available at !ARG.

event trigger

This trigger inserts a new event/alert into the primary data path.

Example of the event trigger:

trigger:
  - event:
      !DICT
      type: "{str:any}"
      with:
        AnalyzeValue:
          !GET
          from: !ARG RESULTS
          what: 0
        LastEvent: !EVENT
        AnotherAttribute: Foo

There may be up to 5 results, as in the mean spike aggregator:

trigger:
  - event:
      !DICT
      type: "{str:any}"
      with:
        events: !ARG EVENTS
        MeanSpike:
          !GET
          from: !ARG RESULTS
          what: 0
        MeanSpikeLastCount:
          !GET
          from: !ARG RESULTS
          what: 1
        MeanSpikeMean:
          !GET
          from: !ARG RESULTS
          what: 2

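The following reference model is an added example, not code from the correlator or from TeskaLabs. It shows how an event trigger assembles its output from the trigger context: !ARG names look up the aggregator output, !GET with what: N picks an index out of RESULTS, !EVENT is the last evaluated event, and !DICT builds the new event. The tags are encoded as Python tuples because the YAML tags themselves need the correlator's parser; the type annotation ("{str:any}") is omitted from the model, and the sample events and RESULTS values are constructed for the example.

```python
"""Reference model (added example, not BitSwan/TeskaLabs code) of how an
event trigger builds its output event from the aggregator context."""

# Expression forms, mirroring the YAML tags used in the trigger examples:
#   ("ARG", name)                -> !ARG name
#   ("GET", from_expr, what)     -> !GET from: <expr> what: <index or key>
#   ("EVENT",)                   -> !EVENT
#   ("DICT", {key: expr, ...})   -> !DICT with: ...
# Anything that is not a tuple is a literal value (e.g. "Foo").


def evaluate(expr, ctx):
    """Resolve one declarative expression against the trigger context.

    ctx["EVENT"] is the last event that passed the evaluation test;
    ctx["ARG"] is the aggregator output (e.g. RESULTS and EVENTS).
    """
    if not isinstance(expr, tuple):
        return expr
    tag = expr[0]
    if tag == "ARG":
        return ctx["ARG"][expr[1]]
    if tag == "EVENT":
        return ctx["EVENT"]
    if tag == "GET":
        container = evaluate(expr[1], ctx)
        return container[expr[2]]
    if tag == "DICT":
        return {key: evaluate(value, ctx) for key, value in expr[1].items()}
    raise ValueError(f"unknown expression tag {tag!r}")


def run_event_trigger(trigger_spec, ctx):
    """Apply an 'event' trigger: evaluate its !DICT and return the new event."""
    return evaluate(trigger_spec["event"], ctx)


# The mean spike trigger from the page, written in the tuple form above.
MEAN_SPIKE_TRIGGER = {
    "event": ("DICT", {
        "events": ("ARG", "EVENTS"),
        "MeanSpike": ("GET", ("ARG", "RESULTS"), 0),
        "MeanSpikeLastCount": ("GET", ("ARG", "RESULTS"), 1),
        "MeanSpikeMean": ("GET", ("ARG", "RESULTS"), 2),
    }),
}

# Constructed sample context: three events that reached the aggregator and
# a made-up RESULTS list (spike flag, last count, mean).
SAMPLE_EVENTS = [
    {"UserName": "alice", "event.type": "login-failure"},
    {"UserName": "alice", "event.type": "login-failure"},
    {"UserName": "alice", "event.type": "login-failure"},
]
SAMPLE_CTX = {
    "EVENT": SAMPLE_EVENTS[-1],
    "ARG": {"EVENTS": SAMPLE_EVENTS, "RESULTS": [True, 3, 1.5]},
}


def mean_spike_alert():
    """Output event produced by MEAN_SPIKE_TRIGGER on the sample context."""
    return run_event_trigger(MEAN_SPIKE_TRIGGER, SAMPLE_CTX)


if __name__ == "__main__":
    print(mean_spike_alert())
```

Running the block prints the assembled alert; the attribute names come straight from the keys under with:, so renaming a key in the trigger renames the field in the emitted event.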
lookup trigger

The lookup trigger manipulates the content of a lookup: it can add (set), increment (add), decrement (sub), or remove (delete) an entry in the lookup.

The entry is identified by a key, which is a unique primary key.

Example of the trigger that adds an entry to the lookup UserList:

trigger:
  - lookup: UserList
    key: !ITEM EVENT UserName
    set:
      Timestamp: !NOW
      Foo: Bar

Example of the trigger that removes an entry from the lookup UserList:

trigger:
  - lookup: UserList
    delete: !ITEM EVENT UserName

Example of the trigger that increments a counter (field my_counter) in the entry of the lookup UserList:

trigger:
  - lookup: UserList
    key: !ITEM EVENT UserName
    add: my_counter

Example of the trigger that decrements a counter (field my_counter) in the entry of the lookup UserList:

trigger:
  - lookup: UserList
    key: !ITEM EVENT UserName
    sub: my_counter

For both add and sub, the counter field name can be omitted; the default attribute _counter is then used implicitly:

trigger:
  - lookup: UserList
    key: !ITEM EVENT UserName
    sub:

If the counter field does not exist, it is created with the default value of 0.
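The following reference model is an added example, not code from the correlator or from TeskaLabs. It replays the set, add, sub and delete triggers from this section against an in-memory lookup so the resulting entries can be inspected, including the two edge cases above: an omitted field name falls back to _counter, and a missing counter is created at 0 before the increment or decrement is applied (that ordering, first add giving 1, is an assumption of the model). The key expression !ITEM EVENT UserName is encoded as the tuple ("ITEM", "EVENT", "UserName"), !NOW as the literal "NOW", and the events are constructed for the example.

```python
"""Reference model (added example, not BitSwan/TeskaLabs code) of the
lookup trigger semantics: set, add, sub and delete on a lookup whose
entries are identified by a unique primary key."""
import time

DEFAULT_COUNTER = "_counter"  # used when add/sub name no field


def resolve_key(key_spec, event):
    """Resolve the trigger key; ("ITEM", "EVENT", field) models !ITEM EVENT field."""
    if isinstance(key_spec, tuple) and key_spec[:2] == ("ITEM", "EVENT"):
        return event[key_spec[2]]
    return key_spec  # literal key


def apply_lookup_trigger(lookup, spec, event, now=None):
    """Apply one 'lookup' trigger (a dict mirroring the YAML item) to lookup.

    lookup maps primary key -> entry (a dict of attributes).
    spec carries exactly one of set / add / sub / delete.
    """
    now = time.time() if now is None else now

    if "delete" in spec:
        # delete names the key directly; a missing entry is not an error
        lookup.pop(resolve_key(spec["delete"], event), None)
        return lookup

    key = resolve_key(spec["key"], event)
    entry = lookup.setdefault(key, {})  # set creates the entry if absent

    if "set" in spec:
        for attr, value in spec["set"].items():
            entry[attr] = now if value == "NOW" else value  # "NOW" models !NOW
        return lookup

    for op, delta in (("add", 1), ("sub", -1)):
        if op in spec:
            field = spec[op] or DEFAULT_COUNTER  # 'sub:' with no value -> _counter
            # assumption: a missing counter starts at 0 and is then adjusted
            entry[field] = entry.get(field, 0) + delta
            return lookup

    raise ValueError("lookup trigger needs one of set/add/sub/delete")


def demo_sequence():
    """Run the page's triggers in order over constructed events; return the lookup."""
    lookup = {}
    key = ("ITEM", "EVENT", "UserName")
    alice = {"UserName": "alice"}
    bob = {"UserName": "bob"}
    apply_lookup_trigger(lookup, {"key": key, "set": {"Timestamp": "NOW", "Foo": "Bar"}},
                         alice, now=1700000000)
    apply_lookup_trigger(lookup, {"key": key, "add": "my_counter"}, alice)
    apply_lookup_trigger(lookup, {"key": key, "add": "my_counter"}, alice)
    apply_lookup_trigger(lookup, {"key": key, "sub": "my_counter"}, alice)
    apply_lookup_trigger(lookup, {"key": key, "sub": None}, bob)  # counter omitted
    apply_lookup_trigger(lookup, {"delete": key}, alice)
    return lookup


if __name__ == "__main__":
    print(demo_sequence())
```

After the sequence the alice entry is gone and bob holds only _counter with the value -1, which is the state a correlator would see through !LOOKUP.GET after a decrement on an entry that had never been counted.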

Remark: Lookup entries can be accessed from declarative expressions through the !LOOKUP.GET and !LOOKUP.CONTAINS expressions.

notification trigger

This trigger inserts a new notification into the primary data path, which is read by asab-print.

Example of the notification trigger:

  - notification:
      type: mail
      template: notification.html
      to: eliska.novotna@teskalabs.com
      alert:
        !DICT
        type: "{str:any}"
        with:
          message: "brute-force"
      event:
        !DICT
        type: "{str:any}"
        with:
          ecs.version: "1.10.0"
          event.kind: "alert"
          event.type: "brute-force"
          event.category: "attack"
          event.dataset: "correlator-webserver"