Triggers are used to track events based on query strings. You are notified when a condition is met via the Alert Inbox, Email, Incident creation, or a combination of the three. The faster an alert is received, the faster the threat can be identified and stopped.
Think of the DefenseStorm GRID as a car. Within the cars computer, there are programed triggers to alert you when something may be wrong. For example, if your seatbelt isn't on, you have low tire pressure, low fuel, etc, you receive a notification. Some of the notifications are loud beeping, a simple message on your dash, or a message on your dash with a light to draw further attention. Triggers serve the same function. You create a trigger, set an interval, and customize the notification method when your query is matched.
The default view of the Trigger homepage displays Active Triggers of all severity levels. You can filter the list to view paused or deleted triggers, and/or only certain severity levels.
Triggers can be implemented by either creating one or copying one from the default library provided by DefenseStorm. The library was carefully curated by our own security experts on the TRAC Team to provide useful and efficient triggers for targeted alerting.
Ways to implement triggers
- Copy & modify library trigger
- Create a new trigger
Trigger Field Options
Whether you decide to customize a trigger from the library or create your own, the following fields are available.
These fields are for your records, information, reporting, compliance, etc.
- Name: Choose a meaningful name for quick identification. Append any custom triggers with your company initials.
- Description: Displays within main trigger list. Make it a short, simple explanation of why you created the trigger.
- Severity: How critical this trigger is. Options are None, Low, Medium, or High.
Lets us know what events you want us to look for and how the results display.
- Query: Conditions to search for. Include -category:alert in the string to prevent duplicate alerts. For more information on query strings, see Query Syntax.
- Aggregate: Field to group by. For example, if you want to create a trigger to fire if a larger number of alerts for a specified username go off, you would enter user_name in this field.
- Count (default): Number of matching events
- Count distinct: Number of different categories of matching events.
- The following fields work best when a numeric field is specified. This allows the functions to work correctly and provide accurate information. For example, you can determine the average time it takes backups to run, the sum of bytes, etc.
Schedule and Intervals*
How often you want to be notified.
Monitor activity only during a specific time period to reduce false positives.
- Alerts > Schedules > +
- Enter information into New Schedule window > Select Create
- Alerts > Triggers > click desired Trigger > edit
- + Add Schedule > select schedule > Click Add Schedule
- Save Trigger
Interval (only for Interval based triggers)
It is recommended to select an interval that reduces noise and alert overload. Once a Trigger is saved, you cannot modify the interval. To edit an interval, clone the trigger, adjust the interval, and delete the old trigger.
- Example: If you set your trigger with a threshold of 1, an interval of 30 minutes AND
you have 3 matching events from 1:30 pm to 2:00 pm, you receive a single alert at 2:05 pm with all 3 matching events.
Type any desired tags for enhanced searching, reporting, and organizing of triggers. Example tags could be FFIEC, Failed Login, Nancy Smith, etc. This allows you to type in any tag into the search portion of Triggers and pull up the list of all triggers with matching tags.
Determines the method and person for notifications.
- Notify via email: If you want to receive an email, select this checkbox and insert email addresses of anyone who should receive a notification email.
- Create an Incident: Once the checkbox is checked, select an owner to oversee the incident.
Results Fields to include in Email
Add particular fields you want included in your email. For details on fields that can be included in the email, see Event Fields.
Add any desired, related policies for compliance, metrics, and reporting.
Creating a new Trigger
- Select Alerts > Triggers.
- Click the + at the far right of the screen.
- Select trigger type: Every Event, Interval, Anomaly
- Complete the trigger form by filling in all desired fields based on the information provided above.
- Select Save to enable the trigger.
Copying a trigger from the library
- Select Alerts > Library to display the list of trigger groups.
- Click on the desired group to display individual triggers.
- Select the checkbox(es) of the triggers you wish to copy to your network.
- Click Copy Selected.
- Go to Alerts > Triggers and click on the trigger copied to your network.
- Review and modify the trigger as desired. Select Save to enable the trigger.
Modifying a trigger
- Go to Alerts > Triggers.
- Select the trigger you wish to modify, select the pencil icon.
- Modify fields as desired. Select Save to enable the modified trigger.
You can search through triggers to create a more manageable and useful list for reporting or tracking purposes.
- Alerts > Triggers.
- Filter your triggers as desired using the Status/Severity filters and Search tags.
- Select the cloud icon to generate the CSV of filtered triggers.
- Save as an Excel sheet and format as desired for reporting.