_raise


The _raise query directive helps an analyst trigger modules and incidents from a filtered dataset. The directive can also be used for sending instant notifications or alerts based on the insights gathered from the data.

Syntax:

_raise [module|notify_group|notify_email|incident] value

The _raise directive uses the following options to trigger modules and incidents:



_raise module:

Using the module option, users can trigger an existing module based on observations in the result set.

Syntax:

_raise module <module_name> <module_weight>

Here,

  • module_name: the slug-name of an existing module. To create a module, refer to the How To Create Modules document.

  • module_weight: a number representing the severity of the module. This number is user defined and can be used in the second level of correlation.

Example:

_raise module port_reconnaissance 3

In the above example, port_reconnaissance is the module slug-name and 3 is the module-weight.



_raise incident:

The incident option helps derive further insights from a set of events and modules, according to the match-cases in the additional layer of correlation. An incident is the finalized outcome of these checks.

Syntax:

_raise incident <incident-name> match #labelA.key AND #labelB.key | #labelC.key AND #labelD.key

Here,

  • incident-name: a user-defined name for the incident. This name does not support blank spaces or special characters.

  • #label: the variables from the _fetch directive that hold the values to match. To learn more about labels, refer to the document How to use label.

Example:

_raise incident port_reconnaissance_on_server match #labelA.$SrcIP AND #labelB.$SrcIP

In the above example, an incident is raised if #labelA.$SrcIP is the same as #labelB.$SrcIP.



_raise notify_email:

The notify_email option is an additional feature of the _raise directive that sends an instant alert email from search to defined email addresses. Unlike the _trigger directive, these emails use the default format.

Syntax:

_raise notify_email <email-address-1>, <email-address-2>, ...

Here, email-address-1, email-address-2, ...: the email IDs of the recipients.

Example:

_raise notify_email [email protected], [email protected]



_raise notify_group:

Similar to the notify_email option, this feature sends an instant alert email directly from search to a group of email addresses, as defined in the NOTIF GROUP within the DNIF console.

The benefit of notify_group over notify_email is that the user does not have to edit live queries in workbooks to add or remove email recipients.

Syntax:

_raise notify_group <slug-name-of-group>

Here,

slug-name-of-group: the name of the email group defined by the user. To learn how to create a group, refer to the document How to create Notif Group.

Example:

_raise notify_group trainer_dnif

In the above example, trainer_dnif is the slug-name-of-group.
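The following is an added example, not DNIF's own code: a small Python parser for the four _raise forms documented above (module, incident, notify_email, notify_group), plus an evaluator for the incident match expression. The match semantics it implements are an assumption based on the syntax shown: '#label.key' names the values bound to a label by an earlier _fetch, 'AND' requires every key in a group to hold the same value, and '|' separates alternative AND-groups, any one of which suffices. The label data in the block is constructed for illustration; the slug rule (letters, digits and underscore only) is also an assumption drawn from the "no blank spaces or special characters" note.

```python
# Added example (not DNIF's own code): parser and evaluator for the _raise
# directive forms on this page. Match semantics are an ASSUMPTION:
#   '#label.key' -> values bound to that label by an earlier _fetch
#   'AND'        -> every key in the group must hold the same value
#   '|'          -> separates alternative AND-groups (any one suffices)
import re
from typing import Dict, List, Set, Tuple

RAISE_RE = re.compile(r"^_raise\s+(module|incident|notify_email|notify_group)\s+(.+)$")
SLUG_RE = re.compile(r"^[A-Za-z0-9_]+$")          # no blanks/special chars (underscore assumed OK)
LABEL_REF_RE = re.compile(r"^#(\w+)\.(\$?\w+)$")  # e.g. #labelA.$SrcIP
EMAIL_RE = re.compile(r"^[^@\s,]+@[^@\s,]+\.[^@\s,]+$")  # coarse sanity check only


def _parse_match(expr: str) -> List[List[Tuple[str, str]]]:
    """Turn 'A AND B | C AND D' into [[(labelA, key), (labelB, key)], [...]]."""
    groups = []
    for alternative in expr.split("|"):
        group = []
        for ref in re.split(r"\s+AND\s+", alternative.strip()):
            m = LABEL_REF_RE.match(ref)
            if not m:
                raise ValueError(f"bad label reference: {ref!r}")
            group.append((m.group(1), m.group(2)))
        groups.append(group)
    return groups


def parse_raise(line: str) -> dict:
    """Parse one _raise directive into a dict; raise ValueError on bad syntax."""
    m = RAISE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a _raise directive: {line!r}")
    kind, rest = m.group(1), m.group(2).strip()
    if kind == "module":
        parts = rest.split()
        if len(parts) != 2 or not SLUG_RE.match(parts[0]) or not parts[1].isdigit():
            raise ValueError("expected: _raise module <module_name> <module_weight>")
        return {"kind": kind, "name": parts[0], "weight": int(parts[1])}
    if kind == "incident":
        name, sep, expr = rest.partition(" match ")
        if not sep or not SLUG_RE.match(name.strip()):
            raise ValueError("expected: _raise incident <incident-name> match <expr>")
        return {"kind": kind, "name": name.strip(), "match": _parse_match(expr)}
    if kind == "notify_email":
        recipients = [e.strip() for e in rest.split(",") if e.strip()]
        if not recipients or any(not EMAIL_RE.match(e) for e in recipients):
            raise ValueError("expected: _raise notify_email <addr-1>, <addr-2>, ...")
        return {"kind": kind, "recipients": recipients}
    if not SLUG_RE.match(rest):  # notify_group
        raise ValueError("expected: _raise notify_group <slug-name-of-group>")
    return {"kind": kind, "group": rest}


def evaluate_incident(spec: dict, labels: Dict[str, List[dict]]) -> Set[str]:
    """Return the values for which some AND-group holds: values present under
    every referenced label.key of that group (set intersection); the
    '|'-separated alternatives are unioned."""
    hits: Set[str] = set()
    for group in spec["match"]:
        value_sets = [
            {row[key] for row in labels.get(label, []) if key in row}
            for label, key in group
        ]
        hits |= set.intersection(*value_sets)
    return hits


if __name__ == "__main__":
    # Constructed label data standing in for two _fetch result sets.
    labels = {
        "labelA": [{"$SrcIP": "10.0.0.5"}, {"$SrcIP": "10.0.0.9"}],  # e.g. port-scan sources
        "labelB": [{"$SrcIP": "10.0.0.5"}, {"$SrcIP": "10.0.0.7"}],  # e.g. later login attempts
    }
    spec = parse_raise(
        "_raise incident port_reconnaissance_on_server match #labelA.$SrcIP AND #labelB.$SrcIP"
    )
    print(spec["name"], "raised for:", sorted(evaluate_incident(spec, labels)))
```

Running the block prints the single source IP that appears in both label sets, which is the case the page's incident example describes; an expression with a '|' alternative adds any values that satisfy the second group. Validating the directive text before it is saved into a workbook catches an incident name with spaces or a mistyped label reference early, rather than at query time.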