The _raise query directive helps an analyst trigger modules and incidents from a filtered dataset. The directive can also be used to send instant notifications or alerts based on the insights gathered from the data.


_raise [module|notify_group|notify_email|incident] value

The _raise directive uses the following options to trigger modules and incidents:

_raise module:

Using the module option, users can trigger an existing module based on observations in the result set.


_raise module <module_name> <module_weight>


  • module_name: the slug-name of an existing module. To create a module, refer to the How To Create Modules document.

  • module_weight: a number that represents the severity of the module. This number is user defined and can be used in the second level of correlation.


_raise module port_reconnaissance 3

In the above example, port_reconnaissance is the module slug-name and 3 is the module-weight.

_raise incident:

The incident option helps derive further insights from a set of events and modules, according to the match-cases in the additional layer of correlation. The incident is the finalized outcome of these checks.


_raise incident <incident-name> match #labelA.key AND #labelB.key | #labelC.key AND #labelD.key


  • incident-name: a user-defined name for the incident. This name cannot contain blank spaces or special characters.

  • #label: the variables from the _fetch directive that hold the values to match. To learn more about labels, refer to the document, How to use label.


_raise incident port_reconnaissance_on_server match #labelA.$SrcIP AND #labelB.$SrcIP

In the above example, an incident is raised if #labelA.$SrcIP is the same as #labelB.$SrcIP.

_raise notify_email:

The notify_email option is an additional feature of the _raise directive that sends an instant alert email from a search to a defined email address. However, unlike the _trigger directive, these emails use the default format.


_raise notify_email <email-address-1>, <email-address-2>, ...

Here, email-address: the email IDs of the recipients.


_raise notify_email user1@example.com, user2@example.com

_raise notify_group:

Similar to the notify_email option, this feature sends an instant alert email directly from a search to a group of email addresses, as defined in the NOTIF GROUP within the DNIF console.

The benefit of using notify_group over notify_email is that the user does not have to make changes in live queries in workbooks to add or remove email recipients.


_raise notify_group <slug-name-of-group>


slug-name-of-group: the name of the email group defined by the user. To learn how to create a group, refer to the document, How to create Notif Group.


_raise notify_group trainer_dnif

In the above example, trainer_dnif is the slug-name-of-group.
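As an added example (not DNIF's own code), the following Python validator checks a _raise line against the grammar described on this page before it is saved into a workbook, so a malformed module weight, incident name, match expression or recipient list is caught early. It assumes that module and group slugs and incident names consist of letters, digits and underscores, and that match terms are #label.key (or #label.$field) joined by AND, with "|" separating alternative groups.

```python
# Added validator for the _raise directive grammar (not DNIF's own code).
# Assumption: slugs and incident names are [A-Za-z0-9_]+; match terms are
# #label.key or #label.$field joined by AND, with "|" between alternatives.
import re

SLUG = re.compile(r"^[A-Za-z0-9_]+$")
LABEL_REF = re.compile(r"^#[A-Za-z0-9_]+\.\$?[A-Za-z0-9_]+$")
EMAIL = re.compile(r"^[^@\s,]+@[^@\s,]+\.[^@\s,]+$")


def parse_raise(line):
    """Return a dict describing a valid _raise directive, or raise ValueError."""
    tokens = line.strip().split()
    if len(tokens) < 3 or tokens[0] != "_raise":
        raise ValueError("expected: _raise <option> <value...>")
    option, args = tokens[1], tokens[2:]

    if option == "module":  # _raise module <module_name> <module_weight>
        if len(args) != 2 or not SLUG.match(args[0]) or not args[1].isdigit():
            raise ValueError("module needs <module_name> <module_weight>")
        return {"option": option, "module": args[0], "weight": int(args[1])}

    if option == "incident":  # _raise incident <name> match <expr>
        if len(args) < 3 or args[1] != "match" or not SLUG.match(args[0]):
            raise ValueError("incident needs <incident-name> match <expr>")
        groups = []  # each group is a list of AND-ed #label.key terms
        for alt in " ".join(args[2:]).split("|"):
            terms = [t.strip() for t in alt.split(" AND ")]
            if not all(LABEL_REF.match(t) for t in terms):
                raise ValueError("match terms must be #label.key joined by AND")
            groups.append(terms)
        return {"option": option, "incident": args[0], "match": groups}

    if option == "notify_email":  # _raise notify_email <addr-1>, <addr-2>, ...
        emails = [e.strip() for e in " ".join(args).split(",")]
        if not all(EMAIL.match(e) for e in emails):
            raise ValueError("notify_email needs comma-separated addresses")
        return {"option": option, "emails": emails}

    if option == "notify_group":  # _raise notify_group <slug-name-of-group>
        if len(args) != 1 or not SLUG.match(args[0]):
            raise ValueError("notify_group needs <slug-name-of-group>")
        return {"option": option, "group": args[0]}

    raise ValueError(f"unknown _raise option: {option}")


if __name__ == "__main__":
    print(parse_raise("_raise incident port_reconnaissance_on_server "
                      "match #labelA.$SrcIP AND #labelB.$SrcIP"))
```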