The _raise query directive helps an analyst trigger modules and incidents from a filtered dataset. It can also be used to send instant notifications or alerts based on the insights gathered from the data.
_raise [module|notify_group|notify_email|incident] value
The _raise directive uses the following options to trigger modules and incidents:
_raise module:
Using the module option, users can trigger an existing module based on observations in the result set.
_raise module <module_name> <module_weight>
module_name: is the slug-name of an existing module. To create a module, please refer to the How To Create Modules document.
module_weight: is a number that represents the severity of the module. This number is user defined and can be used in the second level of correlation.
_raise module port_reconnaissance 3
In the above example, port_reconnaissance is the module slug-name and 3 is the module-weight.
_raise incident:
The incident option helps in deriving further insights from a set of events and modules, as per the match-cases in the additional layer of correlation. This incident is a finalized outcome of checks.
_raise incident <incident-name> match #labelA.key AND #labelB.key | #labelC.key AND #labelD.key
incident-name: is a user-defined name for the incident. This name does not support blank spaces or special characters.
#label: are the variables from the _fetch directive, which hold the values to match. To learn more about labels, please refer to the document How to use label.
_raise incident port_reconnaissance_on_server match #labelA.$SrcIP AND #labelB.$SrcIP
In the above example, an incident is raised if #labelA.$SrcIP is the same as #labelB.$SrcIP.
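As an added illustration (not DNIF's own code), the following Python evaluator models the match semantics described above: a value must be equal across the referenced #labels, and `|` is assumed to separate alternative match cases. The label names, result rows and function names are constructed for this example.

```python
# Added illustration of `_raise incident <name> match ...` semantics.
# Assumptions (not taken from DNIF internals): each #label is the result
# set of an earlier _fetch (a list of row dicts); `#a.key AND #b.key`
# requires the same value of key in a row of a and a row of b; `|`
# separates alternative match cases, any of which raises the incident.
import re

def parse_match(expr):
    """'#a.$SrcIP AND #b.$SrcIP | #c.$Host AND #d.$Host' ->
    [[('a','$SrcIP'),('b','$SrcIP')], [('c','$Host'),('d','$Host')]]"""
    cases = []
    for case in expr.split("|"):
        refs = []
        for term in re.split(r"\bAND\b", case):
            m = re.fullmatch(r"#(\w+)\.(\$?\w+)", term.strip())
            if not m:
                raise ValueError(f"bad label reference: {term.strip()!r}")
            refs.append((m.group(1), m.group(2)))
        cases.append(refs)
    return cases

def raise_incident(name, match_expr, labels):
    """Return one incident per distinct value that satisfies a match case."""
    incidents = []
    for case in parse_match(match_expr):
        # the set of values of `key` present in each referenced label
        value_sets = [
            {row[key] for row in labels.get(label, []) if key in row}
            for label, key in case
        ]
        for value in set.intersection(*value_sets):
            incidents.append({"incident": name, "value": value, "case": case})
    return incidents

# Constructed sample result sets standing in for two _fetch labels.
LABELS = {
    "labelA": [{"$SrcIP": "10.0.0.5", "$DstPort": 22},
               {"$SrcIP": "10.0.0.9", "$DstPort": 443}],
    "labelB": [{"$SrcIP": "10.0.0.5", "$Module": "port_reconnaissance"}],
}

if __name__ == "__main__":
    print(raise_incident("port_reconnaissance_on_server",
                         "#labelA.$SrcIP AND #labelB.$SrcIP", LABELS))
```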
_raise notify_email:
The notify_email option is an additional feature of the _raise directive that sends an instant alert email from search to a defined email address. However, unlike the _trigger directive, these emails use the default format.
_raise notify_email <email-address-1>, <email-address-2>, ...
email-address: is the email ID of a recipient; multiple recipients are separated by commas.
_raise notify_email analyst1@example.com, analyst2@example.com
_raise notify_group:
Similar to the notify_email option, notify_group sends an instant alert email directly from search to a group of email addresses, as defined in the NOTIF GROUP within the DNIF console.
The benefit of notify_group over notify_email is that the user does not have to edit live queries in workbooks to add or remove email recipients.
_raise notify_group <slug-name-of-group>
slug-name-of-group: is the name of the email group defined by the user. To learn how to create a group, please refer to the document How to create Notif Group.
_raise notify_group trainer_dnif
In the above example, trainer_dnif is the slug-name-of-group.