_trigger


_trigger is a query directive that triggers reports, templates and API alerts when the specified conditions are met. It can also deliver relevant insights directly to your inbox by email.

The _trigger directive enables you to trigger:

  • Reports/alerts using queries.
  • Custom email templates for different alerts.
  • API calls that send relevant messages over channels such as Slack.

Syntax:

_trigger [report | template_email | template_group] <package_name_slug> <{report_name_slug | email_template_slug}> [notify_email | notify_group] <{email-ID_1, email-ID_2...email-ID_n | group_slug_name}>

_trigger api [slack | <custom-plugin>] <{channel}, {message},{$Field}>

_trigger report

Email a report using the default template.

Note- See How To Create Reports to create custom report templates.

Usage:

_trigger report waf_pack daily_status_report notify_email [email protected]

Here,

  • waf_pack is the slug name of the package which contains the required report template (for more information on packages, check out our help guide on creating and viewing packages).
  • daily_status_report is the slug name of the report template.
  • notify_email is a parameter to send an email.
  • [email protected] is the target email address to whom the report needs to be sent.

Emails can be sent to multiple addresses by separating each email address with a comma.

Example 1:

_trigger report waf_pack daily_status_report notify_email [email protected],[email protected],[email protected]

Similar to notify_email, the notify_group parameter sends emails to a group of users without listing comma-separated email addresses. This is useful when a notification needs to reach many users.

Example 2:

_trigger report waf_pack daily_status_report notify_group web_admins

Here, web_admins is a slug name of a notification-group.

Note- See create notification group to learn how to create a notification group.

_trigger template_email

Similar to report, template_email and template_group trigger alerts in a customized format, built using either queries or a workbook.

Note- See how to create templates to create custom templates.

Usage:

_trigger template_email web_pack redirect_alert notify_email [email protected]

Here,

  • web_pack is the slug name of the package which contains the required report template.
  • redirect_alert is the slug name of the report template.
  • notify_email is a parameter to send an email.
  • [email protected] is the target email address.

Note- As with report, you can use comma-separated email addresses or notify_group to alert a notification-group.

_trigger template_group

Example:

_trigger template_group web_pack redirect_alert notify_group web_admin

Here, web_admin is a slug name of a notification-group.

Note- See create notification group in order to learn how to create a notification group.

_trigger api

_trigger also enables you to communicate with third-party APIs such as Slack, HipChat and Flowdock to send relevant messages over specified channels. This integration is plugin-based and can be customized by users as per their requirements. Users can also write their own custom plugin by placing its Python file in the /dnif/<Deployment-Key>/trigger_plugins folder. To create one, follow our guidelines on writing custom code for plugins.

For demonstration purposes, we are using the slack plugin to send messages to a Slack channel.

Usage:

_fetch * from event where $Intel=True limit 1
>> _agg count_unique $SrcIP
>> _trigger api slack chan_write devops, Source found positive in Intel check , $SrcIP
Retrieve events whose source is a known bad actor according to threat intel feeds

In the above query, chan_write is a function which sends the message ‘Source found positive in Intel check’, followed by the source IP address $SrcIP, to our Slack channel named devops.
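The full _trigger syntax given at the top of this page and the api form shown just above, checked by an added Python linter before a query is scheduled. This is an added example, not DNIF's own parser; the slug and e-mail patterns, the Trigger dataclass and the treatment of the token after the plugin name (such as chan_write) as a plugin function are assumptions.

```python
import re
from dataclasses import dataclass, field

# Added lint helper (hypothetical, not DNIF's own parser) for the _trigger syntax
# documented above; the slug and e-mail patterns are assumptions.
SLUG = re.compile(r"^[A-Za-z0-9_-]+$")
EMAIL = re.compile(r"^[^@\s,]+@[^@\s,]+\.[^@\s,]+$")
NOTIFY_KINDS = ("report", "template_email", "template_group")

@dataclass
class Trigger:
    kind: str                     # report | template_email | template_group | api
    package: str = ""             # package slug (notify kinds only)
    template: str = ""            # report / e-mail template slug
    notify: str = ""              # notify_email | notify_group
    targets: list = field(default_factory=list)  # e-mail addresses or group slug
    plugin: str = ""              # api plugin, e.g. slack
    function: str = ""            # plugin function, e.g. chan_write
    args: list = field(default_factory=list)     # channel, message, $Field ...

def parse_trigger(line: str) -> Trigger:
    """Validate one '_trigger ...' line against the documented syntax."""
    tokens = line.strip().split()
    if len(tokens) < 2 or tokens[0] != "_trigger":
        raise ValueError("line must start with '_trigger <kind>'")
    kind = tokens[1]
    if kind in NOTIFY_KINDS:
        if len(tokens) != 6:
            raise ValueError(f"_trigger {kind} takes <package> <template> notify_email|notify_group <targets>")
        _, _, package, template, notify, targets = tokens
        for slug in (package, template):
            if not SLUG.match(slug):
                raise ValueError(f"bad slug: {slug!r}")
        if notify == "notify_email":
            emails = targets.split(",")   # comma separated, no spaces (see Example 1)
            if not all(EMAIL.match(e) for e in emails):
                raise ValueError(f"invalid e-mail address in {targets!r}")
            return Trigger(kind, package, template, notify, emails)
        if notify == "notify_group":
            if not SLUG.match(targets):
                raise ValueError(f"bad group slug: {targets!r}")
            return Trigger(kind, package, template, notify, [targets])
        raise ValueError("notify parameter must be notify_email or notify_group")
    if kind == "api" and len(tokens) >= 5:
        # _trigger api <plugin> <function> <channel>, <message>[, $Field ...]
        args = [a.strip() for a in " ".join(tokens[4:]).split(",")]
        if len(args) < 2 or not all(args[:2]):
            raise ValueError("api trigger needs a channel and a message")
        return Trigger(kind, plugin=tokens[2], function=tokens[3], args=args)
    raise ValueError(f"unknown or incomplete trigger: {line.strip()!r}")
```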

Send a message on slack from DNIF Web Console

Extended Example

Search for client side errors in web access events:

  _fetch * from event where $Duration=1d AND $LogType=WEBSERVER AND $HTTPRetCode=4** group count_unique $HTTPRetCode,$SrcIP limit 10
Retrieve events from the webserver whose HTTP return code starts with 4

Trigger a report for the same:

  _trigger report extended_examples report_on_client_side_errors notify_email [email protected]
Trigger a report with the relevant values in the datastack