_trigger
_trigger is a query directive typically used to perform an action in response to an event or an investigation conducted. It can be used to make API calls to perform an action on an external system.
Syntax
_trigger api <plugin_name> <function_name> <'configuration name'>
The _trigger directive uses the api keyword to trigger a function in an installed plugin to make an (external) API call to perform an action.
Ensure the responder integration you want to call is configured before using _trigger.
Consider the example below, which uses a configured Palo Alto integration.
(Screenshot: the configured Palo Alto integration.)
Execute the following query:
_fetch * from event where $Stream=AUTHENTICATION AND $Reason=INVALID_PASSWORD limit 1
Here:
The _fetch directive retrieves all fields for each event where $Stream is AUTHENTICATION and $Reason is INVALID_PASSWORD; with limit 1, the result set contains a single event in which authentication failed because of an invalid password.
_trigger api paloalto add_to_group 'Palo Alto' $SrcIP
where,
paloalto is the plugin_name,
add_to_group is the function_name, and
'Palo Alto' is the configuration name.
In the pipelined query, the _trigger directive uses the api keyword to call the add_to_group function of the paloalto plugin. The function takes the source IP address ($SrcIP from the fetched event) as its parameter and makes an API call to block that source IP address on the firewall.
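The following Python script is an added example, not DNIF's own code, showing the dispatch model the directive describes: a `_trigger api <plugin> <function> '<config>' <args>` line is split into its parts, the plugin, function and configuration name are each checked against a registry, `$Field` arguments are resolved from the matched event, and the plugin function is called. The registry, the `add_to_group` stub, the configuration settings (including a `never_block` list that guards against blocking your own ranges) and the sample event are all constructed for illustration and are not DNIF's plugin API.

```python
"""Parse and dispatch a DQL-style ``_trigger api`` directive (added example).

Models how ``_trigger api paloalto add_to_group 'Palo Alto' $SrcIP`` is
decomposed into plugin, function, configuration name and arguments and then
dispatched to a registered plugin function. Registry, stub, configuration
and event are constructed; this is not DNIF's real plugin interface.
"""
import ipaddress
import shlex
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Hypothetical plugin registry: plugin -> function name -> callable.
PLUGINS: Dict[str, Dict[str, Callable[..., dict]]] = {}
# Hypothetical configuration store: plugin -> configuration name -> settings.
CONFIGS: Dict[str, Dict[str, dict]] = {}
# Record of outbound responder calls, so the example can be checked offline.
CALLS: List[dict] = []


def register(plugin: str, function: str):
    """Decorator that registers a plugin function under (plugin, function)."""
    def deco(fn):
        PLUGINS.setdefault(plugin, {})[function] = fn
        return fn
    return deco


@register("paloalto", "add_to_group")
def add_to_group(config: dict, ip: str) -> dict:
    """Constructed stand-in for a firewall 'add address to block group' call."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on non-IP input
    for net in config["never_block"]:  # refuse to block protected ranges
        if addr in ipaddress.ip_network(net):
            raise ValueError(f"refusing to block protected address {ip}")
    CALLS.append({"host": config["host"], "group": config["group"], "ip": str(addr)})
    return {"status": "ok", "blocked": str(addr)}


# Constructed configuration named exactly as in the page's query.
CONFIGS["paloalto"] = {
    "Palo Alto": {
        "host": "fw.example.invalid",
        "group": "dnif-blocklist",
        "never_block": ["10.0.0.0/8", "192.168.0.0/16"],
    }
}


@dataclass
class Trigger:
    plugin: str
    function: str
    config_name: str
    args: List[str] = field(default_factory=list)


def parse_trigger(directive: str) -> Trigger:
    """Split ``_trigger api <plugin> <function> '<config>' [args...]``."""
    tokens = shlex.split(directive)  # keeps the quoted 'Palo Alto' as one token
    if len(tokens) < 5 or tokens[0] != "_trigger" or tokens[1] != "api":
        raise ValueError(f"not a _trigger api directive: {directive!r}")
    return Trigger(tokens[2], tokens[3], tokens[4], tokens[5:])


def resolve(value: str, event: dict) -> str:
    """Replace a ``$Field`` reference with the field's value from the event."""
    if value.startswith("$"):
        name = value[1:]
        if name not in event:
            raise KeyError(f"event has no field {value}")
        return str(event[name])
    return value


def run_trigger(directive: str, event: dict) -> dict:
    """Validate plugin, function and configuration, then dispatch the call."""
    t = parse_trigger(directive)
    functions = PLUGINS.get(t.plugin)
    if functions is None:
        raise LookupError(f"plugin {t.plugin!r} is not installed")
    fn = functions.get(t.function)
    if fn is None:
        raise LookupError(f"plugin {t.plugin!r} has no function {t.function!r}")
    config = CONFIGS.get(t.plugin, {}).get(t.config_name)
    if config is None:
        raise LookupError(f"configuration {t.config_name!r} is not set up for {t.plugin!r}")
    return fn(config, *[resolve(a, event) for a in t.args])


# Constructed event, shaped like the single row the page's _fetch query returns.
SAMPLE_EVENT = {"Stream": "AUTHENTICATION", "Reason": "INVALID_PASSWORD", "SrcIP": "203.0.113.7"}

if __name__ == "__main__":
    print(run_trigger("_trigger api paloalto add_to_group 'Palo Alto' $SrcIP", SAMPLE_EVENT))
```

The checks in `run_trigger` mirror the page's preconditions: the plugin must be installed, the function must exist, and the named configuration must be set up before the directive can do anything. The `never_block` guard is the kind of safety rail worth putting in front of any automated blocking action, since a `$SrcIP` pulled from an event is attacker-influenced input.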