
Allow a detection to define how many alerts occurred

Open · chrismsnz opened this issue 2 years ago · 0 comments

Just dealing with a Google Workspace log, this is how it reports 5 failed logins:

```json
...
  "events": {
    "name": "login_failure",
    "parameters": [
      {
        "name": "login_type",
        "value": "unknown"
      },
      {
        "multiValue": [
          "password",
          "password",
          "password",
          "password",
          "password"
        ],
        "name": "login_challenge_method"
      }
    ],
    "type": "login"
  },
...
```

I'd like the detection to be customisable so it can dynamically return (e.g. via a `count()` function or some such) how many detections have occurred from processing the one log line.

Implementation-wise, I'm not sure. `run_detection()` could return an array of alert data, or `create_alert()` could create multiple alerts based on a number returned in `alert_response`. The more efficient way might be to change the threshold logic to respect an "occurrences" number or something in an alert.

chrismsnz · Apr 27 '23 21:04
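As an added illustration of the third option in the issue (threshold logic that respects an occurrence count), here is a small Python sketch. It is example code written for this page, not Matano's detection API and not code from the issue author: `count_occurrences`, `detect` and `evaluate_threshold` are hypothetical names, and the sample record is constructed from the snippet above. The counter also accepts `events` as a list of event objects, which is an assumption about how the record may arrive, so the same helper works for either shape.

```python
import json

# Constructed sample record modelled on the login_failure event quoted in the
# issue (not a real captured log). The five entries in login_challenge_method
# correspond to five failed password attempts packed into one log line.
SAMPLE_RECORD = json.loads("""
{
  "events": {
    "name": "login_failure",
    "parameters": [
      {"name": "login_type", "value": "unknown"},
      {"multiValue": ["password", "password", "password", "password", "password"],
       "name": "login_challenge_method"}
    ],
    "type": "login"
  }
}
""")


def _count_event(event):
    """Occurrences represented by a single event object (hypothetical helper).

    Returns 0 for anything other than login_failure, the length of the
    login_challenge_method multiValue when present, and 1 when the event is a
    login_failure that carries no multiValue (a single failure).
    """
    if event.get("name") != "login_failure":
        return 0
    for param in event.get("parameters", []):
        if param.get("name") == "login_challenge_method" and "multiValue" in param:
            return len(param["multiValue"])
    return 1


def count_occurrences(record):
    """How many failed logins one Google Workspace record represents.

    `events` is handled as either a single object (as in the issue) or a list
    of event objects (assumed alternative shape); counts are summed.
    """
    events = record.get("events")
    if events is None:
        return 0
    if isinstance(events, dict):
        events = [events]
    return sum(_count_event(e) for e in events)


def detect(record):
    """Hypothetical detection entry point: an occurrence count, not a bool.

    0 means no alert; N > 0 means this record accounts for N occurrences.
    """
    return count_occurrences(record)


def evaluate_threshold(records, threshold):
    """Hypothetical threshold logic that sums reported occurrences.

    A boolean detection would count the sample record once; summing the
    occurrences lets one record carrying five failures cross a threshold of 5
    on its own. Returns (total_occurrences, fired).
    """
    total = sum(detect(r) for r in records)
    return total, total >= threshold


if __name__ == "__main__":
    print(count_occurrences(SAMPLE_RECORD))          # 5
    print(evaluate_threshold([SAMPLE_RECORD], 5))    # (5, True)
```

The point of keeping `detect` numeric rather than emitting five separate alerts is that the existing threshold/dedupe path only needs to sum a number; the per-record work stays a single pass over the parameters.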