Setting up an Alerts Telemetry Panel
Alert telemetry comes from IDS sensors such as Snort, or from mixed telemetries such as
application logs that contain some metadata and some alert messages. While it is
possible to set up a new panel for each alert telemetry, it is more desirable to set up
a single panel that contains all of the alerts. To do so, you need a specific query: each
telemetry message in HCP that contains an alert is tagged with an is_alert=true field.
Determine the type of telemetry panel you want to set up.
While it is possible to set up a new panel for each alert telemetry, it is more desirable to set up a single panel that contains all of the alerts.
Create a query.
A query that looks for all alerts is simply: is_alert=true.
This query pulls in alerts from multiple telemetries (including mixed-mode telemetries that carry some metadata records and some alert records).
See the “Alerts” table for a detailed table containing only alerts.
Customize the fields displayed in each alerts table by checking or clearing the field name boxes.
Ideally, display the fields of most importance to the analyst, as well as the standard fields on which telemetries are correlated.
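The following is an added example, not code from the original documentation or from HCP itself. It applies the single-panel is_alert=true query offline to a few constructed telemetry records (a Snort alert, a plain flow record, and a mixed application log) and renders the equivalent Elasticsearch query; the correlation field names, the index pattern and the acceptance of a string "true" value are assumptions.

```python
"""Offline illustration of the single-panel alerts query (is_alert=true)."""

# Constructed sample telemetry: one Snort alert, one plain flow record, and a
# mixed application log whose records carry is_alert only on some messages.
SAMPLE_TELEMETRY = [
    {"source.type": "snort", "timestamp": 1, "ip_src_addr": "10.0.0.5",
     "ip_dst_addr": "10.0.0.9", "is_alert": True, "msg": "ET SCAN example"},
    {"source.type": "yaf", "timestamp": 2, "ip_src_addr": "10.0.0.5",
     "ip_dst_addr": "10.0.0.9", "protocol": "TCP"},
    {"source.type": "app", "timestamp": 3, "ip_src_addr": "10.0.0.7",
     "ip_dst_addr": "10.0.0.9", "level": "INFO", "text": "session opened"},
    {"source.type": "app", "timestamp": 4, "ip_src_addr": "10.0.0.7",
     "ip_dst_addr": "10.0.0.9", "is_alert": "true", "text": "auth failure burst"},
]

# Standard fields the telemetries are assumed to share and correlate on.
CORRELATION_FIELDS = ("timestamp", "source.type", "ip_src_addr", "ip_dst_addr")


def is_alert(message):
    """Match is_alert=true whether the field is boolean True or the string
    'true' (assumption: some parsers emit the flag as a string)."""
    value = message.get("is_alert")
    return value is True or (isinstance(value, str) and value.lower() == "true")


def alerts_panel_rows(telemetry, extra_fields=()):
    """Apply the single-panel query and project the chosen columns, so that
    alerts from every sensor type land in one table with common columns."""
    columns = CORRELATION_FIELDS + tuple(extra_fields)
    return [{c: m.get(c) for c in columns} for m in telemetry if is_alert(m)]


def alerts_query_dsl(extra_fields=()):
    """Elasticsearch request equivalent to the panel search is_alert=true run
    over every sensor index (the index pattern is an assumption)."""
    return {
        "index": "*_index_*",
        "_source": list(CORRELATION_FIELDS) + list(extra_fields),
        "query": {"bool": {"filter": [{"term": {"is_alert": True}}]}},
        "sort": [{"timestamp": "desc"}],
    }
```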