Alerts

Overview

Built into SPR is an alerting mechanism. When an event arrives that matches an alert configuration, an alert can be presented as a Notification or stored into the Event Database as an alert to be resolved at a later time.

(Screenshot: alerts-overview)

Viewing & Resolving Alerts

To see alerts stored in the database head over to the Alerts page.

Alerts have a 'State' field, which is currently either New or Resolved. Click the Resolve or Resolve All buttons to move alert events to the Triaged state.

(Screenshot: alerts-resolve)

Defining Custom Alerts

The alert rules may seem a little complicated at first, but they are flexible and configurable.

Alerts match an Event Prefix; in the example below, the prefix is nft:drop:mac, so the rule applies to nft:drop:mac events. Optionally, the event's fields are copied into the alert that is stored.

Click 'Add Condition Filter +' to create field requirements beyond the event topic prefix. If 'Match All' is set, every condition must match; otherwise a single matching condition is enough. Conditions can also be logically inverted. In the screenshot, we add a condition that the UDP Source Port must be 42 for the alert to be created. This is a nonsensical requirement, chosen only to demonstrate the feature.

Condition filters select event fields using JSONPath syntax. See https://jsonpath.com/ for details.

(Screenshot: alerts-custom)

Event Templating

In addition to custom event matches, alert titles and bodies can be written as templates that control what the frontend renders. In general, take the name of the field to display and wrap it in double curly brackets, for example: {{Ethernet.SrcMAC}}.

Decorators

The event template also supports decorators. The following are supported: Device, DeviceIcon, DeviceName, DeviceIP, DeviceMAC. To apply a decorator, follow the field name with "#Decorator". This allows, for example, converting a MAC address to a device's known IP, or rendering the icon assigned to that device.

Here is an example template with decorators: MAC IP Violation {{IP.SrcIP#Device}} {{IP.SrcIP}} {{Ethernet.SrcMAC}} to {{IP.DstIP}} {{Ethernet.DstMAC}}
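As an added illustration, not SPR's own code, here is a small Python model of the two sections above: a rule with an event prefix and condition filters (Match All, inversion) evaluated against an event, and a template with {{Field}} and {{Field#Decorator}} placeholders rendered from it. Field paths are resolved with simple dotted lookups as a stand-in for JSONPath; the device table, the sample event and the choice that the Device decorator yields the device name are constructed assumptions.

```python
import re

# Constructed sample data: known devices keyed by MAC, as a decorator would consult.
DEVICES = {"aa:bb:cc:dd:ee:01": {"name": "printer", "ip": "192.168.2.10", "icon": "printer"}}
# Assumed mapping from decorator name to the device attribute it renders.
DECORATORS = {"Device": "name", "DeviceName": "name", "DeviceIcon": "icon",
              "DeviceIP": "ip", "DeviceMAC": "mac"}

def lookup(event, path):
    """Resolve a dotted field path such as IP.SrcIP (an optional '$.' prefix is accepted)."""
    cur = event
    for part in path.removeprefix("$.").split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def matches(rule, topic, event):
    """True when the topic carries the rule's prefix and the condition filters hold."""
    if not topic.startswith(rule["prefix"]):
        return False
    results = []
    for cond in rule.get("conditions", []):
        hit = lookup(event, cond["path"]) == cond["value"]
        results.append(not hit if cond.get("invert") else hit)  # logical inversion
    if not results:  # no conditions: the prefix alone decides
        return True
    return all(results) if rule.get("match_all", True) else any(results)

def find_device(value):
    """Find a known device by its MAC or IP; None when the address is not known."""
    for mac, dev in DEVICES.items():
        if value in (mac, dev["ip"]):
            return {"mac": mac, **dev}
    return None

def render(template, event):
    """Expand {{Field.Path}} and {{Field.Path#Decorator}} placeholders in a template."""
    def sub(m):
        value, dec = lookup(event, m.group(1).strip()), m.group(2)
        if dec is None:
            return "" if value is None else str(value)
        dev = find_device(str(value))
        if dev is None or dec not in DECORATORS:
            return f"unknown({value})"  # unknown device or unsupported decorator
        return dev[DECORATORS[dec]]
    return re.sub(r"\{\{([^{}#]+)(?:#(\w+))?\}\}", sub, template)

def alert_for(rule, topic, event, template):
    """Return the rendered alert title when the rule fires, otherwise None."""
    return render(template, event) if matches(rule, topic, event) else None

# Constructed rule and event mirroring the documentation's example.
RULE = {"prefix": "nft:drop:mac", "match_all": True,
        "conditions": [{"path": "UDP.SrcPort", "value": 42}]}
EVENT = {"Ethernet": {"SrcMAC": "aa:bb:cc:dd:ee:01", "DstMAC": "ff:ff:ff:ff:ff:ff"},
         "IP": {"SrcIP": "192.168.2.10", "DstIP": "192.168.2.1"},
         "UDP": {"SrcPort": 42, "DstPort": 53}}
TEMPLATE = ("MAC IP Violation {{IP.SrcIP#Device}} {{IP.SrcIP}} {{Ethernet.SrcMAC}} "
            "to {{IP.DstIP}} {{Ethernet.DstMAC}}")
```

Calling alert_for(RULE, "nft:drop:mac", EVENT, TEMPLATE) renders the title with the source device's name substituted, while an event with a different UDP source port or topic prefix yields None.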