Currently alerts can be created in VQL using watch_monitoring() to watch for events from clients and server. This works but it is very cumbersome and requires a lot of custom VQL to make it work smoothly.
There are some differences between client event monitoring and alerts:
Client monitoring applies to each client separately - this means we have to search for the client, select the client events screen and then select one of the client event queries to see them. An alert should be easily seen regardless of which client it came from.
Alerts are usually quite low volume compared to client events - for example process execution events are expected to be large in number but an alert is immediately actionable and should be much rarer.
We should have alerts as a built in concept in Velociraptor. This means:
Client artifacts should be able to explicitly send an alert to the server - including important details from VQL.
Alerts should be easily linked to the client and event stream they came from - so the user can drill down quickly.
The GUI should have an alert viewing screen.
Alerts should be easily routed to escalation paths like slack notifications, emails etc.
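As an added illustration of the current watch_monitoring() approach (this is a constructed example, not code from the issue author or from the Velociraptor project), here is what a server event artifact has to carry today to turn one class of client events into email and Slack escalations. The artifact name, the parameter names, the detection regex and the addresses are made up; the VQL functions watch_monitoring(), client_info(), format(), send_email(), http_client() and serialize() are assumed to behave as named, and Windows.Events.ProcessCreation is assumed to emit Name and CommandLine columns.

```yaml
# Constructed example (not from the Velociraptor project).
# Assumed: watch_monitoring(), client_info(), format(), send_email(),
# http_client() and serialize() behave as named; the artifact name,
# parameters, regex and addresses below are placeholders.
name: Custom.Server.Alerts.EncodedPowerShell
description: |
  Turn matching process creation events from any client into an email and a
  Slack message. Every alert built this way needs its own filter, its own
  notification plumbing and its own rate limiting, which is the "custom VQL"
  burden the issue describes.
type: SERVER_EVENT

parameters:
  - name: EmailTo
    default: soc@example.com
  - name: SlackWebhook
    default: https://hooks.slack.com/services/PLACEHOLDER

sources:
  - query: |
      LET hits = SELECT ClientId,
             client_info(client_id=ClientId).os_info.hostname AS Hostname,
             Name, CommandLine
      FROM watch_monitoring(artifact="Windows.Events.ProcessCreation")
      WHERE CommandLine =~ "(?i)-encodedcommand"

      SELECT *,
             send_email(to=EmailTo,
                        subject=format(format="Alert on %v", args=Hostname),
                        body=format(format="%v: %v %v",
                                    args=[Hostname, Name, CommandLine]),
                        period=60) AS EmailSent,
             http_client(url=SlackWebhook, method="POST",
                         headers=dict(`Content-Type`="application/json"),
                         data=serialize(item=dict(
                           text=format(format="%v ran %v",
                                       args=[Hostname, CommandLine])))) AS SlackResponse
      FROM hits
```

The drill-down problem from the list above is visible here: the alert row carries ClientId and Hostname only because the query explicitly joins them in, and the link back to the originating client event stream has to be reconstructed by hand in the GUI. Rate limiting also lives inside each artifact (the period argument to send_email), so every new alert duplicates that logic.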