Siren Platform User Guide

Using watchers

Siren Alert enables automation of recurring questions (as queries) by using Watchers. For example:

  • QUESTION: How many hits does index X receive hourly?
  • WATCHER: query the index and return the count of hits in the last hour.
  • ACTION: Notify with the number of hits per hour.

  • QUESTION: Are any of my monitored metrics surpassing a certain value?
  • WATCHER: query index and type for specific values, aggregated by an arbitrary field.
  • ACTION: Notify with aggs bucket details every time a threshold is surpassed or a spike anomaly is detected.

  • QUESTION: Are any of my users trying to reach blacklisted destinations?
  • WATCHER: query firewall logs, comparing destination IPs to a blacklist.
  • ACTION: Notify admin using email if any IP has >= 10 matches returned.

  • QUESTION: Are there recurring failure attempts authenticating users on my network?
  • WATCHER: query Active Directory logs for login failures in the last hour and compare to the user index.
  • ACTION: Notify admin using webhook if >= 10 matches are returned.

  • LEAK DETECTION (chain)
  • QUESTION: Are there any public leaks about my data I was not aware of?
  • WATCHER: query for user emails included in published leaks ingested from third parties.
  • ACTION: Save hits in a secondary result index. Notify using email, from a secondary watcher, if the leak was not already known.
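
The failed-authentication watcher above, modelled as query, condition and action over constructed log events. This is an added example, not Siren Alert configuration or code from the Siren project; the event fields (`ts`, `user`, `outcome`), the payload keys and the reading of "compare to user index" as "keep only accounts present in the index" are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

THRESHOLD = 10  # from the example above: notify if >= 10 matches are returned

def run_watcher(events, user_index, now, window=timedelta(hours=1)):
    """Return the webhook payload (dict), or None when the condition is not met."""
    cutoff = now - window
    # WATCHER: login failures in the last hour...
    failures = [e for e in events
                if e["outcome"] == "failure" and cutoff <= e["ts"] <= now]
    # ...compared to the user index (assumption: keep accounts that exist there).
    matches = [e for e in failures if e["user"].lower() in user_index]
    # CONDITION: fire only when at least THRESHOLD matches are returned.
    if len(matches) < THRESHOLD:
        return None
    per_user = Counter(e["user"].lower() for e in matches)
    # ACTION: body that a webhook action would send to the admin endpoint.
    return {
        "watcher": "ad_login_failures",          # hypothetical watcher name
        "window_start": cutoff.isoformat(),
        "window_end": now.isoformat(),
        "total_matches": len(matches),
        "by_user": dict(per_user.most_common()),
    }

# Constructed sample data (not real logs).
NOW = datetime(2024, 1, 1, 12, 0, 0)
USER_INDEX = {"alice", "bob"}

def make_event(minutes_ago, user, outcome="failure"):
    return {"ts": NOW - timedelta(minutes=minutes_ago), "user": user, "outcome": outcome}

SAMPLE_EVENTS = (
    [make_event(m, "alice") for m in range(1, 9)]    # 8 failures inside the window
    + [make_event(5, "Bob"), make_event(20, "bob")]  # 2 more, mixed-case account name
    + [make_event(10, "ghost")]                      # account not in the user index
    + [make_event(90, "alice")]                      # outside the one-hour window
    + [make_event(3, "alice", "success")]            # successful login, ignored
)

if __name__ == "__main__":
    print(run_watcher(SAMPLE_EVENTS, USER_INDEX, NOW))
```

Events outside the window, successful logins and accounts missing from the user index do not count toward the threshold, so the sample fires with exactly 10 matches.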