Last Updated: Mar. 27, 2022
Coralogix’s ‘New Value’ alert is triggered by the first occurrence of a new value for a tracked field within a time interval. Each incoming value is tested against a list that is built dynamically while the alert is active.
The alert is scoped by a query that identifies a subset of logs (if needed), and is defined with a key of choice whose values are tracked for new values within the desired interval.
In many use cases, this alert lets you automatically detect possibly abnormal behavior within your system.
A few example use cases for this alert type include:
- Security: An alert may be triggered by a new domain connection. As Coralogix Cloud Security logs all security information across all network traffic, a new domain connection will result in the field ‘security.highest_registered_domain’ having a new value. This can point to a possible attack (Command & Control activity, data exfiltration, and so on).
- Monitoring: An alert may be triggered by a new application error code. Many applications send an ‘error_code’ field. A new value for this field indicates a new issue with the application.
Create ‘New Value’ Alerts
To create such an alert, go to the Alerts tab, open a new alert, and name it. Then, select the ‘New Value’ alert type. Enter a query that identifies the subset of logs to be tracked. Select the time frame (between 12H and 3 months) and the key that will be tracked for new values. It is good practice to verify that the selected field actually exists in the logs matched by the query filter.
- A new or updated alert becomes active after the configured alert time window or 7 days, whichever is shorter. This lets Coralogix train on the set of distinct values, capture a baseline, and reduce false notifications.
- The alert can track up to 50K unique values in the defined time window. When the captured values list reaches 50K, the alert will not be triggered until values are cleared from the list. A value is cleared from the list when its age in the list reaches the alert time window. The first detection of that value after it was cleared will trigger an alert.
- Only the first 255 characters are taken as the value (i.e. two values that share the same first 255 characters are treated as the same value).
- There is a 5 min “silence” period after the alert is triggered. During this time, new values are still added to the list, but the alert is not triggered.
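The following is an added illustration, not Coralogix code: a small Python model of the rules listed above (baseline period, value ageing, the 255-character cut, the 50K cap and the 5 min silence), run over constructed sample logs for the domain use case. Whether a value arriving while the list is full is recorded is not stated on this page; the model assumes it is not.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class NewValueAlert:
    """Model of the 'New Value' alert rules described above (not Coralogix code)."""
    key: str                    # log field tracked for new values
    window: timedelta           # alert time window (12H .. 3 months)
    max_values: int = 50_000    # cap on tracked unique values
    silence: timedelta = timedelta(minutes=5)
    training_cap: timedelta = timedelta(days=7)
    seen: dict = field(default_factory=dict)   # value -> time it entered the list
    started: datetime = None
    last_fired: datetime = None

    def observe(self, log: dict, now: datetime) -> bool:
        """Feed one log matched by the alert query; return True if it would trigger."""
        if self.key not in log:
            return False                     # tracked field absent: nothing to test
        value = str(log[self.key])[:255]     # only the first 255 chars identify a value
        self.started = self.started or now
        # a value leaves the list once its age reaches the alert time window
        self.seen = {v: t for v, t in self.seen.items() if now - t < self.window}
        if value in self.seen:
            return False
        if len(self.seen) >= self.max_values:
            return False                     # list full: no trigger until values age out (assumed: not recorded)
        self.seen[value] = now
        if now - self.started < min(self.window, self.training_cap):
            return False                     # still building the baseline
        if self.last_fired and now - self.last_fired < self.silence:
            return False                     # 5 min silence: recorded, not triggered
        self.last_fired = now
        return True

KEY = "security.highest_registered_domain"   # constructed sample logs below, not real traffic
T0 = datetime(2022, 3, 27, 0, 0)
SAMPLE_LOGS = [
    (T0, {KEY: "example.com"}),                                    # baseline
    (T0 + timedelta(hours=1), {KEY: "cdn.example.net"}),           # baseline
    (T0 + timedelta(hours=12, minutes=30), {KEY: "example.com"}),  # aged out, seen again -> triggers
    (T0 + timedelta(hours=12, minutes=32), {KEY: "updates.example.org"}),  # new, but in silence period
    (T0 + timedelta(hours=12, minutes=40), {KEY: "updates.example.org"}),  # already listed
    (T0 + timedelta(hours=12, minutes=40), {KEY: "files.example.org"}),    # new -> triggers
    (T0 + timedelta(hours=12, minutes=41), {"message": "no domain field"}),
]

def run_demo(window=timedelta(hours=12)):
    """Return the values that would trigger the alert, in order."""
    alert = NewValueAlert(key=KEY, window=window)
    return [log[KEY] for ts, log in SAMPLE_LOGS if alert.observe(log, ts)]
```

With the 12H window, the second sighting of example.com fires because the value had aged out of the list, while updates.example.org is recorded but silenced.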
If you are already a Coralogix customer and have any questions please reach out to us at [email protected]
If not, you can try this feature for free by signing up for a free trial.