Alert Tag Object
BigPanda normalizes alert data from integrated monitoring systems into standard key-value pairs, called tags. Alert tags are the fundamental data model for your alerts and drive alert deduplication, correlation, and enrichment.
In addition to the core properties such as name, active status, and description, all alert tags also include at least one enrichment item. Enrichment items set rules and conditions to populate values for the tag based on event-payload fields.
There are 3 types of enrichment items:
Composition
Extraction
Mapping
Enrichment items are tied to their tag. If all enrichment items are deleted from a tag, the tag will also be removed from the system. Deleting a tag will remove all of the tag’s enrichment items as well.
Delete mapping enrichment items
To delete a tag with mapping enrichment items, you must first delete the associated mapping enrichment schema.
Mapping enrichment schemas apply to multiple tags, and deleting a schema will remove the mapping enrichment from all associated tags. If any associated tags should remain in BigPanda, we recommend first creating the new schema, then deleting the old one.
Run order is an important part of successful alert enrichment, allowing you to create tags that leverage the values of other tags. Alert tags and the enrichment items within each tag can be reordered so that tag values are populated in the needed order.
Enrichment items run in the order in which they appear in the API call. When you merge new or changed enrichment items, the new items are added to the top of the order.
Config object required
The config object is required when creating an enrichment item. When adding your array of enrichment items, make sure to expand the config object and include all required parameters.
Literal Pipes in Tag Array Values
Pipes (|) are used in BigPanda as the delimiter for array values.
If the value should have a literal pipe, wrap the entire cell in three quotes: """this is a | literal pipe"""
If the value should have both a literal pipe and quotation marks, then the cell should be wrapped in three quotes, and the quoted text needs to be wrapped in four quotes: """this is a | literal pipe with """"quoted"""" text"""
Parameters
The Alert Tag object schema includes the following attributes:
| Attribute | Description | Type |
|---|---|---|
| name | Tag name in BigPanda. | String |
| created_by | The unique ID associated with the user who created the tag. | String |
| created_at | The Unix epoch time when the tag was created (in seconds). | Timestamp |
| updated_by | The unique ID associated with the user who last updated the tag. | String |
| updated_at | The Unix epoch time when the tag was last updated (in seconds). | Timestamp |
| description | A brief summary of the tag. | String |
| active | Whether the tag should be applied to incoming alerts. | Boolean |
| enrichments | List of automatic enrichment items configured for this tag. Items are listed in their run order. | Array of Objects |
Sample Return Object
```json
{
  "name": "tag_name",
  "created_by": "565ee8e0dab117512da3c411",
  "created_at": 1464080054,
  "updated_by": "58d77efa5eafe459163f4211",
  "updated_at": 1641796851,
  "description": "",
  "active": true,
  "enrichments": [
    {
      "id": "191217f6-481d-464e-9f12-3ed846a72b11",
      "type": "composition",
      "active": true,
      "when": {
        "IN": [
          "source_system",
          [
            { "type": "regex", "value": "*" }
          ]
        ]
      },
      "version": 1,
      "config": {
        "destination": "source",
        "value": "compttest"
      },
      "created_by": "58d77efa5eafe459163f4211",
      "updated_by": "58d77efa5eafe459163f4211",
      "note": null
    },
    {
      "id": "74092648-393a-4896-b5c4-798ab0f00a11",
      "type": "extraction",
      "active": true,
      "when": {
        "AND": [
          { "IN": [ "source_system", [ "api.test" ] ] }
        ]
      },
      "version": 1,
      "config": {
        "source": "source",
        "destination": "tag_name",
        "regex": "Erroz: [^\\[]+ \\[[^\\]]+\\][\\. ]?\\[([^\\]^\\.]+)\\..*\\]",
        "template": "$1"
      },
      "created_by": "565ee8e0dab117512da3c411",
      "updated_by": "58d77efa5eafe459163f4211",
      "note": null
    }
  ]
}
```
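As an added example (not BigPanda's own code), the Python below walks a tag's enrichment items in their listed run order, as the run-order section above describes, using the item shape of the sample return object; the second item's `when` condition reads the tag that the first item produced, so reversing the order leaves it unset. The tag and alert payload are constructed here, and the condition and template semantics (IN with literals or regex objects, AND, `$1` as capture group 1) are my reading of the sample, not BigPanda's documented engine.

```python
import json
import re

# Constructed tag in the enrichment-item shape of the sample return object
# (type / active / when / config). Evaluation semantics are my reading of that
# sample, not BigPanda's engine: IN holds literals or regex objects, AND nests.
TAG = json.loads(r'''{"name": "service", "active": true, "enrichments": [
  {"type": "extraction", "active": true,
   "when": {"AND": [{"IN": ["source_system", ["api.test"]]}]},
   "config": {"source": "description", "destination": "service", "template": "$1",
              "regex": "Erroz: [^\\[]+ \\[[^\\]]+\\][\\. ]?\\[([^\\]^\\.]+)\\..*\\]"}},
  {"type": "composition", "active": true,
   "when": {"IN": ["service", [{"type": "regex", "value": "^db$"}]]},
   "config": {"destination": "team", "value": "dba"}}]}''')

# Constructed alert payload; its description matches the sample's extraction regex.
ALERT = {"source_system": "api.test", "description": "Erroz: disk full [host-a] [db.primary]"}

def matches(cond, alert):
    """Evaluate a 'when' condition against the alert's current tags."""
    if "AND" in cond:
        return all(matches(c, alert) for c in cond["AND"])
    field, options = cond["IN"]
    value = alert.get(field)
    return value is not None and any(
        re.search(o["value"], value) if isinstance(o, dict) else o == value
        for o in options)

def apply_item(item, alert):
    """Apply one enrichment item in place; True if it wrote its destination tag."""
    if not item["active"] or not matches(item["when"], alert):
        return False
    cfg = item["config"]
    if item["type"] == "composition":
        alert[cfg["destination"]] = cfg["value"]
        return True
    m = re.search(cfg["regex"], alert.get(cfg["source"], ""))  # extraction
    if not m:
        return False
    alert[cfg["destination"]] = re.sub(  # "$N" in the template -> capture group N
        r"\$(\d+)", lambda g: m.group(int(g.group(1))), cfg["template"])
    return True

def enrich(tag, alert):
    """Run the tag's items in listed order; later items may read earlier results."""
    alert = dict(alert)
    for item in tag["enrichments"]:
        apply_item(item, alert)
    return alert
```

Calling `enrich(TAG, ALERT)` yields `service` = "db" and `team` = "dba"; with the two items swapped, `team` is never set because the composition's condition runs before `service` exists.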