Alert Tag Object
BigPanda normalizes alert data from integrated monitoring systems into standard key-value pairs, called tags. Alert tags are the fundamental data model for your alerts and drive alert deduplication, correlation, and enrichment.
In addition to the core properties such as name, active status, and description, all alert tags also include at least one enrichment item. Enrichment items set rules and conditions to populate values for the tag based on event-payload fields.
There are three types of enrichment items:
- Composition
- Extraction
- Mapping
Enrichment items are tied to their tag. If all enrichment items are deleted from a tag, the tag will also be removed from the system. Deleting a tag will remove all of the tag’s enrichment items as well.
Delete mapping enrichment items
To delete a tag with mapping enrichment items, you must first delete the associated mapping enrichment schema.
Mapping enrichment schemas apply to multiple tags, and deleting a schema will remove the mapping enrichment from all associated tags. If any associated tags should remain in BigPanda, we recommend first creating the new schema, then deleting the old one.
Run order is an important part of successful alert enrichment, allowing you to create tags that leverage the values of other tags. Alert tags and the enrichment items within each tag can be reordered so that tag values are populated in the needed order.
Enrichment item order is the order in which the items appear in the API call. When merging new or changed enrichment items, new enrichment items are added to the top of the order.
Parameters
The Alert Tag object schema includes the following attributes:
Attribute | Description | Type |
---|---|---|
name | Tag name in BigPanda. | String |
created_by | The unique ID associated with the user who created the tag. | String |
created_at | The Unix epoch time when the tag was created (in seconds). | Timestamp |
updated_by | The unique ID associated with the user who last updated the tag. | String |
updated_at | The Unix epoch time when the tag was last updated (in seconds). | Timestamp |
description | A brief summary of the tag. | String |
active | Whether the tag should be applied to incoming alerts. | Boolean |
enrichments | List of automatic enrichment items configured for this tag. Items are listed in their run order. | Array of Objects |
Sample Return Object
```json
{
  "name": "tag_name",
  "created_by": "565ee8e0dab117512da3c411",
  "created_at": 1464080054,
  "updated_by": "58d77efa5eafe459163f4211",
  "updated_at": 1641796851,
  "description": "",
  "active": true,
  "enrichments": [
    {
      "id": "191217f6-481d-464e-9f12-3ed846a72b11",
      "type": "composition",
      "active": true,
      "when": {
        "IN": [
          "source_system",
          [
            { "type": "regex", "value": "*" }
          ]
        ]
      },
      "version": 1,
      "config": {
        "destination": "source",
        "value": "compttest"
      },
      "created_by": "58d77efa5eafe459163f4211",
      "updated_by": "58d77efa5eafe459163f4211",
      "note": null
    },
    {
      "id": "74092648-393a-4896-b5c4-798ab0f00a11",
      "type": "extraction",
      "active": true,
      "when": {
        "AND": [
          { "IN": [ "source_system", [ "api.test" ] ] }
        ]
      },
      "version": 1,
      "config": {
        "source": "source",
        "destination": "tag_name",
        "regex": "Erroz: [^\\[]+ \\[[^\\]]+\\][\\. ]?\\[([^\\]^\\.]+)\\..*\\]",
        "template": "$1"
      },
      "created_by": "565ee8e0dab117512da3c411",
      "updated_by": "58d77efa5eafe459163f4211",
      "note": null
    }
  ]
}
```
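To see why run order matters, the following added example (not BigPanda's own code) walks a constructed tag in the shape of the sample object over a constructed event payload: a composition writes the `source` field first and an extraction then reads it, so reversing the list leaves the tag unpopulated. It assumes simplified `when` semantics (`AND` of sub-conditions, `IN` as a literal match) and a `$N` template, and does not model mapping items, which depend on a separate schema.

```python
import re
from typing import Any, Dict

# Constructed tag definition mirroring the sample return object's structure.
ALERT_TAG: Dict[str, Any] = {
    "name": "tag_name",
    "active": True,
    "enrichments": [
        {"type": "composition", "active": True,
         "when": {"IN": ["source_system", ["api.test"]]},
         "config": {"destination": "source",
                    "value": "Erroz: disk full [prod] [db01.example.com]"}},
        {"type": "extraction", "active": True,
         "when": {"AND": [{"IN": ["source_system", ["api.test"]]}]},
         "config": {"source": "source", "destination": "tag_name",
                    "regex": r"Erroz: [^\[]+ \[[^\]]+\][\. ]?\[([^\]^\.]+)\..*\]",
                    "template": "$1"}},
    ],
}

# Constructed incoming event; it has no "source" field until the composition runs.
EVENT: Dict[str, Any] = {"source_system": "api.test", "host": "db01"}


def condition_matches(when: Dict[str, Any], payload: Dict[str, Any]) -> bool:
    """Assumed semantics: AND = all sub-conditions hold; IN = field equals a listed literal."""
    if "AND" in when:
        return all(condition_matches(c, payload) for c in when["AND"])
    if "IN" in when:
        field, allowed = when["IN"]
        return payload.get(field) in allowed
    raise ValueError(f"unsupported condition: {when}")


def apply_enrichments(tag: Dict[str, Any], payload: Dict[str, Any]) -> Dict[str, Any]:
    """Apply active enrichment items in list order; returns an enriched copy of the payload."""
    result = dict(payload)
    for item in tag["enrichments"]:
        if not item.get("active") or not condition_matches(item["when"], result):
            continue
        cfg = item["config"]
        if item["type"] == "composition":
            result[cfg["destination"]] = cfg["value"]
        elif item["type"] == "extraction":
            src = result.get(cfg["source"])
            m = re.search(cfg["regex"], src) if isinstance(src, str) else None
            if m:  # expand "$N" in the template with the N-th capture group
                result[cfg["destination"]] = re.sub(
                    r"\$(\d+)", lambda g: m.group(int(g.group(1))) or "", cfg["template"])
    return result


def reversed_order(tag: Dict[str, Any]) -> Dict[str, Any]:
    """Same tag with its enrichment items in reverse run order."""
    return {**tag, "enrichments": list(reversed(tag["enrichments"]))}
```

Running `apply_enrichments(ALERT_TAG, EVENT)` yields `tag_name: "db01"`, while `apply_enrichments(reversed_order(ALERT_TAG), EVENT)` leaves `tag_name` unset because the extraction runs before `source` exists.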