Working with alerts
Alerts Matano table
All alerts are automatically stored in a Matano table named matano_alerts
. The alerts and rule matches are normalized to ECS and contain context about the original event that triggered the rule match, along with the alert and rule data.
Common queries
View alerts that are activated (exceeded threshold)
select matano.alert.id as alert_id,
count(matano.alert.rule.match.id) as rule_match_count,
array_agg(matano.alert.rule.match.id) as rule_matches,
from matano_alerts
where
ts < current_timestamp - interval '1' hour
and matano.alert.activated = true
group by matano.alert.id, matano.alert.dedupe
Group rule matches by original data
Because the Matano schema for a rule match includes the original event that the detection ran on, you can use this information in your queries. For example, to see what actions are causing rule matches:
select
event.action,
count(matano.alert.rule.match.id) as rule_match_count
from matano_alerts
where matano.alert.activated = true
group by event.action
order by rule_match_count desc