Schedule events are triggered automatically at various intervals per organization or per sensor, and can be observed in D&R rules via the schedule target.
Scheduling events have a very similar structure whether they are per-sensor or per-org. The event component contains a single key, frequency, which is the interval in seconds at which this scheduling event is emitted. The event type also carries the human-readable form of the frequency.
The following frequencies are currently emitted:
- 30m: 30m_per_org and 30m_per_sensor
- 1h: 1h_per_org and 1h_per_sensor
- 3h: 3h_per_org and 3h_per_sensor
- 6h: 6h_per_org and 6h_per_sensor
- 12h: 12h_per_org and 12h_per_sensor
- 24h: 24h_per_org and 24h_per_sensor
- 168h (7 days): 168h_per_org and 168h_per_sensor
Scheduling events are generated for each org that meets the following criteria:
- Has had at least 1 sensor online in the last 7 days.
Scheduling events are generated for each sensor that meets the following criteria:
- Has been online at least once in the last 30 days.
Scheduling events are not retained as part of the one-year retention in LimaCharlie. To leverage them, create D&R rules that use the schedule target and take the relevant action when matched. For example, to issue an os_packages task once per week on Windows hosts:
detect:
  target: schedule
  event: 168h_per_sensor
  op: is platform
  name: windows
respond:
  - action: task
    command: os_packages
    investigation: weekly-package-list
*_per_org
Events that are emitted once per period per org. This allows you to schedule things at a global level.
{
  "event": {
    "frequency": 86400
  },
  "routing": {
    "event_id": "0f236fbb-31df-4d11-b6ab-c6b71a63a072",
    "event_time": 1673298756512,
    "event_type": "1h_per_org",
    "oid": "8cbe27f4-bfa1-4afb-ba19-138cd51389cd",
    "sid": "00000000-0000-0000-0000-000000000000",
    "tags": []
  }
}
*_per_sensor
Events that are emitted once per period per sensor. This allows you to schedule automation for each sensor within an org.
This event includes a runtime_mtd component for sensors recently online, which carries snapshot-in-time metadata about their running state.
{
  "event": {
    "frequency": 1800,
    "runtime_mtd": {
      "entity_name": "81c72a07-9540-4341-9c35-66f6cfe1b9d7",
      "entity_type": "sensor",
      "mtd": {
        "bytes_recv": 6202524,
        "conn_at": 1689819872,
        "eps_in": 1,
        "eps_out": 0,
        "q_size": 0
      },
      "published_at": 1689858693935
    }
  },
  "routing": {
    "arch": 5,
    "did": "",
    "event_id": "247bbf44-5e60-41c3-9642-410447aa04d2",
    "event_time": 1673298757318,
    "event_type": "30m_per_sensor",
    "ext_ip": "34.82.75.115",
    "hostname": "prod-domain-controler",
    "iid": "ebda4de0-aaaa-aaaa-aaaa-698a5a10c3af",
    "int_ip": "192.168.10.2",
    "oid": "8cbe27f4-aaaa-aaaa-aaaa-138cd51389cd",
    "plat": 536870912,
    "sid": "640f2a6f-aaaa-aaaa-aaaa-dcc55726b450",
    "tags": [
      "prod",
      "domain"
    ]
  }
}
*_per_cloud_adapter
Events that are emitted once per period per cloud adapter. This can be useful to check that adapters are continuously online.
This event includes a runtime_mtd component for adapters recently online, which carries snapshot-in-time metadata about their running state.
{
  "event": {
    "frequency": 1800,
    "adapter_name": "office-audit",
    "runtime_mtd": {
      "entity_name": "81c72a07-9540-4341-9c35-66f6cfe1b9d7",
      "entity_type": "adapter",
      "mtd": {
        "platform": "office365",
        "hostname": "office-365-audit",
        "adapter_type": "office365"
      },
      "published_at": 1689858693935
    }
  },
  "routing": {
    "arch": 5,
    "did": "",
    "event_id": "247bbf44-5e60-41c3-9642-410447aa04d2",
    "event_time": 1673298757318,
    "event_type": "30m_per_sensor",
    "ext_ip": "34.82.75.115",
    "hostname": "prod-domain-controler",
    "iid": "ebda4de0-aaaa-aaaa-aaaa-698a5a10c3af",
    "int_ip": "192.168.10.2",
    "oid": "8cbe27f4-aaaa-aaaa-aaaa-138cd51389cd",
    "plat": 536870912,
    "sid": "640f2a6f-aaaa-aaaa-aaaa-dcc55726b450",
    "tags": [
      "prod",
      "domain"
    ]
  }
}
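The *_per_sensor and *_per_cloud_adapter sections above describe the same shape: a frequency in event, a scope in routing.event_type, and an optional runtime_mtd block that is only present for entities recently online. The following is an added example, not LimaCharlie's own code, showing how a consumer of these events (for example a webhook or output sink) can parse that shape, check that event_type agrees with event.frequency, and flag stale or missing runtime metadata. The sample events are constructed for the illustration; their identifiers are placeholders, the "30m_per_cloud_adapter" type name is assumed from the section heading, and the staleness threshold is a heuristic chosen here rather than a documented rule.

```python
"""Parse and sanity-check LimaCharlie-style schedule events.

Added example, not LimaCharlie's own code. Sample events are constructed
and follow the field layout documented above (event.frequency,
event.runtime_mtd, routing.event_type, routing.event_time).
"""
import json
from dataclasses import dataclass, field
from typing import Optional

# Frequencies the page lists as emitted: seconds -> human-readable label.
FREQUENCY_LABELS = {1800: "30m", 3600: "1h", 10800: "3h", 21600: "6h",
                    43200: "12h", 86400: "24h", 604800: "168h"}
SCOPES = ("per_org", "per_sensor", "per_cloud_adapter")


@dataclass
class ScheduleSummary:
    frequency_s: int                    # event.frequency
    label: str                          # "30m", "1h", ... derived from frequency_s
    scope: str                          # one of SCOPES, taken from routing.event_type
    type_matches: bool                  # routing.event_type == f"{label}_{scope}"
    entity: Optional[str] = None        # runtime_mtd.entity_name when present
    mtd_age_s: Optional[float] = None   # event_time minus runtime_mtd.published_at
    mtd: dict = field(default_factory=dict)  # runtime_mtd.mtd when present


def parse_schedule_event(raw: str) -> ScheduleSummary:
    """Turn one schedule event (JSON text) into a ScheduleSummary."""
    doc = json.loads(raw)
    event, routing = doc["event"], doc["routing"]
    freq = int(event["frequency"])
    if freq not in FREQUENCY_LABELS:
        raise ValueError(f"unexpected schedule frequency: {freq}s")
    label = FREQUENCY_LABELS[freq]
    event_type = routing["event_type"]
    scope = next((s for s in SCOPES if event_type.endswith("_" + s)), None)
    if scope is None:
        raise ValueError(f"not a schedule event_type: {event_type!r}")
    summary = ScheduleSummary(freq, label, scope, event_type == f"{label}_{scope}")
    rt = event.get("runtime_mtd")
    if rt:
        summary.entity = rt.get("entity_name")
        summary.mtd = dict(rt.get("mtd", {}))
        # Both timestamps are epoch milliseconds in the documented samples.
        summary.mtd_age_s = (routing["event_time"] - rt["published_at"]) / 1000.0
    return summary


def flags(summary: ScheduleSummary) -> list:
    """Conditions worth alerting on when consuming schedule events.

    Treating metadata older than one schedule period as stale is a heuristic
    chosen for this example, not a documented LimaCharlie rule.
    """
    out = []
    if not summary.type_matches:
        out.append("event_type does not match event.frequency")
    if summary.scope != "per_org" and summary.entity is None:
        out.append("runtime_mtd absent (only included for recently-online entities)")
    if summary.mtd_age_s is not None and summary.mtd_age_s > summary.frequency_s:
        out.append("runtime_mtd older than one schedule period")
    return out


# Constructed samples (not captured from a real tenant); ids are placeholders.
SAMPLE_PER_ORG = json.dumps({
    "event": {"frequency": 86400},
    "routing": {"event_id": "00000000-0000-0000-0000-000000000001",
                "event_time": 1700000000000, "event_type": "24h_per_org",
                "oid": "00000000-0000-0000-0000-0000000000aa",
                "sid": "00000000-0000-0000-0000-000000000000", "tags": []},
})
SAMPLE_PER_SENSOR = json.dumps({
    "event": {"frequency": 1800,
              "runtime_mtd": {"entity_name": "00000000-0000-0000-0000-0000000000bb",
                              "entity_type": "sensor",
                              "mtd": {"bytes_recv": 6202524, "conn_at": 1699990000,
                                      "eps_in": 1, "eps_out": 0, "q_size": 0},
                              "published_at": 1699999400000}},
    "routing": {"event_time": 1700000000000, "event_type": "30m_per_sensor",
                "hostname": "example-host",
                "sid": "00000000-0000-0000-0000-0000000000bb", "tags": ["prod"]},
})
SAMPLE_PER_ADAPTER = json.dumps({  # event_type name assumed from the section heading
    "event": {"frequency": 1800, "adapter_name": "office-audit",
              "runtime_mtd": {"entity_name": "00000000-0000-0000-0000-0000000000cc",
                              "entity_type": "adapter",
                              "mtd": {"platform": "office365",
                                      "hostname": "office-365-audit",
                                      "adapter_type": "office365"},
                              "published_at": 1699996000000}},
    "routing": {"event_time": 1700000000000, "event_type": "30m_per_cloud_adapter"},
})
# Mirrors the page's *_per_org sample, where an 86400 s frequency is labelled 1h.
SAMPLE_MISMATCH = json.dumps({
    "event": {"frequency": 86400},
    "routing": {"event_time": 1700000000000, "event_type": "1h_per_org"},
})

if __name__ == "__main__":
    for raw in (SAMPLE_PER_ORG, SAMPLE_PER_SENSOR, SAMPLE_PER_ADAPTER, SAMPLE_MISMATCH):
        s = parse_schedule_event(raw)
        print(f"{s.label}_{s.scope}: entity={s.entity} age={s.mtd_age_s} flags={flags(s)}")
```

The per_org sample carries no runtime_mtd, so only the type check applies to it; for sensors and adapters the age of runtime_mtd relative to event_time is what tells you whether the "recently online" snapshot is fresh, which is the check the *_per_cloud_adapter section suggests when it recommends these events for verifying adapters stay online.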