diff --git a/_monitoring-plugins/alerting/monitors.md b/_monitoring-plugins/alerting/monitors.md index f00d7e78..0306f8af 100644 --- a/_monitoring-plugins/alerting/monitors.md +++ b/_monitoring-plugins/alerting/monitors.md 
@@ -17,35 +17,30 @@ has_children: false ## Monitor types OpenSearch Dashboard alerting plugin provides four monitor types: -* per query - This monitor runs a query and generates alert notifications based on criteria that matches. -* per bucket - This monitor runs a query that evaluates trigger criteria based on aggregated values in the data set. -* per cluster metrics - Runs API requests on the cluster to monitor its health. -* per document - Runs a query at the document level that returns the amount of documents indexed within the last hour, then it evaluates newly indexed data and returns the documents that match the criteria to generate an alert notification. +* **per query** - This monitor runs a query and generates alert notifications based on criteria that matches. +* **per bucket** - This monitor runs a query that evaluates trigger criteria based on aggregated values in the data set. +* **per cluster metrics** - This monitor runs API requests on the cluster to monitor its health. +* **per document** - This monitor runs a query (or multiple queries combined by a tag) that returns individual documents that match the alert notification trigger condition. + ### More about per document monitors -You can set an alert for individual documents within an index with a per document monitor. The query returns specific documents that contain the fields that match the trigger criteria that you want to monitor. - -The per query and per bucket monitors can only take a single query with one trigger condition. Per document monitors allow you to combine multiple query trigger conditions by adding the same tag to all queries. By default, the Alerting plugin processes the trigger conditions from all queries as a logical OR operation, so if any of the conditions are met, it generates the alert notification. +The per query and per bucket monitors can only take a single query with one trigger condition. 
Per document monitors allow you to combine multiple query trigger conditions by adding a tag to the queries. Then you can add the tag as a single trigger condition instead of specifying a single query. The Alerting plugin processes the trigger conditions from all queries as a logical OR operation, so if any of the query conditions are met, it generates the alert notification. The Alerting plugin also creates document findings data that contain metadata about which document matches each query. Security analytics can use the document findings data to keep track and analyze the query data separate from the alert processes. The metadata provided for each document finding includes: -* document - The document ID and index name -* Query - The query name that matched the document -* Time found - The timestamp that indicates the time the document was found during the runtime +* Document - The document ID and index name. +* Query - The query name that matched the document. +* Time found - The timestamp that indicates the time the document was found during the runtime. -Per document monitors allow you to define tags that combine trigger criteria by logical operators. You can't do this with the per bucket or per query monitors. - -You can also add tags to each query to fine tune your trigger conditions, and perform combination triggers that return logical OR operation on two queries marked with the same tag. - -You can create a tag that aggregates two conditions by logical operators, then add the tag as a single trigger condition. For example, you could create a tag called "sigma" with a trigger condition that returns requires either of two separate query criterion to be met. ## Key terms Term | Definition :--- | :--- Monitor | A job that runs on a defined schedule and queries OpenSearch indexes. The results of these queries are then used as input for one or more *triggers*. Trigger | Conditions that, if met, generate *alerts*. 
+Tag | Label that can be applied to multiple queries to combine them with the logical OR operation. Alert | An event associated with a trigger. When an alert is created, the trigger performs *actions*, which can include sending a notification. Action | The information that you want the monitor to send out after being triggered. Actions have a *destination*, a message subject, and a message body. Destination | A reusable location for an action. Supported locations are Amazon Chime, Email, Slack, or custom webhook.
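Review bot: the retained sentence "The per query and per bucket monitors can only take a single query with one trigger condition." under "More about per document monitors" conflicts with the Key terms row for Monitor in the same file, which says query results are "used as input for one or more *triggers*"; the restriction that actually distinguishes per document monitors is that only they can combine multiple queries under a tag and use the tag as a trigger condition, so reword along the lines of "Per query and per bucket monitors evaluate a single query; per document monitors can combine multiple queries by tagging them and use the tag as a trigger condition." Relatedly, the new `Tag` row in the Key terms table should state that tags apply to per document monitors only, since the deleted line "You can't do this with the per bucket or per query monitors." was the only place that scope survived; and "By default" was dropped from the logical OR sentence, which now reads as if OR is the only way tagged queries are combined, so either keep "By default" or make the text say plainly that OR is the only combination. Minor: "criteria that matches" in the per query bullet should be "criteria that match", and "Security analytics" should be capitalized consistently if it names a plugin rather than a generic activity.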