Alerts and Detection


Powerful alerting to drive your operations

Powerful visibility by itself isn't going to help your team. Trisul provides a fully configurable alerting system to drive your operations, and its LUA interface lets you alert through practically any mechanism you want if the standard options don't fit. Out of the box, 5 different types of alerts are generated immediately upon installation.

Improve your response times

Different alert types ensure that you never miss important events in your network. A flow-related exfiltration alert is different from a statistical metric threshold-crossing alert, which is different from a signature-based IDS alert. All alert types in Trisul include flexible email alerting options.

Threshold Crossing

When any metric value crosses fixed thresholds

  • Based on meter values
  • Above and below thresholds
  • Set on any counter, meter, or item
  • FIRE and CLEAR conditions help operators
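The FIRE and CLEAR semantics above are easy to get wrong in a home-grown alerter (one alert per sample instead of one per transition). The following is an added example, not Trisul's own code: a small Python model of an "above" or "below" threshold on one metric that emits FIRE when the metric enters violation and CLEAR when it leaves. The metric name, limits and samples are constructed for the example.

```python
"""Threshold-crossing alerts with FIRE and CLEAR states (added example).

Models the FIRE/CLEAR behaviour of a threshold set on a single
counter/meter value. Sample data is constructed; nothing here is
Trisul's own API.
"""
from dataclasses import dataclass, field


@dataclass
class ThresholdAlert:
    metric: str               # name of the counter/meter/item being watched
    limit: float              # the fixed threshold
    direction: str = "above"  # "above": alert when value > limit; "below": when value < limit
    firing: bool = field(default=False, init=False)

    def _violates(self, value: float) -> bool:
        if self.direction == "above":
            return value > self.limit
        if self.direction == "below":
            return value < self.limit
        raise ValueError(f"unknown direction {self.direction!r}")

    def observe(self, ts: int, value: float):
        """Feed one sample; return a FIRE or CLEAR event dict, or None.

        Only state transitions produce events: a metric that stays over
        the limit for an hour raises one FIRE, not one alert per sample,
        and the operator gets a matching CLEAR when the condition ends.
        """
        violated = self._violates(value)
        if violated and not self.firing:
            self.firing = True
            return {"ts": ts, "metric": self.metric, "state": "FIRE", "value": value}
        if not violated and self.firing:
            self.firing = False
            return {"ts": ts, "metric": self.metric, "state": "CLEAR", "value": value}
        return None


def run_stream(alert: ThresholdAlert, samples):
    """Run a (ts, value) stream through an alert; return the list of events."""
    events = []
    for ts, value in samples:
        ev = alert.observe(ts, value)
        if ev:
            events.append(ev)
    return events


# Constructed samples: (timestamp in seconds, link utilisation in Mbps)
LINK_SAMPLES = [(0, 40), (60, 55), (120, 95), (180, 110),
                (240, 120), (300, 70), (360, 98), (420, 50)]

if __name__ == "__main__":
    for ev in run_stream(ThresholdAlert("link-utilization-mbps", 90, "above"), LINK_SAMPLES):
        print(ev)
```

Running the block prints four events for the eight samples: FIRE at t=120, CLEAR at t=300, FIRE at t=360 and CLEAR at t=420. The two samples at 110 and 120 Mbps produce nothing because the alert is already firing, which is the point of pairing FIRE with CLEAR.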

Flow tracker

Large uploads, unusual uploads, long-running remote desktops

  • Police flow activity
  • Watch large uploads, downloads, and long-running flows
  • Set on any counter, meter, or item

IDS/IPS alerts

Ingest signature based alerts and correlate with metrics and flows

  • Integrate IDS alerts to flows, metrics, pcaps
  • Investigate everything from one place
  • Single click bulk PCAP from alerts

Threat alerts

Efficiently process hits on known threats

  • Free with the badfellas plugin
  • Match traffic against millions of known threats
  • Includes must-have open feeds
  • Scores impact to help you ignore noisy scanners

ML metric bands

Machine Learning creates bands of metric usage and detects outliers

  • Continuous learning of metrics usage bands
  • Training window spreads over five weeks
  • Automatically alert on out of band activity of any metric
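To make the idea of learned usage bands concrete, here is an added example in Python that is not Trisul's own code or algorithm: it trains one band per hour-of-week slot from a five-week window of samples (the training window length stated above), using mean plus or minus K_SIGMA standard deviations, and flags any later sample outside its slot's band. The choice of K_SIGMA, the stddev floor MIN_SIGMA, the hour-of-week slotting and the training data are all assumptions constructed for the example.

```python
"""Learned metric usage bands with out-of-band detection (added example).

Simplified stand-in for an "ML metric bands" detector, not Trisul's
own implementation. Each hour-of-week slot gets a band derived from
WEEKS weeks of history; samples outside the band are outliers.
"""
import statistics
from collections import defaultdict

WEEKS = 5          # training window length (five weeks, as stated on the page)
K_SIGMA = 3.0      # band half-width in standard deviations (assumption)
MIN_SIGMA = 1.0    # floor on stddev so a flat history does not give a zero-width band (assumption)
HOUR = 3600
WEEK = 7 * 24 * HOUR


def slot_of(ts: int) -> int:
    """Hour-of-week slot 0..167 for an epoch-seconds timestamp (aligned to epoch 0 for simplicity)."""
    return (ts % WEEK) // HOUR


def train_bands(samples):
    """samples: iterable of (ts, value). Returns {slot: (low, high)}."""
    by_slot = defaultdict(list)
    for ts, value in samples:
        by_slot[slot_of(ts)].append(value)
    bands = {}
    for slot, values in by_slot.items():
        mean = statistics.fmean(values)
        sigma = statistics.pstdev(values) if len(values) > 1 else 0.0
        sigma = max(sigma, MIN_SIGMA)
        bands[slot] = (mean - K_SIGMA * sigma, mean + K_SIGMA * sigma)
    return bands


def check(bands, ts, value):
    """Return an alert dict if value is outside the learned band for its slot, else None."""
    slot = slot_of(ts)
    if slot not in bands:
        return None  # no history for this slot yet; continuous learning would fill it in
    low, high = bands[slot]
    if low <= value <= high:
        return None
    return {"ts": ts, "slot": slot, "value": value,
            "band": (round(low, 1), round(high, 1)),
            "side": "above" if value > high else "below"}


def constructed_history():
    """Constructed five weeks of hourly samples: busy 09:00-17:00, quiet otherwise, small weekly drift."""
    samples = []
    for week in range(WEEKS):
        for hour_of_week in range(7 * 24):
            hour = hour_of_week % 24
            base = 200 if 9 <= hour < 17 else 20
            samples.append((week * WEEK + hour_of_week * HOUR, base + (week % 3) * 4))
    return samples


if __name__ == "__main__":
    bands = train_bands(constructed_history())
    # Sixth week: a quiet-hour slot with a value that looks like daytime traffic
    print(check(bands, WEEKS * WEEK + 3 * HOUR, 150))
    # Same slot, a value inside the learned band
    print(check(bands, WEEKS * WEEK + 3 * HOUR, 25))
```

With the constructed history every quiet-hour slot learns a band of roughly 14 to 32 and every busy-hour slot roughly 194 to 212, so 150 in a quiet slot is reported as "above" and 25 is not. A real detector would keep rolling the window forward (the "continuous learning" above) and would need a sensible floor on the band width, which is why MIN_SIGMA is there.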

User alerts

General purpose alert group for your own use

  • Create your own alerts via LUA
  • A catch all alert group for events like failed DNS, failed SSH logins.
  • Single click bulk PCAP from alerts