Adding external or additional data into alerts and detections

Adding external or additional data into alerts and detections

There might be a need to add extra data into alerts and detections ( e.g. External TIcket ID ).

To do this in UI:
Open Alerts or Detections page.
Select the alert, click on the "Manage" icon and add the data into the "Additional Details" field.

To query the data use the following query (replace the <ALERT ID> placeholder with the your alert Id) :
SELECT
    a.*,
    n.memo
FROM
    upt_alerts a
    LEFT JOIN upt_notes n
    ON a.note_id = n.id
WHERE
    a.id = '<ALERT ID>'

To find the alert by external data value use the following query:

SELECT
    a.*,
    n.memo
FROM
    upt_alerts a
    LEFT JOIN upt_notes n
    ON a.note_id = n.id
WHERE
    n.memo = 'ExternalTicketId=12345'


In the following example, we will pass multiple values as a JSON into the Detection



Example query to get the data ( Replace <DETECTION ID> placeholder:
SELECT
    d.*,
n.memo,
    json_extract_scalar(n.memo, '$["External Ticket ID"]') AS "External Ticket ID",
    json_extract_scalar(n.memo, '$["External Ticket Name"]') AS "External Ticket Name"
FROM
    upt_detections d
    LEFT JOIN upt_notes n
    ON d.note_id = n.id
WHERE
    d.id = '<DETECTION ID>'


To find the detection by the external data value, simply replace the WHERE clause.

SELECT
    d.*,
    n.memo,
    json_extract_scalar(n.memo, '$["External Ticket ID"]') AS "External Ticket ID",
    json_extract_scalar(n.memo, '$["External Ticket Name"]') AS "External Ticket Name"
FROM
    upt_detections d
    LEFT JOIN upt_notes n
    ON d.note_id = n.id
WHERE
    json_extract_scalar(memo, '$["External Ticket ID"]') = '12345'