
Alerting

The nzyme alerting engine can trigger actions for two kinds of events:

  • Detection Events
  • System Events

Each detection alert or system event creates an event in nzyme. Actions, such as email notifications, can be subscribed to any event type.

flowchart
    TR[Tap Reports]
    NM[Network Monitor]
    AS[Authentication Service]
    HM[Health Monitor]
    SD[Signal Track Monitor]
    EE{{Event Engine}}
    AE{{Alert Engine}}

    D[(Database)]

    A1([Email])
    A2([Splunk Message])

    %% System Events
    subgraph SE [System Event Sources]
        AS
        HM
    end

    %% Detection Events
    subgraph DE [Detection Event Sources]
        SD
        TR
        NM
    end

    DE -- Alert --> AE
    AE --> D 

    DE -- Notify --> EE
    SE -- Notify --> EE

    EE -- Trigger --> A1
    EE -- Trigger --> A2

It is important to understand that detection alerts trigger an event, which triggers all subscribed actions. Alerts and their details are organized in the alerts section of the web interface.

Detection Events

Detection events are triggered by the WiFi and Ethernet detection engines. Any detection alert thrown will create a detection event. Actions can be subscribed to detection events.

Super administrators, organization administrators and tenant users with the View/Handle Alerts feature permission can see all triggered alerts at Alerts -> Overview. Additionally, super administrators, organization administrators and tenant users with the Manage Alerts feature permission can create and manage action subscriptions at Alerts -> Subscriptions.

Alert Grouping & Re-Triggering

Detection alerts have attributes that nzyme uses to group them together. For example, an unexpected BSSID network monitor alert does not create a new alert and event each time the BSSID is seen again. Instead, nzyme checks whether an alert of the same type already exists for that BSSID and, if so, updates its last seen attribute and alert timeline.

A new event (which triggers actions) is only created if 5 minutes have passed since the alert was last seen. A new alert timeline entry will be created in such cases and the alert is considered re-triggered.

Active Alerts

An alert that has been seen in the last 5 minutes is considered active. After that, it is marked as inactive.

Alert Runs

An alert run is one pass in which nzyme checks for detection alert conditions. How much time passes between a condition appearing and the detection engine noticing it depends on the type of alert:

  • Tap Reports/Detection
    • Every detection alert triggered directly by taps (for example the WiFi Pwnagotchi detector, which has to look into individual frame data) is part of the periodic tap reports and is triggered immediately on receipt. Maximum latency is about 10 seconds.
  • Signal Track Monitor
    • The signal track monitor checks for the WiFi multiple signal tracks alert every 60 seconds.
  • Network Monitor
    • The network monitor compares expected state of monitored networks with observed state in tap reports. Maximum latency is about 10 seconds.

Marking Alerts as Resolved

Marking an alert as resolved immediately marks it as inactive. If the underlying alert condition is not resolved, the alert will be re-triggered on the next alert run.

A new event (which triggers actions) is only created if 5 minutes have passed since the alert was last seen, no matter if the alert had been marked as resolved or not.

Deleting Alerts

Deleting an alert removes it from the database entirely. If the underlying alert condition is not resolved, a new alert will be created on the next alert run. This will also create a new event and trigger subscribed actions.
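The grouping, re-triggering, active-window, resolve and delete behaviour described in the sections above, as an added illustrative model (this is not nzyme's code; the class and attribute names are made up, and the 5-minute window is the one the documentation states):

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
# From the documentation: an alert seen within the last 5 minutes is active, and a
# new event (which triggers actions) needs 5 minutes since the alert was last seen.
WINDOW = timedelta(minutes=5)

@dataclass
class Alert:
    alert_type: str
    attributes: dict                      # grouping attributes, e.g. {"bssid": ...}
    last_seen: datetime
    timeline: list = field(default_factory=list)
    resolved: bool = False

    def is_active(self, now: datetime) -> bool:
        return not self.resolved and now - self.last_seen < WINDOW

class AlertModel:
    """Toy model of alert grouping and re-triggering (not nzyme's own code)."""
    def __init__(self):
        self.alerts = {}   # grouping key -> Alert
        self.events = []   # (time, alert_type, reason); each would fire subscribed actions

    @staticmethod
    def key(alert_type, attributes):
        return (alert_type, tuple(sorted(attributes.items())))

    def observe(self, alert_type, attributes, now):
        """One detection of the alert condition during an alert run."""
        k = self.key(alert_type, attributes)
        alert = self.alerts.get(k)
        if alert is None:                 # first sighting: new alert and new event
            alert = Alert(alert_type, attributes, now, [(now, "triggered")])
            self.alerts[k] = alert
            self.events.append((now, alert_type, "triggered"))
            return alert
        # Same type and attributes: update the existing alert. A timeline entry and
        # an event only follow once WINDOW has passed, whether resolved or not.
        if now - alert.last_seen >= WINDOW:
            alert.timeline.append((now, "re-triggered"))
            self.events.append((now, alert_type, "re-triggered"))
        alert.last_seen = now
        alert.resolved = False            # condition still present: active again
        return alert

    def resolve(self, alert_type, attributes):
        self.alerts[self.key(alert_type, attributes)].resolved = True   # inactive at once

    def delete(self, alert_type, attributes):
        del self.alerts[self.key(alert_type, attributes)]   # next run creates a fresh alert
```

Feeding the model a sequence of sightings shows why a condition that persists only produces one event per 5-minute window, while deleting the alert produces a new event on the very next run.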

System Events

System events are split into two groups:

  • Super Administrator Events
  • Organization Events

Super Administrator Events

These events are related to super administrator authentication or system events and can only be accessed and managed by super administrators. As a super administrator, you can find the events under System -> Events & Actions.

Super administrator events are never tied to organizations or tenants and always affect the nzyme cluster as a whole. For example, creating or modifying super administrator user accounts will trigger super administrator events. Enabled system health indicator changes will do the same. Common receivers of super administrator event notifications (actions) are the system administrators of the affected nzyme cluster.

Organization Events

Organization events are system events that affect an organization. Examples are newly created users in the organization or an edited organization administrator.

These events can be managed by organization administrators at Organization -> Events & Actions. Organization administrators should consider subscribing to notifications (actions) for organization events.