Siren Alert is an App Plugin that extends Siren Investigate with dynamic Alerting and Reporting functionality.

It is designed to monitor, validate and inform users and systems about changes in data series. It uses standard or join queries, programmable result validators, transformers and templates, and sends notifications through a variety of configurable actions: reaching users, interfacing with remote APIs for data and commands, generating new Elasticsearch documents, sending arbitrary metrics to any other platform, planting triggers for itself to use, and more.

Using watchers

Siren Alert enables automation of recurring questions (as queries) by using Watchers. For example:


  • QUESTION: How many hits does index X receive hourly?

  • WATCHER: query index and return count of hits in last hour

  • ACTION: Notify with number of Hits per hour


  • QUESTION: Are any of my monitored metrics surpassing a certain value?

  • WATCHER: query index and type for specific values, aggregated by an arbitrary field.

  • ACTION: Notify with aggs bucket details every time a threshold is surpassed or a spike anomaly is detected.


  • QUESTION: Are any of my users trying to reach blacklisted destinations?

  • WATCHER: query firewall logs comparing destination IPs to a blacklist.

  • ACTION: Notify admin using email if any IP >= 10 matches returned


  • QUESTION: Are there recurring failure attempts authenticating users on my network?

  • WATCHER: query Active Directory logs for login failures in last hour and compare to user index.

  • ACTION: Notify admin using webhook if >= 10 matches returned

  • LEAK DETECTION (chain)

  • QUESTION: Are there any public leaks about my data I was not aware of?

  • WATCHER: query for user emails included in published leaks ingested from third parties.

  • ACTION: Save hits in secondary result Index. Notify using email if leak was not known in a secondary Watcher
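
The authentication-failure watcher from the list above, sketched as an added example (this is not Siren Alert's own code or watcher syntax): an Elasticsearch query body for failed logins in the last hour, the `>= 10` check, and the webhook body, run over a constructed response. The field names `@timestamp`, `event.outcome` and `user.name`, and all function names, are assumptions.

```javascript
// Added example, not Siren Alert syntax. Field names (@timestamp,
// event.outcome, user.name) are assumed; adapt them to your AD log mapping.

// WATCHER: failed logins in the last hour, bucketed per user.
function buildFailedLoginQuery() {
  return {
    size: 0,
    query: { bool: { filter: [
      { term: { "event.outcome": "failure" } },
      { range: { "@timestamp": { gte: "now-1h", lte: "now" } } }
    ] } },
    aggs: { by_user: { terms: { field: "user.name", size: 100 } } }
  };
}

// CONDITION: users with >= minFailures failures, each marked as present or
// absent in the user index. A missing aggregation yields [] instead of throwing.
function offendingUsers(payload, minFailures, knownUsers) {
  const buckets = payload?.aggregations?.by_user?.buckets ?? [];
  return buckets
    .filter((b) => b.doc_count >= minFailures)
    .map((b) => ({ user: b.key, failures: b.doc_count, known: knownUsers.has(b.key) }));
}

// ACTION: JSON body for the webhook notification.
function webhookBody(users) {
  return JSON.stringify({ alert: "recurring_login_failures", window: "1h", users });
}

// Constructed sample response and user index contents (not real data).
const samplePayload = { aggregations: { by_user: { buckets: [
  { key: "alice", doc_count: 14 },
  { key: "svc-backup", doc_count: 10 },
  { key: "bob", doc_count: 3 }
] } } };
const sampleKnownUsers = new Set(["alice", "bob"]);

const flagged = offendingUsers(samplePayload, 10, sampleKnownUsers);
if (flagged.length > 0) console.log(webhookBody(flagged));
```

Accounts flagged with `known: false` are failing logins for names that are not in the user index, which is worth separating from lockouts of real users when triaging the alert.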