Impact analysis and incident correlation
Note: Part of the Reveal plan
event_telemetry
The event_telemetry data source provides aggregated metrics about the events processed by your intakes.
It allows you to monitor, report, and troubleshoot data ingestion across your Sekoia.io tenant.
Each record in event_telemetry represents a time-bucketed summary of event activity for a given intake, including the number of events, total data volume, event sizes, and processing lags.
This makes it easy to:
- Analyze your data usage over time, per intake
- Identify anomalies such as sudden spikes in data volume or processing delays
- Detect potential misconfigurations that could lead to unexpected data costs or ingestion issues
Typical use cases:
- Usage reporting: Track how much data each intake is sending over specific timeframes.
- Performance monitoring: Observe event size distributions and processing lags to ensure optimal pipeline performance.
- Root cause analysis: Investigate policy violations or overages by drilling down into intake-level telemetry.
You can query event_telemetry in the SOL query builder and combine it with other sources (e.g., intakes) to enrich your reports with intake names and configurations.
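A triage pass of the kind this section describes (volume spikes and processing delays per intake), as an added example rather than Sekoia.io code or SOL syntax: it joins constructed event_telemetry buckets to intake names on intake_uuid and flags the latest bucket of each intake whose total_message_size exceeds a multiple of that intake's median history, or whose max_processing_lag exceeds a threshold. The sample records, intake names, thresholds and the row helper are assumptions.

```python
from collections import defaultdict
from statistics import median


def row(intake_uuid, start, occurrences, total_message_size, max_processing_lag):
    """Build a minimal event_telemetry record using this page's property names."""
    return {"intake_uuid": intake_uuid, "bucket_start_date": start, "occurrences": occurrences,
            "total_message_size": total_message_size, "max_processing_lag": max_processing_lag}


# Constructed sample data (not real tenant data); intake uuids are placeholders.
INTAKES = [
    {"uuid": "intake-a", "name": "Perimeter firewall (constructed)"},
    {"uuid": "intake-b", "name": "Windows endpoints (constructed)"},
]
TELEMETRY = [
    row("intake-a", "2024-05-01T10:00:00Z", 1_000, 500_000, 2.0),
    row("intake-a", "2024-05-01T11:00:00Z", 1_050, 520_000, 2.5),
    row("intake-a", "2024-05-01T12:00:00Z", 980, 480_000, 2.0),
    row("intake-a", "2024-05-01T13:00:00Z", 4_000, 2_000_000, 5.0),  # 4x the usual volume
    row("intake-b", "2024-05-01T12:00:00Z", 200, 100_000, 1.0),
    row("intake-b", "2024-05-01T13:00:00Z", 210, 110_000, 300.0),    # processing stalled
    row("intake-c", "2024-05-01T13:00:00Z", 50, 25_000, 120.0),      # no matching intake record
]


def flag_anomalies(telemetry, intakes, spike_factor=3.0, lag_threshold_s=60.0):
    """Return (intake name, finding, value) tuples for the latest bucket of each intake.

    Volume is compared with the median of the intake's earlier buckets, so one
    unusual bucket in the history neither hides nor fakes a spike."""
    names = {i["uuid"]: i["name"] for i in intakes}
    by_intake = defaultdict(list)
    for r in telemetry:
        by_intake[r["intake_uuid"]].append(r)
    findings = []
    for intake_uuid, rows in by_intake.items():
        rows.sort(key=lambda r: r["bucket_start_date"])  # ISO-8601 UTC sorts lexically
        name = names.get(intake_uuid, intake_uuid)  # left-join: keep raw uuid if unmatched
        latest, history = rows[-1], rows[:-1]
        baseline = median(h["total_message_size"] for h in history) if history else 0
        if baseline > 0:
            ratio = latest["total_message_size"] / baseline
            if ratio > spike_factor:
                findings.append((name, "volume_spike", ratio))
        if latest["max_processing_lag"] > lag_threshold_s:
            findings.append((name, "processing_lag", latest["max_processing_lag"]))
    return findings


if __name__ == "__main__":
    for name, kind, value in flag_anomalies(TELEMETRY, INTAKES):
        print(f"{name}: {kind} = {value:g}")
```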
| Property | Description |
| --- | --- |
| community_uuid | UUID of the community the events belong to |
| intake_uuid | UUID of the intake source generating the events |
| intake_dialect_uuid | UUID representing the dialect used for the intake |
| bucket_start_date | UTC timestamp representing the beginning of the aggregation window |
| bucket_end_date | UTC timestamp representing the end of the aggregation window |
| occurrences | Number of events in the aggregation |
| total_message_size | Total size (in bytes) of raw events in the bucket |
| max_message_size | Size (in bytes) of the largest raw event in the bucket |
| min_message_size | Size (in bytes) of the smallest raw event in the bucket |
| total_event_size | Total size (in bytes) of all events in the bucket |
| max_event_size | Size (in bytes) of the largest event in the bucket |
| min_event_size | Size (in bytes) of the smallest event in the bucket |
| max_lag | Maximum observed delay (in seconds) between the event's timestamp and its reception date |
| min_lag | Minimum observed delay (in seconds) between the event's timestamp and its reception date |
| total_lag | Total accumulated lag (in seconds) across all events in the bucket |
| max_processing_lag | Maximum processing time (in seconds) taken by Sekoia.io to process an event |
| min_processing_lag | Minimum processing time (in seconds) taken by Sekoia.io to process an event |
| total_processing_lag | Total accumulated processing time (in seconds) for all events in the bucket |
alerts
| Alert Property | Description |
| --- | --- |
| uuid | A unique identifier for the alert. |
| short_ID | A concise identifier for quick reference to the alert. |
| community_uuid | A unique identifier for the community the alert belongs to. |
| entity_uuid | A unique identifier representing the entity associated with the alert. |
| entity_name | The name of the entity linked to the alert. |
| rule_name | The name assigned to the rule that triggered the alert. |
| rule_pattern | The detection pattern of the alert. |
| detection_type | The method by which the alert was detected. |
| alert_type_category | The category of the alert. |
| alert_type_value | The type of the alert. |
| status | The current state of the alert (e.g., open, acknowledged, resolved). |
| urgency | The level of urgency assigned to the alert. |
| created_at | The date and time when the alert was initially created. |
| update_at | The date and time when the alert was last updated. |
| first_seen_at | The date and time of the first alert occurrence. |
| last_seen_at | The date and time of the last alert occurrence. |
| time_to_detect | Duration, in seconds, taken to identify the alert from its occurrence. |
| time_to_acknowledge | Time elapsed, in seconds, from detection to official acknowledgment of the alert. |
| time_to_respond | Duration, in seconds, taken to take action after acknowledgment. |
| time_to_resolve | The total time, in seconds, taken to completely resolve the alert. |
| time_to_ingest | The duration, in seconds, from alert generation to its final ingestion into the system. |
| occurrences | The number of alert occurrences. |
| rule_instance_uuid | A unique identifier for the rule that generated the alert. |
| cases | List of cases associated with the alert. |
| assets | List of assets associated with the alert. |
| threats | List of threats associated with the alert. |
cases
| Property | Description |
| --- | --- |
| uuid | A unique identifier for the case. |
| short_id | A concise identifier for quick reference to the case. |
| community_uuid | A unique identifier for the community related to the case. |
| title | The title or subject line of the case. |
| description | A detailed description outlining the case's context or issues. |
| priority | The importance level assigned to the case, indicating its urgency. |
| created_at | The date and time when the case was created. |
| created_by | The user or system that created the case. |
| created_by_type | The type of entity that created the case (e.g., user, automated system). |
| updated_at | The date and time when the case was last updated. |
| updated_by | The user or system that last updated the case. |
| updated_by_type | The type of entity that last updated the case. |
| first_seen_at | The date and time when the case was first detected. |
| last_seen_at | The date and time when the case was last observed or updated. |
custom_statuses
| Property | Description |
| --- | --- |
| uuid | A unique identifier for the custom status. |
| community_uuid | A unique identifier for the community related to the custom status. |
| level | The numeric level of the status. |
| created_at | The date and time when the custom status was created. |
| created_by | The user or system that created the custom status. |
| created_by_type | The type of entity that created the custom status (e.g., avatar, apikey). |
| updated_at | The date and time when the custom status was last updated. |
| updated_by | The user or system that last updated the custom status. |
| updated_by_type | The type of entity that last updated the custom status. |
| stage | The workflow stage of the status (e.g., New, In progress, Closed). |
| label | The display label for the status. |
| description | A text description of the status. |
| type | The type(s) this status applies to (e.g., case, alert). |
custom_priorities
| Property | Description |
| --- | --- |
| uuid | A unique identifier for the custom priority. |
| community_uuid | A unique identifier for the community related to the custom priority. |
| level | The numeric level of the priority. |
| created_at | The date and time when the custom priority was created. |
| created_by | The user or system that created the custom priority. |
| created_by_type | The type of entity that created the custom priority (e.g., avatar, apikey). |
| updated_at | The date and time when the custom priority was last updated. |
| updated_by | The user or system that last updated the custom priority. |
| updated_by_type | The type of entity that last updated the custom priority. |
| color | The color associated with the priority (CSS variable or color name). |
| label | The display label for the priority. |
| description | A text description of the priority. |
communities
| Property | Description |
| --- | --- |
| uuid | A unique identifier for the community. |
| name | The name of the community. |
| description | The description of the community. |
| homepage_url | The homepage URL of the community. |
| picture_mode | The picture mode of the community. |
| created_at | The date and time when the community was created. |
| created_by | The user or system that created the community. |
| created_by_type | The type of entity that created the community (e.g., avatar, apikey). |
| updated_at | The date and time when the community was last updated. |
| company_size | The size of the company. |
| company_security_team_size | The size of the security team. |
| company_sector | The sector of the company. |
| company_location | The location of the company. |
| is_parent | Indicates whether the community is a parent community. |
| parent_uuid | A unique identifier of the parent community. |
| subcommunities | Indicates whether the community has subcommunities. |
| is_mfa_enforced | Indicates whether MFA is enforced at the community level. |
| session_timeout | The duration of inactivity after which users are automatically logged out. |
| disable_inactive_avatars | Indicates whether users are disabled after 90 days of inactivity. |
| disabled | Indicates whether the community is disabled. |
intakes
| Property | Description |
| --- | --- |
| uuid | A unique identifier for the intake. |
| name | The name of the intake. |
| community_uuid | A unique identifier for the community related to the intake. |
| entity_uuid | A unique identifier for the entity related to the intake. |
| format_uuid | A unique identifier for the format related to the intake. |
| intake_key | The intake key of the intake. |
| created_at | The date and time when the intake was created. |
| created_by | The user or system that created the intake. |
| created_by_type | The type of entity that created the intake (e.g., avatar, apikey). |
| updated_at | The date and time when the intake was last updated. |
| updated_by | The user or system that last updated the intake. |
| updated_by_type | The type of entity that last updated the intake. |
| is_custom_format | Indicates whether the intake uses a custom format. |
| connector_configuration_uuid | A unique identifier for the connector configuration related to the intake. |
intake_formats
| Property | Description |
| --- | --- |
| uuid | A unique identifier for the intake format. |
| community_uuid | A unique identifier for the community related to the intake format. |
| name | The name of the intake format. |
| slug | A URL-friendly identifier for the intake format (e.g., azure-application-gateway). |
| description | A description of the intake format. |
| created_at | The date and time when the intake format was created. |
| created_by | The user or system that created the intake format. |
| created_by_type | The type of entity that created the intake format (e.g., avatar, apikey). |
| updated_at | The date and time when the intake format was last updated. |
| updated_by | The user or system that last updated the intake format. |
| updated_by_type | The type of entity that last updated the intake format. |
| automation_connector_uuid | A unique identifier for the automation connector related to the intake format. |
For example queries using intake_formats, see Join examples.
entities
| Property | Description |
| --- | --- |
| uuid | A unique identifier for the entity. |
| name | The name of the entity. |
| alerts_generation | The alert generation mode of the entity. |
| description | The description of the entity. |
| entity_id | The ID of the entity. |
| community_uuid | A unique identifier for the community related to the entity. |
| created_at | The date and time when the entity was created. |
| updated_at | The date and time when the entity was last updated. |
assets
| Property | Description |
| --- | --- |
| uuid | A unique identifier for the asset. |
| community_uuid | A unique identifier for the community related to the asset. |
| name | The name of the asset. |
| type | Type of asset (host, account, or network). |
| category | Category of the asset. |
| criticality | Criticality of the asset. |
| created_at | The date and time when the asset was created. |
| updated_at | The date and time when the asset was last updated. |
| revoked | Indicates whether the asset is revoked. |
| reviewed | Indicates whether the asset has been reviewed. |
| atoms | List of related names/identifiers (e.g., hostname, IP addresses). |