Implements new alerts database and drilldown

alert store skeleton Alert database type changes Implement alert store for host alerts. All alert store skeletons. Fix class method access Enable tracing Implements simple queries for host alerts Implement flow alert store Fixes escaping of INSERT queries Flow alerts database schema fixes Adds escaping for alert JSON in flows and hosts Implements queries .select() for alerts store Adds limit and offset to perform paginated queries Adds new REST getter for flow alerts Name changes alert_severity to severity, alert_json to json Fixes alert message not shown Implement active monitoring alerts store Implements sort of queries in the new dataabase Changes alert_type to alert_id Implement mac alerts store Fixes flow alert messages Implement system alerts store Implement snmp alert store Add missing items to the flow alerts Add missing items to the host alerts Add missing items to the mac alerts Implements COUNT aplerts api Add device_name to snmp alerts add flow alerts templates updated gitignore fix for missing order field add families defined in `alert_store_schema.sql` Reworks and simplifies alert store subclasses Implements REST API to fetch alert timeseries Fixes date in flow REST api Host alert json fix Add get/host/alert/list.lua Move alert/list.lua to alert/past/list.lua Add alert/past/list.lua for all alert families Add entity_id to system table to identify the alert type based on <alert_id, entity_id> Add missing field Implements facilities to query engaged alerts via REST Handle both historical and past alerts in alert/list.lua Fix count Update params of select_historical Implement method to add family-specific filters Add alert/ts.lua for all alert families Implements facilities and REST endpoints to delete alerts Implements ordering of alert queries Fix add_order_by group_by Rest API tests update Tests output update Remove debug trace Use alert_id instead of type. Add more flow alert info. Update http lint Format obsolete tlv version alerts. Add more host info. Add row_id to list of alerts Fix selection of engaged alerts Add test for mac alerts (bcast domains) Removes attempt to format alerts as flow alerts Fixes interface selection for active monitoring Update test output with rest changes Add more fields to be ignores Set alert count to 1 for the time being add bar timeseries chart add apexcharts improvements on timeseries bar chart registered chart callbakcs working on alert page fix for date format Fixes acrive monitoring REST API Fixes alignment of grouped alert data Additional fix for alert histogram remove useless if formatting alerts page fixes on flows alert stats table rename local networks to device format host pagie in alert_stats add tag support for hosts and flow implemented single delete action add release modal Fixes format of threshold cross interface alerts Fixes wrong increase of dropped alerts Implements exclusion list for invalid dns queries Reworks exclusions lists for hosts and flows Addresses #5212 Addresses #5113 Adds host alert keys in host callbacks definitions Adds alert ids to flow callbacks fix for not working button (#5215) Fixes reported timeseries name removed any additional button inside chart's toolbar (#5200) Add tables for interfaces, networks, users to the schema. Skeleton alert_store classes fixed broken range picker layout in firefox (#5199) Alert insert fixes Add more info to network alerts Add rest endpoint for interface, network, user alerts Fix endpoint selection in alerts_stats Unifies columns between engaged and past alerts Fixes Missing mandatory 'alert_granularity' Minor fixes for missing alert_severity Fixes arithmetic on a nil value (field 'last_seen') Fixes get/system/alert/list.lua use tstamp for column names (#5221) Implements host alert formatter Add alerts_store format_record_common Use common format_record for am, system alerts Use common format_record for all alerts Fixes formatting of alerts of all types Fixes nil in function 'hostinfo2label' fixes on disable modal add pages for network, user and interface endpoint (#5224) Set alert_entity in all classes Unifies influxdb alerts into system alerts Addresses #5224 Unifies process alerts into system alerts Addresses #5224 Cleanup unused periodicActivityEntity Unifies category lists alerts into system alerts Addresses #5224 Aligns new alert enums Addresses #5224 Fixes alert page links Fixes insertion of interface alerts Implement filters for Host alerts Fixes active monitoring alerts not triggering Implement filters on flow alerts Fixes for internal alerts timestamp and subtype implements disable for the alerts formatted alert disable label Add address and device type to mac alert records fix for delete alert toggle Fix access to entity_val in alert_unexpected_new_device add mac address and device type inside table Fixes for new alert fields not handled Fixes alert_definitions to handle new fields Add ip/port to snmp alert records Implements deletion of stored flow alerts Add alert_name to all alert records via rest. Fix duration. fixes for snmp tab Implements delete of past host alerts Add name to snmp alert records fixes on system tab Fix Date column fixes link Update menu Fixes bad argument #3 to 'format' in snmp alerts updated interface link new alerts url for host (#5228) Fixes sort of engaged alert Minor cleanup Fixes data returned for local network alerts Fix duration for one shot. Note. Fix duration override Fixes interface selection for system alerts Move host alert page fixes for local network tab Minor fix Fix engaged host alerts fixes on user tab Fix alert_user_activity message
2026-05-01 16:30:10 +00:00 · 2021-04-26 19:41:34 +02:00 · 2021-04-26 19:41:34 +02:00 · c7082a4647
commit c7082a4647
parent f6d010dbf6
276 changed files with 5957 additions and 1063 deletions
--- a/scripts/lua/modules/alert_definitions/flow/alert_remote_access.lua
+++ b/scripts/lua/modules/alert_definitions/flow/alert_remote_access.lua
@ -35,7 +35,7 @@ end
 -- #######################################################

 function alert_remote_access.format(ifid, alert, alert_type_params)
-   local time = alert_type_params["last_seen"] - alert_type_params["first_seen"]
+   local time = alert["tstamp_end"] - alert["tstamp"]

   if time == 0 then
      time = "< 1"
--- a/scripts/lua/modules/alert_definitions/flow/alert_tls_old_protocol_version.lua
+++ b/scripts/lua/modules/alert_definitions/flow/alert_tls_old_protocol_version.lua
@ -49,7 +49,7 @@ function alert_tls_old_protocol_version.format(ifid, alert, alert_type_params)
 	 ver_str = string.format("%u", alert_type_params.tls_version)
      end

-      msg = msg .. " (" .. ver_str .. ")"
+      msg = i18n("alerts_dashboard.tls_protocol_version", {version = ver_str})
   end

   return(msg)
--- a/scripts/lua/modules/alert_definitions/host/host_alert_dns_server_contacts.lua
+++ b/scripts/lua/modules/alert_definitions/host/host_alert_dns_server_contacts.lua
@ -50,14 +50,14 @@ end
 -- @return A human-readable string
 function host_alert_dns_server_contacts.format(ifid, alert, alert_type_params)
  local alert_consts = require("alert_consts")
-  local entity = alert_consts.formatAlertEntity(ifid, alert_consts.alertEntityRaw(alert["alert_entity"]), alert["alert_entity_val"])
+  local entity = alert_consts.formatHostAlert(ifid, alert["ip"], alert["vlan_id"])
  local value = alert_type_params.value

  if(value == nil) then value = 0 end
  
  return i18n("alert_messages.host_alert_dns_server_contacts", {
-    entity = firstToUpper(entity),
-    host_category = format_utils.formatAddressCategory((json.decode(alert.alert_json)).alert_generation.host_info),
+    entity = entity,
+    host_category = format_utils.formatAddressCategory((json.decode(alert.json)).alert_generation.host_info),
    value = string.format("%u", math.ceil(value or 0)),
    threshold = alert_type_params.threshold or 0,
  })
--- a/scripts/lua/modules/alert_definitions/host/host_alert_dns_traffic.lua
+++ b/scripts/lua/modules/alert_definitions/host/host_alert_dns_traffic.lua
@ -51,11 +51,11 @@ end
 -- @return A human-readable string
 function host_alert_dns_traffic.format(ifid, alert, alert_type_params)
  local alert_consts = require("alert_consts")
-  local entity = alert_consts.formatAlertEntity(ifid, alert_consts.alertEntityRaw(alert["alert_entity"]), alert["alert_entity_val"])
+  local entity = alert_consts.formatHostAlert(ifid, alert["ip"], alert["vlan_id"])

  return i18n("alert_messages.host_alert_dns_traffic", {
    entity = entity,
-    host_category = format_utils.formatAddressCategory((json.decode(alert.alert_json)).alert_generation.host_info),
+    host_category = format_utils.formatAddressCategory((json.decode(alert.json)).alert_generation.host_info),
    value = string.format("%u", math.ceil(alert_type_params.value)),
    op = "&".. (alert_type_params.operator or "gt") ..";",
    threshold = alert_type_params.threshold,
--- a/scripts/lua/modules/alert_definitions/host/host_alert_flow_anomaly.lua
+++ b/scripts/lua/modules/alert_definitions/host/host_alert_flow_anomaly.lua
@ -48,12 +48,10 @@ end
 -- @return A human-readable string
 function host_alert_flow_anomaly.format(ifid, alert, alert_type_params)
  local alert_consts = require("alert_consts")
-  local entity = alert_consts.formatAlertEntity(ifid, alert_consts.alertEntityRaw(alert["alert_entity"]), alert["alert_entity_val"])
-  local value = alert_type_params.value
-  local alert_json = json.decode(alert.alert_json)
-  local is_client_alert = alert_json.is_client_alert
+  local json = json.decode(alert.json)
+  local is_client_alert = json.is_client_alert
  local role
-  local host = alert.alert_entity_val
+  local host = alert_consts.formatHostAlert(ifid, alert["ip"], alert["vlan_id"])
  
  if(is_client_alert) then
     role = "client"
--- a/scripts/lua/modules/alert_definitions/host/host_alert_flow_flood.lua
+++ b/scripts/lua/modules/alert_definitions/host/host_alert_flow_flood.lua
@ -50,7 +50,7 @@ end
 -- @return A human-readable string
 function host_alert_flow_flood.format(ifid, alert, alert_type_params)
  local alert_consts = require("alert_consts")
-  local entity = alert_consts.formatAlertEntity(ifid, alert_consts.alertEntityRaw(alert["alert_entity"]), alert["alert_entity_val"])
+  local entity = alert_consts.formatHostAlert(ifid, alert["ip"], alert["vlan_id"])
  local value = alert_type_params.value
  local i18n_key

@ -61,8 +61,8 @@ function host_alert_flow_flood.format(ifid, alert, alert_type_params)
  end

  return i18n(i18n_key, {
-    entity = firstToUpper(entity),
-    host_category = format_utils.formatAddressCategory((json.decode(alert.alert_json)).alert_generation.host_info),
+    entity = entity,
+    host_category = format_utils.formatAddressCategory((json.decode(alert.json)).alert_generation.host_info),
    value = string.format("%u", math.ceil(value)),
    threshold = alert_type_params.threshold,
  })
--- a/scripts/lua/modules/alert_definitions/host/host_alert_ntp_server_contacts.lua
+++ b/scripts/lua/modules/alert_definitions/host/host_alert_ntp_server_contacts.lua
@ -50,14 +50,14 @@ end
 -- @return A human-readable string
 function host_alert_ntp_server_contacts.format(ifid, alert, alert_type_params)
  local alert_consts = require("alert_consts")
-  local entity = alert_consts.formatAlertEntity(ifid, alert_consts.alertEntityRaw(alert["alert_entity"]), alert["alert_entity_val"])
+  local entity = alert_consts.formatHostAlert(ifid, alert["ip"], alert["vlan_id"])
  local value = alert_type_params.value

  if(value == nil) then value = 0 end
  
  return i18n("alert_messages.host_alert_ntp_server_contacts", {
-    entity = firstToUpper(entity),
-    host_category = format_utils.formatAddressCategory((json.decode(alert.alert_json)).alert_generation.host_info),
+    entity = entity,
+    host_category = format_utils.formatAddressCategory((json.decode(alert.json)).alert_generation.host_info),
    value = string.format("%u", math.ceil(value or 0)),
    threshold = alert_type_params.threshold or 0,
  })
--- a/scripts/lua/modules/alert_definitions/host/host_alert_p2p_traffic.lua
+++ b/scripts/lua/modules/alert_definitions/host/host_alert_p2p_traffic.lua
@ -51,11 +51,11 @@ end
 -- @return A human-readable string
 function host_alert_p2p_traffic.format(ifid, alert, alert_type_params)
  local alert_consts = require("alert_consts")
-  local entity = alert_consts.formatAlertEntity(ifid, alert_consts.alertEntityRaw(alert["alert_entity"]), alert["alert_entity_val"])
+  local entity = alert_consts.formatHostAlert(ifid, alert["ip"], alert["vlan_id"])

  return i18n("alert_messages.host_alert_p2p_traffic", {
    entity = entity,
-    host_category = format_utils.formatAddressCategory((json.decode(alert.alert_json)).alert_generation.host_info),
+    host_category = format_utils.formatAddressCategory((json.decode(alert.json)).alert_generation.host_info),
    value = string.format("%u", math.ceil(alert_type_params.value)),
    op = "&".. (alert_type_params.operator or "gt") ..";",
    threshold = alert_type_params.threshold,
--- a/scripts/lua/modules/alert_definitions/host/host_alert_remote_connection.lua
+++ b/scripts/lua/modules/alert_definitions/host/host_alert_remote_connection.lua
@ -46,7 +46,7 @@ end
 -- @return A human-readable string
 function host_alert_remote_connection.format(ifid, alert, alert_type_params)
   local alert_consts = require "alert_consts"
-   local host = alert_consts.formatAlertEntity(ifid, alert_consts.alertEntityRaw(alert["alert_entity"]), alert["alert_entity_val"])
+   local host = alert_consts.formatHostAlert(ifid, alert["ip"], alert["vlan_id"])

   return i18n("alerts_dashboard.remote_connection_alert_descr", {
 		  host = host,
--- a/scripts/lua/modules/alert_definitions/host/host_alert_score.lua
+++ b/scripts/lua/modules/alert_definitions/host/host_alert_score.lua
@ -51,11 +51,11 @@ end
 -- @return A human-readable string
 function host_alert_score.format(ifid, alert, alert_type_params)
  local alert_consts = require("alert_consts")
-  local entity = alert_consts.formatAlertEntity(ifid, alert_consts.alertEntityRaw(alert["alert_entity"]), alert["alert_entity_val"])
-
+  local entity = alert_consts.formatHostAlert(ifid, alert["ip"], alert["vlan_id"])
+  
  return i18n("alert_messages.host_alert_score", {
    entity = entity,
-    host_category = format_utils.formatAddressCategory((json.decode(alert.alert_json)).alert_generation.host_info),
+    host_category = format_utils.formatAddressCategory((json.decode(alert.json)).alert_generation.host_info),
    value = string.format("%u", math.ceil(alert_type_params.value)),
    op = "&".. (alert_type_params.operator or "gt") ..";",
    threshold = alert_type_params.threshold,		 
--- a/scripts/lua/modules/alert_definitions/host/host_alert_score_anomaly.lua
+++ b/scripts/lua/modules/alert_definitions/host/host_alert_score_anomaly.lua
@ -48,12 +48,10 @@ end
 -- @return A human-readable string
 function host_alert_score_anomaly.format(ifid, alert, alert_type_params)
  local alert_consts = require("alert_consts")
-  local entity = alert_consts.formatAlertEntity(ifid, alert_consts.alertEntityRaw(alert["alert_entity"]), alert["alert_entity_val"])
-  local value = alert_type_params.value
-  local alert_json = json.decode(alert.alert_json)
-  local is_client_alert = alert_json.is_client_alert
+  local json = json.decode(alert.json)
+  local is_client_alert = json.is_client_alert
  local role
-  local host = alert.alert_entity_val
+  local host = alert_consts.formatHostAlert(ifid, alert["ip"], alert["vlan_id"])
  
  if(is_client_alert) then
     role = "client"
--- a/scripts/lua/modules/alert_definitions/host/host_alert_smtp_server_contacts.lua
+++ b/scripts/lua/modules/alert_definitions/host/host_alert_smtp_server_contacts.lua
@ -50,14 +50,14 @@ end
 -- @return A human-readable string
 function host_alert_smtp_server_contacts.format(ifid, alert, alert_type_params)
  local alert_consts = require("alert_consts")
-  local entity = alert_consts.formatAlertEntity(ifid, alert_consts.alertEntityRaw(alert["alert_entity"]), alert["alert_entity_val"])
+  local entity = alert_consts.formatHostAlert(ifid, alert["ip"], alert["vlan_id"])
  local value = alert_type_params.value

  if(value == nil) then value = 0 end
  
  return i18n("alert_messages.host_alert_smtp_server_contacts", {
    entity = firstToUpper(entity),
-    host_category = format_utils.formatAddressCategory((json.decode(alert.alert_json)).alert_generation.host_info),
+    host_category = format_utils.formatAddressCategory((json.decode(alert.json)).alert_generation.host_info),
    value = string.format("%u", math.ceil(value or 0)),
    threshold = alert_type_params.threshold or 0,
  })
--- a/scripts/lua/modules/alert_definitions/host/host_alert_tcp_syn_flood.lua
+++ b/scripts/lua/modules/alert_definitions/host/host_alert_tcp_syn_flood.lua
@ -51,7 +51,7 @@ end
 -- @return A human-readable string
 function alert_tcp_syn_flood.format(ifid, alert, alert_type_params)
  local alert_consts = require "alert_consts"
-  local entity = alert_consts.formatAlertEntity(ifid, alert_consts.alertEntityRaw(alert["alert_entity"]), alert["alert_entity_val"])
+  local entity = alert_consts.formatHostAlert(ifid, alert["ip"], alert["vlan_id"])
  local i18n_key

  if alert_type_params.is_attacker then
@ -61,8 +61,8 @@ function alert_tcp_syn_flood.format(ifid, alert, alert_type_params)
  end

  return i18n(i18n_key, {
-    entity = firstToUpper(entity),
-    host_category = format_utils.formatAddressCategory((json.decode(alert.alert_json)).alert_generation.host_info),
+    entity = entity,
+    host_category = format_utils.formatAddressCategory((json.decode(alert.json)).alert_generation.host_info),
    value = string.format("%u", math.ceil(alert_type_params.value or 0)),
    threshold = alert_type_params.threshold or 0,
  })
--- a/scripts/lua/modules/alert_definitions/host/host_alert_tcp_syn_scan.lua
+++ b/scripts/lua/modules/alert_definitions/host/host_alert_tcp_syn_scan.lua
@ -41,7 +41,7 @@ end

 function host_alert_tcp_syn_scan.format(ifid, alert, alert_type_params)
  local alert_consts = require("alert_consts")
-  local entity = alert_consts.formatAlertEntity(ifid, alert_consts.alertEntityRaw(alert["alert_entity"]), alert["alert_entity_val"])
+  local entity = alert_consts.formatHostAlert(ifid, alert["ip"], alert["vlan_id"])
  local i18n_key

  if alert_type_params.is_attacker then
@ -51,8 +51,8 @@ function host_alert_tcp_syn_scan.format(ifid, alert, alert_type_params)
  end

  return i18n(i18n_key, {
-    entity = firstToUpper(entity),
-    host_category = format_utils.formatAddressCategory((json.decode(alert.alert_json)).alert_generation.host_info),
+    entity = entity,
+    host_category = format_utils.formatAddressCategory((json.decode(alert.json)).alert_generation.host_info),
    value = string.format("%u", math.ceil(alert_type_params.value or 0)),
    threshold = alert_type_params.threshold or 0,
  })
--- a/scripts/lua/modules/alert_definitions/other/alert_attack_mitigation_via_snmp.lua
+++ b/scripts/lua/modules/alert_definitions/other/alert_attack_mitigation_via_snmp.lua
@ -58,7 +58,7 @@ function alert_attack_mitigation_via_snmp.format(ifid, alert, alert_type_params)
   local alert_consts = require("alert_consts")
   local snmp_consts = require "snmp_consts"

-   local entity = alert_consts.formatAlertEntity(ifid, alert_consts.alertEntityRaw(alert["alert_entity"]), alert["alert_entity_val"])
+   local entity = alert_consts.formatAlertEntity(ifid, alert_consts.alertEntityRaw(alert["entity_id"]), alert["entity_val"])
   local engine_label = alert_consts.alertEngineLabel(alert_consts.alertEngine(alert_consts.sec2granularity(alert["alert_granularity"])))

   local i18n_k = "alert_messages.attack_mitigation_via_snmp_success"
--- a/scripts/lua/modules/alert_definitions/other/alert_contacts_anomaly.lua
+++ b/scripts/lua/modules/alert_definitions/other/alert_contacts_anomaly.lua
@ -52,7 +52,7 @@ function alert_contacts_anomaly.format(ifid, alert, alert_type_params)
   
   return(i18n("alerts_dashboard.unexpected_host_behavior_description",
 		{
-		   host = firstToUpper(alert_consts.formatAlertEntity(ifid, alert_consts.alertEntityRaw(alert["alert_entity"]), alert["alert_entity_val"])),
+		   host = firstToUpper(alert_consts.formatAlertEntity(ifid, alert_consts.alertEntityRaw(alert["entity_id"]), alert["entity_val"])),
 		   type_of_behaviour = i18n("alert.anomalies.contacts") or "",
 		   value = alert_type_params.value,
 		   prediction = alert_type_params.prediction or 0,
--- a/scripts/lua/modules/alert_definitions/other/alert_device_connection.lua
+++ b/scripts/lua/modules/alert_definitions/other/alert_device_connection.lua
@ -47,7 +47,7 @@ end
 function alert_device_connection.format(ifid, alert, alert_type_params)
  return(i18n("alert_messages.device_has_connected", {
    device = info.device,
-    url = getMacUrl(alert.alert_entity_val),
+    url = getMacUrl(alert.entity_val),
  }))
 end

--- a/scripts/lua/modules/alert_definitions/other/alert_device_disconnection.lua
+++ b/scripts/lua/modules/alert_definitions/other/alert_device_disconnection.lua
@ -48,12 +48,12 @@ function alert_device_disconnection.format(ifid, alert, alert_type_params)
  local device = info.device

  if not device or device == "" then
-    device = alert.alert_entity_val
+    device = alert.entity_val
  end

  return(i18n("alert_messages.device_has_disconnected", {
    device = device,
-    url = getMacUrl(alert.alert_entity_val),
+    url = getMacUrl(alert.entity_val),
  }))
 end

--- a/scripts/lua/modules/alert_definitions/other/alert_flow_flood_victim.lua
+++ b/scripts/lua/modules/alert_definitions/other/alert_flow_flood_victim.lua
@ -50,14 +50,14 @@ end
 -- @return A human-readable string
 function alert_flow_flood_victim.format(ifid, alert, alert_type_params)
  local alert_consts = require("alert_consts")
-  local entity = alert_consts.formatAlertEntity(ifid, alert_consts.alertEntityRaw(alert["alert_entity"]), alert["alert_entity_val"])
+  local entity = alert_consts.formatAlertEntity(ifid, alert_consts.alertEntityRaw(alert["entity_id"]), alert["name"])
  local value = alert_type_params.value

  if(value == nil) then value = 0 end
  
  return i18n("alert_messages.flow_flood_victim", {
    entity = firstToUpper(entity),
-    host_category = format_utils.formatAddressCategory((json.decode(alert.alert_json)).alert_generation.host_info),
+    host_category = format_utils.formatAddressCategory((json.decode(alert.json)).alert_generation.host_info),
    value = string.format("%u", math.ceil(value)),
    threshold = alert_type_params.threshold,
  })
--- a/scripts/lua/modules/alert_definitions/other/alert_host_log.lua
+++ b/scripts/lua/modules/alert_definitions/other/alert_host_log.lua
@ -46,7 +46,7 @@ end
 -- @param alert_type_params Table `alert_type_params` as built in the `:init` method
 -- @return A human-readable string
 function alert_host_log.format(ifid, alert, alert_type_params)
-  local hostinfo = hostkey2hostinfo(alert.alert_entity_val)
+  local hostinfo = hostkey2hostinfo(alert.entity_val)

  return(i18n("alert_messages.host_log", {
    host = alert_type_params.host,
--- a/scripts/lua/modules/alert_definitions/other/alert_host_pool_connection.lua
+++ b/scripts/lua/modules/alert_definitions/other/alert_host_pool_connection.lua
@ -18,9 +18,9 @@ local alert_host_pool_connection = classes.class(alert)
 -- ##############################################

 alert_host_pool_connection.meta = {
-  alert_key = other_alert_keys.alert_host_pool_connection,
-  i18n_title = "alerts_dashboard.host_pool_connection",
-  icon = "fas fa-sign-in",
+   alert_key = other_alert_keys.alert_host_pool_connection,
+   i18n_title = "alerts_dashboard.host_pool_connection",
+   icon = "fas fa-sign-in",
 }

 -- ##############################################
@ -37,7 +37,7 @@ end
 function alert_host_pool_connection.format(ifid, alert, alert_type_params)
  return(i18n("alert_messages.host_pool_has_connected", {
    pool = alert_type_params.pool,
-    url = getHostPoolUrl(alert.alert_entity_val),
+    url = getHostPoolUrl(alert.entity_val),
  }))
 end

--- a/scripts/lua/modules/alert_definitions/other/alert_host_pool_disconnection.lua
+++ b/scripts/lua/modules/alert_definitions/other/alert_host_pool_disconnection.lua
@ -37,7 +37,7 @@ end
 function alert_host_pool_disconnection.format(ifid, alert, alert_type_params)
  return(i18n("alert_messages.host_pool_has_disconnected", {
    pool = alert_type_params.pool,
-    url = getHostPoolUrl(alert.alert_entity_val),
+    url = getHostPoolUrl(alert.entity_val),
  }))
 end

--- a/scripts/lua/modules/alert_definitions/other/alert_ip_outsite_dhcp_range.lua
+++ b/scripts/lua/modules/alert_definitions/other/alert_ip_outsite_dhcp_range.lua
@ -46,7 +46,7 @@ end
 -- #######################################################

 function alert_ip_outsite_dhcp_range.format(ifid, alert, alert_type_params)
-  local hostinfo = hostkey2hostinfo(alert.alert_entity_val)
+  local hostinfo = hostkey2hostinfo(alert.entity_val)
  local hostkey = hostinfo2hostkey(hostinfo)
  local router_info = hostkey2hostinfo(alert_type_params.router_info)

--- a/scripts/lua/modules/alert_definitions/other/alert_login_failed.lua
+++ b/scripts/lua/modules/alert_definitions/other/alert_login_failed.lua
@ -42,7 +42,7 @@ end
 -- @return A human-readable string
 function alert_login_failed.format(ifid, alert, alert_type_params)
  return(i18n("user_activity.login_not_authorized", {
-    user = alert.alert_entity_val,
+    user = alert.entity_val,
  }))
 end

--- a/scripts/lua/modules/alert_definitions/other/alert_misconfigured_app.lua
+++ b/scripts/lua/modules/alert_definitions/other/alert_misconfigured_app.lua
@ -46,7 +46,7 @@ end
 function alert_misconfigured_app.format(ifid, alert, alert_type_params)
  local alert_severities = require "alert_severities"
  local alert_consts = require("alert_consts")
-  local entity = alert_consts.formatAlertEntity(ifid, alert_consts.alertEntityRaw(alert["alert_entity"]), alert["alert_entity_val"])
+  local entity = alert_consts.formatAlertEntity(ifid, alert_consts.alertEntityRaw(alert["entity_id"]), alert["entity_val"])

  if alert.alert_subtype == "too_many_flows" then
    return(i18n("alert_messages.too_many_flows", {iface=entity, option="--max-num-flows/-X"}))
--- a/scripts/lua/modules/alert_definitions/other/alert_port_duplexstatus_change.lua
+++ b/scripts/lua/modules/alert_definitions/other/alert_port_duplexstatus_change.lua
@ -26,16 +26,18 @@ alert_port_duplexstatus_change.meta = {

 -- @brief Prepare an alert table used to generate the alert
 -- @param device_ip A string with the ip address of the snmp device
+-- @param device_name The device name
 -- @param if_index The index of the port that changed
 -- @param interface_name The string with the name of the port that changed
 -- @param status The new duplex status
 -- @return A table with the alert built
-function alert_port_duplexstatus_change:init(device_ip, if_index, interface_name, status)
+function alert_port_duplexstatus_change:init(device_ip, device_name, if_index, interface_name, status)
   -- Call the parent constructor
   self.super:init()

   self.alert_type_params = {
      device = device_ip,
+      device_name = device_name,
      interface = if_index,
      interface_name = interface_name,
      status = status
--- a/scripts/lua/modules/alert_definitions/other/alert_port_errors.lua
+++ b/scripts/lua/modules/alert_definitions/other/alert_port_errors.lua
@ -26,15 +26,17 @@ alert_port_errors.meta = {

 -- @brief Prepare an alert table used to generate the alert
 -- @param device_ip A string with the ip address of the snmp device
+-- @param device_name The name of the snmp device
 -- @param if_index The index of the port that changed
 -- @param interface_name The string with the name of the port that changed
 -- @return A table with the alert built
-function alert_port_errors:init(device_ip, if_index, interface_name)
+function alert_port_errors:init(device_ip, device_name, if_index, interface_name)
   -- Call the parent constructor
   self.super:init()

   self.alert_type_params = {
      device = device_ip,
+      device_name = device_name,
      interface = if_index,
      interface_name = interface_name,
   }
--- a/scripts/lua/modules/alert_definitions/other/alert_port_load_threshold_exceeded.lua
+++ b/scripts/lua/modules/alert_definitions/other/alert_port_load_threshold_exceeded.lua
@ -26,18 +26,20 @@ alert_port_load_threshold_exceeded.meta = {

 -- @brief Prepare an alert table used to generate the alert
 -- @param device_ip A string with the ip address of the snmp device
+-- @param device_name The device name
 -- @param if_index The index of the port that changed
 -- @param interface_name The string with the name of the port that changed
 -- @param in_load The ingress load in percentage
 -- @param out_load The egress load in percentage
 -- @param load_threshold The threshold configured for the load
 -- @return A table with the alert built
-function alert_port_load_threshold_exceeded:init(device_ip, if_index, interface_name, in_load, out_load, load_threshold)
+function alert_port_load_threshold_exceeded:init(device_ip, device_name, if_index, interface_name, in_load, out_load, load_threshold)
   -- Call the parent constructor
   self.super:init()

   self.alert_type_params = {
      device = device_ip,
+      device_name = device_name,
      interface = if_index,
      interface_name = interface_name,
      in_load = in_load,
--- a/scripts/lua/modules/alert_definitions/other/alert_port_mac_changed.lua
+++ b/scripts/lua/modules/alert_definitions/other/alert_port_mac_changed.lua
@ -26,18 +26,20 @@ alert_port_mac_changed.meta = {

 -- @brief Prepare an alert table used to generate the alert
 -- @param device_ip A string with the ip address of the snmp device
+-- @param device_name The device name
 -- @param if_index The index of the port that changed
 -- @param interface_name The string with the name of the port that changed
 -- @param mac The string with the mac address that changed port
 -- @param prev_seen_device A string with the ip address of the previous snmp device
 -- @param prev_seen_port The index of the previous port
 -- @return A table with the alert built
-function alert_port_mac_changed:init(device_ip, if_index, interface_name, mac, prev_seen_device, prev_seen_port)
+function alert_port_mac_changed:init(device_ip, device_name, if_index, interface_name, mac, prev_seen_device, prev_seen_port)
   -- Call the parent constructor
   self.super:init()

   self.alert_type_params = {
      device = device_ip,
+      device_name = device_name,
      interface = if_index,
      interface_name = interface_name,
      mac = mac,
--- a/scripts/lua/modules/alert_definitions/other/alert_port_status_change.lua
+++ b/scripts/lua/modules/alert_definitions/other/alert_port_status_change.lua
@ -26,16 +26,18 @@ alert_port_status_change.meta = {

 -- @brief Prepare an alert table used to generate the alert
 -- @param device_ip A string with the ip address of the snmp device
+-- @param device_name The device name
 -- @param if_index The index of the port that changed
 -- @param interface_name The string with the name of the port that changed
 -- @param status A string with the new status
 -- @return A table with the alert built
-function alert_port_status_change:init(device_ip, if_index, interface_name, status)
+function alert_port_status_change:init(device_ip, device_name, if_index, interface_name, status)
   -- Call the parent constructor
   self.super:init()

   self.alert_type_params = {
      device = device_ip,
+      device_name = device_name,
      interface = if_index,
      interface_name = interface_name,
      status = status,
--- a/scripts/lua/modules/alert_definitions/other/alert_process_notification.lua
+++ b/scripts/lua/modules/alert_definitions/other/alert_process_notification.lua
@ -48,7 +48,7 @@ function alert_process_notification.format(ifid, alert, alert_type_params)
  elseif alert_type_params.event_type == "update" then
    return string.format("%s %s", i18n("alert_messages.update"), alert_type_params.msg_details)
  elseif alert_type_params.event_type == "anomalous_termination" then
-    return string.format("%s %s", i18n("alert_messages.anomalous_termination", {url="https://www.ntop.org/support/need-help-2/need-help/"}), alert_type_params.msg_details)
+     return string.format("%s %s", i18n("alert_messages.ntopng_anomalous_termination", {url="https://www.ntop.org/support/need-help-2/need-help/"}), alert_type_params.msg_details)
  end

  return "Unknown Process Event: " .. (alert_type_params.event_type or "")
--- a/scripts/lua/modules/alert_definitions/other/alert_quota_exceeded.lua
+++ b/scripts/lua/modules/alert_definitions/other/alert_quota_exceeded.lua
@ -71,7 +71,7 @@ function alert_quota_exceeded.format(ifid, alert, alert_type_params)

  return(i18n("alert_messages.subject_quota_exceeded", {
    pool = alert_type_params.pool,
-    url = getHostPoolUrl(alert.alert_entity_val),
+    url = getHostPoolUrl(alert.entity_val),
    subject = subject_str,
    quota = quota_str,
    value = value_str
--- a/scripts/lua/modules/alert_definitions/other/alert_slow_purge.lua
+++ b/scripts/lua/modules/alert_definitions/other/alert_slow_purge.lua
@ -52,7 +52,7 @@ end
 -- @return A human-readable string
 function alert_slow_purge.format(ifid, alert, alert_type_params)
  local alert_consts = require("alert_consts")
-  local entity = alert_consts.formatAlertEntity(ifid, alert_consts.alertEntityRaw(alert["alert_entity"]), alert["alert_entity_val"])
+  local entity = alert_consts.formatAlertEntity(ifid, alert_consts.alertEntityRaw(alert["entity_id"]), alert["entity_val"])
  local max_idle_perc = format_utils.round(alert_type_params.edge or 0, 0)
  local actual_idle_perc = format_utils.round(alert_type_params.idle_perc or 0, 0)

--- a/scripts/lua/modules/alert_definitions/other/alert_snmp_device_reset.lua
+++ b/scripts/lua/modules/alert_definitions/other/alert_snmp_device_reset.lua
@ -26,13 +26,15 @@ alert_snmp_device_reset.meta = {

 -- @brief Prepare an alert table used to generate the alert
 -- @param device_ip A string with the ip address of the snmp device
+-- @param device_name The device name
 -- @return A table with the alert built
-function alert_snmp_device_reset:init(device_ip)
+function alert_snmp_device_reset:init(device_ip, device_name)
   -- Call the parent constructor
   self.super:init()

   self.alert_type_params = {
-      device = device_ip
+      device = device_ip,
+      device_name = device_name
   }
 end

--- a/scripts/lua/modules/alert_definitions/other/alert_tcp_syn_flood_victim.lua
+++ b/scripts/lua/modules/alert_definitions/other/alert_tcp_syn_flood_victim.lua
@ -51,11 +51,11 @@ end
 -- @return A human-readable string
 function alert_tcp_syn_flood_victim.format(ifid, alert, alert_type_params)
  local alert_consts = require "alert_consts"
-  local entity = alert_consts.formatAlertEntity(ifid, alert_consts.alertEntityRaw(alert["alert_entity"]), alert["alert_entity_val"])
+  local entity = alert_consts.formatAlertEntity(ifid, alert_consts.alertEntityRaw(alert["entity_id"]), alert["name"])
  
  return i18n("alert_messages.syn_flood_victim", {
    entity = firstToUpper(entity),
-    host_category = format_utils.formatAddressCategory((json.decode(alert.alert_json)).alert_generation.host_info),
+    host_category = format_utils.formatAddressCategory((json.decode(alert.json)).alert_generation.host_info),
    value = string.format("%u", math.ceil(alert_type_params.value)),
    threshold = alert_type_params.threshold,
  })
--- a/scripts/lua/modules/alert_definitions/other/alert_tcp_syn_scan_victim.lua
+++ b/scripts/lua/modules/alert_definitions/other/alert_tcp_syn_scan_victim.lua
@ -41,11 +41,11 @@ end

 function alert_tcp_syn_scan_victim.format(ifid, alert, alert_type_params)
  local alert_consts = require("alert_consts")
-  local entity = alert_consts.formatAlertEntity(ifid, alert_consts.alertEntityRaw(alert["alert_entity"]), alert["alert_entity_val"])
+  local entity = alert_consts.formatAlertEntity(ifid, alert_consts.alertEntityRaw(alert["entity_id"]), alert["name"])

  return i18n("alert_messages.syn_scan_victim", {
    entity = firstToUpper(entity),
-    host_category = format_utils.formatAddressCategory((json.decode(alert.alert_json)).alert_generation.host_info),
+    host_category = format_utils.formatAddressCategory((json.decode(alert.json)).alert_generation.host_info),
    value = string.format("%u", math.ceil(alert_type_params.value)),
    threshold = alert_type_params.threshold,
  })
--- a/scripts/lua/modules/alert_definitions/other/alert_threshold_cross.lua
+++ b/scripts/lua/modules/alert_definitions/other/alert_threshold_cross.lua
@ -51,14 +51,14 @@ end
 -- @return A human-readable string
 function alert_threshold_cross.format(ifid, alert, alert_type_params)
  local alert_consts = require("alert_consts")
-  local entity = alert_consts.formatAlertEntity(ifid, alert_consts.alertEntityRaw(alert["alert_entity"]), alert["alert_entity_val"])
-  local engine_label = alert_consts.alertEngineLabel(alert_consts.alertEngine(alert_consts.sec2granularity(alert["alert_granularity"])))
+  local entity = alert_consts.formatAlertEntity(ifid, alert_consts.alertEntityRaw(alert["entity_id"]), alert["name"])
+  local engine_label = alert_consts.alertEngineLabel(alert_consts.alertEngine(alert_consts.sec2granularity(alert["granularity"])))

  return i18n("alert_messages.threshold_crossed", {
    granularity = engine_label,
    metric = alert_type_params.metric,
    entity = entity,
-    host_category = format_utils.formatAddressCategory((json.decode(alert.alert_json)).alert_generation.host_info),
+    host_category = format_utils.formatAddressCategory((json.decode(alert.json)).alert_generation.host_info),
    value = string.format("%u", math.ceil(alert_type_params.value)),
    op = "&".. (alert_type_params.operator or "gt") ..";",
    threshold = alert_type_params.threshold,
--- a/scripts/lua/modules/alert_definitions/other/alert_too_many_drops.lua
+++ b/scripts/lua/modules/alert_definitions/other/alert_too_many_drops.lua
@ -51,7 +51,7 @@ end
 -- @return A human-readable string
 function alert_too_many_drops.format(ifid, alert, alert_type_params)
  local alert_consts = require("alert_consts")
-  local entity = alert_consts.formatAlertEntity(ifid, alert_consts.alertEntityRaw(alert["alert_entity"]), alert["alert_entity_val"])
+  local entity = alert_consts.formatAlertEntity(ifid, alert_consts.alertEntityRaw(alert["entity_id"]), alert["entity_val"])
  local max_drop_perc = alert_type_params.edge or 0
  local perc_drops = string.format("%.1f", alert_type_params.drop_perc)
  
--- a/scripts/lua/modules/alert_definitions/other/alert_unexpected_new_device.lua
+++ b/scripts/lua/modules/alert_definitions/other/alert_unexpected_new_device.lua
@ -39,7 +39,7 @@ end
 -- #######################################################

 function alert_unexpected_new_device.format(ifid, alert, alert_type_params)
-     -- Pro description
+  -- Pro description
  if(ntop.isPro()) then
    package.path = dirs.installdir .. "/pro/scripts/lua/modules/?.lua;" .. package.path
    local snmp_location = require "snmp_location"
@ -52,7 +52,7 @@ function alert_unexpected_new_device.format(ifid, alert, alert_type_params)
      if access_port then
        return(i18n("unexpected_new_device.status_unexpected_new_device_description_pro", {
          mac_address = alert_type_params.device,
-          host_url = getMacUrl(alert.alert_entity_val),
+          host_url = getMacUrl(alert.entity_val),
          port = access_port.id,
 	  port_url = snmpIfaceUrl(access_port.snmp_device_ip, access_port.id),
 	  interface_name = access_port.name,
@ -66,7 +66,7 @@ function alert_unexpected_new_device.format(ifid, alert, alert_type_params)
  -- Non enterprise software or the host hasn't an snmp location
  return(i18n("unexpected_new_device.status_unexpected_new_device_description", {
    mac_address = alert_type_params.device,
-    host_url = getMacUrl(alert.alert_entity_val),
+    host_url = getMacUrl(alert.entity_val),
  }))
 end

--- a/scripts/lua/modules/alert_definitions/other/alert_user_activity.lua
+++ b/scripts/lua/modules/alert_definitions/other/alert_user_activity.lua
@ -49,13 +49,12 @@ end
 -- #######################################################

 function alert_user_activity.format(ifid, alert, alert_type_params)
-	local decoded = alert_type_params
-	local user = alert.alert_entity_val
+   local decoded = alert_type_params
+   local user = alert.user or alert.entity_val
 
-	if decoded.scope ~= nil then
- 
-	   if decoded.scope == 'login' and decoded.status ~= nil then
+   if decoded.scope ~= nil then
 
+      if decoded.scope == 'login' and decoded.status ~= nil then
 	  if decoded.status == 'authorized' then
 		 return i18n('user_activity.login_successful', {user=user})
 	  else