How to generate TCP_PAYLOAD events?

I’d like to be able to create Triggers that look at TCP payloads and feed that data into a Custom Detection. However, when creating a Trigger and using the TCP_PAYLOAD event, I don’t seem to get any data from that event type. I do get data in the FLOW_* event types. I’ve attempted just some simple debugging within the Trigger like this:

// Type trigger code below
debug(Flow.client.payload.toString())
debug(Flow.payload1.toString())
debug(Flow.payload2.toString())
debug(Flow.receiver.payload.toString())
debug(Flow.sender.payload.toString())
debug(Flow.server.payload.toString())

Nothing triggers on that; nothing in the debug log.

I’m ultimately trying to accomplish a detection like this:

// Global variables
// Flow.sender.payload is a Buffer on TCP_PAYLOAD events; guard against a missing payload
var payload = Flow.sender.payload;
var tcp_data = payload ? payload.toString('hex') : '';

// Check if the payload contains the hexadecimal value 0xb5196f94
if (tcp_data.includes('b5196f94')) {
    // Trigger custom detection
    commitDetection('testdetection', {
        categories: ['sec.caution'],
        title: 'This is a test',
        description: 'This is a test: ' + Flow.client.ipaddr,
        riskScore: 60,
        participants: [{
            object: Flow.client.device,
            role: 'offender'
        }],
        identityKey: [
            Flow.server.ipaddr,
            Flow.client.ipaddr,
            Flow.client.payload
        ].join('!!'),
        identityTtl: 'hour'
    });
}

Can anyone help me understand any prerequisite settings/features that need to be configured/enabled, or any other potential issues preventing TCP_PAYLOAD data from being generated?

Hi @jace.walker

Which devices do you have this trigger assigned to? Are you using any of the Advanced Options?

I would highly recommend setting the ‘Bytes Per Packet to Capture’ to the absolute minimum you need, as well as playing around with client/server ports and the buffer search strings. All of these will help limit the instances where the trigger will fire and lower the load that it causes on the system. A wide open payload scanning trigger with little or no limitations can be very expensive.