
Programmable Detection

Programmable detection covers detection requirements across different system data types by letting you script the detection rules yourself instead of relying on fixed rule templates.

Note

Running a programmable detection monitor is not itself billed. The rules it executes are billed in the same way as Security Inspection Scan Traffic.

Detection Configuration

Detection Frequency

The rule runs at a fixed interval (for example every 5 minutes or every hour). The preset options are:

  • 30 seconds
  • 1 minute
  • 5 minutes
  • 15 minutes
  • 30 minutes
  • 1 hour

In addition to the preset options, you can enter a custom crontab expression to schedule execution by second, minute, hour, day, month, weekday and so on.

Detection Interval

The time range of data that each run of the task queries. The intervals offered depend on the detection frequency; note that every offered interval is at least as long as the frequency, so consecutive runs never leave a gap between the windows they query (a longer interval means overlapping windows and re-evaluation of the same data).

| Detection Frequency | Detection Interval (dropdown options) |
|---------------------|---------------------------------------|
| 30s                 | 1m / 5m / 15m / 30m / 1h / 3h          |
| 1m                  | 1m / 5m / 15m / 30m / 1h / 3h          |
| 5m                  | 5m / 15m / 30m / 1h / 3h               |
| 15m                 | 15m / 30m / 1h / 3h / 6h               |
| 30m                 | 30m / 1h / 3h / 6h                     |
| 1h                  | 1h / 3h / 6h / 12h / 24h               |

Define Detection Rules

When defining security detection logic, you query data with DQL inside the script and decide when to emit a signal by writing conditional expressions (field matching, threshold judgment and so on).

In the rule editor you can:

  • Set text auto-wrap or content overflow;
  • Use shortcuts for content formatting;
  • One-click copy;
  • Write script content directly in the content box;
  • Use fx Functions;
  • Test scripts;
  • Full-screen edit scripts.

Example:

data1 = dql("T::re(`.*`):(avg(duration), service, span_id) by host limit 1")
status = "high"
host = dql_series_get(data1,"host")
service = dql_series_get(data1,"service")
trigger(data1,status,dimension_tags={"host":host},related_data={"service":service})

The script above breaks down into the following parts:

  1. Run the DQL query: over tracing data (`T::`) from all services (`re(`.*`)`), compute the average span duration grouped by host and return a single row (`limit 1`), i.e. the host with the worst average response time across all services;

  2. Set the alert level: the status (priority) is high;

  3. Locate the data source by pulling the dimensions out of the query result:

    host = dql_series_get(data1,"host")  # Extract the affected host
    service = dql_series_get(data1,"service")  # Extract the affected service
    
  4. Finally, call trigger() with host as the dimension tag and service as related data to generate the alert: the response time of service {service} on host {host} is abnormal.
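The following is an added Python illustration, not the platform's own script language or runtime, of the two mechanics this page describes: how the detection frequency and detection interval together determine the data window each run queries (using the interval table above), and the threshold-judgment pattern that the example script's `trigger()` call expresses. The `dql`, `dql_series_get` and `trigger` functions are replaced by plain data and a `Signal` stand-in; the sample rows, the 500 ms threshold, the assumption that the window ends at run time, microsecond durations, and the optional de-duplication of hosts that already fired in the previous run (the page does not say whether the platform suppresses repeats) are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Detection interval options per detection frequency, in seconds,
# transcribed from the frequency/interval table on this page.
INTERVAL_OPTIONS = {
    30:   (60, 300, 900, 1800, 3600, 10800),
    60:   (60, 300, 900, 1800, 3600, 10800),
    300:  (300, 900, 1800, 3600, 10800),
    900:  (900, 1800, 3600, 10800, 21600),
    1800: (1800, 3600, 10800, 21600),
    3600: (3600, 10800, 21600, 43200, 86400),
}

# Fixed run time used by the demo below (constructed value).
EXAMPLE_RUN_AT = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def interval_allowed(frequency_s: int, interval_s: int) -> bool:
    """True if the dropdown offers this interval for this frequency."""
    return interval_s in INTERVAL_OPTIONS.get(frequency_s, ())


def query_window(run_at: datetime, frequency_s: int, interval_s: int):
    """Time range one run of the rule queries, assuming the window ends at
    the run time (assumption). Every offered interval is >= the frequency,
    so consecutive windows touch or overlap and no data falls between runs;
    the overlap is how much data the next run re-evaluates."""
    if not interval_allowed(frequency_s, interval_s):
        raise ValueError(f"{interval_s}s interval is not offered for a {frequency_s}s frequency")
    start = run_at - timedelta(seconds=interval_s)
    overlap_s = interval_s - frequency_s
    return start, run_at, overlap_s


# Constructed sample: the shape a `by host` DQL result takes once each row's
# dimensions are read out with dql_series_get(). Durations are assumed to be
# microseconds.
SAMPLE_SERIES = [
    {"host": "web-01", "service": "checkout", "avg_duration": 850_000},
    {"host": "web-02", "service": "checkout", "avg_duration": 120_000},
    {"host": "db-01",  "service": "orders",   "avg_duration": 2_400_000},
]


@dataclass
class Signal:
    """Stand-in for what trigger() emits: a level plus the tags locating the source."""
    status: str
    dimension_tags: dict
    related_data: dict


def evaluate(series, threshold_us: int, status: str = "high"):
    """Threshold judgment: one signal per host whose average duration exceeds
    the threshold, keyed by host (dimension tag) and carrying the service as
    related data, mirroring the trigger() call in the script above."""
    signals = []
    for row in series:
        if row["avg_duration"] > threshold_us:
            signals.append(Signal(
                status=status,
                dimension_tags={"host": row["host"]},
                related_data={"service": row["service"],
                              "avg_duration": row["avg_duration"]},
            ))
    return signals


def evaluate_dedup(series, threshold_us: int, previously_fired: set):
    """Same judgment, but suppress hosts that fired in the previous run.
    When interval > frequency the windows overlap, so the same slow spans are
    queried again next run; a script that does not track state would re-alert
    on one incident every run until the data ages out of the window."""
    all_signals = evaluate(series, threshold_us)
    fresh = [s for s in all_signals if s.dimension_tags["host"] not in previously_fired]
    fired_now = {s.dimension_tags["host"] for s in all_signals}
    return fresh, fired_now


if __name__ == "__main__":
    start, end, overlap = query_window(EXAMPLE_RUN_AT, 300, 900)
    print(f"5m rule, 15m interval: queries {start:%H:%M}..{end:%H:%M} UTC, {overlap}s overlap with previous run")
    for sig in evaluate(SAMPLE_SERIES, threshold_us=500_000):
        print(f"[{sig.status}] {sig.related_data['service']} on {sig.dimension_tags['host']}: "
              f"avg {sig.related_data['avg_duration']} us")
```

Running it shows the 5-minute rule with a 15-minute interval querying 11:45 to 12:00 with a 600 s overlap, and two signals (web-01 and db-01) for the 500 ms threshold; passing `{"web-01"}` as the previously fired set to `evaluate_dedup` leaves only db-01 as a fresh signal.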

Other Configurations

For the remaining settings, refer to Rule Configuration.
