Custom Creation¶
Go to Security Monitoring > Security Incident Management > Create to start creating.
Detection Type¶
| Field | Description |
|---|---|
| SIEM | Security Information and Event Management: a security technology that aggregates and analyzes log and event data from different systems (servers, network devices, cloud services, applications) using the platform's built-in query functions. |
| CSPM | Cloud Security Posture Management: a set of automated processes and tools for continuously managing and reducing configuration risk in cloud environments. Its core function is to scan cloud infrastructure (compute instances, storage services, network configuration) and automatically identify misconfigurations that violate security baselines and compliance standards. |
Basic Settings¶
Detection Frequency¶
The rule runs once per interval selected here (e.g., every 5 minutes, every 1 hour). The preset options are 1 minute, 5 minutes, 15 minutes, 30 minutes, 1 hour, 6 hours, 12 hours and 24 hours.
Besides the preset options, you can enter a crontab expression to schedule the rule by second, minute, hour, day, month and weekday.
Detection Interval¶
The time range of data that each execution queries. The intervals offered depend on the detection frequency and are never shorter than it, so consecutive runs leave no unqueried gap; an interval longer than the frequency means the same data falls inside several consecutive queries, so a matching event can raise a signal more than once.
| Detection Frequency | Detection Interval (Dropdown Options) |
|---|---|
| 1m | 1m/5m/15m/30m/1h/3h |
| 5m | 5m/15m/30m/1h/3h |
| 15m | 15m/30m/1h/3h/6h |
| 30m | 30m/1h/3h/6h |
| 1h | 1h/3h/6h/12h/24h |
| 6h | 6h/12h/24h |
| 12h | 12h/24h |
| 24h | 24h |
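The table above only ever offers an interval at least as long as the frequency. The following added example (not the platform's own code) models the two settings to show why: an interval shorter than the frequency leaves minutes that no run ever queries, while a longer one queries the same minutes repeatedly. Times are whole minutes counted from the first run; the schedule is constructed for illustration.

```python
# Added example (not the platform's own code): model how detection frequency and
# detection interval interact. Times are whole minutes, counted from the first run.


def query_windows(frequency, interval, runs):
    """Return the [start, end) data range each scheduled execution queries.

    A run at minute t queries the last `interval` minutes, i.e. [t - interval, t);
    runs are `frequency` minutes apart.
    """
    return [(i * frequency - interval, i * frequency) for i in range(runs)]


def coverage(frequency, interval, runs=3):
    """Describe how consecutive query windows relate.

    'gap'     -> some minutes are never queried (events there are never seen)
    'overlap' -> minutes are queried more than once (the same event can raise
                 repeated signals on successive runs)
    'exact'   -> every minute is queried exactly once
    """
    windows = query_windows(frequency, interval, runs)
    kinds = set()
    for (_, end_prev), (start_next, _) in zip(windows, windows[1:]):
        if start_next > end_prev:
            kinds.add("gap")
        elif start_next < end_prev:
            kinds.add("overlap")
        else:
            kinds.add("exact")
    # with a fixed schedule every adjacent pair relates the same way
    return kinds.pop() if kinds else "exact"


def times_queried(event_minute, frequency, interval, runs):
    """How many scheduled runs include an event that occurred at `event_minute`."""
    return sum(start <= event_minute < end
               for start, end in query_windows(frequency, interval, runs))


def allowed(frequency, interval):
    """Mirror the dropdown table: an interval is offered only when it is at least
    as long as the frequency, which is exactly the condition that rules out gaps."""
    return interval >= frequency


if __name__ == "__main__":
    for freq, itv in ((5, 5), (15, 5), (60, 1440)):
        print(f"every {freq}m over the last {itv}m: {coverage(freq, itv)}, "
              f"offered by the table: {allowed(freq, itv)}")
```

Running it shows that a 1h frequency with a 24h interval (an allowed combination) queries each minute 24 times, so a rule that matches a single event with that setting will signal on every run for a day unless the script deduplicates on its own.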
Define Detection Rule¶
When defining security detection logic, you query data in the script with DQL and define the signal-triggering logic with conditional expressions (field matching, threshold judgment, etc.).
When writing a rule in the editor, you can:
- Toggle text wrapping or overflow;
- Use keyboard shortcuts for formatting;
- Copy the script with one click;
- Write the script directly in the content box;
- Use fx functions;
- Test the script;
- Edit the script in full screen.
Example:
```
# Reference (commented out): the building blocks of a rule script
# data1 = dql("T::re(`.*`):(avg(duration), service, span_id, status) by host limit 1")
# data2 = dql("T::re(`.*`):(max(duration), service, span_id, status) by host limit 2")
#
# result: detection result, required, basic type (string, integer, float)
# result = data1.avg(duration)
#
# dimension_tags: detection object, optional, type map
# dimension_tags = {"host": data1['series'][0][0]['tags']['host']}
#
# status: level, optional, enum; if set here it overrides the level selected on the rule page
# optional values: critical, high, medium, low, info
# status = "high"
#
# related_data: additional attributes, optional, type map
# related_data = {"service": "wwwww"}
# related_data = {"service": data1['series'][0][0]['columns']['service'],
#                 "span_id": data1['series'][0][0]['columns']['span_id'],
#                 "status":  data1['series'][0][0]['columns']['status']}
#
# fn trigger(result: int|float|bool|str, level: str = "", dim_tags: map = {}, related_data: map = {})
# trigger(data1, status, dimension_tags, related_data)
#
# Extracting query fields with dql_series_get(); the span "status" column is kept
# under its own name so it does not overwrite the level variable
# host = dql_series_get(data1, "host")
# service = dql_series_get(data1, "service")
# span_status = dql_series_get(data1, "status")
# trigger(data1, status, dimension_tags={"host": host}, related_data={"service": service, "status": span_status})

# Data query: average span duration per host across all tracing sources
data1 = dql("T::re(`.*`):(avg(duration), service, span_id, status) by host limit 1")
# Level of the generated signal; overrides the level selected on the rule page
status = "high"
# Data processing: pull the grouping tag and the needed columns out of the returned series
host = dql_series_get(data1, "host")
service = dql_series_get(data1, "service")
span_id = dql_series_get(data1, "span_id")
# Alert triggering: host is the detection object, service and span_id are attached as related data
trigger(data1, status, dimension_tags={"host": host[0][0]}, related_data={"service": service, "span_id": span_id})
```
The script above has three parts:
- Data query: ``T::re(`.*`)`` selects every source in the tracing namespace via DQL; the query averages the `duration` field per `host` group and also returns the `service`, `span_id` and `status` fields. `limit 1` means only one result is returned.
- Data processing: `status = "high"` fixes the signal level, and `dql_series_get()` extracts the `host` tag and the `service` and `span_id` columns from the returned series.
- Alert triggering: `trigger(data1, status, dimension_tags={"host": host[0][0]}, related_data={"service": service, "span_id": span_id})` raises a signal with level high. `dimension_tags` identifies the detection object (here the host is used as the dimension tag), and `related_data` attaches associated data (service and span_id).
Note
Only values the script passes to `trigger()` through `dimension_tags` and `related_data` appear in the generated event; fields extracted into variables but not passed are dropped.
Security Level¶
Select the security level for the current monitoring rule:
| Level | df_status Value |
|---|---|
| Critical | critical |
| High | high |
| Medium | medium |
| Low | low |
| Info | info |
Note
If the detection script sets the level itself (e.g., `status = "high"` passed as the level argument of `trigger()`), the level defined in the script takes priority and the level selected here no longer takes effect.
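To exercise a rule script's logic before enabling it, the following added example (not the platform's implementation) provides local stand-ins for the `dql()`, `dql_series_get()` and `trigger()` helpers used in the script under Define Detection Rule, and reproduces the level-override behaviour described in the note above. The result layout (series, then points, then `tags` and `columns`) is assumed from the `data1['series'][0][0]['tags']['host']` access in the commented example; the `page_level` parameter is a hypothetical stand-in for the level selected on the rule page; the query result and threshold are constructed.

```python
# Added example (not the platform's implementation): local stand-ins for the
# dql()/dql_series_get()/trigger() helpers so a rule script's branching can be
# exercised offline. The series -> points -> tags/columns layout is assumed from
# data1['series'][0][0]['tags']['host'] in the commented example; page_level is
# a hypothetical stand-in for the level selected on the rule page.

LEVELS = ("critical", "high", "medium", "low", "info")

# Constructed stand-in for what
#   dql("T::re(`.*`):(avg(duration), service, span_id, status) by host")
# might return for two hosts; the durations are made-up numbers.
SAMPLE_RESULT = {
    "series": [
        [{"tags": {"host": "web-01"},
          "columns": {"avg(duration)": 2_400_000, "service": "checkout",
                      "span_id": "a1b2c3", "status": "error"}}],
        [{"tags": {"host": "web-02"},
          "columns": {"avg(duration)": 120_000, "service": "catalog",
                      "span_id": "d4e5f6", "status": "ok"}}],
    ]
}


def dql_series_get(data, name):
    """Return `name` for every point of every series (tags first, then columns)
    as a nested list, so host[0][0] is the first series' first point."""
    return [[p["tags"].get(name, p["columns"].get(name)) for p in series]
            for series in data["series"]]


def is_basic_result(value):
    """The documented trigger() signature accepts only int|float|bool|str."""
    return isinstance(value, (int, float, bool, str))


def trigger(result, level="", dim_tags=None, related_data=None, page_level="medium"):
    """Build the event trigger() would emit.

    Only what is passed through dim_tags and related_data reaches the event, and
    a non-empty level overrides page_level, the value chosen under Security Level.
    """
    if not is_basic_result(result):
        raise TypeError("result must be int|float|bool|str")
    if level and level not in LEVELS:
        raise ValueError(f"level must be one of {LEVELS}")
    return {
        "result": result,
        "df_status": level or page_level,
        "dimension_tags": dict(dim_tags or {}),
        "related_data": dict(related_data or {}),
    }


def run_rule(data, threshold, page_level="medium"):
    """The example rule's logic, per host: raise a high-level signal when the
    average span duration exceeds `threshold`; otherwise emit nothing."""
    hosts = dql_series_get(data, "host")
    avgs = dql_series_get(data, "avg(duration)")
    services = dql_series_get(data, "service")
    span_ids = dql_series_get(data, "span_id")
    events = []
    for i, host in enumerate(hosts):
        if avgs[i][0] > threshold:
            events.append(trigger(avgs[i][0], "high",
                                  dim_tags={"host": host[0]},
                                  related_data={"service": services[i][0],
                                                "span_id": span_ids[i][0]},
                                  page_level=page_level))
    return events


if __name__ == "__main__":
    for event in run_rule(SAMPLE_RESULT, threshold=1_000_000, page_level="low"):
        print(event)
```

With `page_level="low"` the emitted event still carries `df_status: high`, because the script passed a level; the span `status` column never reaches the event because the rule does not put it in `related_data`. The type check on `result` follows the signature quoted in the script comments, so passing the whole query result instead of a basic value is rejected here.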
Configure Rule Description¶
When adding a detection rule, enter the detection conclusion and the remediation suggestion; they are sent as the title and description of the alert notification.
- Define the rule title;
- Enter the rule description;
- Optionally add global labels to the rule.
Alert Configuration¶
Associate the rule with an existing alert strategy in the current workspace. Once the rule is enabled, alert notifications are sent according to the selected strategy.
Permissions¶
Set view permissions for security monitoring data to restrict who can see and change it. Two options are available:
- Members whose role has "Security Monitoring" management permission in the workspace can operate this rule.
- Only specified members can operate this rule; members, roles and teams in the workspace can be selected.
