Custom Creation¶
Go to Security Monitoring > Security Incident Management > Create to start creating.
Detection Types¶
| Field | Description |
|---|---|
| SIEM | Security Information and Event Management A security technology that aggregates and analyzes log and event data from different systems (such as servers, network devices, cloud services, and applications) based on built-in query functions. |
| CSPM | Cloud Security Posture Management A set of automated processes and tools for continuously managing and reducing configuration risks in cloud environments. Its core is to automatically identify misconfigurations that violate security baselines and compliance standards by scanning cloud infrastructure (such as compute instances, storage services, and network configurations). |
Basic Settings¶
Detection Frequency¶
The rule will run at the time interval set here (e.g., every 5 minutes, every 1 hour). Includes the last 1 minute, last 5 minutes, last 15 minutes, last 30 minutes, last 1 hour, last 6 hours, last 12 hours, last 24 hours.
In addition to the specific options provided by the system, you can also input a custom crontab task to configure the execution of scheduled tasks based on seconds, minutes, hours, days, months, weeks, etc.
Detection Interval¶
Represents the time range for data querying each time the task is executed. The available detection intervals vary depending on the detection frequency.
| Detection Frequency | Detection Interval (Dropdown Options) |
|---|---|
| 1m | 1m/5m/15m/30m/1h/3h |
| 5m | 5m/15m/30m/1h/3h |
| 15m | 15m/30m/1h/3h/6h |
| 30m | 30m/1h/3h/6h |
| 1h | 1h/3h/6h/12h/24h |
| 6h | 6h/12h/24h |
| 12h | 12h/24h |
| 24h | 24h |
Define Detection Rules¶
When defining security detection logic, you can use DQL to query data in the script and set signal trigger logic by defining conditional expressions (e.g., field matching, threshold judgment, etc.).
When writing rules independently, you can:
- Set text auto-wrap or content overflow;
- Use shortcuts for content formatting;
- Copy with one click;
- Write script content directly in the content box;
- Use fx functions;
- Test the script;
- Edit the script in full screen.
Example:
# data1,ok = dql("T::re(`.*`):(avg(duration), service, span_id, status) by host limit 1")
# #data2 = dql("T::re(`.*`):(max(duration), service, span_id, status) by host limit 2")
# #result: Detection result, required, type basic type (string, integer, float)
# #result = data1.avg(duration)
# #dimension_tags: Detection object, optional, type map
# #dimension_tags = {"host":data1['series'][0][0]['tags']['host']}
# #status: Level, optional, type enum, here if defined, priority is higher than user page defined level
# #Optional values: critical, high, medium, low, info
# status = "high"
# #extra_data: Additional attributes, optional, type map
# #related_data = {"service":"wwwww"}
# #related_data = {"service":data1['series'][0][0]['columns']['service'],
# # "span_id":data1['series'][0][0]['columns']['span_id'],
# # "status":data1['series'][0][0]['columns']['status']}
# #fn trigger(result: int|float|bool|str, level: str = "", dim_tags: map = {}, related_data: map = {})
# #trigger(data1,status,dimension_tags,related_data)
# host = dql_series_get(data1,"host")
# service = dql_series_get(data1,"service")
# status = dql_series_get(data1,"status")
# trigger(data1,status,dimension_tags={"host":host},related_data={"service":service,"status":status})
data1 = dql("T::re(`.*`):(avg(duration), service, span_id, status) by host limit 1")
status = "high"
host = dql_series_get(data1,"host")
#printf("%v", {"host": host_o})
#host_info = dql_series_get(host_o,"host")
#printf("%v", {"host": host_info})
service = dql_series_get(data1,"service")
span_id = dql_series_get(data1,"span_id")
trigger(data1,status,dimension_tags={"host":host[0][0]},related_data={"service":service,"span_id":span_id})
In the above script example, it is mainly divided into three parts:
- Data query: Query all metrics (
re(.*)) through DQL, calculate the average value of thedurationfield under eachhostgroup, and return theservice,span_id,statusfields,limit 1means only return 1 result; -
Data processing:
3. Alert triggering:
trigger(data1,status,dimension_tags={"host":host[0][0]},related_data={"service":service,"span_id":span_id})
high, dimension_tags identifies the detection object (here using host as the dimension tag), and related_data attaches related data (service and span_id).
Note
During script editing, only after adding the dimension_tags and related_data fields will the relevant information appear in the final event.
Security Level¶
Select the security level of the current monitoring rule:
| Level | df_status Value |
|---|---|
| Critical | critical |
| High | high |
| Medium | medium |
| Low | low |
| Info | info |
Note
If the security level is customized through conditional judgment in the detection rule (e.g., status=high), the system will prioritize the security level defined in the rule, and the global security level configuration will no longer take effect.
Configure Rule Description¶
When adding a detection rule, input the detection conclusion and remediation suggestions. These contents will be sent as the title and description of the alert notification.
- Define the rule title;
- Input the rule description.
- Choose to add global labels to the current rule.
Alert Configuration¶
Select the existing alert strategies in the current workspace for association. After the rule is enabled, alert notifications will be triggered according to the selected alert strategies.
Permissions¶
Set view permissions for security monitoring data to enhance data security.
In the workspace, member roles with "Security Monitoring" management permissions can operate this rule.
Only specified members can operate this rule, and members, roles, and teams within the workspace can be selected.