Custom Creation¶
Go to Security Monitoring > Security Incident Management > Create to start creating.
Detection Types¶
| Field | Description |
|---|---|
| SIEM | Security Information and Event Management A security technology that aggregates and analyzes log and event data from different systems (such as servers, network devices, cloud services, applications) based on built-in query functions. |
| CSPM | Cloud Security Posture Management A set of automated processes and tools for continuously managing and reducing configuration risks in cloud environments. Its core is to automatically identify misconfigurations that deviate from security baselines and compliance standards by scanning cloud infrastructure (such as compute instances, storage services, and network configurations). |
Basic Settings¶
Detection Frequency¶
The rule will run at the interval set here (e.g., every 5 minutes, every 1 hour). Includes the last 1 minute, last 5 minutes, last 15 minutes, last 30 minutes, last 1 hour, last 6 hours, last 12 hours, last 24 hours.
In addition to the specific options provided by the system, you can also input custom crontab tasks to configure scheduled task execution based on seconds, minutes, hours, days, months, weeks, etc.
Detection Interval¶
Represents the time range for data query each time the task is executed. The optional detection interval will vary depending on the detection frequency.
| Detection Frequency | Detection Interval (Dropdown Options) |
|---|---|
| 1m | 1m/5m/15m/30m/1h/3h |
| 5m | 5m/15m/30m/1h/3h |
| 15m | 15m/30m/1h/3h/6h |
| 30m | 30m/1h/3h/6h |
| 1h | 1h/3h/6h/12h/24h |
| 6h | 6h/12h/24h |
| 12h | 12h/24h |
| 24h | 24h |
Define Detection Rules¶
When defining security detection logic, you can use DQL to query data in the script and set signal trigger logic by defining conditional expressions (such as field matching, threshold judgment, etc.).
When writing rules independently, you can:
- Set text auto-wrap or content overflow;
- Use shortcuts to format content;
- Copy with one click;
- Write script content directly in the content box;
- Use fx functions;
- Test scripts;
- Edit scripts in full screen.
Example:
# data1,ok = dql("T::re(`.*`):(avg(duration), service, span_id, status) by host limit 1")
# #data2 = dql("T::re(`.*`):(max(duration), service, span_id, status) by host limit 2")
# #result: Detection result, required, type basic type (string, integer, float)
# #result = data1.avg(duration)
# #dimension_tags: Detection object, optional, type map
# #dimension_tags = {"host":data1['series'][0][0]['tags']['host']}
# #status: Level, optional, type enum, if defined here, priority is higher than user page defined level
# #Optional values: critical, high, medium, low, info
# status = "high"
# #extra_data: Additional attributes, optional, type map
# #related_data = {"service":"wwwww"}
# #related_data = {"service":data1['series'][0][0]['columns']['service'],
# # "span_id":data1['series'][0][0]['columns']['span_id'],
# # "status":data1['series'][0][0]['columns']['status']}
# #fn trigger(result: int|float|bool|str, level: str = "", dim_tags: map = {}, related_data: map = {})
# #trigger(data1,status,dimension_tags,related_data)
# host = dql_series_get(data1,"host")
# service = dql_series_get(data1,"service")
# status = dql_series_get(data1,"status")
# trigger(data1,status,dimension_tags={"host":host},related_data={"service":service,"status":status})
data1 = dql("T::re(`.*`):(avg(duration), service, span_id, status) by host limit 1")
status = "high"
host = dql_series_get(data1,"host")
#printf("%v", {"host": host_o})
#host_info = dql_series_get(host_o,"host")
#printf("%v", {"host": host_info})
service = dql_series_get(data1,"service")
span_id = dql_series_get(data1,"span_id")
trigger(data1,status,dimension_tags={"host":host[0][0]},related_data={"service":service,"span_id":span_id})
In the above script example, it is mainly divided into three parts:
-
Data query: Query all metrics (
re(.*)) through DQL, calculate the average value of thedurationfield for eachhostgroup, and return theservice,span_id,statusfields,limit 1means only return 1 result; -
Data processing:
-
Alert triggering:
trigger(data1,status,dimension_tags={"host":host[0][0]},related_data={"service":service,"span_id":span_id})
Indicates triggering an alert with a priority of high, dimension_tags identifies the detection object (here host is used as the dimension tag), related_data attaches associated data (service and span_id).
Note
During script editing, only after adding the dimension_tags and related_data fields will the relevant information appear in the final event.
Security Level¶
Select the security level for the current monitoring rule:
| Level | df_status Value |
|---|---|
| Critical | critical |
| High | high |
| Medium | medium |
| Low | low |
| Info | info |
Note
If the security level is customized through conditional judgment in the detection rule (e.g., status=high), the system will prioritize the security level defined in the rule, and the global security level configuration will no longer take effect.
Configure Rule Description¶
When adding detection rules, input detection conclusions and remediation suggestions. These contents will be sent as the title and description of the alert notification.
- Define the rule title;
- Input rule description.
- Choose to add global labels to the current rule.
Alert Configuration¶
Select existing alert strategies in the current workspace to associate. After the rule is enabled, alert notifications will be triggered based on the selected alert strategy.
Permissions¶
Set viewing permissions for security monitoring data to enhance data security.
In the workspace, member roles with "Security Monitoring" management permissions can operate this rule.
Only specified members can operate this rule, and you can select members, roles, and teams within the workspace.