Create Detection Rules¶
Go to Security Monitoring > Security Incident Management > Create to start creating a rule.
Basic Settings¶
Detection Frequency¶
The rule runs once per interval set here (for example every 5 minutes or every hour). The preset options are every 1 minute, 5 minutes, 15 minutes, 30 minutes, 1 hour, 6 hours, 12 hours and 24 hours.
Besides the preset options, you can enter a custom crontab expression (minute, hour, day of month, month, day of week) to schedule execution, for example `0 */2 * * *` to run every two hours (standard crontab syntax).
Detection Interval¶
This is the time range of data queried each time the task executes. The selectable intervals depend on the detection frequency: the interval is never shorter than the frequency, so consecutive runs leave no gap in the data they cover, while an interval longer than the frequency makes consecutive query windows overlap, so the same data can be matched by more than one run.
| Detection Frequency | Detection Interval (Dropdown Options) |
|---|---|
| 1m | 1m / 5m / 15m / 30m / 1h / 3h |
| 5m | 5m / 15m / 30m / 1h / 3h |
| 15m | 15m / 30m / 1h / 3h / 6h |
| 30m | 30m / 1h / 3h / 6h |
| 1h | 1h / 3h / 6h / 12h / 24h |
| 6h | 6h / 12h / 24h |
| 12h | 12h / 24h |
| 24h | 24h |
Define Detection Rules¶
When defining security detection logic, you can use DQL in scripts to query data and set signal trigger logic through conditional expressions (e.g., field matching, threshold judgment).
When writing rules manually, you can:
- Enable automatic text wrapping or content overflow;
- Use shortcuts to format content;
- Copy with one click;
- Write script content directly in the content box;
- Select fx functions;
- Test scripts;
- Edit scripts in full screen.
Example:

```
# Query: average span duration per host, also returning service, span_id
# and status. A second query (data2) is shown commented out for reference.
# data1 = dql("T::re(`.*`):(avg(duration), service, span_id, status) by host limit 1")
# data2 = dql("T::re(`.*`):(max(duration), service, span_id, status) by host limit 2")
#
# result:          detection result, required, basic type (string, integer, float)
# dimension_tags:  detection object, optional, map
#                  e.g. {"host": data1['series'][0][0]['tags']['host']}
# status:          level, optional, one of critical, high, medium, low, info;
#                  a level set here takes priority over the level chosen on the page
# related_data:    additional attributes, optional, map
#                  e.g. {"service": data1['series'][0][0]['columns']['service'],
#                        "span_id": data1['series'][0][0]['columns']['span_id'],
#                        "status":  data1['series'][0][0]['columns']['status']}
#
# fn trigger(result: int|float|bool|str, level: str = "", dim_tags: map = {}, related_data: map = {})

data1 = dql("T::re(`.*`):(avg(duration), service, span_id, status) by host limit 1")
status = "high"
host = dql_series_get(data1, "host")
service = dql_series_get(data1, "service")
span_id = dql_series_get(data1, "span_id")
trigger(data1, status, dimension_tags={"host": host[0][0]}, related_data={"service": service, "span_id": span_id})
```
The script above consists of three parts:

- Data Query: `dql(...)` queries every tracing source (the `T::` namespace, with `re(`.*`)` matching all source names), computes the average of the `duration` field grouped by `host`, and also returns the `service`, `span_id` and `status` fields. `limit 1` restricts the output to a single result.
- Data Processing: `status = "high"` sets the level of the generated event, and `dql_series_get(data1, "host")`, `dql_series_get(data1, "service")` and `dql_series_get(data1, "span_id")` extract the corresponding values from the query result.
- Alert Triggering: `trigger(data1, status, dimension_tags={"host": host[0][0]}, related_data={"service": service, "span_id": span_id})` generates the event at level `high`. `dimension_tags` identifies the detected object (here the `host` of the first series, via `host[0][0]`), and `related_data` attaches associated data (`service` and `span_id`).
Note

Only after the `dimension_tags` and `related_data` fields have been added in the script will the corresponding information appear in the generated events.
Security Level¶
Select the security level for the current monitoring rule:
| Level | df_status Value |
|---|---|
| Severe | critical |
| High | high |
| Medium | medium |
| Low | low |
| Informational | info |
Note

If the security level is set by a condition inside the detection rule (for example `status = "high"`), the level defined in the rule takes priority and the global security level configured here has no effect.
Configure Rule Description¶
When adding a detection rule, enter the detection conclusion and remediation suggestions; they are sent as the title and description of the alert notification.
- Define the rule title;
- Enter the rule description;
- Optionally add global labels to the rule.
Alert Configuration¶
Select an existing alert strategy within the current workspace for association. After the rule is enabled, alerts will be triggered according to the selected alert strategy.
Permissions¶
Set viewing permissions for security monitoring data to enhance data security. Choose one of:
- Members with "Security Monitoring" management permission in the workspace can operate this rule;
- Only specified members can operate this rule; members, roles and teams within the workspace can be selected.