
Programmable Detection


Current Document Location

This document is the second step in the detection rule configuration process. After configuration, please return to the main document to continue with the third step: Event Notification.

Programmable detection lets you define detection rules as scripts, so that one rule type can cover many kinds of system data. A script can query data with DQL and decide when to emit a signal through custom logic (field matching, threshold judgment, and so on), which allows flexible monitoring and alerting strategies.

Note

Running the programmable detection monitor itself is not billed. Its rules are billed in the same way as Security Detection Scan Traffic.

Detection Configuration

Detection Frequency

Set the time interval for executing detections.

  • Preset options: 30 seconds, 1 minute, 5 minutes (default), 15 minutes, 30 minutes, 1 hour

  • Crontab mode: Click "Switch to Crontab Mode" to configure a custom schedule. A crontab expression can schedule execution by second, minute, hour, day of month, month, day of week, etc.

Detection Interval

Set the time range of data queried by each detection run. ❗️ If the DQL query inside the detection rule specifies its own time range, that range takes priority over the interval configured here.

Detection Frequency | Detection Interval (dropdown options)
------------------- | -------------------------------------
30s                 | 1m / 5m / 15m / 30m / 1h / 3h
1m                  | 1m / 5m / 15m / 30m / 1h / 3h
5m                  | 5m / 15m / 30m / 1h / 3h
15m                 | 15m / 30m / 1h / 3h / 6h
30m                 | 30m / 1h / 3h / 6h
1h                  | 1h / 3h / 6h / 12h / 24h

  • Custom format: Manually input the detection interval, e.g., 20m (last 20 minutes), 2h (last 2 hours), 1d (last 1 day).

Define Detection Rules

Define security detection logic by writing scripts. Supports using DQL to query data within the script and setting signal trigger logic through conditional expressions (such as field matching, threshold judgment, etc.).

Editor Features

Feature            | Description
------------------ | -----------------------------------------------------------
Word Wrap          | Set text to wrap automatically or display with overflow
fx Functions       | Use fx functions to assist in writing rules
Shortcuts          | Use keyboard shortcuts for content formatting
One-click Copy     | Quickly copy script content to the clipboard
Rule Writing Guide | View script writing specifications and examples
Start Test         | Verify that the script logic executes correctly

Script Example

Example:

    # Query: average span duration per host, keeping the single worst series
    data1 = dql("T::re(`.*`):(avg(duration), service, span_id) by host limit 1")
    status = "high"                                # alert level for the signal
    host = dql_series_get(data1, "host")           # extract the affected host
    service = dql_series_get(data1, "service")     # extract the affected service
    # Emit the signal, tagged by host and carrying the service as related data
    trigger(data1, status, dimension_tags={"host": host}, related_data={"service": service})

The script above breaks down into the following parts:

  1. Execute a data query to find the worst-performing data (highest average response time) for each host across all services.

  2. Set the alert level: priority is high.

  3. Locate the data source:

    host = dql_series_get(data1,"host")  # Extract the faulty host
    service = dql_series_get(data1,"service")  # Extract the problematic service
    
  4. Finally generate the alert: Service {service} on host {host} has abnormal response time.
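The page's script fires a signal unconditionally; the added example below (not from the page or the platform) shows the threshold judgment and field matching that such a rule usually needs, run locally over a constructed query result. It assumes a DQL result can be modelled as a list of dicts (one per series point), uses assumed threshold values, and replaces the platform's built-in trigger() with a stand-in that only records what would be fired.

```python
import re

# Assumed thresholds for avg(duration), in milliseconds
SLOW_MS = 800.0
CRITICAL_MS = 2000.0
MIN_SAMPLES = 20            # ignore hosts with too few spans to trust the average
SERVICE_PATTERN = re.compile(r"^(checkout|payment)")   # field matching on service

# Constructed result for a query such as
# T::re(`.*`):(avg(duration), count(span_id), service) by host
SAMPLE_RESULT = [
    {"host": "web-01", "service": "checkout", "avg(duration)": 2450.0, "count(span_id)": 312},
    {"host": "web-02", "service": "payment",  "avg(duration)": 950.0,  "count(span_id)": 58},
    {"host": "web-03", "service": "payment",  "avg(duration)": 2900.0, "count(span_id)": 3},
    {"host": "web-04", "service": "search",   "avg(duration)": 3100.0, "count(span_id)": 400},
]

FIRED = []   # what the stand-in trigger() has recorded


def trigger(data, status, dimension_tags=None, related_data=None):
    """Stand-in for the platform built-in (assumption): record instead of raising a signal."""
    FIRED.append({"status": status, "tags": dimension_tags or {}, "related": related_data or {}})


def severity(avg_ms):
    """Map average latency to an alert level; None means below the slow threshold."""
    if avg_ms >= CRITICAL_MS:
        return "critical"     # assumed level name
    if avg_ms >= SLOW_MS:
        return "high"         # level used by the page's example
    return None


def evaluate(result):
    """Apply field matching and threshold judgment; return (host, service, status) for each signal."""
    fired = []
    for point in result:
        if not SERVICE_PATTERN.search(point.get("service", "")):
            continue                                  # not a service this rule watches
        if point.get("count(span_id)", 0) < MIN_SAMPLES:
            continue                                  # too few spans, skip noisy averages
        status = severity(point["avg(duration)"])
        if status is None:
            continue                                  # latency within normal range
        trigger(point, status,
                dimension_tags={"host": point["host"]},
                related_data={"service": point["service"], "avg_ms": point["avg(duration)"]})
        fired.append((point["host"], point["service"], status))
    return fired
```

With the constructed data, web-03 is dropped by the sample guard and web-04 by the service filter, so only web-01 (critical) and web-02 (high) produce signals.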

Next Steps

After completing the above detection configuration, please continue to configure:

  1. Event Notification: Define event title, content, notification members, data gap handling, and associated incidents.

  2. Alert Configuration: Select alert strategies, set notification targets, and mute periods.

  3. Association: Associate with dashboards for quick navigation to view data.

  4. Permissions: Set operation permissions to control who can edit/delete this monitor.