Custom Creation¶
Go to Security Monitoring > Security Incident Management > Create to start creating.
Basic Settings¶
Detection Frequency¶
The rule will run at the interval set here (e.g., every 5 minutes, every 1 hour). Options include the last 1 minute, last 5 minutes, last 15 minutes, last 30 minutes, last 1 hour, last 6 hours, last 12 hours, last 24 hours.
In addition to the predefined options, you can also input a custom crontab task to configure scheduled tasks based on minutes, hours, days, months, weeks, etc.
Detection Interval¶
Represents the time range for data query each time the task is executed. The available detection intervals vary depending on the detection frequency.
| Detection Frequency | Detection Interval (Dropdown Options) |
|---|---|
| 1m | 1m/5m/15m/30m/1h/3h |
| 5m | 5m/15m/30m/1h/3h |
| 15m | 15m/30m/1h/3h/6h |
| 30m | 30m/1h/3h/6h |
| 1h | 1h/3h/6h/12h/24h |
| 6h | 6h/12h/24h |
| 12h | 12h/24h |
| 24h | 24h |
Define Detection Rules¶
When defining security detection logic, you can query data with DQL inside the script and set the signal trigger logic through conditional expressions (e.g., field matching, threshold judgment).
When writing a rule yourself, you can:
- Set text auto-wrap or content overflow;
- Use shortcuts for content formatting;
- Copy with one click;
- Write script content directly in the content box;
- Use fx functions;
- Test scripts;
- Edit scripts in full screen.
Example:
```
# data1,ok = dql("T::re(`.*`):(avg(duration), service, span_id, status) by host limit 1")
# #data2 = dql("T::re(`.*`):(max(duration), service, span_id, status) by host limit 2")
# #result: Detection result, required, type: basic type (string, integer, float)
# #result = data1.avg(duration)
# #dimension_tags: Detection object, optional, type: map
# #dimension_tags = {"host":data1['series'][0][0]['tags']['host']}
# #status: Level, optional, type: enum; if defined here, it takes priority over the user-defined level
# #Options: critical, high, medium, low, info
# status = "high"
# #extra_data: Additional attributes, optional, type: map
# #related_data = {"service":"wwwww"}
# #related_data = {"service":data1['series'][0][0]['columns']['service'],
# #                "span_id":data1['series'][0][0]['columns']['span_id'],
# #                "status":data1['series'][0][0]['columns']['status']}
# #fn trigger(result: int|float|bool|str, level: str = "", dim_tags: map = {}, related_data: map = {})
# #trigger(data1,status,dimension_tags,related_data)
# host = dql_series_get(data1,"host")
# service = dql_series_get(data1,"service")
# status = dql_series_get(data1,"status")
# trigger(data1,status,dimension_tags={"host":host},related_data={"service":service,"status":status})
data1 = dql("T::re(`.*`):(avg(duration), service, span_id, status) by host limit 1")
status = "high"
host = dql_series_get(data1,"host")
#printf("%v", {"host": host_o})
#host_info = dql_series_get(host_o,"host")
#printf("%v", {"host": host_info})
service = dql_series_get(data1,"service")
span_id = dql_series_get(data1,"span_id")
trigger(data1,status,dimension_tags={"host":host[0][0]},related_data={"service":service,"span_id":span_id})
```
The script example above is divided into three parts:
1. Data Query: query all metrics (`re(.*)`) via DQL, calculate the average of the `duration` field for each `host` group, and return the `service`, `span_id` and `status` fields; `limit 1` means only one result is returned.
2. Data Processing: `status = "high"` sets the level, and `dql_series_get(data1, ...)` extracts the `host`, `service` and `span_id` values from the query result for use in the trigger.
3. Alert Trigger: `trigger(data1,status,dimension_tags={"host":host[0][0]},related_data={"service":service,"span_id":span_id})` raises the signal. `status` sets the level to `high`, `dimension_tags` identifies the detection object (here `host` is used as the dimension tag), and `related_data` attaches associated data (`service` and `span_id`).
Note
When editing the script, the relevant information appears in the final event only after the `dimension_tags` and `related_data` fields have been added.
Security Level¶
Select the security level for the current monitoring rule:
| Level | df_status Value |
|---|---|
| Critical | critical |
| High | high |
| Medium | medium |
| Low | low |
| Info | info |
Note
If the security level is set via conditional judgment inside the detection rule (e.g., `status=high`), the system prioritizes the level defined in the rule, and the global security level configuration no longer takes effect.
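To make the script structure and the level precedence above concrete, here is an added Python model that is not the platform's code: `dql()`, `dql_series_get()` and `trigger()` are stand-ins whose behaviour is assumed from this page only (the `series[i][j]['tags']`/`['columns']` result layout in the comments, the `host[0][0]` indexing, the quoted `trigger` signature, and the rule that a script-defined level overrides the global one), and the query result is constructed inline instead of coming from a live DQL query. It also adds a threshold judgment, which the page mentions but the example script does not show.

```python
# Added example (not the platform's code): an offline model of the rule script.
# dql(), dql_series_get() and trigger() are stand-ins; their behaviour is an
# assumption drawn only from the result layout, indexing and trigger signature
# shown on this page.
GLOBAL_LEVEL = "low"  # the rule's configured Security Level (assumed value)
EVENTS = []           # every event raised by trigger()

# Constructed sample result: one series per host, columns as in the query.
SAMPLE_RESULT = {"series": [
    [{"tags": {"host": "web-01"}, "columns": {"avg(duration)": 1450.0,
      "service": "checkout", "span_id": "a1", "status": "error"}}],
    [{"tags": {"host": "web-02"}, "columns": {"avg(duration)": 120.0,
      "service": "search", "span_id": "b2", "status": "ok"}}],
]}

def dql(query, result=SAMPLE_RESULT):
    """Stand-in for dql(): returns the constructed result instead of querying."""
    return result

def dql_series_get(data, key):
    """Assumed semantics: a [series][point] list of tag or column `key`,
    which is why the page script indexes host[0][0]."""
    return [[p["tags"].get(key, p["columns"].get(key)) for p in series]
            for series in data["series"]]

def trigger(result, level="", dimension_tags=None, related_data=None):
    """Stand-in for trigger(): a level set in the script overrides the global
    Security Level; dimension_tags/related_data reach the event only when the
    script supplies them (the Note in the script section)."""
    event = {"result": result, "df_status": level or GLOBAL_LEVEL}
    if dimension_tags:
        event["dimension_tags"] = dimension_tags
    if related_data:
        event["related_data"] = related_data
    EVENTS.append(event)
    return event

def run_rule(threshold_ms=1000.0):
    """Threshold judgment: raise a high event for each host whose avg(duration)
    exceeds threshold_ms; hosts below it raise nothing."""
    data1 = dql("T::re(`.*`):(avg(duration), service, span_id, status) by host")
    hosts = dql_series_get(data1, "host")
    avgs = dql_series_get(data1, "avg(duration)")
    services = dql_series_get(data1, "service")
    span_ids = dql_series_get(data1, "span_id")
    fired = []
    for i, avg in enumerate(avgs):
        if avg[0] > threshold_ms:
            fired.append(trigger(avg[0], "high", {"host": hosts[i][0]},
                                 {"service": services[i][0], "span_id": span_ids[i][0]}))
    return fired
```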
Configure Rule Description¶
When adding a detection rule, enter the detection conclusion and remediation suggestions; they are sent as the title and description of the alert notification.
- Define the rule title;
- Enter the rule description;
- Optionally add global tags to the current rule.
Alert Configuration¶
Select an existing alert strategy in the current workspace to associate. Once the rule is enabled, alert notifications will be triggered based on the selected alert strategy.
Permissions¶
Set viewing permissions for security monitoring data to restrict who can access it.
In the workspace, members with "Security Monitoring" management permissions can operate this rule.
Alternatively, only specified members can operate this rule; you can select members, roles, and teams within the workspace.