Create Detection Rules¶

Go to Security Monitoring > Security Incident Management > Create to start creating.

Basic Settings¶

Detection Frequency¶

The rule will run once according to the time interval set here (such as every 5 minutes, every 1 hour). It includes the last 1 minute, the last 5 minutes, the last 15 minutes, the last 30 minutes, the last 1 hour, the last 6 hours, the last 12 hours, and the last 24 hours.

In addition to the specific options provided by the system above, you can also enter custom crontab tasks, configuring scheduled task execution based on minutes, hours, days, months, weeks, etc.

Detection Interval¶

This indicates the time range for data queries each time the task is executed. Affected by the detection frequency, the selectable detection intervals may vary.

Detection Frequency	Detection Interval (Dropdown Options)
1m	1m/5m/15m/30m/1h/3h
5m	5m/15m/30m/1h/3h
15m	15m/30m/1h/3h/6h
30m	30m/1h/3h/6h
1h	1h/3h/6h/12h/24h
6h	6h/12h/24h
12h	12h/24h
24h	24h

Define Detection Rule¶

When defining security detection logic, you can use DQL in the script to query data and set signal trigger logic by defining conditional expressions (e.g., field matching, threshold judgment, etc.).

When writing your own rules, you can:

Set text to automatically wrap or overflow content;
Use shortcuts to format the content;
Copy with one click;
Write script content directly in the content box;
Select fx functions.

Example:

# data1,ok = dql("T::re(`.*`):(avg(duration), service, span_id, status) by host limit 1")
# #data2 = dql("T::re(`.*`):(max(duration), service, span_id, status) by host limit 2")


# #result:Detection result, required, type basic type (string, integer, float)
# #result = data1.avg(duration)

# #dimension_tags:Detection object, optional, type map
# #dimension_tags = {"host":data1['series'][0][0]['tags']['host']}

# #status:Level, optional, type enumeration, if defined here has higher priority than level defined on user page
# #Possible values: critical, high, medium, low, info
# status = "high"

# #extra_data:Additional attributes, optional, type map
# #related_data = {"service":"wwwww"}
# #related_data = {"service":data1['series'][0][0]['columns']['service'],
#                # "span_id":data1['series'][0][0]['columns']['span_id'],
#                # "status":data1['series'][0][0]['columns']['status']}


# #fn trigger(result: int|float|bool|str, level: str = "", dim_tags: map = {}, related_data: map = {})
# #trigger(data1,status,dimension_tags,related_data)
# host = dql_series_get(data1,"host")
# service = dql_series_get(data1,"service")
# status = dql_series_get(data1,"status")
# trigger(data1,status,dimension_tags={"host":host},related_data={"service":service,"status":status})



data1 = dql("T::re(`.*`):(avg(duration), service, span_id, status) by host limit 1")
status = "high"
host = dql_series_get(data1,"host")
#printf("%v", {"host": host_o})
#host_info = dql_series_get(host_o,"host")
#printf("%v", {"host": host_info})
service = dql_series_get(data1,"service")
span_id = dql_series_get(data1,"span_id")

trigger(data1,status,dimension_tags={"host":host[0][0]},related_data={"service":service,"span_id":span_id})

In the above script example, it is mainly divided into three parts:

Data Query: Through DQL querying all metrics (re(.*)), calculating the average value of the duration field grouped by each host, while returning the service, span_id, and status fields. limit 1 means only return 1 result;

Data Processing:

host = dql_series_get(data1,"host")  # Extract the `host` field from the query results
service = dql_series_get(data1,"service") # Extract the `service` field
span_id = dql_series_get(data1,"span_id") # Extract the `span_id` field

3. Alarm Trigger:

trigger(data1,status,dimension_tags={"host":host[0][0]},related_data={"service":service,"span_id":span_id})

This triggers an alarm with a priority of high, where dimension_tags identifies the detection object (here using host as the dimension tag), and related_data adds associated data (service and span_id).

Note

Only after adding the dimension_tags and related_data fields during the script editing process will relevant information appear in the final generated event.

Security Level¶

Select the security level for the current monitoring rule:

Level	`df_status` Value
Severe	critical
High	high
Medium	medium
Low	low
Information	info

Note

If the security level is customized through conditional judgment in the detection rule (e.g., status=high), the system will prioritize the security level defined in the rule, at which point the global security level configuration will no longer take effect.

Configure Rule Description¶

When adding a detection rule, input the detection conclusion and remediation recommendations. This content will be sent out as the title and description of the alert notification.

Define the rule title;
Input rule description.
Choose to add global labels for the current rule.

Alert Configuration¶

Select an existing alert strategy within the current workspace for association. After the rule is enabled, alert notifications will be triggered according to the selected alert strategy.

Permissions¶

Set viewing permissions for security monitoring data to enhance data security.

UnrestrictedCustom

Members with "Security Monitoring" management permissions in the workspace can operate this rule.

Only specified members can operate this rule. You can select members, roles, and teams within the workspace.