IDR Custom Alerts now support the latest LEQL features used in log search queries!! Prior to this, regex was needed in order to create more advanced custom alerts…well not anymore! With the LEQL operators, you can now easily create those custom alerts without having to re-write your regex!!
Example Query Before Change:
where(signature=/.*brute force.*/i AND (source_ip!=/0\..*|10\..*|127\..*|172\..*|192\.168\..*/))
This would work in log search and custom alerting as it's regex based.
where(signature contains "brute force" and (source_ip not starts-with-any [0, 10, 127, 172, 192, 168]))
Instead of relying on regex, the query above can be expressed equivalently using LEQL operators. Check out the updated documentation below:
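An added check, not part of the post: a small Python harness that emulates both alert conditions over constructed events so you can see where a regex-to-LEQL translation stops matching the same events. It assumes a LEQL regex must match the whole field value (which is why the post wraps "brute force" in .*), that starts-with-any does plain string-prefix comparison, and that contains is case-sensitive with icontains as the case-insensitive form; confirm those against the LEQL documentation before relying on a translated alert.

```python
import re

# Regex form from the post. Assumption: a LEQL regex must match the whole
# field value, so fullmatch() is used to emulate it.
SIGNATURE_RE = re.compile(r".*brute force.*", re.IGNORECASE)
PRIVATE_IP_RE = re.compile(r"0\..*|10\..*|127\..*|172\..*|192\.168\..*")

# Prefix list from the LEQL form. Assumption: starts-with-any compares the
# field as a string prefix, and contains (unlike icontains) is case-sensitive.
PRIVATE_PREFIXES = ("0", "10", "127", "172", "192", "168")


def regex_condition(event):
    """Emulates: where(signature=/.*brute force.*/i AND (source_ip!=/.../))."""
    return (SIGNATURE_RE.fullmatch(event["signature"]) is not None
            and PRIVATE_IP_RE.fullmatch(event["source_ip"]) is None)


def leql_condition(event):
    """Emulates: where(signature contains "brute force" and
    (source_ip not starts-with-any [0, 10, 127, 172, 192, 168]))."""
    return ("brute force" in event["signature"]
            and not event["source_ip"].startswith(PRIVATE_PREFIXES))


def disagreements(events):
    """Return the events that the two alert conditions classify differently."""
    return [e for e in events if regex_condition(e) != leql_condition(e)]


# Constructed sample events, not taken from the page.
SAMPLE_EVENTS = [
    {"signature": "ssh brute force attempt", "source_ip": "203.0.113.7"},
    {"signature": "ssh brute force attempt", "source_ip": "10.1.2.3"},
    {"signature": "ssh brute force attempt", "source_ip": "192.168.1.9"},
    {"signature": "ssh brute force attempt", "source_ip": "100.64.0.5"},
    {"signature": "ssh brute force attempt", "source_ip": "168.10.0.1"},
    {"signature": "SSH Brute Force Attempt", "source_ip": "203.0.113.7"},
    {"signature": "port scan", "source_ip": "203.0.113.7"},
]

if __name__ == "__main__":
    # Each printed line is an event the regex alert would fire on but the
    # translated LEQL alert would not (prefix "10" also covers 100.x, "168"
    # is not a prefix the regex excluded, and contains misses mixed case).
    for e in disagreements(SAMPLE_EVENTS):
        print(f"{e['source_ip']:<14} {e['signature']!r}: "
              f"regex={regex_condition(e)} leql={leql_condition(e)}")
```

Running it with the constructed events shows three events the regex alert catches and the LEQL form does not, which is exactly the kind of gap to look for before swapping an existing custom alert to the new operators.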
I just noticed this yesterday!
Thank you - it’s a wonderful improvement to the custom alert process.
Any chance we could see ENDS-WITH/IENDS-WITH/IENDS-WITH-ANY operators in the future?
Oh, this is great! Thanks for a nice improvement!
I’ll ask the team for you, as this would be a nice addition to the growing LEQL operators! I’ll keep you posted.
@richard_davidsson no worries, glad you like the enhancement! It definitely will help make the transition from log search queries to custom pattern detections much easier! Let us know if you have any additional feedback or questions surrounding this!!