Key Value Pair Variables in InsightIDR

Hello Everyone
I want to create Key Value Pair Variables in InsightIDR and use the key and its respective value in a query.
So I can use this logic to create a custom detection rule.
Example : user_name (Key) : regex (value) → working_hrs
where(username = ${working_hrs.key} and time = ${working_hrs.value})

Please can anyone tell me whether the above is possible in Rapid7 InsightIDR.
If yes, then what is the proper way and syntax for this?

Hi! @vvivek.halpatrao

I don't think it is possible to create the variable you mention.

Here is the doc on how to use the variables in queries. [Use Variables in Queries | InsightIDR Documentation]

There are 2 types of variables: single value variable and list variable. I think you can use a list variable with the usernames and a single value variable for the working_hrs.

where(username ICONTAINS-ANY [${usernames}] AND time = ${working_hrs}) groupby(username)

This query will check if any username in the list has the value of the variable “working_hrs”.

Hope it helps!

Thanks @rascarza for the response.
But I have a different time for each user. So can I achieve this in any alternative way?

You can use the regex capture group method to extract values on the fly (see Components for Building a Query | InsightIDR Documentation) and use key comparison to compare them.

However if you want to use a key/value in a custom detection rule you would need to apply a custom parsing rule and have that key written to the log for use. Create Custom Parsing Rules | InsightIDR Documentation

In simple language, what are you trying to determine with your detection rule? If someone exceeds their allotment of working hours by some degree? What exactly would the condition/trigger be?

Hi @david_smith

  1. We have fixed working hours for every user group; the groups are located in different countries / time zones, and we want to generate an alert when any user accesses the system outside the time allocated to them.
    If I create a regex expression then it will only validate one time slot at a time, and I will have to create different rules for each time slot.
    So I want to know whether there is any way to achieve this dynamically, where the time slot will match per user?

  2. And one more question: can we convert raw log values from strings to other datatypes like date, timestamp, etc.?

  3. Can we search a regex expression in a specific key in our logs instead of searching the whole log? It always takes the first match and didn't return the value I wanted, as its position is not at the first match.

Hi,

There's no way to achieve what you are describing within the product currently; that is to say, you can't automatically associate a list of users with some dynamic property such as associated working hours. However, you could technically automate the process of searching and building queries and alerts using the log search and detection rule API. https://docs.rapid7.com/insightidr/log-search-api/
https://docs.rapid7.com/insightidr/api/detection-rules/

For example, if you had a group of users and used their timezone to set the start and end times, you could say source_user in group and from time > x and to time < y, then alert if there is a success.

Then for the next group of users create an alert where the from and to times are different.

  1. All values are treated as strings or numbers; there's no type conversion.

  2. You can; you need to anchor your regex on the preceding text to place yourself at the right location. If you've an example I can help.
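A stand-alone illustration of the per-user working-hours check this thread is after, added here as example code (it is not InsightIDR's own and not from the original thread). It assumes a constructed policy map (the "key -> value" of user group to allowed local hours), constructed login events carrying `source_user`, `timestamp` and `result` keys, and fixed UTC offsets in place of IANA zone names.

```python
from datetime import datetime, time, timedelta, timezone

# Constructed policy: the per-group "key -> value" mapping (users -> allowed local hours)
# that the product cannot hold natively. Offsets are fixed here for simplicity; a real
# policy would use IANA zone names so daylight-saving shifts are handled.
WORKING_HOURS = {
    "emea": {"users": ["alice", "bob"], "utc_offset": 2.0,
             "start": time(8, 0), "end": time(18, 0)},
    "apac": {"users": ["chen"], "utc_offset": 5.5,
             "start": time(22, 0), "end": time(6, 0)},   # night shift, crosses midnight
}

# Constructed login events in the shape of a parsed log line (keys are assumed).
SAMPLE_EVENTS = [
    {"source_user": "alice", "timestamp": "2024-04-18T07:30:00Z", "result": "SUCCESS"},
    {"source_user": "alice", "timestamp": "2024-04-18T20:15:00Z", "result": "SUCCESS"},
    {"source_user": "chen",  "timestamp": "2024-04-18T18:00:00Z", "result": "SUCCESS"},
    {"source_user": "chen",  "timestamp": "2024-04-18T04:00:00Z", "result": "SUCCESS"},
    {"source_user": "chen",  "timestamp": "2024-04-18T04:05:00Z", "result": "FAILURE"},
]

def policy_for(user):
    """Look up the group policy that applies to `user`, or None if unmanaged."""
    return next((g for g in WORKING_HOURS.values() if user in g["users"]), None)

def in_window(local_t, start, end):
    """True when local_t lies in [start, end); handles windows that wrap past midnight."""
    if start <= end:
        return start <= local_t < end
    return local_t >= start or local_t < end

def out_of_hours(user, ts_utc):
    """True when a login by `user` at `ts_utc` falls outside the group's working hours."""
    g = policy_for(user)
    if g is None:
        return True   # no policy on record: surface it rather than silently allow
    local = ts_utc.astimezone(timezone(timedelta(hours=g["utc_offset"])))
    return not in_window(local.time(), g["start"], g["end"])

def find_out_of_hours(events):
    """Return (user, timestamp) for successful logins outside the user's hours."""
    hits = []
    for ev in events:
        if ev.get("result") != "SUCCESS":
            continue   # only successful access is in scope, as the thread proposes
        ts = datetime.fromisoformat(ev["timestamp"].replace("Z", "+00:00"))
        if out_of_hours(ev["source_user"], ts):
            hits.append((ev["source_user"], ev["timestamp"]))
    return hits

if __name__ == "__main__":
    for user, ts in find_out_of_hours(SAMPLE_EVENTS):
        print(f"out-of-hours login: {user} at {ts}")
```

The same per-group windows, converted to UTC, are what a script driving the Detection Rules API would write into one rule per group.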

Hi @david_smith and @rascarza
Thanks for your response.

I have capture groups using regex in my query. Can I use that group in groupby as a key when creating a custom detection rule?

@vvivek.halpatrao no, but what you can do is apply those capture groups using a custom parsing rule, and then you can build a detection using the newly created keys which the custom parser adds