Query by timerange with groupby

diiluz · June 2, 2023, 1:34pm

Hello, I’ve asked a similar question before, but maybe I wasn’t clear because no one told me it won’t work.
This is my query:
where(connection_status=DENY AND (direction!=INTERNAL OR direction!=OUTBOUND)) groupby(source_address) having(count>1000) timeslice(3m)

My end goal is to create a custom rule that will alert me if there are more than 1000 DENY request in 3 minutes from the same source_address when the direction is not INTERNAL or OUTBOUND.

I guess timeslice is not the solution here. Is there a way to do so? Getting alerted only if the threshold happens during a specific time period?

Kind Regards,
Dvir

john_hartman · June 2, 2023, 6:35pm

The threshold for an alert would be created in the alert threshold settings instead of in a timeslice manner

diiluz · June 2, 2023, 6:48pm

I don’t see a threshold setting, can you guide me? or provide me with a document?

john_hartman · June 2, 2023, 8:59pm

When setting up the alert the query is really only looking at the where statement.

When you get to the Alert Notification portion of the custom alert, hop over to the Notification tab and on the Investigation tab use custom match settings.

Screenshot 2023-06-02 at 4.57.46 PM

diiluz · June 4, 2023, 5:14am

Oh, perfect, thank you.
I totally missed it.