SIEM Query for Alert

Hi Rapid7.

I'm after a query that searches for the key words 'exception' AND 'uat' (case insensitive) and only displays results if it's 10 or more from 60 min ago to now. The intention is for a SIEM alert to be triggered when exceptions for the secure service exceed a certain level.

Any examples on how to do this?

Thanks Legends!

Not sure what keys your logsets have, so adjust the groupby to fit your requirements for keys.
Process start activity logs are used as an example.
You could probably use something like:

where(/exception/i AND /uat/i) groupby(hostname, process.name) having(count>=10) limit(10000)

or if you don’t want to use regex and instead want to use specific keys in your where statement

where("process.name" icontains-all ["exception", "uat"]) groupby(hostname, process.name) having(count>=10) limit(10000)

Replace "process.name" with the key that you want to target.
The second method is better when you know the keys you want to search; the first is inclusive of every key in the log entry, so it might be slower or have a lower index factor.

I recommend reviewing:
Log Search | InsightIDR Documentation

Search Your Logs | InsightIDR Documentation

Components for Building a Query | InsightIDR Documentation

From there, I would suggest using a Basic Detection Rule and setting it up for a threshold that meets your needs.

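The rule the answer above builds in LEQL (both keywords present, case insensitive, counted per host over the last 60 minutes, fire at 10 or more), implemented in plain Python over constructed log lines so the matching and threshold behaviour can be checked offline. This is an added example, not code from the thread or from Rapid7; the log line format, the hostnames and the messages are made up for it. It also contrasts the AND semantics the asker wants with the any-of-the-keywords semantics of a `-any` operator, and shows why `count>=10` rather than `count>10` is the right threshold for "10 or more".

```python
"""Keyword-threshold detection over a sliding window (added example, constructed data)."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

KEYWORDS = ("exception", "uat")   # both must appear, case insensitive
WINDOW = timedelta(minutes=60)    # "from 60 min ago to now"
THRESHOLD = 10                    # "10 or more", so the check below is >=

# Fixed "now" so the example is reproducible; a real rule would use the wall clock.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

# Assumed line format: "<ISO-8601 UTC timestamp> <hostname> <message>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")


def _line(minutes_ago, host, message):
    """Build one constructed log line at NOW - minutes_ago."""
    ts = (NOW - timedelta(minutes=minutes_ago)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{ts} {host} {message}"


# Constructed sample logs (hostnames and messages are invented for this example).
SAMPLE_LOGS = (
    # 10 matching events in the last hour: exactly at the threshold, should alert
    [_line(5 + i, "uat-app01", f"SecureService: unhandled EXCEPTION in uat request {i}")
     for i in range(10)]
    # 3 more matching events, but older than 60 minutes: must be ignored
    + [_line(61 + i, "uat-app01", "SecureService: exception in UAT job") for i in range(3)]
    # 5 matching events only: below the threshold
    + [_line(2 * i, "uat-app02", "Exception raised while calling UAT endpoint") for i in range(5)]
    # 12 events that each mention only ONE keyword: matched by -any, not by AND
    + [_line(i, "prod-app01", "NullPointerException in checkout") for i in range(6)]
    + [_line(i, "prod-app01", "Deploy to UAT completed") for i in range(6)]
)


def parse_line(line):
    """Return (timestamp, hostname, message) or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    return ts, m.group(2), m.group(3)


def matches_all_keywords(message, keywords=KEYWORDS):
    """AND semantics, case insensitive: the equivalent of /exception/i AND /uat/i."""
    return all(re.search(re.escape(k), message, re.IGNORECASE) for k in keywords)


def matches_any_keyword(message, keywords=KEYWORDS):
    """OR semantics, case insensitive: what an icontains-any operator would give."""
    return any(re.search(re.escape(k), message, re.IGNORECASE) for k in keywords)


def count_matches(lines, now=NOW, window=WINDOW, keywords=KEYWORDS, require_all=True):
    """Count matching events per hostname inside the (now - window, now] range."""
    matcher = matches_all_keywords if require_all else matches_any_keyword
    counts = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # skip unparsable lines instead of aborting the rule
        ts, host, message = entry
        if not (timedelta(0) <= now - ts <= window):
            continue  # older than the window, or timestamped in the future
        if matcher(message, keywords):
            counts[host] += 1
    return counts


def alert_hosts(lines, now=NOW, threshold=THRESHOLD, **kwargs):
    """Hosts whose matching-event count reaches the threshold (count >= threshold)."""
    counts = count_matches(lines, now, **kwargs)
    return sorted(host for host, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print("AND counts:", dict(count_matches(SAMPLE_LOGS)))
    print("alert (>=10, AND):", alert_hosts(SAMPLE_LOGS))
    print("alert (>10, AND):", alert_hosts(SAMPLE_LOGS, threshold=11))
    print("alert (>=10, any):", alert_hosts(SAMPLE_LOGS, require_all=False))
```

On the constructed data, only `uat-app01` fires under AND semantics with `>= 10`; with `count>10` (threshold 11) nothing fires, which is the off-by-one a rule written with `>` would hide, and with any-keyword semantics `prod-app01` fires on lines that never contain both words.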

Many thanks Rio - your effort has me in the right direction :)