Threshold on custom alert

Finally Rapid7 introduces the “having” new clauses, so you can get a sort of threshold in Log search. E.g: where(query_blocked=“true”) groupby(user) having(count>10)
Well it’s a pity that if you can not use the same query in a custom alert because the tool removes everything except the where clause. So what is the utility? I’m looking for a custom alert with a threshold, has anyone found a solution?

HI @valentina13 ,

we have been working on building a new feature which is currently in Early Access called Custom Detection Rules which will allow you to build thresholded rules such as alert me if any user has 10 or more blocked requests in 10 minutes.

Our PM @sean_obrien has been leading the charge on this work :slight_smile:


Thank you @david_smith, do you know when this feature will be available?

Hi Valentina - watch out for an email later today with more details about how your org can access this capability.

Thank you @sean_obrien :+1:

@sean_obrien Could you please update now we can create a custom alert to detect if any user account getting locked out more than 5 times in one hour? with the below query ?

where(action=“ACCOUNT_LOCKED”) groupby(target_account) having(count>=5) timeslice(1h)

@sean_obrien - can you provide these details or post them here? Would be helpful.

Hi @ceberiel this functionality is currently in early access, our PM @sean_obrien should be able to get this enabled for your Org soon. We do have plans to do a wider release of this functionality in the near future.


1 Like

Is there any way to get early access?

Thanks David

Got the functionality today and our alert is working well. Thanks!