Finally Rapid7 introduces the “having” new clauses, so you can get a sort of threshold in Log search. E.g: where(query_blocked=“true”) groupby(user) having(count>10)
Well it’s a pity that if you can not use the same query in a custom alert because the tool removes everything except the where clause. So what is the utility? I’m looking for a custom alert with a threshold, has anyone found a solution?
HI @valentina13 ,
we have been working on building a new feature which is currently in Early Access called Custom Detection Rules which will allow you to build thresholded rules such as alert me if any user has 10 or more blocked requests in 10 minutes.
Our PM @sean_obrien has been leading the charge on this work 
David
Hi Valentina - watch out for an email later today with more details about how your org can access this capability.
@sean_obrien Could you please update now we can create a custom alert to detect if any user account getting locked out more than 5 times in one hour? with the below query ?
where(action=“ACCOUNT_LOCKED”) groupby(target_account) having(count>=5) timeslice(1h)
Hi @ceberiel this functionality is currently in early access, our PM @sean_obrien should be able to get this enabled for your Org soon. We do have plans to do a wider release of this functionality in the near future.
David
1 Like
Is there any way to get early access?
Thanks David
Got the functionality today and our alert is working well. Thanks!