Timeframe in custom detection rule

Hello Team,
Please can anyone confirm below points:

  1. Does the timeframe in a custom detection rule use ingestion time for the calculation? If yes, does this mean we should ideally have real-time logs in Rapid7, and only then will it check the query logic within the required timeframe? Otherwise, with batch files, it will consider all logs the same, as they will be ingested at almost the same time.
  2. Is there any way to use the time field from the logs in the timeframe while creating a custom detection rule?
  1. We don't use the ingestion time for the rule itself; we rely on the timestamp within the log. However, log events are checked against the detection engine at ingestion time, meaning there will typically be some delay, usually 5-7 minutes, between an action occurring and the Investigation being created.

  2. You can use the time field, but it's considered a string, so you would likely need to use regex to perform comparison operations. What did you have in mind?

David

Thanks @david_smith for your response.

I want to create an alert if any user logs in more than 5 times with invalid credentials within 30 minutes. The logs we are getting are not real time; all of yesterday's logs are ingested today in a batch.

This is the current setup we have:

Query logic: where("POSTSTATE.0.REASON.0" = "Invalid Username and/or Password")


  1. Can you please tell me whether this is achievable in the way (batch files) we are ingesting logs into Rapid7?
  2. How can I use the time field (string - datetime) from the logs in the timeframe?
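As an added example (not part of this thread and not a Rapid7 feature), the rule described above implemented outside the platform: failures are ordered by the log's own timestamp and counted in a sliding 30-minute window per user, so batch-ingested logs are evaluated by when they happened rather than when they arrived. The field names `time` and `user`, the timestamp format, and the sample events are assumptions constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_REASON = "Invalid Username and/or Password"
WINDOW = timedelta(minutes=30)
THRESHOLD = 5  # alert when failures in one window exceed this count

# Constructed sample events (field names are assumptions). The log carries its
# own timestamp as a string, as in the thread; alice's events are deliberately
# listed out of order to mimic batch ingestion, bob's are spread over six hours.
SAMPLE_EVENTS = (
    [{"time": f"2024-05-06 09:{m:02d}:00", "user": "alice",
      "POSTSTATE.0.REASON.0": FAIL_REASON} for m in (20, 4, 0, 16, 8, 12)]
    + [{"time": f"2024-05-06 {h:02d}:00:00", "user": "bob",
        "POSTSTATE.0.REASON.0": FAIL_REASON} for h in range(8, 14)]
    + [{"time": "2024-05-06 09:10:00", "user": "alice",
        "POSTSTATE.0.REASON.0": "Success"}]
)


def parse_time(value: str) -> datetime:
    """Turn the log's string timestamp into a datetime (format is an assumption)."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def find_brute_force(events, window=WINDOW, threshold=THRESHOLD):
    """Return {user: log time at which the failure count first exceeded threshold}.

    Sorting by the event's own timestamp makes ingestion order irrelevant, so a
    day of logs delivered in one batch yields the same alerts as a live feed.
    """
    failures = [e for e in events if e.get("POSTSTATE.0.REASON.0") == FAIL_REASON]
    failures.sort(key=lambda e: parse_time(e["time"]))
    recent = defaultdict(deque)  # user -> failure times inside the current window
    alerts = {}
    for e in failures:
        ts = parse_time(e["time"])
        q = recent[e["user"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) > threshold and e["user"] not in alerts:
            alerts[e["user"]] = ts
    return alerts


if __name__ == "__main__":
    for user, when in find_brute_force(SAMPLE_EVENTS).items():
        print(f"ALERT: {user} exceeded {THRESHOLD} failed logins by {when}")
```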

Hi @vvivek.halpatrao, I think it would be best to look at this over a support case so that we can look at some real examples. You can reference this discussion when you open one.