Search Language Tutorial: Configure Event Search, Alert Rules, and Suppressions

To make it easier to search for information and to create alerts around it, Threat Stack has created its own search language. Using this standardized language ensures that a search or alert targets exactly the same information every time it runs.

To access the Search Language Tutorial, click on the magnifying glass at the top of the Events page.

A window will appear that contains the search language keys and operators as well as an example of how to use them.

The Threat Stack user can now create custom searches such as IP="0.0.0.0", user="root", etc. Additional comparison operators are also available; for instance, "starts_with" and "ends_with" work on many fields. To find network events whose source IP begins with a given prefix, use: event_type="network" and src_ip starts_with "10.1.242".

Alerts are created around an event, using the same search language. However, instead of crafting the alert filter from scratch, the user can generate the required information directly from the Events screen.

When an event is found that is of interest, click on the “Notifications” button which will appear to the right of the metadata.

A “New Alert Rule” box will appear. Note that the alert filter is automatically populated with the necessary information, written in the Threat Stack search language. The user need only title the alert and assign a severity before creating the alert rule.

Additionally, an alert can be created to look for the same event across ALL agents. Following the steps outlined above, the user need only delete the agent id and rule id from the generated filter to widen the scope of the alert.
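As an added, stand-alone illustration of how a query in this kind of search language can be evaluated, the following Python compiles a query into a predicate and runs it over event records. This is example code written for this page, not Threat Stack's implementation; the grammar, the precedence of "and" over "or", and the rule that an absent field never matches (even for "!=") are assumptions based on the examples above.

```python
import re

# Assumed grammar reconstructed from the article's examples, not Threat Stack's own parser.
_TOKEN = re.compile(r'\s+|(?P<sym>\(|\)|!=|=)|"(?P<str>[^"]*)"|(?P<word>[A-Za-z_][\w.]*)|(?P<bad>.)')
_OPS = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b,
        "starts_with": lambda a, b: a.startswith(b), "ends_with": lambda a, b: a.endswith(b)}

def tokenize(query):
    tokens = []
    for m in _TOKEN.finditer(query):
        if m.lastgroup == "bad":
            raise ValueError(f"unexpected character {m.group()!r} at offset {m.start()}")
        if m.lastgroup:  # whitespace matches set no group and are skipped
            tokens.append((m.lastgroup, m.group(m.lastgroup)))
    return tokens

def compile_query(query):
    """Parse a query into a predicate over one event dict. Grammar: expr := term ('or' term)*,
    term := factor ('and' factor)*, factor := '(' expr ')' | field op "value"; 'and' binds tighter."""
    toks = tokenize(query)
    def peek(): return toks[0] if toks else (None, None)
    def take(): return toks.pop(0) if toks else (None, None)
    def expr():
        node = term()
        while peek() == ("word", "or"):
            take()
            node = (lambda ev, l=node, r=term(): l(ev) or r(ev))
        return node
    def term():
        node = factor()
        while peek() == ("word", "and"):
            take()
            node = (lambda ev, l=node, r=factor(): l(ev) and r(ev))
        return node
    def factor():
        tok = take()
        if tok == ("sym", "("):
            node = expr()
            if take() != ("sym", ")"):
                raise ValueError("expected ')'")
            return node
        op, val = take(), take()
        if tok[0] != "word" or op[1] not in _OPS or val[0] != "str":
            raise ValueError(f'expected field op "value", got {tok} {op} {val}')
        field, test, value = tok[1], _OPS[op[1]], val[1]
        return lambda ev: field in ev and test(str(ev[field]), value)  # absent field never matches
    match = expr()
    if toks:
        raise ValueError(f"trailing tokens: {toks}")
    return match
```

Call compile_query once per rule and reuse the returned predicate across events; it raises ValueError for an unquoted value, an unknown operator or an unbalanced parenthesis rather than silently matching nothing.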

Comments
  • I created this CloudTrail rule successfully but I don't see an alert when creating an instance in Frankfurt which is not in my whitelist.

    ( (eventName = "RunInstances") or ( eventName = "RequestSpotInstances" )) and ( (awsRegion != "us-west-1") and (awsRegion != "us-west-2") and (awsRegion != "us-east-1") and (awsRegion != "eu-west-1"))

    Note that I am seeing alerts in other regions.
    And I receive one for the instance I created in Frankfurt.

    12:26:31