Search Language Tutorial: Configure Search, Alert Rules, and Suppressions

In order to facilitate searching for information and creating alerts around that information, Threat Stack has created its own search language. Using this standardized language ensures that the same information is targeted consistently, time and time again.

To access the Search Language Tutorial, click on the magnifying glass at the top of any page.


A window will appear that contains the search language keys and operators as well as an example of how to use them.


The Threat Stack user can now create custom searches such as IP="0.0.0.0.0", user="root", etc. Additional comparison operators are available; for instance, "starts_with" and "ends_with" can be applied to many fields. To find network events whose source IP begins with a given prefix, use: event_type="network" and src_ip starts_with "10.1.242".

Alerts are created around an event, using the same search language. However, instead of crafting the alert from scratch, the user can generate the proper filter right from the events screen.

When an event is found that is of interest, click on the "Notifications" button, which appears to the right of the metadata.

A "New Alert Rule" box will appear. Note that the alert filter is automatically populated with the necessary information using the TS search language. The user need only title the alert and assign a severity before creating the alert rule.


Additionally, an alert can be created to look for the same event across ALL agents. Following the steps outlined above, the user need only delete the agent id and rule id from the generated filter to widen the scope of the alert.
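To make the filter semantics concrete, here is an added example (this page's own illustration, not Threat Stack's code) of a small Python evaluator for filters written in the tutorial's syntax: the grammar in the comments, the precedence of "and" over "or", and the treatment of absent fields are all assumptions of this example. It runs the page's src_ip example and a CloudTrail-style region rule of the kind discussed in the comment below over constructed events.

```python
import re
# Assumed grammar approximating the tutorial's search language (this example's
# own parser, not Threat Stack's): expr := term ("or" term)*; term := factor
# ("and" factor)*; factor := "(" expr ")" | key op "value"; op is a key of OPS.
TOKEN = re.compile(r'\(|\)|!=|=|"[^"]*"|[A-Za-z_][A-Za-z0-9_.]*')
OPS = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b,
       "starts_with": str.startswith, "ends_with": str.endswith}

def compile_filter(expr):
    """Parse a filter string into a predicate over event dicts; ValueError on bad syntax."""
    tokens, pos = TOKEN.findall(expr), 0
    def take(expected=None):
        nonlocal pos
        tok = tokens[pos] if pos < len(tokens) else None
        if expected is not None and tok != expected:
            raise ValueError(f"expected {expected!r} at token {pos}, got {tok!r}")
        pos += 1
        return tok
    def parse_expr():  # "or" binds loosest
        parts = [parse_term()]
        while pos < len(tokens) and tokens[pos] == "or":
            take(); parts.append(parse_term())
        return lambda e: any(p(e) for p in parts)
    def parse_term():  # "and" binds tighter than "or"
        parts = [parse_factor()]
        while pos < len(tokens) and tokens[pos] == "and":
            take(); parts.append(parse_factor())
        return lambda e: all(p(e) for p in parts)
    def parse_factor():
        if pos < len(tokens) and tokens[pos] == "(":
            take(); inner = parse_expr(); take(")"); return inner
        key, op, raw = take(), take(), take()
        if op not in OPS or not (raw or "").startswith('"'):
            raise ValueError(f"bad comparison near {key!r} {op!r} {raw!r}")
        # Design choice of this example: an absent field compares as "", so a
        # deny-list clause like awsRegion != "us-west-1" still fires on it.
        return lambda e, k=key, o=OPS[op], v=raw[1:-1]: o(str(e.get(k, "")), v)
    pred = parse_expr()
    if pos != len(tokens):
        raise ValueError(f"unexpected token {tokens[pos]!r}")
    return pred

def matching_events(expr, events):
    """Return the events an alert rule with this filter would fire on."""
    pred = compile_filter(expr)
    return [e for e in events if pred(e)]
# Constructed sample events, not real Threat Stack data.
SAMPLE_EVENTS = [{"event_type": "network", "src_ip": "10.1.242.7", "user": "root"},
                 {"event_type": "network", "src_ip": "192.168.5.9", "user": "root"},
                 {"event_type": "process", "src_ip": "10.1.242.8", "user": "deploy"}]
```

A rule whose value is unquoted or whose parentheses are unbalanced is rejected with a ValueError rather than silently matching nothing, which is the failure mode to check first when an alert rule never fires.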


1 Comment

Kesten Broughton

    I created this CloudTrail rule successfully but I don't see an alert when creating an instance in Frankfurt, which is not in my whitelist.

    ( (eventName = "RunInstances") or ( eventName = "RequestSpotInstances" )) and ( (awsRegion != "us-west-1") and (awsRegion != "us-west-2") and (awsRegion != "us-east-1") and (awsRegion != "eu-west-1"))


    Note that I am seeing alerts in other regions.
    And I receive one for the instance I created in Frankfurt.
