Replace a Sensor with Events Queries


Events Queries as a Sensor

In version 5.3.0 we introduced Events Queries, a new mechanism to search events and produce alerts (see this section).
In this article we explain how to replace a sensor with an Events Query, which gives you more flexibility and uses fewer SGBox resources.

Requirements:

  • SGBox version 5.3.0 or later
  • The event pattern must belong to a specific class (the query's From field selects a class and an event).

Scenario:

  • A suspicious event is repeated many times from the same source and you want to send an alert.

In the From field, select the class and the event.

In the Select field, write the following string:
$PARAM:[SourceIP] as SourceIP, count() as count

In the Finally field, write the following string:
group by SourceIP having count() >= 5

$PARAM:[SourceIP] reads the SourceIP parameter of each event; the query groups the selected events by that value and matches only the sources that produced at least 5 of them.

At the end you can Test your query.


After you have configured the query, choose the TimeInterval and the Actions.

  • TimeInterval: the period of time (in minutes) in which the events must occur. With the query above, a value of 1 means: 5 or more Unix logon failures from the same SourceIP within 1 minute.
  • Action: what the system does when the query matches: send an email, generate an event, or add a parameter to a list.

Send an email

Generate an event
Remember that you need to map the SQL variables (the columns returned by the Select field, here SourceIP and count) to a specific SGBox parameter.

Add parameter to a list
Remember that you need to specify the list and the parameter (for example SourceIP) you want to add to it.
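The detection described above as a runnable stand-in, written for this article as an added example and not SGBox code: a constructed set of sample events is loaded into an in-memory SQLite table, the query is restricted to the TimeInterval window, grouped by SourceIP and filtered with the having threshold, and the matching sources are then put into a list, as the "Add parameter to a list" action would. The table and column names, the class and event names, the timestamps and the IP addresses are all assumptions made for the example.

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed sample events, not real SGBox data: (timestamp, class, event, source_ip).
# "now" is fixed so the example is deterministic.
NOW = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_EVENTS = (
    # 10.0.0.5: six Unix logon failures spread over the last 50 seconds -> should alert
    [(NOW - timedelta(seconds=10 * i), "Unix", "Logon Failure", "10.0.0.5") for i in range(6)]
    # 10.0.0.7: only three failures in the window -> below the threshold of 5
    + [(NOW - timedelta(seconds=15 * i), "Unix", "Logon Failure", "10.0.0.7") for i in range(3)]
    # 10.0.0.9: one recent failure plus four that are three minutes old -> outside a 1-minute window
    + [(NOW - timedelta(seconds=5), "Unix", "Logon Failure", "10.0.0.9")]
    + [(NOW - timedelta(minutes=3, seconds=i), "Unix", "Logon Failure", "10.0.0.9") for i in range(4)]
    # a different event of the same class must not be counted
    + [(NOW - timedelta(seconds=2), "Unix", "Logon Success", "10.0.0.5")]
)


def find_repeated_sources(events, now, event_class, event_name,
                          interval_minutes=1, threshold=5):
    """Equivalent of the Events Query in the article.

    From:         events of event_class / event_name      (the From field)
    Select:       SourceIP, count()                       (the Select field)
    Finally:      group by SourceIP having count() >= threshold
    TimeInterval: only events in the last interval_minutes are considered.
    Returns a list of (SourceIP, count) tuples, highest count first.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE events (ts TEXT, event_class TEXT, event_name TEXT, source_ip TEXT)"
    )
    conn.executemany(
        "INSERT INTO events VALUES (?, ?, ?, ?)",
        [(ts.isoformat(), cls, ev, ip) for ts, cls, ev, ip in events],
    )
    # ISO-8601 strings compare correctly as text, so the window check stays in SQL.
    window_start = (now - timedelta(minutes=interval_minutes)).isoformat()
    rows = conn.execute(
        """
        SELECT source_ip AS SourceIP, count(*) AS count
        FROM events
        WHERE event_class = ? AND event_name = ? AND ts >= ? AND ts <= ?
        GROUP BY SourceIP
        HAVING count(*) >= ?
        ORDER BY 2 DESC, 1
        """,
        (event_class, event_name, window_start, now.isoformat(), threshold),
    ).fetchall()
    conn.close()
    return rows


def add_to_list(parameter_list, matches):
    """The 'Add parameter to a list' action: put each matching SourceIP into the
    given list (a set here, so repeated alerts do not duplicate entries) and
    return the updated list."""
    for source_ip, _count in matches:
        parameter_list.add(source_ip)
    return parameter_list


if __name__ == "__main__":
    matches = find_repeated_sources(SAMPLE_EVENTS, NOW, "Unix", "Logon Failure")
    for source_ip, count in matches:
        print(f"ALERT: {count} Unix logon failures from {source_ip} in the last minute")
    print("blocklist:", sorted(add_to_list(set(), matches)))
```

With the defaults (TimeInterval 1, threshold 5) only 10.0.0.5 matches; widening the interval to 5 minutes also picks up 10.0.0.9, which shows why the TimeInterval is part of the detection and not just a scheduling detail.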