Events Queries as a Sensor
In version 5.3.0 we introduced Events Queries, the new mechanism for searching events and producing alerts (see this section).
In this article we explain how to replace a sensor with an events query, in order to gain more flexibility and use fewer SGBox resources.
Requirements:
- SGBox version 5.3.0
- The pattern must belong to a specific class.
Scenario:
- You detect that a suspicious event has been repeated many times and you want to send an alert.
In the From field, select the class and the event.
In the Select field, write the following string: $PARAM:[SourceIP] as SourceIP, count() as count
In the Finally field, write the following string: group by SourceIP having count() >= 5
At the end you can test your query.
After configuring your query you can choose the TimeInterval and the Actions:
- TimeInterval: the period of time (in minutes) in which the events must occur. If we choose 1 in the previous example, it means: 5 unix logon failures in 1 minute.
- Action: what the system does if this query is verified: send an email, generate an event, add a parameter to a list.
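To make the semantics of the query above concrete, here is an added Python example (not SGBox code, and not from the original article) that emulates what the events query computes: it filters a constructed set of sample events to the selected event name and the last TimeInterval minutes, groups them by SourceIP, and keeps only the sources whose count meets the "having count() >= 5" threshold. The event name "Unix Logon Fail", the timestamps and the IP addresses are all constructed for the example; the window is evaluated relative to the newest event in the sample, which is an assumption about how the interval is anchored.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (timestamp, event name, SourceIP); not real SGBox data.
SAMPLE_EVENTS = [
    ("2024-01-01 09:50:00", "Unix Logon Fail", "10.0.0.5"),     # older than a 1-minute window
    ("2024-01-01 10:00:05", "Unix Logon Fail", "10.0.0.5"),
    ("2024-01-01 10:00:12", "Unix Logon Fail", "10.0.0.5"),
    ("2024-01-01 10:00:20", "Unix Logon Fail", "10.0.0.9"),
    ("2024-01-01 10:00:25", "Unix Logon Fail", "10.0.0.5"),
    ("2024-01-01 10:00:33", "Unix Logon Fail", "10.0.0.5"),
    ("2024-01-01 10:00:40", "Unix Logon Fail", "10.0.0.9"),
    ("2024-01-01 10:00:41", "Unix Logon Success", "10.0.0.9"),  # different event, not selected
    ("2024-01-01 10:00:48", "Unix Logon Fail", "10.0.0.5"),
    ("2024-01-01 10:00:55", "Unix Logon Fail", "10.0.0.9"),
]


def parse_ts(value):
    """Parse the constructed timestamp format used in SAMPLE_EVENTS."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def run_query(events, event_name, time_interval_minutes, threshold, now=None):
    """Emulate an events query of the form:
         From:    <class> / event_name
         Select:  $PARAM:[SourceIP] as SourceIP, count() as count
         Finally: group by SourceIP having count() >= threshold
       evaluated over the last time_interval_minutes.
       Returns {SourceIP: count} for every source that meets the threshold.
       (Assumption: the interval ends at the newest event when 'now' is not given.)"""
    if now is None:
        now = max(parse_ts(ts) for ts, _, _ in events)
    window_start = now - timedelta(minutes=time_interval_minutes)

    counts = defaultdict(int)
    for ts, name, source_ip in events:
        when = parse_ts(ts)
        # The From field restricts the event; the TimeInterval restricts the period.
        if name == event_name and window_start <= when <= now:
            counts[source_ip] += 1          # count() grouped by SourceIP

    # The "having count() >= threshold" clause keeps only the noisy sources.
    return {ip: n for ip, n in counts.items() if n >= threshold}


def list_entries(matches):
    """Emulate the 'add parameter to a list' action: the SourceIP values that
       would be appended to the chosen list, in a stable order."""
    return sorted(matches)


if __name__ == "__main__":
    hits = run_query(SAMPLE_EVENTS, "Unix Logon Fail", 1, 5)
    print("Sources with >= 5 logon failures in 1 minute:", hits)
    print("Values that would be added to the list:", list_entries(hits))
```

Running the block with the sample data reports only 10.0.0.5 (five failures inside the one-minute window; the 09:50 failure is outside it), while 10.0.0.9 stays below the threshold with three. Widening the TimeInterval or lowering the threshold changes which sources match, which is exactly the trade-off to tune when the query replaces a sensor.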
Send an email
Generate an event
Remember that you need to map the SQL variables to a specific SGBox parameter.
Add parameter to a list
Remember that you need to specify a list and the parameter you want to add to the list.