Create and Manage Basic Detection Rules

Custom Alerts have been renamed to Basic Detection Rules

Starting in May 2023, we will begin rolling out detection terminology changes to better reflect the functions of the Custom Alerts feature:

  • Custom Alerts are now called Basic Detection Rules
  • Pattern Detection Alerts are now called Log Pattern Detection Rules
  • Inactivity Detection Alerts are now called Log Inactivity Detection Rules
  • Change Detection Alerts are now called Log Change Detection Rules

The functions of these features remains the same. These terminology changes will be implemented throughout the documentation and in InsightIDR.

With InsightIDR, you have the option of creating basic detection rules when built-in detection rules do not suit your needs.

There are three kinds of basic detection rules:

You can also specify more granular information in the basic detection rule details, and manage your basic detection rules.

Log Inactivity Detection Rules

Also known as "Up Down Monitoring," inactivity detection rules can be used to notify you when an entire log, log group, or particular pattern becomes inactive for a given time period.

Inactivity detection is useful for system assets that must be running constantly (such as a critical server). The ability to set the time window of inactivity gives you control over your data, your environment, and your assets, and allows for damage control and prevention of data loss.

Inactivity detection behavior

Inactivity detection will monitor each log individually. For example, if the rule is monitoring a specific event across two logs and the event occurs in the first log but not the second log in the given timeframe, the rule will be triggered for the second log. Once inactivity is detected and one alert is triggered, you will only get a single alert if that pattern or log remains inactive. Activity will need to resume to restart the monitoring.

Configure a Log Inactivity Detection Rule

To configure a log inactivity detection rule:

  1. From the InsightIDR left menu, select the Log Search page.
  2. Select the log or log sets you want to include in your rule, and run a search query.
  3. Click the Query Actions button (•••) > Create Basic Detection Rule, and select Log Inactivity Detection Rule. The Create a Basic Detection Rule panel appears, with applicable steps already pre-populated.
  4. Name your rule and optionally add a description. Click Next.
  5. Confirm the logs that this alert will be associated with and click Next.
  6. Set a default priority to apply to all investigations generated by this rule.
  7. In the Create a Trigger section, choose a saved query or create a new query using LEQL operators, keywords or regex. To match an exact string using LEQL operators and keywords, place double quotes around your search criteria.
  8. Click Skip to Alert Notification if you don’t want to create a trigger.
  9. In the Alert Notification section, define how you will receive notifications. Read more about Notification Settings.
  10. Define a notification throttle to control how long the log or log sets are inactive before receiving a notification, and to control the quantity of notifications you will receive. Read more about Alert Throttling.
  11. Click Create.

Log Pattern Detection Rules

In order for a rule to trigger, a log must match the exact pattern you enter as a search term.

Alerting on patterns can be useful in situations such as monitoring server errors, critical exceptions, and general performance, and allows you to only monitor events that are important to you.

Configure a Log Pattern Detection Rule

To configure a log pattern detection rule:

  1. From the InsightIDR left menu, select the Log Search page.
  2. Select the log or log sets you want to include in your rule, and run a search query.
  3. Click the Query Actions button (•••) > Create Basic Detection Rule, and select Log Pattern Detection Rule. The Create a Basic Detection Rule panel appears, with applicable steps already pre-populated.
  4. Name your rule and optionally add a description. Click Next.
  5. Confirm the logs that this alert will be associated with and click Next.
  6. Set a default priority to apply to all investigations generated by this rule.
  7. In the Create a Trigger section, choose a saved query or create a new query using LEQL operators, keywords or regex. To match an exact string using LEQL operators and keywords, place double quotes around your search criteria.
  8. Click Skip to Alert Notification if you don’t want to create a trigger.
  9. In the Alert Notification section, define how you will receive notifications, or choose to display a label. Read more about Notification Settings.
  10. Define a notification throttle to control how many notifications you receive in a specific window of time.
  11. Click Create.

Log Change Detection Rules

Log change detection rules will notify you when a condition changes, such as HTTP 500 errors in your web access logs. They are based on calculations that you apply to log(s) or logset(s).

Change detections will help you stay on top of critical conditions when something is broken and must be immediately addressed, or occurring errors that must be escalated. This alert will minimize your time to investigate and resolve any errors.

Configure a Log Change Detection Rule

To configure a log change detection rule:

  1. From the InsightIDR left menu, select the Log Search page.
  2. Select the log or log sets you want to include in your rule, and run a search query.
  3. Click the Query Actions button (•••) > Create Basic Detection Rule, and select Log Pattern Detection Rule. The Create a Basic Detection Rule panel appears, with applicable steps already pre-populated.
  4. Name your rule and optionally add a description. Click Next.
  5. Confirm the logs that this alert will be associated with and click Next.
  6. Set a default priority to apply to all investigations generated by this rule.
  7. In the Create a Trigger section, choose a saved query or create a new query using LEQL operators, keywords or regex. To match an exact string using LEQL operators and keywords, place double quotes around your search criteria.
  8. Choose a calculation. New queries require that you specify a calculation to use. If you choose to enter a key to perform the calculation on, any changes to the key based on the calculation will trigger a detection.
  9. In the Alert Notification section, define how you will receive notifications. Read more about Notification Settings.
  10. Define a notification throttle to control how many notifications you receive in a specific window of time.
  11. Click Create.

Manage Basic Detection Rules

To edit existing basic detection rules:

  1. From the InsightIDR left menu, select Detection Rules > Basic Detection Rules.
  2. On the right of a rule, click the Pencil icon to make edits.
  3. If applicable, select the check box to enable alerting.

To delete existing basic detection rules:

  1. From the InsightIDR left menu, select Detection Rules > Basic Detection Rules.
  2. Select the rule.
  3. Click the Trashcan icon to delete the rule.

To bulk action existing basic detection rules:

  1. From the InsightIDR left menu, select Detection Rules > Basic Detection Rules.
  2. Click the checkbox at the top of the table to select all rules.
  3. Select a Radio button to choose a bulk action to apply to all of the basic detection rules, and then click Apply.