Create and Manage Basic Detection Rules

Custom Alerts have been renamed to Basic Detection Rules

Starting in May 2023, we will begin rolling out detection terminology changes to better reflect the functions of the Custom Alerts feature:

  • Custom Alerts are now called Basic Detection Rules
  • Pattern Detection Alerts are now called Log Pattern Detection Rules
  • Inactivity Detection Alerts are now called Log Inactivity Detection Rules
  • Change Detection Alerts are now called Log Change Detection Rules

The functions of these features remain the same. These terminology changes will be implemented throughout the documentation and in InsightIDR.

With InsightIDR, you have the option of creating basic detection rules when built-in detection rules do not suit your needs.

There are three kinds of basic detection rules:

  • Log Inactivity Detection Rules
  • Log Pattern Detection Rules
  • Log Change Detection Rules

You can also specify more granular information in the basic detection rule details, and manage your basic detection rules.

Log Inactivity Detection Rules

Also known as "Up Down Monitoring," inactivity detection rules can be used to notify you when an entire log, log group, or particular pattern becomes inactive for a given time period.

Inactivity detection is useful for system assets that must be running constantly (such as a critical server). The ability to set the time window of inactivity gives you control over your data, your environment, and your assets, and allows for damage control and prevention of data loss.

Inactivity detection behavior

Inactivity detection monitors each log individually. For example, if the rule watches for a specific event across two logs and the event occurs in the first log but not in the second within the given timeframe, the rule triggers for the second log only. Once inactivity is detected and an alert is triggered, you receive no further alerts while that pattern or log remains inactive; activity must resume in that log before the rule can alert on it again.
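
The behaviour described above, as an added example that is not InsightIDR's own code: a small Python simulation in which each log is tracked separately, an optional regex restricts which events count as activity, one alert fires when a log crosses the inactivity window, and the rule re-arms only after matching activity resumes. Log names ("web-01", "web-02"), the heartbeat messages and the timestamps are constructed for the demonstration.

```python
"""Simulated log inactivity detection (added example; not InsightIDR code).

Each monitored log is tracked on its own, an optional pattern decides which
events count as activity, a single alert fires when a log crosses the
inactivity window, and the rule re-arms only once activity resumes.
Timestamps are plain integers (seconds) for clarity.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class InactivityRule:
    name: str
    logs: List[str]                 # each log is monitored individually
    window_s: int                   # seconds of silence before an alert fires
    pattern: Optional[str] = None   # regex; None means any event in the log counts


@dataclass
class InactivityMonitor:
    rule: InactivityRule
    last_seen: Dict[str, int] = field(default_factory=dict)  # log -> last matching event time
    alerted: Set[str] = field(default_factory=set)           # logs currently in alert state

    def start(self, t0: int) -> None:
        """Arm the rule: every monitored log is treated as active at t0."""
        for log in self.rule.logs:
            self.last_seen[log] = t0

    def ingest(self, log: str, ts: int, message: str) -> None:
        """Record an event; only events matching the pattern count as activity."""
        if log not in self.rule.logs:
            return
        if self.rule.pattern and not re.search(self.rule.pattern, message):
            return
        self.last_seen[log] = ts
        self.alerted.discard(log)   # activity resumed, so a later silence can alert again

    def check(self, now: int) -> List[str]:
        """Return logs that cross the inactivity window at `now` and are not already alerted."""
        fired = []
        for log in self.rule.logs:
            silent_for = now - self.last_seen[log]
            if silent_for >= self.rule.window_s and log not in self.alerted:
                self.alerted.add(log)
                fired.append(log)
        return fired


def run_demo() -> List[Tuple[int, List[str]]]:
    """Replay a constructed timeline and return (check_time, logs_alerted) for each check."""
    rule = InactivityRule("heartbeat-missing", ["web-01", "web-02"],
                          window_s=300, pattern=r"\bheartbeat\b")
    mon = InactivityMonitor(rule)
    mon.start(0)
    # Constructed sample events (hypothetical log names and messages): (ts, log, message)
    events = [
        (60, "web-01", "heartbeat ok"),
        (60, "web-02", "heartbeat ok"),
        (360, "web-01", "heartbeat ok"),
        (800, "web-02", "heartbeat ok"),            # web-02 recovers and re-arms
        (900, "web-01", "GET /index.html 200"),     # activity, but not the watched pattern
    ]
    checks = [400, 700, 1200]
    timeline = sorted(
        [(ts, "event", log, msg) for ts, log, msg in events]
        + [(ts, "check", "", "") for ts in checks],
        key=lambda item: (item[0], item[1]),
    )
    results = []
    for ts, kind, log, msg in timeline:
        if kind == "event":
            mon.ingest(log, ts, msg)
        else:
            results.append((ts, mon.check(ts)))
    return results


if __name__ == "__main__":
    for ts, fired in run_demo():
        print(f"t={ts:5d} alert for: {fired or 'nothing'}")
```

At t=400 only web-02 alerts (web-01 was active at t=360); at t=700 web-01 alerts and web-02, still silent, does not alert a second time; at t=1200 web-02 alerts again because its heartbeat at t=800 re-armed the rule, while the non-matching request on web-01 at t=900 did not count as activity.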

On the Log Search page, you can create log inactivity detection rules in two different ways:

  • Auto-populate a rule from logs or a query you have already selected
  • Manually configure a rule from scratch

You can always switch to a different rule type during configuration.

Auto-Populate a Log Inactivity Detection Rule

To auto-populate a log inactivity detection rule:

  1. From the InsightIDR left menu, select the Log Search page.
  2. Select the log or log sets you want in the rule, or use a search query to look for a specific set of logs.
  3. Click the Detection Rules button and choose a detection type based on the selected logs. The “Create a Basic Detection Rule” panel appears, with applicable steps already pre-populated.
  4. Name your rule and optionally add a description. Click Next.
  5. Set a default priority. This applies to all investigations generated by this rule.
  6. In the “Trigger” section, choose a saved query or create a new query using LEQL operators, keywords or regex. To match an exact string using LEQL operators and keywords, place double quotes around your search criteria.
  7. Click Skip to Alert Notification if you don’t want to create a trigger.
  8. In the “Alert Notification” section, define how you will receive notifications. Read more about Notification Settings.
  9. Define a notification throttle to control how long the log or log sets are inactive before receiving an alert, and to control the quantity of alert notifications you will receive. Read more about Alert Throttling.
  10. Click Create.

Manually Configure a Log Inactivity Detection Rule

To configure a log inactivity detection rule:

  1. From the InsightIDR left menu, select the Log Search page.
  2. Click the Detection Rules button and select Log Inactivity Detection Rule. The “Create a Basic Detection Rule” panel appears, with applicable steps already pre-populated.
  3. Name your rule and optionally add a description. Click Next.
  4. Select one or more logs or the log sets you want to use in the rule. Click Next.
  5. Set a default priority. This applies to all investigations generated by this rule.
  6. In the “Trigger” section, choose a saved query or create a new query using LEQL operators, keywords or regex. To match an exact string using LEQL operators and keywords, place double quotes around your search criteria.
    • If you do not add a trigger or pattern, the rule will automatically use the logs to detect inactivity.
  7. In “Trigger Settings,” customize the amount of time a log or pattern must be inactive before it triggers an alert. By default, an inactivity period of five days will trigger an alert. Click Next.
  8. In the “Alert Notification” section, define how you will receive notifications. Read more about Notification Settings.
  9. Define a notification throttle to control how long the log or log sets are inactive before receiving an alert, and for the quantity of alert notifications you will receive. Read more about Alert Throttling.
  10. Click Create.

Log Pattern Detection Rules

In order for a rule to trigger, a log must match the exact pattern you enter as a search term.

Alerting on patterns can be useful in situations such as monitoring server errors, critical exceptions, and general performance, and allows you to only monitor events that are important to you.

On the Log Search page, you can create Log Pattern Detection Rules in two different ways:

  • Auto-populate a rule from logs or a query you have already selected
  • Manually create a rule from scratch

Auto-Populate a Log Pattern Detection Rule

To auto-populate a log pattern detection rule:

  1. From the InsightIDR left menu, select the Log Search page.
  2. Select the log or log sets you want in the rule, or use a search query to look for a specific set of logs.
  3. Click the Detection Rules button and choose a rule type based on the selected logs. The “Create a Basic Detection Rule” panel appears, with applicable steps already pre-populated.
  4. Name your rule and optionally add a description. Click Next.
  5. Set a default priority. This applies to all investigations generated by this rule.
  6. In the “Trigger” section, choose a saved query or create a new query using LEQL operators, keywords or regex. To match an exact string using LEQL operators and keywords, place double quotes around your search criteria.
  7. In the “Alert Notification” section, choose whether you want to apply labels to the pattern or receive alerts from email or other integrations. If you choose the latter, you can define the log information you'd like included. See Notification Settings for more information.
  8. Define a notification throttle to control how many alert notifications you receive in a specific window of time. Read more about Alert Throttling.
  9. Click Create.

Manually Create a Log Pattern Detection Rule

To configure a log pattern detection rule:

  1. From the InsightIDR left menu, select the Log Search page.
  2. Click the Detection Rules button and select Log Pattern Detection Rule. The “Create a Basic Detection Rule” panel appears; if you have already selected logs or log sets, or defined a query, these fields are pre-populated.
  3. Name your rule and optionally add a description. Click Next.
  4. Select one or more logs or the log sets you want to use in the rule. Click Next.
  5. Set a default priority. This applies to all investigations generated by this rule.
  6. In the “Trigger” section, choose a saved query or create a new query using LEQL operators, keywords or regex. To match an exact string using LEQL operators and keywords, place double quotes around your search criteria.
  7. In the “Alert Notification” section, choose whether you want to apply labels to the pattern or receive alerts from email or other integrations. If you choose the latter, you can define the log information you'd like included. See Notification Settings for more information.
  8. Under the “Notification” tab, choose the notification trigger setting you want. Alerts are sent only for the trigger you select here.
  9. Define a notification throttle to control how many alert notifications you receive in a specific window of time. Read more about Alert Throttling.
  10. Click Create.

Log Change Detection Rules

Log change detection rules notify you when a calculated condition changes, such as the number of HTTP 500 errors in your web access logs. They are based on calculations that you apply to one or more logs or log sets.

Change detection helps you stay on top of critical conditions when something is broken and must be addressed immediately, or recurring errors that must be escalated, and reduces the time needed to investigate and resolve them.

On the Log Search page, you can create log change detection rules in two different ways:

  • Auto-populate a rule from logs or a query you have already selected
  • Manually configure a rule from scratch

Auto-Populate a Log Change Detection Rule

To auto-populate a log change detection rule:

  1. From the InsightIDR left menu, select the Log Search page.
  2. Select the log or log sets you want in the rule, or use a search query to look for a specific set of logs.
  3. Click the Detection Rules button and choose a rule type based on the selected logs. The “Create a Basic Detection Rule” panel appears, with applicable steps already pre-populated.
  4. Name your rule and optionally add a description. Click Next.
  5. Set a default priority. This applies to all investigations generated by this rule.
  6. In the “Trigger” section, choose a saved query or create a new query using LEQL operators, keywords or regex. To match an exact string using LEQL operators and keywords, place double quotes around your search criteria.
  7. Choose a calculation. New queries require that you specify a calculation; adding a key to apply the calculation to is optional. Any change in the calculated value (per key, if one is set) will trigger an alert.
  8. In the “Alert Notification” section, define how you will receive notifications. Read more about Notification Settings.
  9. Define a notification throttle to control how many alerts you receive in a specific window of time.
  10. Click Create.

Manually Configure a Log Change Detection Rule

To configure a log change detection rule:

  1. From the InsightIDR left menu, select the Log Search page.
  2. Click the Detection Rules button, and click Log Change Detection Rule.
  3. Name your rule and optionally add a description. Click Next.
  4. In the Logs section, select one or more logs or the log sets you want to use in the rule.
  5. Set a default priority. This applies to all investigations generated by this rule.
  6. In the “Trigger” section, choose a saved query or create a new query using LEQL operators, keywords or regex. To match an exact string using LEQL operators and keywords, place double quotes around your search criteria.
  7. Choose a calculation. New queries require that you specify a calculation; adding a key to apply the calculation to is optional. Any change in the calculated value (per key, if one is set) will trigger an alert.
  8. Optionally customize the notification settings to define how severe the change is before triggering an alert.
  9. In the “Alert Notification” section, define how you will receive notifications. Read more about Notification Settings.
  10. Define a notification throttle to control how many alerts you receive in a specific window of time.
  11. Click Create.
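
The trigger, calculation and key described in the two change detection procedures above, as an added example that is not InsightIDR's own code: a Python simulation that filters constructed access-log lines on the trigger (HTTP status 500), applies a count calculation per 60-second window, optionally splits the count by a key (host), and alerts when a key's count moves between consecutive windows by more than a configurable amount, standing in for the severity setting in the notification step. The host names, paths and log format are constructed for the demonstration; the rough LEQL analogue is a `where(status=500) groupby(host) calculate(count)` query. The trigger filter is the same exact-match step a Log Pattern Detection Rule performs before a calculation is added.

```python
"""Simulated log change detection over a windowed calculation (added example; not InsightIDR code).

The trigger selects events, a calculation (count per time window) is applied to
them, optionally split by a key, and an alert is raised when the calculated value
for a key changes between consecutive windows by more than `min_delta`.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from typing import Any, Callable, Dict, Iterable, List, Optional, Tuple

# Constructed sample lines (hypothetical hosts and paths): <epoch> <host> "<method> <path>" <status>
SAMPLE_LINES = [
    '0 web-01 "GET /api/orders" 500',
    '5 web-02 "GET /api/orders" 200',
    '65 web-01 "POST /api/cart" 500',
    '70 web-02 "GET /healthz" 200',
    '121 web-01 "GET /api/orders" 500',
    '122 web-01 "GET /api/orders" 500',
    '123 web-01 "GET /api/orders" 500',
    '124 web-01 "GET /api/orders" 500',
    '125 web-01 "GET /api/orders" 500',
    '126 web-01 "GET /api/orders" 500',
    '130 web-02 "GET /api/orders" 200',
    '185 web-01 "GET /api/orders" 500',
    '190 web-02 "GET /api/orders" 500',
    'garbage line that does not parse',
]

LINE_RE = re.compile(
    r'^(?P<ts>\d+) (?P<host>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$'
)

Event = Dict[str, Any]


def parse(lines: Iterable[str]) -> List[Event]:
    """Parse the simple access-log format above; unparseable lines are dropped."""
    events: List[Event] = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": int(m["ts"]), "host": m["host"], "method": m["method"],
                           "path": m["path"], "status": int(m["status"])})
    return events


def windowed_counts(events: List[Event], window_s: int, key: Optional[str],
                    trigger: Callable[[Event], bool]) -> Dict[int, Counter]:
    """Count trigger-matching events per window, split by `key` (or one '*' bucket if no key)."""
    buckets: Dict[int, Counter] = defaultdict(Counter)
    for e in events:
        if not trigger(e):
            continue
        window = (e["ts"] // window_s) * window_s
        buckets[window][e[key] if key else "*"] += 1
    return buckets


def detect_changes(buckets: Dict[int, Counter], window_s: int,
                   min_delta: int = 0) -> List[Tuple[int, str, int, int]]:
    """Return (window, key, before, after) wherever a key's count moves by more than min_delta.

    The first window is the baseline and never alerts. Windows with no matching
    events count as zero, so a burst dropping back to normal also alerts.
    """
    alerts: List[Tuple[int, str, int, int]] = []
    if not buckets:
        return alerts
    keys = sorted(set().union(*buckets.values()))
    prev: Optional[Dict[str, int]] = None
    for window in range(min(buckets), max(buckets) + window_s, window_s):
        cur = buckets.get(window, Counter())
        if prev is not None:
            for k in keys:
                before, after = prev[k], cur.get(k, 0)
                if abs(after - before) > min_delta:
                    alerts.append((window, k, before, after))
        prev = {k: cur.get(k, 0) for k in keys}
    return alerts


def is_server_error(e: Event) -> bool:
    """The trigger: only HTTP 500 responses feed the calculation."""
    return e["status"] == 500


def run_demo() -> Dict[str, List[Tuple[int, str, int, int]]]:
    events = parse(SAMPLE_LINES)
    per_host = windowed_counts(events, 60, "host", is_server_error)
    overall = windowed_counts(events, 60, None, is_server_error)
    return {
        "per_host_any_change": detect_changes(per_host, 60),
        "per_host_min_delta_2": detect_changes(per_host, 60, min_delta=2),
        "overall_any_change": detect_changes(overall, 60),
    }


if __name__ == "__main__":
    for name, alerts in run_demo().items():
        print(name)
        for window, key, before, after in alerts:
            print(f"  window {window:4d}  key={key:<6}  {before} -> {after}")
```

With a key of host and any change alerting, web-01 alerts when its 500 count jumps from 1 to 6 in the 120-second window and again when it falls back to 1, and web-02 alerts on its first 500 (0 to 1); raising `min_delta` to 2 suppresses that single-error change on web-02. Without a key, the counts are summed across hosts and only the burst and its recovery alert.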

Manage Basic Detection Rules

To edit existing basic detection rules:

  1. From the InsightIDR left menu, select Detection Rules > Basic Detection Rules.
  2. On the right of a rule, click the Pencil icon to make edits.
  3. If applicable, select the check box to enable alerting.

To delete existing basic detection rules:

  1. From the InsightIDR left menu, select Detection Rules > Basic Detection Rules.
  2. Select the rule.
  3. Click the Trashcan icon to delete the rule.

To bulk action existing basic detection rules:

  1. From the InsightIDR left menu, select Detection Rules > Basic Detection Rules.
  2. Click the checkbox at the top of the table to select all rules.
  3. Select a radio button to choose a bulk action to apply to all of the selected basic detection rules, and then click Apply.