Basic Trix Queries

Query / Explanation

* in log.audit | trix trix.uniqueIds.fields = (user)
  Explanation: user column as the unique key (mandatory)

* in log.audit | trix trix.uniqueIds.fields = (user, pid)
  Explanation: user or pid column as the unique key (mandatory)

* in log.audit | trix trix.uniqueIds.fields = (user+pid)
  Explanation: the combination of the user and pid columns as the unique key (mandatory)

* in log.audit | trix trix.uniqueIds.fields = (user) trix.uniqueSubIds.fields = (pid)
  Explanation: pid column as an optional unique sub-key

* in log.audit | trix trix.uniqueIds.fields = (user) trix.uniqueSubIds.fields = (pid) cep.name=(session id)
  Explanation: the name of each complex event is taken from the session id value

* in log.audit | trix trix.uniqueIds.fields = (user) trix.uniqueSubIds.fields = (pid) cep.name=(session id) cep.groups=(session id)
  Explanation: the groups list is taken from the session id values

* in log.audit | trix trix.uniqueIds.fields = (user) trix.uniqueSubIds.fields = (pid) cep.name=(session id) cep.groups=(session id) cep.type=(thread)
  Explanation: the types list is taken from the thread values

Time Statistics Trix Queries

Query / Explanation

* in log.audit | trix trix.uniqueIds.fields = (user) | where cep.time > 10000
  Explanation: Trix events that took more than 10 seconds (cep.time is in milliseconds)

* in log.audit | trix trix.uniqueIds.fields = (user) | avg cep.time as Average, min cep.time as Min, max cep.time as Max | display Average in time format, Min in time format, Max in time format
  Explanation: average, minimum and maximum duration of the Trix events

* in log.audit | trix trix.uniqueIds.fields = (user) cepNode.timeframe.limit = (5 seconds)
  Explanation: the complex event is closed once the limit time (here 5 seconds) has expired

* in log.audit | trix trix.uniqueIds.fields = (user) cepNode.event.timeframe.limitFromStart = (10 minutes)
  Explanation: only events that occur less than limitFromStart (here 10 minutes) after the first event are added to the complex event

Data-filtered Trix Queries

Query / Explanation

* in log.audit | trix trix.uniqueIds.fields = (user) cepNode.maxEventLimit=3
  Explanation: sets the maximum number of events for each complex event

* in log.audit | trix trix.uniqueIds.fields = (thread) cep.name=(session id) cep.groups=(session id) maxEventLimit=3 type=(thread)
  Explanation: the types list is taken from the thread values


* in log.audit | trix trix.uniqueIds.fields = (user) startRule = (Event Description contains session has started) endRule = (Event Description contains was terminated) | where cep.startEvent = true AND cep.endEvent = true
  Explanation: start and end conditions. To keep only the complex events that satisfy both the start and the end condition, add the following:
  | where cep.startEvent = true and cep.endEvent = true

* in log.audit | trix trix.uniqueIds.fields = (user) cep.groups = (Thread) enrichments.message.all = (message) | where cep.message contains exception or error
  Explanation: filters the CE flows whose message column contains 'error' or 'exception'.
  groups: recommended for columns with short contents that can be used to display the CE flow (user_name, action, etc.)
  enrichment: recommended for columns whose contents may hold values to filter on (errors, exceptions, etc.)

* in log.audit | trix trix.uniqueIds.fields = (user) cep.groups = (priority) | where cep.groups = ERROR or FATAL
  Explanation: filters the CE flows whose priority column equals 'ERROR' or 'FATAL'.

* in log.secure | trix trix.uniqueIds.fields = (user+pid) endRule = (message contains Connection closed by invalid user OR Disconnecting invalid user OR Disconnected from invalid) cep.name = User | where cep.endEvent = true
  Explanation: Linux CEPs - failed logins

* in log.security | trix trix.uniqueIds.fields = (account name) cep.groups = (event) | where cep.groups = 4625
  Explanation: Windows event CEPs - failed logon attempts (event ID 4625)

Complex Trix Queries

Advanced usage of the Trix function, combining several limits:

Code Block
not "CRYPTO_KEY_USER" IN log.audit | trix trix.uniqueIds.fields = (user) trix.uniqueSubIds.fields = (pid) startRule = (Event Description contains User logged) endRule = (Event Description contains terminated) cepNode.maxEventLimit = 50 cepNode.timeframe.limit = (5 minutes) cep.name = (user) cep.groups = (type) cep.type = (category)

A complex table as output, built from the Trix values:

Code Block
* IN log.audit | trix trix.uniqueIds.fields = (user) trix.uniqueSubIds.fields = (pid) startRule = (Event Description contains User logged) endRule = (Event Description contains terminated) cepNode.maxEventLimit = 50 cepNode.timeframe.limit = (5 minutes) cep.name = (user) cep.groups = (type) cep.type = (category) | list cep.id as nodeId, cep.starttime as starttime in date format, cep.endtime as endtime in date format, cep.eventscount as events count, cep.fullstate as state, cep.startEvent as startevent, cep.endEvent as endevent, cep.key as key | order by nodeId desc

A query with custom columns added to the cep by the user:

Extra Fields / Explanation

enrichments.pid.first = (pid)
enrichments.context.all = (context)
  Explanation: enrichments.<name>.<type> adds extra columns to the meta of the cep.
  name: the name of the output column.
  type: the type of the extraction; currently 'first' (extracts the first value encountered) or 'all' (extracts all values). Optional.

Code Block
* IN log.audit | trix trix.uniqueIds.fields = (user) trix.uniqueSubIds.fields = (pid) startRule = (Event Description contains User logged) endRule = (Event Description contains terminated) cepNode.maxEventLimit = 50 cepNode.timeframe.limit = (5 minutes) cep.name = (user) cep.groups = (type) cep.type = (category) enrichments.pid.all = (pid) enrichments.context.all = (context) | count | group by cep.pid, cep.context
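The grouping rules the tables above describe (a unique key built from trix.uniqueIds.fields, startRule/endRule, cepNode.maxEventLimit, timeframe.limitFromStart, cep.time and the enrichments.<name>.<first|all> columns) are modelled in the Python below, added here as an example; it is not the Trix engine's own code, and trix, matches, cep_time, SAMPLE and failed_logins are names chosen for this example, with the sshd-style events constructed rather than taken from a real log.

```python
# Added example (not the Trix engine's code): a minimal model of how a Trix
# query folds raw events into complex events (CEPs), following the tables above.

def matches(rule, ev):  # rule = (field, [substrings]); the list models OR
    return bool(rule) and any(s in str(ev.get(rule[0], "")) for s in rule[1])

def cep_time(cep):  # cep.time in milliseconds: last event minus first event
    return cep["events"][-1]["ts"] - cep["events"][0]["ts"]

def trix(events, unique_ids, start_rule=None, end_rule=None,
         max_events=None, limit_from_start_ms=None, enrichments=()):
    """Fold events into CEPs keyed by the joined unique_ids fields (e.g. user+pid).
    enrichments are (name, field, 'first'|'all') tuples -> cep['enrich'][name]."""
    closed, open_ceps = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = "+".join(str(ev[f]) for f in unique_ids)
        cep = open_ceps.get(key)
        # a fresh startRule match or an expired limitFromStart closes the open CEP
        if cep and (matches(start_rule, ev) or (limit_from_start_ms is not None
                    and ev["ts"] - cep["events"][0]["ts"] > limit_from_start_ms)):
            closed.append(open_ceps.pop(key))
            cep = None
        if cep is None:
            cep = open_ceps[key] = {"key": key, "events": [], "enrich": {},
                                    "startEvent": matches(start_rule, ev), "endEvent": False}
        cep["events"].append(ev)
        for name, fld, kind in enrichments:
            vals = cep["enrich"].setdefault(name, [])
            if kind == "all" or not vals:  # 'first' keeps only the first value seen
                vals.append(ev[fld])
        cep["endEvent"] = cep["endEvent"] or matches(end_rule, ev)
        if cep["endEvent"] or (max_events and len(cep["events"]) >= max_events):
            closed.append(open_ceps.pop(key))  # endRule hit or maxEventLimit reached
    return closed + list(open_ceps.values())

# Constructed sshd-style events (ts in ms), not real log data.
SAMPLE = [dict(ts=t, user=u, pid=p, message=m) for t, u, p, m in [
    (1000, "admin", 4410, "Invalid user admin from 203.0.113.5"),
    (1800, "admin", 4410, "Failed password for invalid user admin"),
    (2600, "admin", 4410, "Connection closed by invalid user admin"),
    (9000, "root", 4415, "Invalid user root from 198.51.100.9"),
    (9500, "root", 4415, "Disconnecting invalid user root")]]

def failed_logins():
    """'Linux CEPs - failed logins' row: key user+pid, endRule on disconnects, keep cep.endEvent."""
    end = ("message", ["Connection closed by invalid user",
                       "Disconnecting invalid user", "Disconnected from invalid"])
    ceps = trix(SAMPLE, ("user", "pid"), end_rule=end,
                enrichments=(("first_msg", "message", "first"),))
    return [c for c in ceps if c["endEvent"]]
```

Calling failed_logins() yields one CEP per invalid-user connection, each carrying its events, duration and first message, which is the shape the | where cep.endEvent = true filter above produces.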