Basic Trix Queries
Query | Explanation |
---|---|
* in log.audit | trix trix.uniqueIds.fields = (user) | user column as a unique key - mandatory |
* in log.audit | trix trix.uniqueIds.fields = (user, pid) | user or pid columns as a unique key - mandatory |
* in log.audit | trix trix.uniqueIds.fields = (user+pid) | combination of user and pid columns as a unique key - mandatory |
* in log.audit | trix trix.uniqueIds.fields = (user) trix.uniqueSubIds.fields = (pid) | pid column as an optional unique key |
* in log.audit | trix trix.uniqueIds.fields = (user) trix.uniqueSubIds.fields = (pid) cep.name=(session id) | The name for each complex event will be determined by the session id value |
* in log.audit | trix trix.uniqueIds.fields = (user) trix.uniqueSubIds.fields = (pid) cep.name=(session id) cep.groups=(session id) | groups list will be determined by the session id values |
* in log.audit | trix trix.uniqueIds.fields = (user) trix.uniqueSubIds.fields = (pid) cep.name=(session id) cep.groups=(session id) type=(thread) | types list will be determined by the thread values |
Time Statistics Trix Queries
Query | Explanation |
---|---|
* in log.audit | trix trix.uniqueIds.fields = (user) | where cep.time < 10000 | Trix events that took more than 10 seconds (time is in milliseconds) |
* in log.audit | trix trix.uniqueIds.fields = (user) | avg cep.time as Average, min cep.time as Min, max cep.time as Max | display Average in time format, Min in time format, Max in time format | Average, Minimum and Maximum time of the Trix events |
* in log.audit | trix trix.uniqueIds.fields = (user) cepNode.timeframe.limit = (5 seconds) | The complex event is closed once the limit time has expired |
* in log.audit | trix trix.uniqueIds.fields = (user) cepNode.event.timeframe.limitFromStart = (10 minutes) | Only events which are less than limitTimeFromStart from the first event will be added to the transaction. |
Data-filtered Trix Queries
Query | Explanation |
---|---|
* in log.audit | trix trix.uniqueIds.fields = (user) cepNode.maxEventLimit=3 | Max number of events for each complex event |
* in log.audit | trix trix.uniqueIds.fields = (user) startRule = (Event Description contains session has started) endRule = (Event Description contains was terminated) | where cep.startEvent = true AND cep.endEvent = true | Start and end conditions. To keep only the CEPs that satisfy both the start and the end condition, add: where cep.startEvent = true and cep.endEvent = true |
* in log.audit | trix trix.uniqueIds.fields = (user) cep.groups = (Thread) enrichments.message.all = (message) | where cep.message contains exception or error | Filters CE flows whose message column contains 'error' or 'exception'. Enrichment is recommended when a column's contents may hold values you want to filter on (errors, exceptions, etc.) |
* in log.audit | trix trix.uniqueIds.fields = (user) cep.groups = (priority) | where cep.groups = ERROR or FATAL | Filters CE flows whose priority column equals 'ERROR' or 'FATAL'. Enrichment is recommended when a column's contents may hold values you want to filter on (errors, exceptions, etc.) |
* in log.secure | trix trix.uniqueIds.fields = (user+pid) endRule = (message contains Connection closed by invalid user OR Disconnecting invalid user OR Disconnected from invalid) cep.name = User | where cep.endEvent = true | Linux CEPs - Failed Logins |
* in log.security | trix trix.uniqueIds.fields = (account name) cep.groups = (event) | where cep.groups = 4625 | Windows events CEPs - Failed Logon Attempts |
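To make the row semantics above concrete (uniqueIds keying, startRule/endRule, cepNode.timeframe.limit, cepNode.maxEventLimit, and the cep.startEvent/cep.endEvent filter), here is an added, simplified Python model of how events fold into complex events. It is not XpoLog's code: the closing order (timeframe limit checked before a new event is added, only endRule setting cep.endEvent) and the sample events are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample of log.audit-style events (ts in milliseconds); not real data.
EVENTS = [
    {"ts": 0,     "user": "alice", "pid": 11, "desc": "session has started"},
    {"ts": 1500,  "user": "alice", "pid": 11, "desc": "file opened"},
    {"ts": 2000,  "user": "bob",   "pid": 20, "desc": "file opened"},
    {"ts": 12000, "user": "alice", "pid": 11, "desc": "session was terminated"},
    {"ts": 13000, "user": "bob",   "pid": 21, "desc": "session has started"},
    {"ts": 14000, "user": "bob",   "pid": 21, "desc": "file opened"},
]

def session_started(ev):     # startRule = (Event Description contains session has started)
    return "session has started" in ev["desc"]

def session_terminated(ev):  # endRule = (Event Description contains was terminated)
    return "was terminated" in ev["desc"]

@dataclass
class Cep:
    name: str                              # cep.name
    events: list = field(default_factory=list)
    start_event: bool = False              # cep.startEvent
    end_event: bool = False                # cep.endEvent

    @property
    def time(self) -> int:                 # cep.time: ms between first and last event
        return self.events[-1]["ts"] - self.events[0]["ts"]

def build_ceps(events, unique_ids, start_rule, end_rule, limit_ms=None, max_events=None):
    """Fold events into CEPs keyed by unique_ids (trix.uniqueIds.fields); assumed semantics."""
    open_ceps, closed = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = tuple(ev[f] for f in unique_ids)
        cep = open_ceps.get(key)
        # cepNode.timeframe.limit: close the CEP once the window since its first event expires
        if cep is not None and limit_ms is not None and ev["ts"] - cep.events[0]["ts"] > limit_ms:
            closed.append(open_ceps.pop(key))
            cep = None
        if cep is None:
            if not start_rule(ev):
                continue                   # no open CEP and no start match: event is dropped
            cep = open_ceps[key] = Cep(name="+".join(map(str, key)), start_event=True)
        cep.events.append(ev)
        # endRule or cepNode.maxEventLimit closes the CEP; only endRule sets cep.endEvent
        if end_rule(ev) or (max_events is not None and len(cep.events) >= max_events):
            cep.end_event = end_rule(ev)
            closed.append(open_ceps.pop(key))
    return closed + list(open_ceps.values())   # CEPs still open at end of input come back unfinished

def complete_ceps(ceps):
    """Equivalent of: where cep.startEvent = true and cep.endEvent = true"""
    return [c for c in ceps if c.start_event and c.end_event]
```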
Complex Trix Queries
Advanced usage of the Trix function, combining several limits:
Code Block |
---|
not "CRYPTO_KEY_USER" IN log.audit | trix trix.uniqueIds.fields = (user) trix.uniqueSubIds.fields =(pid) startRule = (Event Description contains User logged) endRule = (Event Description contains terminated) cepNode.maxEventLimit = 50 cepNode.timeframe.limit = (5 minutes) cep.name = (user) cep.groups = (type) cep.type = (category) |
...
A query with custom columns added to the cep by the user:
Extra Fields | Explanation |
---|---|
enrichments.pid.first = (pid) enrichments.context.all = (context) | Adds pid and context as custom cep columns (cep.pid, cep.context) |
Code Block |
---|
* IN log.audit | trix trix.uniqueIds.fields = (user) trix.uniqueSubIds.fields =(pid) startRule = (Event Description contains User logged) endRule = (Event Description contains terminated) cepNode.maxEventLimit = 50 cepNode.timeframe.limit = (5 minutes) cep.name = (user) cep.groups = (type) cep.type = (category) enrichments.pid.all = (pid) enrichments.context.all = (context) | count | group by cep.pid, cep.context |
...