Basic Trix Queries

Query | Explanation |
---|---|
`* in log.audit \| trix trix.uniqueIds.fields = (user)` | user column as a unique key - mandatory |
`* in log.audit \| trix trix.uniqueIds.fields = (user, pid)` | user or pid columns as a unique key - mandatory |
`* in log.audit \| trix trix.uniqueIds.fields = (user+pid)` | combination of user and pid columns as a unique key - mandatory |
`* in log.audit \| trix trix.uniqueIds.fields = (user) trix.uniqueSubIds.fields = (pid)` | pid column as an optional unique key |
`* in log.audit \| trix trix.uniqueIds.fields = (user) trix.uniqueSubIds.fields = (pid) cep.name=(session id)` | The name of each complex event will be determined by the session id value |
`* in log.audit \| trix trix.uniqueIds.fields = (user) trix.uniqueSubIds.fields = (pid) cep.name=(session id) cep.groups=(session id)` | The groups list will be determined by the session id values |
`* in log.audit \| trix trix.uniqueIds.fields = (user) trix.uniqueSubIds.fields = (pid) cep.name=(session id) cep.groups=(session id) type=(thread)` | The types list will be determined by the thread values |
...
Time Statistics Trix Queries

Query | Explanation |
---|---|
`* in log.audit \| trix trix.uniqueIds.fields = (user) \| where cep.time > 10000` | Trix events that took more than 10 seconds (time is in milliseconds) |
`* in log.audit \| trix trix.uniqueIds.fields = (user) \| avg cep.time as Average, min cep.time as Min, max cep.time as Max \| display Average in time format, Min in time format, Max in time format` | Average, Minimum and Maximum time of the Trix events |
`* in log.audit \| trix trix.uniqueIds.fields = (user) cepNode.timeframe.limit = (5 seconds)` | The complex event will be closed after the limit time has expired |
`* in log.audit \| trix trix.uniqueIds.fields = (user) cepNode.event.timeframe.limitFromStart = (10 minutes)` | Only events which are less than limitFromStart from the first event will be added to the transaction. |
Data-filtered Trix Queries

Query | Explanation |
---|---|
`* in log.audit \| trix trix.uniqueIds.fields = (user) cepNode.maxEventLimit=3` | Max number of events for each complex event |
`* in log.audit \| trix trix.uniqueIds.fields = (user) startRule = (Event Description contains session has started) endRule = (Event Description contains was terminated) \| where cep.startEvent = true AND cep.endEvent = true` | Start and End conditions. To keep only the ceps which satisfy both the start and the end condition, add the following: `\| where cep.startEvent = true and cep.endEvent = true` |
`* in log.audit \| trix trix.uniqueIds.fields = (user) cep.groups = (Thread) enrichments.message.all = (message) \| where cep.message contains exception or error` | Filter of CE flows whose message column contains 'error' or 'exception'. Enrichment is recommended when there are columns whose contents may contain values to be filtered (errors, exceptions, etc.) |
`* in log.audit \| trix trix.uniqueIds.fields = (user) cep.groups = (priority) \| where cep.groups = ERROR or FATAL` | Filter of CE flows whose priority column equals 'ERROR' or 'FATAL'. Enrichment is recommended when there are columns whose contents may contain values to be filtered (errors, exceptions, etc.) |
`* in log.secure \| trix trix.uniqueIds.fields = (user+pid) endRule = (message contains Connection closed by invalid user OR Disconnecting invalid user OR Disconnected from invalid) cep.name = User \| where cep.endEvent = true` | Linux CEPs - Failed Logins |
`* in log.security \| trix trix.uniqueIds.fields = (account name) cep.groups = (event) \| where cep.groups = 4625` | Windows events CEPs - Failed Logon Attempts |
Complex Trix Queries

Advanced usage of the Trix function, using multiple limitations:

```
not "CRYPTO_KEY_USER" IN log.audit | trix trix.uniqueIds.fields = (user) trix.uniqueSubIds.fields =(pid) startRule = (Event Description contains User logged) endRule = (Event Description contains terminated) cepNode.maxEventLimit = 50 cep.timeframe.limit = (5 minutes) cep.name = (user) cep.groups = (type) cep.type = (category)
```

Complex table as an output, which relies on Trix values:

```
* IN log.audit | trix trix.uniqueIds.fields = (user) trix.uniqueSubIds.fields =(pid) startRule = (Event Description contains User logged) endRule = (Event Description contains terminated) cepNode.maxEventLimit = 50 cepNode.timeframe.limit = (5 minutes) cep.name = (user) cep.groups = (type) cep.type = (category) | list cep.id as nodeId, cep.starttime as starttime in date format, cep.endtime as endtime in date format, cep.eventscount as events count, cep.fullstate as state, cep.startEvent as startevent, cep.endEvent as endevent, cep.key as key | order by nodeid desc
```

A query with custom columns added to the cep by the user:

Extra Fields | Explanation |
---|---|
`enrichments.pid.first = (pid) enrichments.context.all = (context)` | Custom columns: the pid and context values are attached to each complex event and can then be referenced as cep.pid and cep.context |

```
* IN log.audit | trix trix.uniqueIds.fields = (user) trix.uniqueSubIds.fields =(pid) startRule = (Event Description contains User logged) endRule = (Event Description contains terminated) cepNode.maxEventLimit = 50 cepNode.timeframe.limit = (5 minutes) cep.name = (user) cep.groups = (type) cep.type = (category) enrichments.pid.all = (pid) enrichments.context.all = (context) | count | group by cep.pid, cep.context
```
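The reference tables above describe what the trix parameters do (unique key, start/end rules, maxEventLimit, timeframe limits, groups, enrichments, and the cep.* output fields) without showing how events end up grouped. The following Python example, added here and not XpoLog's own code, re-implements that grouping over a constructed sample of sshd lines so the "Linux CEPs - Failed Logins" query and the avg/min/max cep.time statistics can be traced by hand. Everything in it is an assumption for illustration: the parameter semantics in `trix()` (combined key, events missing a key field are skipped, a startRule match opens a new transaction, endRule or maxEventLimit closes one, `timeframe_limit_ms` closes on inactivity and `limit_from_start_ms` on total span), the helper names (`Cep`, `contains_any`, `parse_secure`, `failed_login_ceps`, `time_stats`), the log format, and the sample data. uniqueSubIds and cep.name are not modelled.

```python
"""Minimal trix-style complex-event builder: groups log events into transactions by a
unique key and applies start/end rules, event-count and time limits. Added example with
assumed semantics for each parameter; it is not XpoLog code."""
import re
from dataclasses import dataclass, field
from datetime import datetime
from statistics import mean

@dataclass
class Cep:
    """One complex event, exposing the cep.* fields the page's queries refer to."""
    id: int
    key: tuple
    events: list = field(default_factory=list)
    startEvent: bool = False        # opened by an event matching startRule
    endEvent: bool = False          # closed by an event matching endRule
    starttime = property(lambda s: s.events[0]["ts"])
    endtime = property(lambda s: s.events[-1]["ts"])
    time = property(lambda s: s.endtime - s.starttime)      # milliseconds
    eventscount = property(lambda s: len(s.events))

    def groups(self, fld):          # cep.groups = (fld): distinct values in the transaction
        return sorted({e[fld] for e in self.events if e.get(fld) is not None})

    def enrich(self, fld, mode="all"):      # enrichments.<name>.all / .first = (fld)
        vals = [e[fld] for e in self.events if e.get(fld) is not None]
        return (vals[0] if vals else None) if mode == "first" else vals

def contains_any(fld, *needles):
    """Rule factory for '<field> contains A OR B ...' (case-insensitive)."""
    return lambda e: any(n.lower() in str(e.get(fld, "")).lower() for n in needles)

def trix(events, key_fields, start_rule=None, end_rule=None, max_event_limit=None,
         timeframe_limit_ms=None, limit_from_start_ms=None):
    """Assumed semantics: key = combination of key_fields (uniqueIds.fields = (a+b)); events
    missing a key field are skipped; a startRule match always opens a new transaction; endRule
    or maxEventLimit closes one; the two time limits close it on inactivity / total span."""
    open_ceps, done, next_id = {}, [], 1
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = tuple(e.get(f) for f in key_fields)
        if None in key:
            continue
        is_start = start_rule is not None and start_rule(e)
        cep = open_ceps.get(key)
        if cep is not None and (is_start
                or (timeframe_limit_ms is not None and e["ts"] - cep.endtime > timeframe_limit_ms)
                or (limit_from_start_ms is not None and e["ts"] - cep.starttime > limit_from_start_ms)):
            done.append(open_ceps.pop(key))
            cep = None
        if cep is None:
            cep = open_ceps[key] = Cep(next_id, key, startEvent=is_start)
            next_id += 1
        cep.events.append(e)
        cep.endEvent = end_rule is not None and end_rule(e)
        if cep.endEvent or (max_event_limit is not None and cep.eventscount >= max_event_limit):
            done.append(open_ceps.pop(key))
    done.extend(open_ceps.values())         # transactions still open at end of input
    return sorted(done, key=lambda c: c.id)

LOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(\d+)\]: (.*)$")
USER_RE = re.compile(r"(?:invalid user|for user|for) (?!invalid)(\w+)", re.IGNORECASE)

def parse_secure(text, year=2024):
    """Parse sshd-style syslog lines into events with ts (ms), user, pid and message."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        dt = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=year)
        u = USER_RE.search(m.group(3))
        events.append({"ts": int((dt - datetime(year, 1, 1)).total_seconds() * 1000),
                       "pid": m.group(2), "user": u.group(1) if u else None,
                       "message": m.group(3)})
    return events

# Constructed sample of log.secure lines (not real log data).
SAMPLE = """\
Mar  3 10:01:02 host sshd[2101]: Invalid user admin from 203.0.113.7 port 51234
Mar  3 10:01:04 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:05 host sshd[2101]: Connection closed by invalid user admin 203.0.113.7 port 51234 [preauth]
Mar  3 10:02:10 host sshd[2130]: Accepted publickey for alice from 198.51.100.5 port 40000 ssh2
Mar  3 10:02:10 host sshd[2130]: pam_unix(sshd:session): session opened for user alice
Mar  3 10:03:00 host sshd[2142]: Invalid user test from 203.0.113.7 port 51300
Mar  3 10:03:01 host sshd[2142]: Disconnecting invalid user test 203.0.113.7 port 51300: Too many authentication failures [preauth]
"""

def failed_login_ceps(text=SAMPLE):
    """The page's 'Linux CEPs - Failed Logins' query: key user+pid, endRule on the
    disconnect messages, then 'where cep.endEvent = true'."""
    end = contains_any("message", "Connection closed by invalid user",
                       "Disconnecting invalid user", "Disconnected from invalid")
    return [c for c in trix(parse_secure(text), ("user", "pid"), end_rule=end) if c.endEvent]

def time_stats(ceps):
    """avg / min / max cep.time over a list of complex events, in milliseconds."""
    t = [c.time for c in ceps]
    return {"Average": mean(t), "Min": min(t), "Max": max(t)}
```

Calling `failed_login_ceps()` on the sample returns the two transactions that reached an end event (the admin and test attempts, 3 and 2 events long); alice's accepted session stays open and is excluded by the endEvent filter, and `time_stats` over the hits gives the Average/Min/Max values the time-statistics query displays. `trix()` can also be called directly with `max_event_limit`, `timeframe_limit_ms`, `limit_from_start_ms` and start/end rules to see how the limits in the complex queries split a user's events into separate ceps.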