Basic Trix Queries

Query: * in log.audit | trix trix.uniqueIds.fields = (user)
Explanation: the user column is the unique key - mandatory

Query: * in log.audit | trix trix.uniqueIds.fields = (user, pid)
Explanation: either the user column or the pid column is a unique key - mandatory

Query: * in log.audit | trix trix.uniqueIds.fields = (user+pid)
Explanation: the combination of the user and pid columns is the unique key - mandatory

Query: * in log.audit | trix trix.uniqueIds.fields = (user) trix.uniqueSubIds.fields = (pid)
Explanation: the pid column is an optional (sub) unique key

Query: * in log.audit | trix trix.uniqueIds.fields = (user) trix.uniqueSubIds.fields = (pid) cep.name=(session id)
Explanation: the name of each complex event is taken from its session id value

Query: * in log.audit | trix trix.uniqueIds.fields = (user) trix.uniqueSubIds.fields = (pid) cep.name=(session id) cep.groups=(session id)
Explanation: the groups list is taken from the session id values

Query: * in log.audit | trix trix.uniqueIds.fields = (user) trix.uniqueSubIds.fields = (pid) cep.name=(session id) cep.groups=(session id) cep.type=(thread)
Explanation: the types list is taken from the thread values

Time Statistics Trix Queries

Query: * in log.audit | trix trix.uniqueIds.fields = (user) | where cep.time > 10000
Explanation: Trix events that took more than 10 seconds (cep.time is in milliseconds)

Query: * in log.audit | trix trix.uniqueIds.fields = (user) | avg cep.time as Average, min cep.time as Min, max cep.time as Max | display Average in time format, Min in time format, Max in time format
Explanation: average, minimum and maximum duration of the Trix events

Query: * in log.audit | trix trix.uniqueIds.fields = (user) cepNode.timeframe.limit = (5 seconds)
Explanation: the complex event is closed once the time limit (here 5 seconds) has expired

Query: * in log.audit | trix trix.uniqueIds.fields = (user) cepNode.event.timeframe.limitFromStart = (10 minutes)
Explanation: only events that occur within limitFromStart (here 10 minutes) of the first event are added to the transaction

Data-filtered Trix Queries

Query: * in log.audit | trix trix.uniqueIds.fields = (user) cepNode.maxEventLimit=3
Explanation: maximum number of events in each complex event

Query: * in log.audit | trix trix.uniqueIds.fields = (user) startRule = (Event Description contains session has started) endRule = (Event Description contains was terminated) | where cep.startEvent = true AND cep.endEvent = true
Explanation: start and end conditions. The trailing "| where cep.startEvent = true AND cep.endEvent = true" keeps only the ceps that satisfied both the start and the end condition; without it, ceps that never matched the start condition or the end condition are returned as well.

Query: * in log.audit | trix trix.uniqueIds.fields = (user) cep.groups = (Thread) enrichments.message.all = (message) | where cep.message contains exception or error
Explanation: filter of CE flows whose message column contains 'error' or 'exception'.
groups - recommended for columns with short contents that can be used to display the CE flow (user_name, action, etc.)
enrichments - recommended for columns whose contents may hold values to filter on (errors, exceptions, etc.)

Query: * in log.audit | trix trix.uniqueIds.fields = (user) cep.groups = (priority) | where cep.groups = ERROR or FATAL
Explanation: filter of CE flows whose priority column equals 'ERROR' or 'FATAL'.

Query: * in log.secure | trix trix.uniqueIds.fields = (user+pid) endRule = (message contains Connection closed by invalid user OR Disconnecting invalid user OR Disconnected from invalid) cep.name = User | where cep.endEvent = true
Explanation: Linux CEPs - failed logins. Each sshd attempt by an invalid user is keyed by user and pid and closed by the disconnect message; the where clause keeps only the attempts that reached that end event.

Query: * in log.security | trix trix.uniqueIds.fields = (account name) cep.groups = (event) | where cep.groups = 4625
Explanation: Windows CEPs - failed logon attempts (Security log event ID 4625, "An account failed to log on")

Complex Trix Queries

Advanced usage of the Trix function, using multiple limitations:

Code Block
not "CRYPTO_KEY_USER" IN log.audit | trix trix.uniqueIds.fields = (user) trix.uniqueSubIds.fields = (pid) startRule = (Event Description contains User logged) endRule = (Event Description contains terminated) cepNode.maxEventLimit = 50 cepNode.timeframe.limit = (5 minutes) cep.name = (user) cep.groups = (type) cep.type = (category)

Complex table as an output, which relies on Trix values:

Code Block
* IN log.audit | trix trix.uniqueIds.fields = (user) trix.uniqueSubIds.fields = (pid) startRule = (Event Description contains User logged) endRule = (Event Description contains terminated) cepNode.maxEventLimit = 50 cepNode.timeframe.limit = (5 minutes) cep.name = (user) cep.groups = (type) cep.type = (category) | list cep.id as nodeId, cep.starttime as starttime in date format, cep.endtime as endtime in date format, cep.eventscount as events count, cep.fullstate as state, cep.startEvent as startevent, cep.endEvent as endevent, cep.key as key | order by nodeId desc

A query with custom columns added to the cep by the user:

Extra Fields: enrichments.pid.first = (pid)
Extra Fields: enrichments.context.all = (context)
Explanation: enrichments.<name>.<type> = (column) adds an additional column to the meta of the cep.
name - the name of the output column to use.
type - the type of the extraction, currently 'first' (extracts the first value it encounters) or 'all' (extracts all values) - optional.

Code Block
* IN log.audit | trix trix.uniqueIds.fields = (user) trix.uniqueSubIds.fields =(pid) startRule = (Event Description contains User logged) endRule = (Event Description contains terminated) cepNode.maxEventLimit = 50 cepNode.timeframe.limit = (5 minutes) cep.name = (user) cep.groups = (type) cep.type = (category) enrichments.pid.all = (pid) enrichments.context.all = (context) | count | group by cep.pid, cep.context
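To make the Trix parameters used throughout this page (unique keys, startRule/endRule, cepNode.maxEventLimit, limitFromStart, enrichments.<name>.first/all, and the "Linux CEPs - Failed Logins" filter) concrete, here is an added Python example that re-implements that grouping logic over constructed sshd log lines. It is not XpoLog's code and does not call the product; the `parse` helper, the column names, the `contains` rule builder, the sample lines and the "first event" interpretation of the time window are assumptions made for the illustration.

```python
"""Added example, not XpoLog's own code: a small re-implementation of the Trix
semantics described on this page, run over constructed sshd log lines."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed /var/log/secure-style sample (not captured from a real host).
SAMPLE_LOG = """\
2024-05-01 10:00:00 sshd[4101]: Invalid user admin from 203.0.113.7 port 51234
2024-05-01 10:00:01 sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
2024-05-01 10:00:02 sshd[4101]: Connection closed by invalid user admin 203.0.113.7 port 51234 [preauth]
2024-05-01 10:00:05 sshd[4102]: Accepted publickey for alice from 198.51.100.4 port 40000 ssh2
2024-05-01 10:00:06 sshd[4102]: pam_unix(sshd:session): session opened for user alice
2024-05-01 10:00:09 sshd[4103]: Invalid user admin from 203.0.113.7 port 51240
2024-05-01 10:00:10 sshd[4103]: Disconnecting invalid user admin 203.0.113.7 port 51240: Too many authentication failures
"""
LINE = re.compile(r"^(\S+ \S+) sshd\[(\d+)\]: (.*)$")

def parse(text):
    """Split each line into the columns the page's queries use (assumed layout)."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, pid, msg = m.groups()
        user = re.search(r"user (\w+)", msg) or re.search(r"for (\w+)", msg)
        ip = re.search(r"\d+\.\d+\.\d+\.\d+", msg)
        rows.append({"time": datetime.fromisoformat(ts), "pid": pid, "message": msg,
                     "user": user.group(1) if user else "", "ip": ip.group(0) if ip else ""})
    return rows

@dataclass
class Cep:
    """One complex event; attribute names mirror the cep.* columns on the page."""
    key: str
    events: list = field(default_factory=list)
    startEvent: bool = False
    endEvent: bool = False
    closed: bool = False
    enrich: dict = field(default_factory=dict)

    @property
    def eventscount(self):
        return len(self.events)

    @property
    def time(self):  # cep.time: first-to-last event duration in milliseconds
        return int((self.events[-1]["time"] - self.events[0]["time"]).total_seconds() * 1000)

def trix(rows, unique_ids, start_rule=None, end_rule=None, max_events=None,
         limit_from_start=None, enrichments=()):
    """unique_ids: ["user+pid"] keys on the combination, ["user", "pid"] lets either
    column alone tie an event to an open cep. Rules are predicates over a row.
    limit_from_start is seconds from the cep's first event (limitFromStart)."""
    window = timedelta(seconds=limit_from_start) if limit_from_start else None
    ceps, by_key = [], {}  # by_key: key value -> most recent cep for that key
    for row in rows:
        keys = ["+".join(str(row[c]) for c in spec.split("+")) for spec in unique_ids]
        cep = next((by_key[k] for k in keys if k in by_key and not by_key[k].closed), None)
        starts = bool(start_rule and start_rule(row))
        if cep and (starts or (window and row["time"] - cep.events[0]["time"] > window)):
            cep.closed = True  # a new start, or the window expired: the old cep is done
            cep = None
        if cep is None:
            cep = Cep(key=keys[0], startEvent=starts)
            ceps.append(cep)
            for k in keys:
                by_key[k] = cep
        cep.events.append(row)
        for name, kind, column in enrichments:  # enrichments.<name>.<type> = (column)
            if kind == "first":
                cep.enrich.setdefault(name, row[column])
            else:
                cep.enrich.setdefault(name, []).append(row[column])
        if end_rule and end_rule(row):
            cep.endEvent = cep.closed = True
        elif max_events and cep.eventscount >= max_events:
            cep.closed = True  # hit cepNode.maxEventLimit without an end event
    return ceps

def contains(column, *needles):
    """Build a '<column> contains a OR b' predicate, like the page's startRule/endRule."""
    return lambda row: any(n in row[column] for n in needles)

def linux_failed_logins(text=SAMPLE_LOG):
    """The page's 'Linux CEPs - Failed Logins' query: key user+pid, end on the
    sshd disconnect messages, keep only ceps whose endEvent is true."""
    ceps = trix(parse(text), ["user+pid"],
                end_rule=contains("message", "Connection closed by invalid user",
                                  "Disconnecting invalid user", "Disconnected from invalid"),
                enrichments=[("pid", "first", "pid"), ("ip", "all", "ip")])
    return [c for c in ceps if c.endEvent]

if __name__ == "__main__":
    for c in linux_failed_logins():
        print(c.key, c.eventscount, "events,", c.time, "ms, from", set(c.enrich["ip"]))
```

On the sample above the two `admin` attempts (pids 4101 and 4103) come back as closed ceps with endEvent set, while alice's successful session has no matching end rule and is left open and therefore dropped by the filter, which is exactly why the page's query ends with `| where cep.endEvent = true`. The same `trix` call with `max_events` or `limit_from_start` reproduces the cepNode.maxEventLimit and limitFromStart behaviour from the earlier tables.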