Alerts
In the Search Anywhere Framework it is possible to create scheduled jobs to search for events. The Job Scheduler module allows you to configure a search query for a selected time interval, launch frequency, and throttling.

To create a new job in Job Scheduler, go to Main menu - Job Scheduler - Jobs List - New Job.
Example. How to create a new job.

- Enter the name and description of the new job. Required items are marked with a red "*" in the upper right corner of the item name.

A job is based on the search query and its settings:

- Search - a request in the Search Anywhere Framework Language.
- Time interval - the interval of events to search.
- Time field - the field that contains the time parameter in the original event.
- **Duration of the lock (in seconds)** - the period of time during which repeated requests will not occur if the previous request has not yet completed (timeout).

Example search request:

```
source sysmon_operational-*
| search event.code="1" AND rule_name_technique_id="T1124"
| rename rule_name_technique_id as mitre_technique_id
| table @timestamp, mitre_technique_id, event.action, host.name, host.ip, user, original_file_name, image, parent_image
```
The Schedule block allows you to configure the frequency and suppression for the search job:

- Frequency of execution - the schedule for running the job. It is set using a Cron Expression or a fixed time interval.
- Schedule delay - the time when this job will run again, relative to the current time.
- Suppression of execution - the time during which search results will be suppressed after the search has found the first result.
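The lock, frequency and suppression settings interact: a slow request can make the next tick skip, and hits that fall inside the suppression window never produce a second alert. The following Python model, added here and not the product's own code, walks a job's schedule tick by tick over constructed hit timestamps; the field names, the fixed-interval frequency and the assumption that each run searches only the last interval are assumptions of this model.

```python
from dataclasses import dataclass


@dataclass
class JobConfig:
    """Scheduler settings named on this page (hypothetical model, not the product's own code)."""
    interval_s: int    # Frequency of execution, given as a plain time interval
    lock_s: int        # Duration of the lock: no repeat request while the previous one still runs
    suppress_s: int    # Suppression of execution: no new alert for this long after the first hit


def simulate(cfg: JobConfig, hits_at, run_duration_s: int, horizon_s: int):
    """Walk the schedule and return a list of (tick_time, decision).

    hits_at: constructed event timestamps (seconds) that the search query would match.
    run_duration_s: assumed constant runtime of one search request.
    Decisions: 'alert', 'suppressed', 'no_result', 'locked'.
    """
    hits = sorted(hits_at)
    decisions = []
    running_since = None   # start time of a request that has not finished yet
    suppressed_until = 0
    for t in range(0, horizon_s + 1, cfg.interval_s):
        if running_since is not None and t < running_since + run_duration_s:
            if t - running_since < cfg.lock_s:
                decisions.append((t, "locked"))      # previous request still holds the lock
                continue
            # lock timed out: the scheduler stops waiting and launches a new request
        running_since = t
        # assumption: each run covers only the last interval, (t - interval, t]
        found = any(t - cfg.interval_s < h <= t for h in hits)
        if not found:
            decisions.append((t, "no_result"))
        elif t < suppressed_until:
            decisions.append((t, "suppressed"))      # hit, but inside the suppression window
        else:
            decisions.append((t, "alert"))
            suppressed_until = t + cfg.suppress_s
    return decisions


def alert_times(decisions):
    """Ticks at which an alert would actually be raised."""
    return [t for t, d in decisions if d == "alert"]


if __name__ == "__main__":
    cfg = JobConfig(interval_s=60, lock_s=120, suppress_s=300)
    # constructed hits: three events in quick succession, then one much later
    for tick, decision in simulate(cfg, [30, 90, 150, 400], run_duration_s=10, horizon_s=420):
        print(f"t={tick:4d}s  {decision}")
```

With these constructed values only the ticks at 60 s and 420 s alert; the hits at 90 s and 150 s are swallowed by the 300 s suppression window, which is the trade-off to weigh when tuning the Suppression of execution setting.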
To use the same parameters for different Actions in Jobs, there is a Global Params setting. Once a global parameter is created, it is available as a global token (for more information about tokens, see here).

An example of using a global parameter: Incident Action.