Quickly Adding a Log Alarm Model

Prerequisites

Data access has been completed. For details, see Data Integration.

Procedure

1. Log in to the management console.
2. Click in the upper left corner of the page and choose Security > SecMaster.
3. In the navigation pane, choose Workspaces > Management. In the workspace list, click the name of the target workspace.
   Figure 1 Management
   

4. In the navigation pane on the left, choose Threat Operations > Security Analysis. The security analysis page is displayed.
   Figure 2 Accessing the Security Analysis tab page
   

5. In the data space navigation tree on the left, click a data space name to show the pipeline list. Click a pipeline name. On the displayed page, you can search the pipeline data.
   Figure 3 Pipeline data page
   

6. Enter the query analysis statement, set the time range, and click Query/Analyze. The query analysis result is displayed.

   For details, see Querying and Analyzing Data.

7. Click Add Alarm in the upper right corner of the page. The Create Alarm Model page is displayed.
   Figure 4 Add Alarm
   

8. Configure basic alarm information by referring to Table 1.
   Figure 5 Basic configuration
   

   Table 1 Basic parameters of an alarm model

   Parameter	Description
   Pipeline Name	The pipeline where the alert model is executed, which is generated by the system by default.
   Model Name	Name of the alarm model.
   Severity	Severity of alarms reported by the alarm model. You can set the severity to Critical, High, Medium Low, or Informative.
   Alarm Type	Alarm type displayed after the alarm model is triggered.
   Model Type	The default value is Rule model.
   Description	Enter the description of the alarm model.
   Status	The alarm model status. : indicates that the model is enabled. This is the default status. : indicates that the model is disabled. You can change the alarm model status after the model is configured.

9. After the setting is complete, click Next in the lower right corner of the page. The page for setting the model logic is displayed.
10. Set the model logic. For details about the parameters, see Table 2.

    Table 2 Configure Model Logic

    Parameter	Description
    Query Rule	Set alert query rules. After the setting is complete, click Run and view the running result.
    Query Plan	Set an alert query plan. Running query interval: xx minutes/hour/day. If the running query interval is minute, set this parameter to a value ranging from 5 to 59 minutes. If the running query interval is hour, set this parameter to a value ranging from 1 to 23 hours. If the running query interval is day, set this parameter to a value ranging from 1 to 14 days. Time window: xx minutes/hour/day. If the time window is minute, the value ranges from 5 minutes to 59 minutes. If the time window is hour, the value ranges from 1 hour to 23 hours. If the time window is day, the value ranges from 1 day to 14 days. Execution Delay: xx minutes. The value ranges from 0 to 5 minutes.
    Advanced Alarm Settings	Custom Information: Customize extended alert information. Click Add, and set the key and value information. Alarm Details: Enter the alarm name, description, and handling suggestions.
    Trigger Condition	Sets alert triggering conditions. The value can be greater than, equal to, not equal to, or less than xx. If there are multiple triggers, click Add.
    Alarm Trigger	The way to trigger alerts for queried results. The options are as follows: One alert for all query results One alert for each query result
    Debugging	Sets whether to generate debugging alarms.
    Suppression	Specifies whether to stop the query after an alert is generated. : indicates that the query stops after an alert is generated. : indicates that the query is not stopped after an alert is generated.

11. After the setting is complete, click Next in the lower right corner of the page. The model details preview page is displayed.
12. After confirming that the preview is correct, click OK in the lower right corner of the page to confirm the configuration.