Guidelines for SQL Alerts Rules / Events Rules / Scheduled Queries
- Consider the time it takes for events / data to show up in the back-end. On the Uptycs portal, data should be visible in the back-end in less than 6 minutes.
Note : the 6 min delay is already built into the :from and :to variables.
upt_server_time BETWEEN :from AND :to
- Include upt_day in the query's WHERE clause to limit data extraction to the relevant partition(s) for better performance
upt_day >= CAST(date_format((:from - INTERVAL '10' MINUTE), '%Y%m%d') AS INTEGER)
- For queries that are not based on event tables, use the following clause
upt_counter > 0
- For SQL events / alerts (SQL event rules are redundant), the following columns are mandatory for an Event Rule / Alert Rule (** Note : column names are case sensitive )
- severity - Low / Medium / High **
- description
- asset (this is the asset_id value - required to get an asset reference; otherwise optional)
- time
- key
- value - Note : value should be varchar; CAST the column to varchar if needed
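An Event Rule query that applies all of the guidelines above, added here as an example and not taken from the original article. The table name process_events and its columns upt_asset_id, path and pid are assumptions for illustration; upt_day, upt_server_time, :from and :to are the ones the article names.

```sql
-- Added example (not from the original article): an Event Rule query that
-- follows the guidelines above. Table process_events and columns
-- upt_asset_id, path and pid are assumed for illustration.
SELECT
  'High'                                 AS severity,    -- Low / Medium / High, case sensitive
  'Process executed from a temporary directory' AS description,
  upt_asset_id                           AS asset,       -- asset_id value, yields the asset reference
  upt_server_time                        AS time,
  'pid'                                  AS key,
  CAST(pid AS VARCHAR)                   AS value        -- value must be varchar, so CAST the integer
FROM process_events
WHERE
  -- Partition pruning: restrict to the day partition(s) covering the window
  upt_day >= CAST(date_format((:from - INTERVAL '10' MINUTE), '%Y%m%d') AS INTEGER)
  -- The 6 min ingestion delay is already built into :from and :to
  AND upt_server_time BETWEEN :from AND :to
  -- Detection condition for this example rule
  AND (path LIKE '/tmp/%' OR path LIKE '/dev/shm/%')
```

For a query that is not based on an event table, the guideline above adds upt_counter > 0 to the WHERE clause.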