SIEM and TAG

SIEM and TAG rules are Log2Metric rules that can be used to tag data for any interesting events. Apica Ascent Log2Metrics is a powerful feature that helps you convert your log data into a real-time metric. Using Log2Metrics, you can visualize your log data, plot distributions, create a custom index, and create alerts for events.

This is useful for identifying interesting events in logs in real time, for example tracking user login failures or tracking load balancer or ingress status codes. See the section about Log2Metrics for additional information.

Apica Ascent has hundreds of inbuilt SIEM rules, which can be accessed on the "Explore -> Pipeline -> Rules" tab.

[Screenshot: Rules List]

Creating SIEM and TAG Rules

Follow these steps to create a SIEM or TAG rule in your pipeline:

1. Go to Your Pipeline

  • Open the desired pipeline.

  • Click Configure Pipeline from the pipeline’s action menu.

[Screenshot: Pipelines List]

2. Add a New Rule

  • Hover over the + Add Rule button.

  • From the rule type dropdown, select SIEM/TAG.

  • A setup modal will appear with several tabs.

[Screenshot: Choose Rule]
[Screenshot: SIEM Rule]

Step-by-Step Rule Configuration

3. Fill in Rule Details

A. Details Tab

Configure the basic rule properties:

  • Name:

    Enter a unique and descriptive name for the SIEM rule (e.g., 404 Login Attempt - User Not Found).

  • Level:

    Choose the severity (Low, Medium, High, Critical).

  • Group:

    Assign the rule to an existing group or create a new one (e.g., Login Access).

  • Description:

    Explain the rule’s purpose (e.g., “Detects login attempts with 404 errors when the username doesn’t exist”).

  • Add Conditions (+ Add More Parameters):

    Set filters to define what this rule should detect. Example condition: event_type == login_attempt && status_code == 404

B. Metric Labels Tab

This tab allows you to tag logs with structured labels for visualization, analysis, and metric generation.

Note: Please choose the data flow, namespace and application to auto-populate the available field labels.

  • Labels:

    Choose fields (e.g., event type, username, status code) to label logs under the _event structure. These labelled events can later be used to generate metrics or reports.

  • Default Label for Visualization:

    Select the main label field to group results in visualizations and PromQL queries (e.g., group by status_code, username, etc.).

C. Dashboard tab

This section is for visualizing rule outputs via dashboards.

  • Select dashboard for visualization:

    Choose or create a dashboard to show data from this rule (e.g., 404 Login Attempts).

  • Select Values below to plot:

    Choose which field(s) from the logs you want to visualize (status_code, port).

  • Plot Types:

    • Occurrences: View average occurrences over time.

    • Distributions: View percentile metrics (50th, 90th, 99th) and average duration over the last 5 minutes.

D. Alerts tab

This tab allows you to configure alerts for your SIEM rule based on the metrics or log queries you've defined. To enable alerting, switch "Enable Alert" to active. Then, specify the threshold value and comparison operator (e.g., > 5) to determine when the alert should trigger based on the rule’s output.

Next, choose your alert destination channel (such as email, Slack, or webhook) to receive notifications. This option becomes available once the alert is activated.

You can also fine-tune alert behaviour by configuring parameters such as:

  • Rearm: Controls how frequently the alert can be re-triggered after it has already fired.

  • Refresh Interval: Defines how often the query is evaluated to check if the alert condition is met.

Example: Detect Login Attempts with 404 Errors

Enter the following details:

  • Name: login attempt with 404 user not found

  • Level: Low

  • Group: Login Access

  • Description: Detects login attempts with HTTP 404 status (user not found)

  • Add Condition: event_type == login_attempt && status_code == 404

[Screenshot: Rule Details]

[Screenshot: Add condition]

Metric Labels:

  • Labels: username

  • Default Label for Visualization: username

[Screenshot: Select Metric Labels]

Dashboard Settings:

  • Create or select: login attempt 404 dashboard

  • Plot Values: status_code

  • Plot Metrics: Choose the plot type based on the requirements.

    • Plot occurrences: status_code. This plots a time-series graph of the average occurrence of the variable over time during ingest. It is not an exact per-event graph, but an overview of what is happening.

    • Plot distribution: status_code. This plots the following graphs:

      • Average duration of each observation over the last 5 minutes

      • Observations mapped into 50th, 90th and 99th percentile buckets

[Screenshot: Dashboard and Plot Metrics]

Alerts:

  • Enable alerts

  • Change the desired value and operator for the alert evaluation.

  • Send to: Slack/email/webhook

  • Rearm & Refresh Interval: Configure based on alerting needs

[Screenshot: Enable Alert Rule Metric]
[Screenshot: Enable Alert for the field metric]
[Screenshot: Destination and Config Parameters]

After saving and applying the pipeline to the data flow, wait a few minutes and then verify that the rule-based dashboards and alerts are functioning correctly.
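To make the rule semantics concrete, here is an added Python model (not Apica's code) of what the example rule above does: it evaluates the condition event_type == login_attempt && status_code == 404 over constructed sample events, tags matches with the chosen labels under an _event structure, counts occurrences by the default visualization label, and applies a threshold alert with a rearm window. The condition parser handles only == and &&, which is an assumption made for this illustration.

```python
from collections import Counter

# Constructed sample log events (not real Apica data); field names follow the page's rule.
SAMPLE_EVENTS = [
    {"event_type": "login_attempt", "status_code": 404, "username": "alice"},
    {"event_type": "login_attempt", "status_code": 200, "username": "bob"},
    {"event_type": "login_attempt", "status_code": 404, "username": "carol"},
    {"event_type": "page_view", "status_code": 404, "username": "dave"},
    {"event_type": "login_attempt", "status_code": 404, "username": "alice"},
]

def parse_condition(condition):
    """Split 'a == x && b == y' into [('a', 'x'), ('b', 'y')]; only == and && are modelled."""
    clauses = []
    for clause in condition.split("&&"):
        field, value = (part.strip() for part in clause.split("==", 1))
        clauses.append((field, value))
    return clauses

def matches(event, clauses):
    # Compare as strings so the numeric status_code matches the literal "404" in the rule text.
    return all(str(event.get(field)) == value for field, value in clauses)

def tag_events(events, condition, labels):
    """Attach the chosen label fields under an _event structure on every matching event."""
    clauses = parse_condition(condition)
    return [{**e, "_event": {label: e.get(label) for label in labels}}
            for e in events if matches(e, clauses)]

def occurrences(tagged, group_by):
    """Log2Metric-style count of matching events grouped by the default visualization label."""
    return Counter(e["_event"][group_by] for e in tagged)

class Alert:
    """Threshold alert with a rearm window: once fired, it stays quiet for `rearm` seconds."""
    OPS = {">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
           "<": lambda a, b: a < b, "==": lambda a, b: a == b}

    def __init__(self, operator, threshold, rearm):
        self.operator, self.threshold, self.rearm = operator, threshold, rearm
        self.last_fired = None  # timestamp of the last notification, None until first fire

    def evaluate(self, value, now):
        """Return True only when the condition holds and the rearm window has elapsed."""
        if not self.OPS[self.operator](value, self.threshold):
            return False
        if self.last_fired is not None and now - self.last_fired < self.rearm:
            return False
        self.last_fired = now
        return True
```

Running tag_events over SAMPLE_EVENTS with the page's condition and labels ["username", "status_code"] yields three tagged events, and occurrences(..., "username") gives alice: 2, carol: 1, which is the series the "login attempt 404 dashboard" would plot.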

[Screenshot: Configured Dashboard]
[Screenshot: Configured alerts]
