Skip to main content
Skip table of contents

Query with Mistwatcher

  1. Log in to the LogRhythm NDR UI.
  2. Click the Settings tab. In the drop-down menu, click Policy Management and then Mistwatcher.
    The Mistwatcher page appears.

  3. To add/update the mistwatcher, complete the input fields of the mistwatcher entry according to the following instructions.

    • Query Name: Enter the name of the mistwatcher entry. (Choose the name carefully, as it cannot be edited later.)
    • Active: If Active is enabled, your query is active to be executed. If not, it is inactive for execution.
    • Schedule: You can schedule how often this query needs to be executed (for example, @every 1h, @every5m...).
    • Index: Choose the Index to run your query. By clicking the drop-down menu, it will show the available indices (for example, raw_logs*, raw_events*).
    • Profile: Choose the profile based on your query and requirement. Select the drop-down icon, which displays a list of available profiles.
    • Query String: Click on the Query String check box. This displays a text box prompting Enter Query String. Type your query here.
    • Sigma Rules: If Query String is not chosen, Sigma Rules can be selected from the Sigma Rules drop-down menu. Select a rule as needed.

    You can either write a query or select Sigma rule. Only one option can be selected.

    • Time: Choose the time range for your query.
    • Email Notify: If you want to get notified through email, click Every Run option.
    • Slack Notify: If you want to get notified through Slack, click Every Run option.
    • Slack: Give the Slack Channel name in which you need to receive notifications.
    • Event Notify: If you need to generate mistwatcher events using your query, choose Every Run from the drop-down menu.
    • Never: Leave it as is.
    • Email: Available emails are on the left side and selected emails are on the right side. If you click the email on the left side, and select the add email button, your selected email will be shown in the Selected Email box.

  4. After completing all the required fields, click Add and refresh the page.
    The list of mistwatcher queries displays, allowing you to edit the existing queries (except for the query name, which can't be changed). You can also search for query in the Search field.

  5. Select the query name. 
    A window for editing your query appears. 

  6. After updating the query, click Update.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close