if someone is running a search query that is taking much time i want an alert created.
Answer by JonathanPechtaIBM (8228) | Jan 26, 2017 at 01:35 PM
Your best bet is to not use a rule, but instead in QRadar 7.2.8 we introduced a feature called "Resource Restriction". I believe that this creates an audit event, which could then be keyed off of, but I will have to run a quick test to verify that this happens when a restriction is put into effect.
Resource restriction allows you to specify users, roles, or tenants and then apply a resource restriction against individuals, groups, or tenants to ensure things like new users don't run 6 month searches that take days to run.
You have the option to define the following:
1. Records - Events/Flows query would be automatically stopped after it reaches the assigned number of records.
2. Time range - Events/Flows query would be limited to the assigned time range, i.e. 3 days would allow a search to run 3 days backwards from the current time.
3. Execution time - Events/Flows query would be automatically stopped after the assigned period of time.
You are probably better off just assigning an execution time to that user; then you don't have to worry about a rule. However, if you wanted a metric to track, there might be an audit event generated. I would have to test this as mentioned above.
Currently we are running 7.2.7 patch 4. Some of our users may run long searches, bogging down the system. I want to be alerted when that happens, but I am not sure of the correct way to go about it. Thanks.
Answer by Mike Hardesty (342) | Jan 26, 2017 at 01:22 PM
Might not be the answer you are looking for but why not set Resource Restrictions for execution time?
Answer by VishnuKarthick (1) | Jan 27, 2017 at 04:20 AM
I agree with Jonathan on using the "Resource Restriction" in 7.2.8. Having said that, if you aren't intending to upgrade soon, you can achieve expensive search notification by monitoring the "/store/transient/ariel.ariel_proxy_server/data" directory. This directory holds the search related information and the search results as well. We can start by identifying the search results (*.data) files with huge size; for example, we can set the benchmark size as 5 GB.
In 7.2.6, to create an automated solution, we developed a script which monitors this folder every 5 mins or so to see if any data file size is more than 5 GB. If any file is found with size bigger than 5 GB, the script can get into the alias file (contains the user details of who initiated the search) associated with the data file to identify the user details and can notify. I'm not sure how the structure is in 7.2.7; you may want to check the same. In case you need further details, you can PM me.
Examples of data and alias files
Data file: "4d479eb2-511a-4d5e-81a9-33002391adb4.data"
Alias File: "4d479eb2-511a-4d5e-81a9-33002391adb4~4d479eb2-511a-4d5e-81a9-33002391adb4.alias"
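The monitoring approach described in this answer, as an added example that is not the poster's script and not part of the original thread: it scans the Ariel data directory for `.data` files above a size threshold, locates the matching `<id>~<id>.alias` file using the naming pattern shown above, and produces an alert line per oversized search. The directory path and the 5 GB benchmark come from the answer; the assumptions are that the alias file is readable text (its layout is not documented here, so its raw content is passed through), and that the alias file name starts with the search id followed by `~`. The sample directory it builds for a demo run is constructed, not real QRadar data.

```python
#!/usr/bin/env python3
"""Flag oversized Ariel search result files and the alias file naming the requester."""
import os
import sys
import tempfile

# Directory named in the answer above (QRadar 7.2.6); assumed unchanged on the target release.
ARIEL_DATA_DIR = "/store/transient/ariel.ariel_proxy_server/data"
DEFAULT_THRESHOLD_BYTES = 5 * 1024 ** 3  # the 5 GB benchmark from the answer


def find_alias_file(directory, search_id):
    """Return the path of the alias file for a search id, or None if there is none.

    Assumption: alias files are named '<id>~<id>.alias' as in the example above,
    so any '.alias' file whose name starts with '<id>~' is taken as the match.
    """
    prefix = search_id + "~"
    for entry in os.scandir(directory):
        if entry.is_file() and entry.name.startswith(prefix) and entry.name.endswith(".alias"):
            return entry.path
    return None


def find_expensive_searches(directory, threshold_bytes=DEFAULT_THRESHOLD_BYTES):
    """Return [(search_id, size_bytes, alias_path, alias_text), ...], largest first,
    for every .data file strictly larger than threshold_bytes."""
    findings = []
    for entry in os.scandir(directory):
        if not (entry.is_file() and entry.name.endswith(".data")):
            continue
        size = entry.stat().st_size
        if size <= threshold_bytes:
            continue
        search_id = entry.name[: -len(".data")]
        alias_path = find_alias_file(directory, search_id)
        alias_text = ""
        if alias_path:
            # Assumption: the alias file is readable text. Its exact layout is not
            # documented in the thread, so the raw content goes into the notification.
            with open(alias_path, "r", errors="replace") as fh:
                alias_text = fh.read().strip()
        findings.append((search_id, size, alias_path, alias_text))
    findings.sort(key=lambda f: f[1], reverse=True)
    return findings


def format_alert(findings):
    """Render one alert line per finding; an empty list renders as an empty string."""
    lines = []
    for search_id, size, alias_path, alias_text in findings:
        gib = size / 1024 ** 3
        who = alias_text if alias_text else "unknown (no alias file found)"
        lines.append(f"search {search_id}: {gib:.2f} GiB result file; requester info: {who}")
    return "\n".join(lines)


def build_demo_dir(big_size=6 * 1024 ** 3):
    """Create a constructed sample directory (not real QRadar data): one oversized
    search with its alias file, and one small search. The large .data file is made
    sparse with truncate(), so st_size reports big_size without consuming disk."""
    d = tempfile.mkdtemp(prefix="ariel_demo_")
    big = "4d479eb2-511a-4d5e-81a9-33002391adb4"       # id from the example above
    small = "11111111-2222-3333-4444-555555555555"     # constructed id
    with open(os.path.join(d, big + ".data"), "wb") as fh:
        fh.truncate(big_size)
    with open(os.path.join(d, f"{big}~{big}.alias"), "w") as fh:
        fh.write("user=analyst01 (constructed sample alias content)\n")
    with open(os.path.join(d, small + ".data"), "wb") as fh:
        fh.write(b"x" * 1024)
    return d


if __name__ == "__main__":
    # Run against a directory given on the command line, or against the demo directory.
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_dir()
    hits = find_expensive_searches(target)
    if hits:
        print(format_alert(hits))  # a cron job would hand this to mail/syslog instead
        sys.exit(1)
    print("no oversized search results")
```

For the 5-minute cadence the answer mentions, schedule `find_expensive.py /store/transient/ariel.ariel_proxy_server/data` from cron and route the non-zero exit or the printed lines to whatever notifier you use; the threshold and the alias-file naming assumption should both be checked against the release you are actually running.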