Writing Detections

Many detections and benchmarks are available in mods on the Powerpipe Hub. However, if these don't meet your needs, Tailpipe makes it easy to create your own detections and benchmarks to tailor solutions to your organization.

This guide introduces the core concepts for creating detections and benchmarks.

What are Detections?

Detections in Tailpipe serve as queries that analyze logs or other data sources to identify patterns, anomalies, or issues of interest. A detection returns every column its query selects, and Powerpipe uses those columns as context for filter-enabled analysis of the results.

Example Detection

Let's build a simple detection for monitoring AWS CloudTrail logs, and wrap it in a benchmark.

Prerequisites

  1. Tailpipe
  2. A configuration for CloudTrail logs

Create a Detection

  1. Create a Mod
    Tailpipe resources are packaged into mods. First, create a mod to hold the benchmark and the detections it wraps.

  2. Define a detection

Create a new file in your mod folder called cloudtrail.pp and add the following code:

To run the detection in the Powerpipe CLI:

To view the mod:

Then open localhost:9033 in a browser.

Wrap the detection in a benchmark

The benchmark block enables you to group detections.

Add a detection

Let's add another detection to the benchmark.
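The following is an added example of what the finished cloudtrail.pp could look like once it holds two detections and the benchmark that groups them; it is not the code from the original guide. It assumes your CloudTrail partition collects into the aws_cloudtrail_log table and that the column names below (tp_timestamp, recipient_account_id, source_ip_address, event_source, event_name, user_identity) match that table, and the resource names are this example's own.

```hcl
# cloudtrail.pp (added example, not the guide's own code)
# Assumed table and column names from the CloudTrail partition.

query "cloudtrail_logs_detect_root_console_logins" {
  sql = <<-EOQ
    select
      tp_timestamp as timestamp,
      recipient_account_id as account_id,
      source_ip_address as source_ip,
      event_name
    from aws_cloudtrail_log
    where event_name = 'ConsoleLogin'
      and user_identity.type = 'Root'
    order by tp_timestamp desc;
  EOQ
}

# Root sign-ins should be rare; each one is worth reviewing.
detection "cloudtrail_logs_detect_root_console_logins" {
  title       = "Detect Root Console Logins"
  description = "Console sign-ins made with the account root user."
  severity    = "high"
  query       = query.cloudtrail_logs_detect_root_console_logins
}

query "cloudtrail_logs_detect_trail_logging_stopped" {
  sql = <<-EOQ
    select
      tp_timestamp as timestamp,
      recipient_account_id as account_id,
      user_identity.arn as actor,
      source_ip_address as source_ip,
      event_name
    from aws_cloudtrail_log
    where event_source = 'cloudtrail.amazonaws.com'
      and event_name in ('DeleteTrail', 'StopLogging')
    order by tp_timestamp desc;
  EOQ
}

# Loss of audit logging is a common precursor to other activity.
detection "cloudtrail_logs_detect_trail_logging_stopped" {
  title       = "Detect CloudTrail Trails Deleted or Stopped"
  description = "Trails deleted or logging stopped via the CloudTrail API."
  severity    = "critical"
  query       = query.cloudtrail_logs_detect_trail_logging_stopped
}

# The benchmark groups both detections so they run and report together.
benchmark "cloudtrail_logs_detections" {
  title    = "CloudTrail Log Detections"
  children = [
    detection.cloudtrail_logs_detect_root_console_logins,
    detection.cloudtrail_logs_detect_trail_logging_stopped
  ]
}
```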

This guide is a starting point. Explore the Powerpipe Hub for more examples and best practices to maximize your use of detections and benchmarks.