ESM: Create/Edit Group Form

Document created by RSA Information Design and Development on Jul 15, 2016Last modified by RSA Information Design and Development on Feb 27, 2017

The Create/Edit Event Source Group form is displayed when you create or edit an Event Source Group.

Procedures related to this form are described in Create Event Source Groups and Edit or Delete Event Source Groups.

Parameters

The following table describes the fields on the Create/Edit Event Source Group form.

Field / Description
Group Name

This field is required, and appears throughout the Security Analytics UI as the identifier for the group.

Description

An optional description to help describe the purpose or details for the group.

Tools

(Screenshot: rule toolbar, esm_grpRules.png)

The following items are available on the toolbar:

  • Add (+): clicking Add displays a menu where you can choose to add a condition or a group.
  • Remove (-): removes the selected condition, or the selected group together with all of its conditions, from the list.

Adding a group nests a further level of conditions beneath the selected group, so complex rules are built as a tree of groups and conditions.

Conditions

Described below, in the Rule Criteria table.

Cancel / Save

Cancel and Save options are available in the form.

Rule Criteria

The rules that you specify determine the event sources that will become part of this event source group. A rule consists of the following:

  • Grouping: how the rule interacts with other rules
  • Attribute: which attribute the rule is matching against
  • Operator: how the rule matches the attribute
  • Value: the attribute value used for the rule

The following table provides details on these rule constructors.

                         
Rule ConstructorDetails
Grouping

You can group conditions, in order to create complex rules for an event source group. The following choices are available when grouping your rules:

  • All of these: every condition in the group must match (logically equivalent to AND)
  • Any of these: at least one condition in the group must match (logically equivalent to OR)
  • None of these: no condition in the group may match (logically equivalent to NOT applied to the OR of the conditions)

If you are creating a simple group, and specifying a single condition, you can leave the default value (All of these) selected.

Attribute

This is a drop-down list of all event source attributes. The attributes are grouped by the section to which they belong: all of the Identification attributes are displayed first, followed by the Properties, Importance, and so on.

Operator

Choose from the following options:

  • Equals: matches the provided value

  • Not equals: returns event sources whose specified attribute is not equal to the provided value

  • In: provide a list of values in comma separated format, and event sources that match any of the provided values are included. For example:

    Where IP in 10.25.50.146, 10.25.50.248

    This condition returns event sources that have either 10.25.50.146 or 10.25.50.248 as their IP attribute.

  • Not in: similar to In, except that it matches items whose attribute is not equal to any of the listed values.

  • Like: matches items that begin with the provided string. For example:

    Where Event Source Type Like Apache

    This condition returns event sources whose Event Source Type begins with Apache.

  • Not like: similar to Like, except that it matches items whose attribute does not begin with the provided string.

  • Greater than: matches items whose attribute is greater than the provided value. For example, if you specify Priority Greater than 5, the condition would match any item with a priority of 6 or higher.

  • Less than: similar to Greater than. Matches items whose attribute is less than the provided value.

Value

Enter a value or group of values. The value type depends on the attribute for the condition. For example, for IPv6, you need to specify a value in IPv6 format.
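The Grouping, Attribute, Operator and Value constructors above form a small predicate language. The following is an added example, written for this page and not RSA Security Analytics code, that implements an evaluator for that language in Python and runs it over constructed sample event sources. The rule dictionary shape, the helper names (typed, matches, select_members) and the sample data are assumptions made for illustration. It shows how nested groups combine (All / Any / None of these, with None of these behaving as NOT of the OR), how In and Not in take a comma-separated list, how Like is a prefix match, and how IP and numeric values are compared in the attribute's own type as the Value row requires.

```python
"""Added example: a small evaluator for ESM event source group rules.

Illustrative code written for this page; it is not RSA Security Analytics
code. The rule/condition dictionary shape, the helper names and the sample
event sources below are constructed assumptions that mirror the form fields
described above (Grouping, Attribute, Operator, Value)."""
import ipaddress

# Constructed sample event sources (not real inventory data). Keys are the
# attribute names as they appear in the form's Attribute drop-down.
EVENT_SOURCES = [
    {"Name": "web-01", "IP": "10.25.50.146", "Event Source Type": "Apache", "Priority": 7},
    {"Name": "web-02", "IP": "10.25.50.248", "Event Source Type": "ApacheTomcat", "Priority": 4},
    {"Name": "fw-01", "IP": "10.25.50.1", "Event Source Type": "Cisco ASA", "Priority": 9},
    {"Name": "dc-01", "IP": "10.25.60.10", "Event Source Type": "Windows", "Priority": 6},
]


def typed(value):
    """Interpret a value in the attribute's own type (assumption: IPs compare
    as addresses, so IPv4/IPv6 spellings normalize; numbers compare
    numerically; anything else compares as a string)."""
    if isinstance(value, (int, float)):
        return value
    text = str(value).strip()
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        pass
    for cast in (int, float):
        try:
            return cast(text)
        except ValueError:
            pass
    return text


def split_list(value):
    """'In' / 'Not in' take a comma-separated list, e.g. '10.25.50.146, 10.25.50.248'."""
    return [part.strip() for part in str(value).split(",") if part.strip()]


def matches_condition(source, cond):
    """Apply one Attribute / Operator / Value condition to one event source."""
    actual = source.get(cond["attribute"])
    if actual is None:
        return False  # assumption: a source lacking the attribute never matches
    op, value = cond["operator"], cond["value"]
    if op == "Equals":
        return typed(actual) == typed(value)
    if op == "Not equals":
        return typed(actual) != typed(value)
    if op == "In":
        return typed(actual) in [typed(v) for v in split_list(value)]
    if op == "Not in":
        return typed(actual) not in [typed(v) for v in split_list(value)]
    if op == "Like":  # prefix match, as Like is described in the Operator row
        return str(actual).startswith(str(value))
    if op == "Not like":
        return not str(actual).startswith(str(value))
    if op == "Greater than":
        return typed(actual) > typed(value)
    if op == "Less than":
        return typed(actual) < typed(value)
    raise ValueError(f"unknown operator: {op}")


def matches(source, node):
    """A node is either a condition or a group; groups nest to any depth,
    which is what adding a group with the toolbar's Add (+) produces."""
    if "grouping" not in node:
        return matches_condition(source, node)
    results = [matches(source, child) for child in node["conditions"]]
    grouping = node["grouping"]
    if grouping == "All of these":   # AND
        return all(results)
    if grouping == "Any of these":   # OR
        return any(results)
    if grouping == "None of these":  # NOT (c1 OR c2 ...): every condition must fail
        return not any(results)
    raise ValueError(f"unknown grouping: {grouping}")


def select_members(rule, sources=EVENT_SOURCES):
    """Return the names of the event sources that the rule places in the group."""
    return [s["Name"] for s in sources if matches(s, rule)]


# Where IP in 10.25.50.146, 10.25.50.248  (the example from the Operator row)
RULE_IP_IN = {"grouping": "All of these", "conditions": [
    {"attribute": "IP", "operator": "In", "value": "10.25.50.146, 10.25.50.248"}]}

# Where Event Source Type Like Apache, excluding low-priority sources through
# a nested "None of these" group: Apache* AND NOT (Priority < 5)
RULE_NESTED = {"grouping": "All of these", "conditions": [
    {"attribute": "Event Source Type", "operator": "Like", "value": "Apache"},
    {"grouping": "None of these", "conditions": [
        {"attribute": "Priority", "operator": "Less than", "value": "5"}]}]}

if __name__ == "__main__":
    print("IP In:", select_members(RULE_IP_IN))                      # ['web-01', 'web-02']
    print("Apache, not low priority:", select_members(RULE_NESTED))  # ['web-01']
```

Two points the evaluator makes visible: a group's grouping applies to every child, so a nested None of these is the only way to express "Apache sources except those with Priority below 5" without inverting each operator by hand; and because membership is computed from attribute values, a Like prefix such as Apache also pulls in ApacheTomcat, so check the resulting membership after saving rather than assuming the rule reads the way it was intended.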
