Reporting: Define a Rule Using Warehouse Data Source

Document created by RSA Information Design and Development on Jul 28, 2016

This topic provides instructions on how to define a rule to fetch data or events from a Warehouse event source. You can define the rules in two modes:

  • Default Mode
  • Expert Mode

For more information on the modes, see Warehouse Database Rule Definition Modes.

Prerequisites

Make sure that you:

  • Understand which rule type needs to be used in the rule. For more information on rule types, see Rule Types.
  • Understand the Rule view components. For more information, see Rule View.
  • Understand the Build Rule view components. For more information, see Build Rule View.
  • Understand how custom meta keys are created using custom feeds. For more information, see the Create Custom Meta Keys using Custom Feed topic in the Host and Services Configuration Guide.

Procedure

Perform the following steps to define a rule to fetch data or events from a Warehouse data source:

  1. In the Security Analytics menu, click Administration > Reports.

    The Manage tab is displayed.

  2. In the Rule toolbar, click the add icon (add_rule_button.png) > Warehouse DB.
  3. The Build Rule view tab is displayed.
  4. In the Rule Type field, Warehouse DB is selected by default.

    If you are defining the rule in Default mode, perform the following:

    1. In the Name field, enter a name that is used to identify or label the rule in alerts and reports.
    2. In the Select field, enter a meta, select it from the drop-down, or select a meta from the list of available meta types provided in the Meta Panel. For more information, see the topic Meta Panel in Build Rule View.
    3. In the From drop-down menu, select one of the following:

      • Session
      • Logs
    4. In the Alias field, enter the alias name for columns used in the Select clause.
    5. In the Where field, enter a meta or select a meta from the list of available meta types provided in the Meta Panel. The Where clause provides the base query criteria for the rule.
    6. In the Group By field, enter the meta selected in the Select clause, so that the result set is grouped based on the meta.
    7. In the Having field, enter the criteria to filter the result set for aggregated queries.
    8. In the Order By field, perform the following:

      1. In the Column Name column, enter the name of the columns by which you want to group the results.
      2. In the Sort by column, select one of the following ways to sort the results:

        • Ascending Order
        • Descending Order
    9. In the Limit field, enter the limit to be put on the query while fetching data from the database. If a result set is sorted by session count, packet count, or session size, the limit represents the top (or bottom) N values to be returned. If the result set is not sorted, the first N values are returned.
    10. Click Save.
  5. If you are defining the rule in Expert mode, select the Expert Mode checkbox and perform the following:

    1. In the Name field, enter a name that is used to identify or label the rule in alerts and reports.
    2. In the Query field, enter the Hive query statement to query the data source.
    3. In the Alias field, enter the alias name for columns used in the Select clause.
    4. Click Save.
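As an added example (not part of the original RSA documentation), the following HiveQL statement is the kind of query the Expert mode Query field accepts, written to match what the Default mode fields (Select, Alias, From, Where, Group By, Having, Order By, Limit) would produce. The table name sessions and the column names ip_src and event_time are assumptions; use the names your Warehouse schema exposes.

```sql
-- Added example; assumed table and column names, not from the original page:
--   sessions   : the table behind the "Session" choice in the From drop-down
--   ip_src     : source IP meta
--   event_time : event time as epoch seconds
-- Default mode fields this query corresponds to:
--   Select   : ip_src, COUNT(*)
--   Alias    : source_ip, session_count
--   From     : Session
--   Where    : one day of data, excluding an assumed internal 10.x range
--   Group By : ip_src
--   Having   : COUNT(*) > 100
--   Order By : session_count, Descending Order
--   Limit    : 10 (top 10, because the result set is sorted by session count)
SELECT
    ip_src   AS source_ip,
    COUNT(*) AS session_count
FROM sessions
WHERE event_time >= unix_timestamp('2016-07-27 00:00:00')
  AND event_time <  unix_timestamp('2016-07-28 00:00:00')
  AND ip_src NOT LIKE '10.%'
GROUP BY ip_src
HAVING COUNT(*) > 100
ORDER BY session_count DESC
LIMIT 10;
```

The report this rule feeds lists the ten external source addresses with the most sessions in the day, which is the sort of aggregate the Limit description in step 9 refers to.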

Next steps

You can test the correctness of the rule created by clicking Test Rule. For instructions, see Test a Rule.
