Reporting: Build Rule View

Document created by RSA Information Design and Development on Jul 29, 2016
Version 1

This topic describes the features of the Build Rule view and the actions that you can perform. Associated procedures are provided under Working with Reporting Rules.

You can perform the following actions using the Rule panel:

  • Define and save a rule.
  • Reset the values of the rule.
  • Test the correctness of the rule.
  • Add the rule to a report.
  • Add the rule to the alert queue.
  • Add the rule to a chart.

Features 

The Build Rule view includes the following panels:

  • Rule panel
  • Meta panel
  • Lists panel

The following figure shows the various panels of the Build Rule view.

[Figure: 105_build_rule_view.png]

Rule Panel

The Rule panel allows you to create a rule for the selected database type. The supported rule types are:

  • NetWitness DB
  • IPDB
  • Warehouse DB

The following figure displays the Rule panel.

[Figure: 105_build_rule_view1.png]

Meta Panel

The Meta panel provides a list of available meta types that you can use to build the rule. You can use the meta types in the Select, Where, and Then clauses. The Reporting Engine maintains an active list of the available meta names by continuously synchronizing with the data source to which it is connected.

The following figure displays the Meta panel.

[Figure: 104_build_rule_panel.png]

The following table describes the operations that you can perform in the Meta panel.

             
Operation | Description
Choose | Based on the rule type that you have selected, the available data sources are displayed in the drop-down list of the Meta panel. Select the required data source. The available metas for the data source are displayed. Select a meta.
Filter | Filter the meta for a specific meta value.

Note: If a meta is written in two different formats into the Security Analytics Warehouse (SAW), the Reporting Engine discards that meta and it is not displayed in the Warehouse Rule Builder. Also, any existing Warehouse report or rule that refers to this meta fails.

Lists Panel

A List is a placeholder for a set of values that you can use in a meta or a variable. For example, you can define a list with all the whitelisted event source IP addresses. Once the List is defined, you can use the List name in the rule. This provides the flexibility of adding, modifying, and deleting the list values.

The Lists panel is a collection of Lists. The Reporting Engine maintains an active list of the available list names by continuously synchronizing with the collection to which it is connected.

The following figure displays the Lists panel.

[Figure: 104_list_pane.png]

The following table describes the operations that you can perform in the Lists panel.

                   
Operation | Description
[icon: part_of_list_pane.png] | Import or Export a list.
[icon: part_of_list_pane.png] | If you select the NetWitness DB rule type, the options Where and Then are displayed. Insert the list in the Where or Then clause in the rule.
[icon: part_of_list_pane.png] | If you select the IPDB rule type, the options Where and Event Source are displayed. Insert the list in the Where or Event Source clause in the rule.
[icon: part_of_list_pane.png] | If you select the Warehouse DB rule type, the option Where is displayed. Insert the list in the Where clause in the rule.