Reporting: Rule Overview

Document created by RSA Information Design and Development on Nov 23, 2016. Last modified by RSA Information Design and Development on Feb 10, 2017.
Version 5

This topic provides a brief description of a rule. A rule is the basic and essential building block of the Reporting module: you must create a rule before it can be used in a Report, Chart, or Alert.

Building Blocks of a Rule

A rule represents a unique query that detects and summarizes the requested information within a collection of network data. For example, you can write a rule to view the top 20 web addresses your users visit daily, or a rule to detect the presence of clear-text authentication to your high-value assets.

The rule syntax is very similar to that of Structured Query Language (SQL): you can use a SELECT clause, a WHERE clause, sort and group options, and a limit on the result set. A rule consists of the following properties:

Property: Name
  Description: The name of the rule.
  Example: Windows System Account Activity

Property: Select
  Description: List of meta types that are returned in the result set. The list of meta types is provided in the Meta Library. The Meta Library in the Rule Builder is continually synchronized with the index configuration of the connected Security Analytics host. The number of meta types that this property can represent depends on how the rule is to be sorted. If the Sort By property is 'None' or non-aggregate, a rule can have more than one select field; for example, for each match, include ip.src, ip.dst, size, and time in the rule result. If a rule is set to be sorted, either by session count, session size, or packet size, then there can be only one field on which to select.
  Example: ip.src

Property: Where
  Description: A clause that is the base query for the rule.
  Example: alert='cleartext_ftp_passwords'

Property: Then (Rule Actions)
  Description: A series of functions that manipulate the original result set of a rule in order to make the output in a report more meaningful, or to add functionality other than querying and displaying data.
  Example: lookup_and_add ('username','ip.src',10);

Property: Sort By
  Description: Determines how the data in the result set is sorted. The possibilities are:
  • Total
  • Value
  Example: Total

Property: Limit
  Description: Designates how large a result set can be for the given rule. Note that if a result set is sorted by count or size, the limit represents the top (or bottom) N values to be returned. If the result set is not sorted, the first N values are returned.
  Example: 20
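The following toy model, added here as an illustration and not RSA Reporting Engine code, shows how the Select, Where, Then, Sort By and Limit properties above interact: a sorted rule may select only one meta key and its limit returns the top N values, whereas an unsorted rule returns the first N matches with every selected key. The sessions, the username table, the rule dictionaries and the reading of "Total" as session count are constructed assumptions.

```python
"""Toy model of the rule building blocks (added example, not RSA code).
Sessions, USERNAMES and the rule dictionaries are constructed for illustration."""
from collections import Counter

# Constructed sample sessions (meta key -> value); not captured data.
SESSIONS = [
    {"ip.src": "10.0.0.5", "ip.dst": "198.51.100.7", "size": 1200, "alert": "cleartext_ftp_passwords"},
    {"ip.src": "10.0.0.9", "ip.dst": "198.51.100.7", "size": 300, "alert": "cleartext_ftp_passwords"},
    {"ip.src": "10.0.0.5", "ip.dst": "203.0.113.2", "size": 800, "alert": "cleartext_ftp_passwords"},
    {"ip.src": "10.0.0.3", "ip.dst": "203.0.113.2", "size": 50, "alert": "other"},
]
# Constructed lookup table standing in for the data a lookup_and_add action would query.
USERNAMES = {"10.0.0.5": ["alice", "svc_backup"], "10.0.0.9": ["bob"]}

def validate_rule(rule):
    """A sorted rule may select only one meta key; an unsorted rule may select several."""
    if rule["sort_by"] != "None" and len(rule["select"]) != 1:
        raise ValueError("a sorted rule must select exactly one meta key")

def run_rule(rule, sessions):
    validate_rule(rule)
    key, value = rule["where"]  # Where clause modelled as a single key='value' test
    matched = [s for s in sessions if s.get(key) == value]
    if rule["sort_by"] == "None":
        # Unsorted: the limit is simply the first N matches, all selected keys per row.
        return [{k: s[k] for k in rule["select"]} for s in matched][: rule["limit"]]
    # Sorted by Total (assumed to mean session count): the limit is the top N values.
    field = rule["select"][0]
    counts = Counter(s[field] for s in matched)
    return [{field: v, "total": n} for v, n in counts.most_common(rule["limit"])]

def lookup_and_add(rows, new_key, on_key, limit):
    """Model of the Then action: add up to `limit` looked-up values to each row."""
    return [dict(r, **{new_key: USERNAMES.get(r[on_key], [])[:limit]}) for r in rows]

SORTED_RULE = {"select": ["ip.src"], "where": ("alert", "cleartext_ftp_passwords"),
               "sort_by": "Total", "limit": 2}
UNSORTED_RULE = {"select": ["ip.src", "ip.dst", "size"],
                 "where": ("alert", "cleartext_ftp_passwords"), "sort_by": "None", "limit": 2}

if __name__ == "__main__":
    print(lookup_and_add(run_rule(SORTED_RULE, SESSIONS), "username", "ip.src", 10))
    print(run_rule(UNSORTED_RULE, SESSIONS))
```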

Note: In the User Interface (UI), the date or time displayed depends on the time zone selected by the user.
