Reporting: Build Rule View

Document created by RSA Information Design and Development on Nov 23, 2016Last modified by RSA Information Design and Development on Feb 10, 2017

This topic describes the features of the Build Rule view and the actions that you can perform. Associated procedures are provided under Rules.

You can perform the following actions using the Rule panel:

  • Define and save a rule.
  • Reset the values of the rule.
  • Test the correctness of the rule.
  • Add the rule to a report.
  • Add the rule to the alert queue.
  • Add the rule to a chart.

To access the Build Rule view:

  1. In the Security Analytics menu, select Reports.
    The Manage tab is displayed.
  2. In the Rule toolbar, click the Add icon and select NetWitness DB.
    The Build Rule view tab is displayed.

The following figure is an example of the Build Rule view.
106_build_rule_view.png

Features

The Build Rule view includes the following panels:

  • Rule panel
  • Meta panel
  • Lists panel

Rule Panel

The Rule panel allows you to create a rule for the selected database type.

The following figure shows the Rule panel.
105_build_rule_view1.png

The following table describes the features in the Rule panel.

Rule Type: A drop-down list of supported database types for which you can create rules. The options are: NetWitness DB, IPDB, Warehouse DB, and IMDB.
Name: The name of the rule that you are creating or editing.
Summarize: A drop-down list of summarize options. The options are: None, Event Count, Packet Count, Session Count, and Custom.
Select: The meta key for which you need the aggregate values; for example, ip.dest.
Where: A Where clause that defines the conditions that trigger the rule execution; for example, ip.dest = 127.0.0.1.
Group By: The grouping method for the results. For example, specifying ip.dest produces a report in which like ip.dest values are grouped.
Then: A Then clause that defines the rule actions for additional processing on the output.
Order By: The sequencing method used to show results. For example, specifying Order By the value in the Total column, Ascending, produces a report in which the results are sorted in ascending order based on the value in the Total column.
Session Threshold: A selection list for the session threshold, which specifies the maximum number of sessions that should be processed for aggregate functions.
Limit: A selection list for the maximum number of result rows to be fetched.
Use: Clicking Use enables you to use the rule to generate a Report, Alert, or Chart.
Save: Clicking Save saves the rule that you are editing; the Build Rule panel remains open. Before testing a rule, you must save it if you want to keep your changes.
Reset: Clicking Reset clears all the field information.
Test Rule: Clicking Test Rule opens the Test Rule dialog.

Test Rule Dialog

To access the Test Rule view:

  1. In the Security Analytics menu, select Reports.
    The Manage tab is displayed.
  2. In the Rule List panel, do one of the following:
    • Select a rule and click the Edit icon in the Rules toolbar.
    • Open the rule's menu and click Edit.
      The Build Rule view tab is displayed.
  3. Click Test Rule.
    The Test Rule view is displayed.
    Test_rule_page.png

The following table describes the features in the Test Rule dialog.

Data Source: A drop-down list of data sources for the type of rule you are testing. Possible data sources are: Concentrator, Broker, Decoder, or Log Decoder.
Format: A drop-down list of the formats for displaying results for the rule. Possible formats are: Tabular, Area, Bar, Bubble, Column, Line, Pie, Step Line, Step Area, Spline Area, and Spline.
Time Range: A drop-down list of time range specification methods.
  • Selecting Past allows you to specify a number of hours, days, weeks, months, or years.
  • Selecting Range allows you to specify a start date and time and an end date and time.
  In the user interface, the date or time displayed depends on the time zone profile selected by the user.
Use relative time calculation: Selecting this option calculates the time range relative to the current time.
X Axis: X-Axis and Y-Axis specify the metadata to be plotted in charts. The X-Axis drop-down list contains the meta types used in the rule's Group By setting. You can select multiple meta types when the rule has a single Group By setting. For Custom rules with multiple Group By values, you can select only the first meta type for the X-Axis.
Y Axis: The Y-Axis drop-down list contains the aggregate functions used in the rule. Sum, Count, Countdistinct, and Average are the supported aggregate functions for rules. You can select one or more aggregate functions.
Run Test: Clicking Run Test executes a test of the rule last saved in the Build Rule view. When the test is complete, the rule data (if any) for the selected time range is displayed.
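
The Time Range note above has a practical consequence: a Range typed as wall-clock text means different absolute instants for users with different time zone profiles, while a Past window is anchored to the current time. The following added example (not Reporting Engine code) shows both resolutions and the profile-dependent display. The profile table uses constructed fixed offsets; a real time zone profile is a named zone with DST rules.

```python
"""Resolving a Test Rule time range to absolute UTC instants.
Added example, not Reporting Engine code. PROFILES is a constructed
stand-in for the user's time zone profile (fixed offsets, no DST)."""
from datetime import datetime, timedelta, timezone

PROFILES = {
    "UTC": timezone.utc,
    "US Eastern (winter, UTC-5)": timezone(timedelta(hours=-5)),
    "India (UTC+5:30)": timezone(timedelta(hours=5, minutes=30)),
}


def past_range(amount, unit, now):
    """'Past <amount> <unit>' with relative time calculation: the window
    ends at `now` (timezone-aware) and starts `amount` units earlier."""
    if unit not in ("hours", "days", "weeks"):
        raise ValueError("months and years need calendar arithmetic; not handled here")
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    return now - timedelta(**{unit: amount}), now


def absolute_range(start_local, end_local, profile):
    """'Range' start/end are wall-clock times in the user's profile. Two users
    with different profiles who type the same text get different UTC windows."""
    tz = PROFILES[profile]
    start = datetime.strptime(start_local, "%Y-%m-%d %H:%M").replace(tzinfo=tz)
    end = datetime.strptime(end_local, "%Y-%m-%d %H:%M").replace(tzinfo=tz)
    if end <= start:
        raise ValueError("end must be after start")
    return start.astimezone(timezone.utc), end.astimezone(timezone.utc)


def display(start, end, profile):
    """Render a UTC window the way a user with `profile` would see it."""
    tz = PROFILES[profile]
    return f"{start.astimezone(tz):%Y-%m-%d %H:%M} to {end.astimezone(tz):%Y-%m-%d %H:%M}"


if __name__ == "__main__":
    win = absolute_range("2017-02-10 00:00", "2017-02-10 06:00",
                         "US Eastern (winter, UTC-5)")
    for name in PROFILES:
        print(f"{name:28} {display(*win, name)}")
    print(display(*past_range(2, "days", win[1]), "UTC"))
```

When two analysts compare test results, compare the resolved UTC window rather than the text they typed into the Range fields.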

Meta Panel

The Meta panel provides a list of available meta types that you can use to build the rule. You can use the meta types in the Select, Where, and Then clauses. The Reporting Engine maintains an active list of the available meta names by continuously synchronizing with the data source to which it is connected.

The following figure displays the Meta panel.
104_build_rule_panel.png
The following table describes the features in the Meta panel.

Choose: Based on the rule type that you have selected, the available data sources are displayed in the drop-down list of the Meta panel. Select the required data source. The available meta types for the data source are displayed. Select a meta.
Filter: Filter the meta for a specific meta value.

Lists Panel

A List is a placeholder for a set of values that you can use in a meta or a variable. For example, you can define a list with all the whitelisted event source IP addresses. Once the List is defined, you can use the List name in the rule. This provides the flexibility of adding, modifying, and deleting the list values without editing the rule.

The Lists panel is a collection of Lists. The Reporting Engine maintains an active list of the available list names by continuously synchronizing with the collection to which it is connected.

The following figure displays the Lists panel.
104_list_pane.png

The following table describes the features in the Lists panel.

Import/Export icon: Import or export a list.
Insert icon (NetWitness DB rule type): The options Where and Then are displayed. Insert the list in the Where or Then clause of the rule.
Insert icon (IPDB rule type): The options Where and Event Source are displayed. Insert the list in the Where or Event Source clause of the rule.
Insert icon (Warehouse DB rule type): The option Where is displayed. Insert the list in the Where clause of the rule.
Insert icon (IMDB rule type): The option Where is displayed. Insert the list in the Where clause of the rule.
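
The Rule panel fields (Where, Group By, Summarize = Session Count, Order By Total, Limit) and the Lists panel both describe how a saved rule is evaluated, but the page does not show the evaluation itself. The following added example (not Reporting Engine code) is a toy evaluator that runs those fields over constructed sample sessions, with a List of whitelisted source addresses referenced from the Where clause. The Where syntax it accepts (meta = value, meta != value, meta in $ListName, meta not in $ListName, joined by and / or) and the $ prefix for list names are assumptions for the example only.

```python
"""Toy evaluator for Build Rule fields with a List used as a Where-clause
placeholder. Added example, not Reporting Engine code; the Where syntax and
the $ListName reference form are assumptions for the example."""
import re
from collections import Counter

# Constructed sample sessions (meta name -> value); not captured traffic.
SESSIONS = [
    {"ip.src": "10.0.0.5",  "ip.dest": "203.0.113.7",  "service": 80},
    {"ip.src": "10.0.0.5",  "ip.dest": "203.0.113.7",  "service": 443},
    {"ip.src": "10.0.0.9",  "ip.dest": "198.51.100.2", "service": 80},
    {"ip.src": "10.0.0.12", "ip.dest": "203.0.113.7",  "service": 80},
    {"ip.src": "10.0.0.12", "ip.dest": "127.0.0.1",    "service": 22},
    {"ip.src": "10.0.0.3",  "ip.dest": "198.51.100.2", "service": 22},
]

# A List holds values outside the rule text (here: whitelisted event source
# addresses), so the rule stays unchanged when the list is edited.
LISTS = {"whitelisted_sources": {"10.0.0.5", "10.0.0.3"}}

_TERM = re.compile(r"^\s*([\w.]+)\s*(!=|=|not in|in)\s*(\S+)\s*$")


def _term_matches(term, session, lists):
    m = _TERM.match(term)
    if not m:
        raise ValueError(f"unparseable Where term: {term!r}")
    meta, op, rhs = m.groups()
    value = str(session.get(meta))          # missing meta never equals a literal
    if op in ("in", "not in"):
        if not rhs.startswith("$") or rhs[1:] not in lists:
            raise ValueError(f"unknown List in Where clause: {rhs}")
        hit = value in lists[rhs[1:]]
        return hit if op == "in" else not hit
    return (value == rhs) == (op == "=")


def where_matches(where, session, lists=LISTS):
    """'and' binds tighter than 'or'; an empty Where clause matches everything."""
    if not where.strip():
        return True
    return any(all(_term_matches(t, session, lists) for t in conj.split(" and "))
               for conj in where.split(" or "))


def run_rule(where, group_by, ascending=False, limit=None,
             sessions=SESSIONS, lists=LISTS):
    """Summarize = Session Count, grouped by `group_by`, ordered by the Total
    column, truncated to `limit` rows. Returns [(group value, total), ...]."""
    totals = Counter()
    for s in sessions:
        if where_matches(where, s, lists):
            totals[str(s.get(group_by))] += 1
    # Ties are broken by group value so the order is deterministic.
    rows = sorted(totals.items(), key=lambda kv: (kv[1], kv[0]),
                  reverse=not ascending)
    return rows[:limit] if limit else rows


if __name__ == "__main__":
    # The page's own Where example, grouped by source address.
    print(run_rule("ip.dest = 127.0.0.1", "ip.src"))
    # Web sessions from non-whitelisted sources, busiest destination first.
    print(run_rule("service = 80 and ip.src not in $whitelisted_sources",
                   "ip.dest"))
```

Adding an address to the whitelisted_sources List changes the second result without touching the rule text, which is the point of keeping such values in a List rather than in the Where clause.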
