This topic describes the features for creating and managing application rules in the Services Config view > App Rules tab.
The App Rules tab enables you to manage application rules. Security Analytics applies application rules at the session level.
The toolbar on the App Rules tab is common to all types of rules. Services Config View - Rules Tabs provides information on the common rules toolbar and actions.
To access the App Rules tab:
- In the Security Analytics menu, select Administration > Services.
- Select a Decoder or Log Decoder service and choose View > Config.
The Config view for the selected service is displayed.
- Click the App Rules tab.
The following figure shows an App Rules tab.
Application Rules Tab Columns
Rule Editor Dialog
The following figure shows the Rule Editor dialog for an application rule.
The Rule Editor dialog provides the fields and options needed to define an application rule.

| Field | Description |
|---|---|
| Rule Name | A descriptive name that identifies the rule. |
| Condition | The condition that triggers the rule's actions when a session matches it. You can type directly in the field or build the condition from meta using the Intellisense window actions. As you build the rule definition, Intellisense displays syntax errors and warnings. All string literals and time stamps must be quoted; number values and IP addresses must not be quoted. Rule and Query Guidelines provides additional details. |
The following table describes the Session Data actions and options. Keep, Filter and Truncate decide what is written to disk for a matching session, so a Filter or Truncate rule with an over-broad condition discards packet data that cannot be recovered later; check such conditions against known traffic before enabling them.

| Option | Description |
|---|---|
| Stop Rule Processing | If checked, rule evaluation ends when this rule is matched, and the session is saved according to this rule's session action. If not checked, evaluation continues until all rules have been evaluated. |
| Keep | The packet payload and associated metadata are saved when they match the rule. |
| Filter | The packet is not saved when it matches the rule. |
| Truncate | The packet payload is not saved when it matches the rule, but packet headers and associated metadata are retained. |
| Alert and Alert On | If Alert is checked, a custom alert is generated when the session's metadata matches the rule. Select the name of the alert in the Alert On field. |
| Forward | Enables syslog forwarding of the log when it matches the rule. |
| Transient | Prevents the alert metadata created by the rule from being written to disk. |
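The quoting guideline for the Condition field and the Stop Rule Processing semantics described above can both be checked offline before a rule is pushed to a Decoder. The following Python is an added example, not Security Analytics code. It assumes a simplified condition grammar (`key = value` or `key != value` clauses joined by `&&` and `||`, with `&&` binding tighter), assumed meta key names such as `service` and `ip.src`, and constructed rules and session metadata. It flags literals that break the quoting rule, then walks an ordered rule list against a session and stops at the first matched rule that has Stop Rule Processing set, so the effect of rule order is visible.

```python
import ipaddress
import re
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Set, Tuple

# Assumed grammar for this example (not the product's documented grammar):
# a clause is `key = value` or `key != value`; clauses join with && and ||.
CLAUSE_RE = re.compile(r"^\s*([A-Za-z][\w.]*)\s*(!=|=)\s*(.+?)\s*$")


def tokenize(condition: str) -> List[str]:
    """Split a condition into clause strings and '&&' / '||' tokens.
    Quotes are tracked so a quoted literal may itself contain && or ||."""
    tokens, buf, quote, i = [], [], None, 0
    while i < len(condition):
        ch = condition[i]
        if quote:
            buf.append(ch)
            if ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
            buf.append(ch)
        elif condition[i:i + 2] in ("&&", "||"):
            tokens.append("".join(buf).strip())
            tokens.append(condition[i:i + 2])
            buf = []
            i += 1
        else:
            buf.append(ch)
        i += 1
    tokens.append("".join(buf).strip())
    return tokens


def parse_condition(condition: str) -> List[List[Tuple[str, str, str]]]:
    """Return OR-groups of AND-clauses as (key, op, value) triples."""
    groups, current = [], []
    for tok in tokenize(condition):
        if tok == "&&":
            continue
        if tok == "||":
            if not current:
                raise ValueError("empty clause before ||")
            groups.append(current)
            current = []
            continue
        m = CLAUSE_RE.match(tok)
        if not m:
            raise ValueError(f"cannot parse clause: {tok!r}")
        current.append(m.groups())
    if not current:
        raise ValueError("condition ends without a clause")
    groups.append(current)
    return groups


def is_quoted(value: str) -> bool:
    return len(value) >= 2 and value[0] == value[-1] and value[0] in ("'", '"')


def lint_literal(value: str) -> Optional[str]:
    """Quoting guideline: quote strings and time stamps, never numbers or IPs."""
    inner = value[1:-1] if is_quoted(value) else value
    is_number = re.fullmatch(r"-?\d+(\.\d+)?", inner) is not None
    try:
        ipaddress.ip_address(inner)
        is_ip = True
    except ValueError:
        is_ip = False
    if is_quoted(value) and (is_number or is_ip):
        return f"{value}: numbers and IP addresses must not be quoted"
    if not is_quoted(value) and not (is_number or is_ip):
        return f"{value}: string literals and time stamps must be quoted"
    return None


def lint_condition(condition: str) -> List[str]:
    """One warning per literal in CONDITION that breaks the quoting rule."""
    return [w for group in parse_condition(condition)
            for _, _, value in group if (w := lint_literal(value)) is not None]


Session = Dict[str, Set[str]]  # meta key -> values seen in the session


def clause_matches(session: Session, key: str, op: str, value: str) -> bool:
    literal = value[1:-1] if is_quoted(value) else value
    present = literal in session.get(key, set())
    return present if op == "=" else not present


def condition_matches(condition: str, session: Session) -> bool:
    return any(all(clause_matches(session, *c) for c in group)
               for group in parse_condition(condition))


@dataclass
class AppRule:
    name: str
    condition: str
    action: str = "keep"         # Session Data action: keep | filter | truncate
    stop: bool = False           # Stop Rule Processing
    alert: Optional[str] = None  # Alert On name when Alert is checked


def evaluate(rules: List[AppRule], session: Session) -> List[AppRule]:
    """Walk RULES in order; stop after the first match that has stop set."""
    matched = []
    for rule in rules:
        if condition_matches(rule.condition, session):
            matched.append(rule)
            if rule.stop:
                break
    return matched


def matched_names(rules: List[AppRule], session: Session) -> List[str]:
    return [r.name for r in evaluate(rules, session)]


def without_stop(rules: List[AppRule]) -> List[AppRule]:
    """Same rules with Stop Rule Processing cleared, to compare ordering."""
    return [replace(r, stop=False) for r in rules]


# Constructed rules and sessions for the demonstration (not real data).
RULES = [
    AppRule("alert-backup-host-smb", "service = 445 && ip.src = 10.0.0.5",
            alert="SMB_FROM_BACKUP_HOST"),
    AppRule("filter-smb", "service = 445", action="filter", stop=True),
    AppRule("truncate-web", "service = 80", action="truncate", stop=True),
    AppRule("alert-legacy-smb", "service = 139 || service = 445",
            alert="LEGACY_SMB"),
]
SESSION_BACKUP: Session = {"service": {"445"}, "ip.src": {"10.0.0.5"}}
SESSION_WEB: Session = {"service": {"80"}, "ip.src": {"192.168.1.9"}}

if __name__ == "__main__":
    print(lint_condition("alias.host = example.com || ip.src = '10.0.0.5'"))
    print(matched_names(RULES, SESSION_BACKUP))
    print(matched_names(without_stop(RULES), SESSION_BACKUP))
```

With Stop Rule Processing set on `filter-smb`, the backup-host session matches the first two rules and `alert-legacy-smb` is never evaluated; clearing the flag lets it fire as well. Running `lint_condition` over every rule before saving catches the quoting mistakes that Intellisense would otherwise report one rule at a time.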
The following table describes the Rule Editor dialog actions.

| Action | Description |
|---|---|
| Reset | Resets the contents of the dialog to their values before editing; changes are discarded. |
| Cancel | Cancels any edits and closes the Rule Editor dialog. |
| OK | Saves the new or edited rule and adds it to the rules grid. The Rule Editor dialog closes. |
| Save | (Rules with deprecated syntax only) Applies a corrected rule individually to the Decoder service. See Fix Rules with Deprecated Syntax. |