Reporting: Define a Rule Using Incident Management Data Source

Document created by RSA Information Design and Development on Mar 23, 2017

This topic provides instructions to define a rule to generate incidents or alerts from an Incident Management data source.

Prerequisites

Make sure that you:

  • Add the Incident Management service in the Services Config view of the Reporting Engine. For more information, see the Step 1. Add Incident Management Service topic in the Host and Services Configuration Guide.

  • Understand which rule type needs to be used in the rule. For more information on rule types, see Rule Types.
  • Understand the IMDB rule syntax. For more information, see IMDB Rule Syntax.
  • Understand the Rule view components. For more information, see Rule View.
  • Understand the Build Rule view components. For more information, see Build Rule View.
  • Understand how custom meta keys are created using custom feeds. For more information, see the Create Custom Meta Keys using Custom Feed topic in the Host and Services Configuration Guide.
  • Ensure the Reporting Engine service is up and running.
  • Ensure the Incident Management service is up and running. For more information, see the Step 2. Configure a Database for the Incident Management Service topic in the Host and Services Configuration Guide.
  • (Optional) Ensure the ESA service is up and running. For more information, see the Step 3. Configure Advanced Settings for an ESA Service topic in the Host and Services Configuration Guide.
  • (Optional) Ensure the Malware Analysis service is up and running. For more information, see the (Optional) Configure Auditing on Malware Analysis Host topic in the Host and Services Configuration Guide.

Note: Alerts reach Incident Management from ESA, the Reporting Engine, Malware Analysis, or ECAT. You need to configure whichever of these sources produce the alerts or incidents you want to report on.

Procedure

Perform the following steps to define a rule that fetches data or events from an Incident Management data source:

  1. In the Security Analytics menu, click Administration > Reports.

    The Manage tab is displayed.

  2. In the Rule toolbar, click the add icon and select IMDB.

    The Build Rule view tab is displayed.

  3. In the Rule Type field, IMDB is selected by default.
  4. In the Name field, enter a name that is used to identify or label the rule in alerts and incident reports.
  5. The Summarize field determines the type of summarization or aggregation for the rule. Based on the type of rule to be defined, select one of the following:
    • To define a Non-Aggregate rule without any grouping, select None.
    • To define an Aggregate rule with meta values and custom aggregates, select Custom.

      If you select Custom in the Summarize field, you can define aggregate functions of your choice in the Select clause, based on the data type (Alert or Incident) you select in the From field.

      For more detailed information about Aggregate and Non-aggregate rule, see IMDB Rule Syntax.

  6. In the From field, based on the type of data you want the report to return, select one of the following:
    • Alert
    • Incident
  7. In the Select field, enter a meta or select a meta from the list of available meta types provided in the Meta Library. For more information, see the topic Meta Panel in Build Rule View. Aggregate functions can be used only in the Select field, not in the Where field, which filters the base rows before aggregation. Multiple aggregate functions are supported in the Select field of a Custom aggregate rule.

    For example, the meta available when From is Alert include:

    • alert_host_summary
    • alert.name
    • alert.numEvents
    • alert.severity
    • alert.source
    • alert.timestamp
    • incidentCreated
    • incidentId
    • receivedTime

    For example, the meta available when From is Incident include:

    • categories
    • created
    • priority
    • riskScore
    • sealed
    • status

    For more detailed information about Aggregate and Non-aggregate rule, see IMDB Rule Syntax.

  8. In the Where field, enter a meta or select a meta from the list of available meta types and use the operators to construct the Where clause for the base query criteria.
  9. The Group By field is read-only and is populated with the non-aggregated meta defined in the Select clause. For a Non-Aggregate rule, this field is not visible. A maximum of six meta are supported in the Group By field.

  10. In the Order By field, perform the following:

    1. In the Column Name column, enter the name of the column by which you want to sort the results. By default, the value is empty.

    2. In the Sort By column, select one of the following ways to sort the results:

      • Ascending Order
      • Descending Order
  11. In the Limit field, enter the limit to be put on the query while fetching data from the database. If the result set is sorted, the limit represents the top (or bottom) N values to be returned. If the result set is not sorted, the first N values are returned.
  12. Click Save.
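The procedure above maps onto an ordinary query: Select columns, a From data type, a Where filter on the base rows, an automatic Group By over the non-aggregated Select columns, an Order By, and a Limit. The following is an added illustration (not the product's IMDB rule syntax, and not code from RSA) that runs the same shape of query in standard SQL with sqlite3 over a constructed set of incident records, using the incident meta names listed in step 7 (created, priority, riskScore, status, categories). It shows a Non-Aggregate rule (Summarize = None), a Custom aggregate rule whose Group By is the non-aggregated Select column, and why an aggregate function cannot be placed in the Where clause. The table and column names and the sample rows are assumptions made for the example.

```python
import sqlite3

# Constructed sample incidents for the example (not real data).
# Columns follow the incident meta listed in step 7 of the procedure.
SAMPLE_INCIDENTS = [
    # id,      created,                priority,   riskScore, status,     categories
    ("INC-1", "2017-03-01T08:00:00Z", "High",     90,        "Assigned", "Malware"),
    ("INC-2", "2017-03-01T09:10:00Z", "Critical", 98,        "New",      "Malware"),
    ("INC-3", "2017-03-02T10:00:00Z", "Low",      20,        "Closed",   "Policy"),
    ("INC-4", "2017-03-02T11:30:00Z", "Medium",   55,        "Assigned", "Recon"),
    ("INC-5", "2017-03-03T12:00:00Z", "High",     85,        "New",      "Malware"),
    ("INC-6", "2017-03-03T13:00:00Z", "Low",      15,        "Closed",   "Recon"),
]


def build_db():
    """Load the constructed incidents into an in-memory table named 'incident'
    (the table name is an assumption; the IMDB source is not a SQL table)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE incident (id TEXT, created TEXT, priority TEXT, "
        "riskScore INTEGER, status TEXT, categories TEXT)"
    )
    conn.executemany("INSERT INTO incident VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_INCIDENTS)
    return conn


def non_aggregate_rule(conn, limit=3):
    """Summarize = None: plain meta in Select, a Where filter on base rows,
    Order By riskScore descending, and a Limit. With the sort applied, the
    Limit returns the top-N open incidents by risk score."""
    return conn.execute(
        "SELECT id, priority, riskScore, status FROM incident "
        "WHERE status != 'Closed' "
        "ORDER BY riskScore DESC LIMIT ?",
        (limit,),
    ).fetchall()


def aggregate_rule(conn, limit=2):
    """Summarize = Custom: aggregate functions in Select. The only
    non-aggregated Select column (categories) is what the read-only
    Group By field is populated with. Where still filters base rows
    before the aggregation is computed."""
    return conn.execute(
        "SELECT categories, COUNT(*) AS incidents, MAX(riskScore) AS maxRisk "
        "FROM incident "
        "WHERE status != 'Closed' "
        "GROUP BY categories "
        "ORDER BY incidents DESC, maxRisk DESC LIMIT ?",
        (limit,),
    ).fetchall()


def aggregate_in_where_fails(conn):
    """An aggregate function in the Where clause is not a row filter and the
    engine rejects it; a condition on an aggregate belongs to the
    post-grouping stage (HAVING in SQL). Returns True if the query is rejected."""
    try:
        conn.execute(
            "SELECT categories, COUNT(*) FROM incident "
            "WHERE COUNT(*) > 1 GROUP BY categories"
        )
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    print("Non-aggregate rule (top 3 open incidents by riskScore):")
    for row in non_aggregate_rule(db):
        print("  ", row)
    print("Custom aggregate rule (open incidents per category):")
    for row in aggregate_rule(db):
        print("  ", row)
    print("Aggregate in Where rejected:", aggregate_in_where_fails(db))
```

Note how the Where clause is evaluated before grouping in both rules: the closed incidents INC-3 and INC-6 never reach the aggregation, so the Policy category is absent from the aggregate result entirely.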

Next steps

You can test the correctness of the rule created by clicking Test Rule. For instructions, see Test a Rule.
