Reporting: Warehouse DB Simple Rules

Document created by RSA Information Design and Development on Mar 23, 2017
Version 1

This topic provides examples of Warehouse Data source rules. You can define Warehouse DB rules using HIVE queries. You can define simple and advanced rules for the Warehouse Data source using the following modes:

  • Default Mode 
  • Expert Mode

In the Default mode, simple rules are defined using clauses like Select, Where, Group by, and Having to query the data source. By default, you can create rules to query sessions or raw logs.

The following examples illustrate simple rules in the default mode:

  • All Event Categories Report
  • Attacks Event Categories Report
  • Source: China Event Categories Report
  • IP Source and Destination Event Categories Report
  • by Time Threat Categories Report
  • Array Query Report
  • Raw Log Query Report

All Event Categories Report

This rule fetches all event categories, the source country, and the destination country from the sessions table. It defines an alias name (a temporary column name) for each field fetched from the table: country_src for the source country and country_dst for the destination country.

[Figure: All Event Categories rule definition (103-SP3_All_ event categories.png)]

The following figure shows the result set of the All Event Categories rule.

[Figure: All Event Categories result set (103-SP3_All_ event categories_output.JPG)]

Attacks Event Categories Report

This rule fetches the event categories, source country, and destination country from the sessions table, defining an alias name (temporary column name) for each field fetched from the table, and selects only those rows whose event category name matches 'Attacks.%'.

[Figure: Attacks Event Categories rule definition (103-SP3_Attacks_ event categories.png)]

The following figure shows the result set of the Attacks Event Categories rule.

[Figure: Attacks Event Categories result set (103-SP3_Attacks_ event categories_output.JPG)]

Source: China Event Categories Report

This rule fetches the event categories, source country, and destination country from the sessions table, defining an alias name (temporary column name) for each field fetched from the table, and selects only those rows whose source country is 'China'.

[Figure: Source: China Event Categories rule definition (103-SP3_Source_China_Event_Categories.png)]

The following figure shows the result set of the Source: China Event Categories rule.

[Figure: Source: China Event Categories result set (104_Source_China_Event_Categories_output.png)]

IP Source and Destination Event Categories Report

This rule fetches the source IP address and the destination country from the sessions table, defining an alias name (temporary column name) for each field fetched from the table, and selects only those rows whose destination country is NOT NULL.

[Figure: IP Source and Destination Event Categories rule definition (103-SP3_Destination Country by Source IP.JPG)]

The following figure shows the result set of the IP Source and Destination Event Categories rule.

[Figure: IP Source and Destination Event Categories result set (103-SP3_Destination Country by Source IP_output.JPG)]
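The four event-category rules above are shown in the documentation only as screenshots. The following HiveQL, added here as an example and not taken from the RSA documentation, is how the same Select/Where/Group by/Having clauses read when written out. The sessions table and the alias names country_src and country_dst come from the page; the underlying column names event_cat_name, country_src, country_dst and ip_src are assumptions about the Warehouse schema, and the final Group by/Having query is an extension beyond the page's rules.

```sql
-- Added example, not from the RSA documentation.
-- Assumed Warehouse columns: event_cat_name, country_src, country_dst, ip_src.
-- The page names only the sessions table and the aliases country_src/country_dst,
-- so here the source/destination country columns are assumed to carry those
-- names already and only the category column is re-aliased.

-- All Event Categories: every category with its source and destination country.
SELECT event_cat_name AS event_category,
       country_src,
       country_dst
FROM   sessions;

-- Attacks Event Categories: keep only rows whose category name begins with
-- 'Attacks.' ('%' matches the remainder of the name).
SELECT event_cat_name AS event_category,
       country_src,
       country_dst
FROM   sessions
WHERE  event_cat_name LIKE 'Attacks.%';

-- Source: China Event Categories: keep only rows whose source country is China.
SELECT event_cat_name AS event_category,
       country_src,
       country_dst
FROM   sessions
WHERE  country_src = 'China';

-- IP Source and Destination: source IP with destination country, skipping rows
-- for which no destination country was resolved.
SELECT ip_src,
       country_dst
FROM   sessions
WHERE  country_dst IS NOT NULL;

-- Extension beyond the page's rules: a Group by / Having report that counts
-- attack-category sessions per source country and keeps only countries seen
-- more than 100 times, the usual shape of a triage summary.
SELECT country_src,
       COUNT(*) AS attack_count
FROM   sessions
WHERE  event_cat_name LIKE 'Attacks.%'
GROUP  BY country_src
HAVING COUNT(*) > 100;
```

In Default mode each of these statements maps onto the clause fields of the rule editor rather than being typed as one string; the threshold of 100 in the last query is a constructed value to be tuned to the environment.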

by Time Threat Categories Report

This rule fetches the threat category events, the time at which the log or event was ingested into the Log Decoder or Decoder, and the source IP addresses from the sessions table, defining an alias name (temporary column name) for each of these fields.

[Figure: by Time Threat Categories rule definition (103-SP3_by Time_Threat Categories.png)]

The following figure shows the result set of the by Time Threat Categories rule. The value displayed in the time field is UNIX time (for example, 1388743446).

Note: In the Select clause the time field is expressed as UNIX time; converting it to UTC time for the report has to be done there. For example, you can use an Epoch time converter tool to convert the UNIX time 1388743446 to UTC (Coordinated Universal Time): 1/3/2014 3:34:06 PM.

[Figure: by Time Threat Categories result set (103-SP3_by Time_Threat Categories_output.JPG)]
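The note above says the UNIX time has to be converted inside the Select clause. The following HiveQL, added as an example and not part of the RSA documentation, does that conversion in the rule itself and also restricts the rule to a one-day window, which the page's rule does not do. The sessions table is from the page; the column names threat_category, time and ip_src, the IS NOT NULL filter, and the 'Asia/Kolkata' zone string are assumptions.

```sql
-- Added example, not from the RSA documentation.
-- Assumed Warehouse columns: threat_category, time (seconds since the UNIX
-- epoch, as the page's sample value 1388743446 indicates), ip_src.
SELECT threat_category,
       time                                        AS time_unix,
       -- from_unixtime renders in the Hive server's configured time zone.
       from_unixtime(time, 'yyyy-MM-dd HH:mm:ss')  AS time_local,
       -- to_utc_timestamp shifts that local rendering to UTC; replace the
       -- zone string (an assumed placeholder here) with the server's zone.
       to_utc_timestamp(from_unixtime(time), 'Asia/Kolkata') AS time_utc,
       ip_src
FROM   sessions
WHERE  threat_category IS NOT NULL
  -- Constructed window: only events ingested on 3 January 2014 (server time).
  AND  time >= unix_timestamp('2014-01-03 00:00:00')
  AND  time <  unix_timestamp('2014-01-04 00:00:00');
```

Keeping the raw time_unix column alongside the converted ones is deliberate: the epoch value is what an analyst will paste into an Epoch converter or correlate against other sources, while the formatted columns are what the report reader needs.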

Array Query Report

This rule fetches the array of alias host names from the sessions table for sessions whose alias host names contain the value 'www.google.com'.

[Figure: Array Query rule definition (103-SP3_Array_Contains_Query.JPG)]

The following figure shows the result set for querying an array from sessions.

[Figure: Array Query result set (103-SP3_Array_Contains_output.JPG)]
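The Array Query rule is shown only as a screenshot; its filename names the Hive built-in array_contains. The following HiveQL is an added example, not the RSA documentation's own rule: the first statement is the rule as the page describes it, the second goes beyond the page by flattening the array so host names can be counted. The sessions table and the value 'www.google.com' come from the page; the column name alias_host and its type array<string> are assumptions.

```sql
-- Added example, not from the RSA documentation.
-- Assumed column: alias_host, an array<string> of host names per session.

-- Array Query: sessions whose alias host array contains 'www.google.com'.
-- array_contains is a built-in Hive function that tests array membership.
SELECT alias_host
FROM   sessions
WHERE  array_contains(alias_host, 'www.google.com');

-- Extension beyond the page's rule: LATERAL VIEW explode turns each array
-- element into its own row, so individual host names can be grouped and
-- counted; the HAVING threshold of 10 is a constructed value.
SELECT host,
       COUNT(*) AS session_count
FROM   sessions
       LATERAL VIEW explode(alias_host) hosts AS host
GROUP  BY host
HAVING COUNT(*) > 10
ORDER  BY session_count DESC;
```

array_contains is an exact match on one element; a rule that needs a pattern (for example any host under a domain) has to explode the array first and apply LIKE to the exploded host column.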

Raw Log Query Report

Raw logs can be queried either from the logs or sessions table.

This rule uses raw_log as a meta for querying raw logs from the logs table whose packet ID is NOT NULL.

[Figure: Raw Log Query rule definition, logs table (103-SP3_Raw_Query.png)]

The following figure shows the result set for querying raw logs from logs.

[Figure: Raw Log Query result set, logs table (104_raw__log_from_logs_output.png)]

This rule uses ${raw_log} as a meta for querying raw logs from the sessions table whose source IP address is NOT NULL.

[Figure: Raw Log Query rule definition, sessions table (103-SP3_Raw_Logs_from_Sessions.png)]

The following figure shows the result set for querying raw logs from sessions.

[Figure: Raw Log Query result set, sessions table (104_raw_ log from sessions_output.png)]
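The two raw log rules above are shown only as screenshots. The following HiveQL is an added example rather than the RSA documentation's own rule text: the first two statements are the logs-table and sessions-table rules as the page describes them, the third narrows the raw text with a LIKE pattern, which the page's rules do not do. The tables logs and sessions and the meta names raw_log and ${raw_log} come from the page; the column names packetid and ip_src, and the search string, are assumptions.

```sql
-- Added example, not from the RSA documentation.
-- Assumed columns: packetid on the logs table, ip_src on the sessions table.

-- Raw logs from the logs table: raw_log is referenced directly as a meta,
-- and rows without a packet ID are skipped.
SELECT raw_log
FROM   logs
WHERE  packetid IS NOT NULL;

-- Raw logs from the sessions table: the page uses the ${raw_log} placeholder
-- here, reproduced as written; it is resolved by the reporting rule engine
-- rather than being a plain column name.
SELECT ${raw_log}
FROM   sessions
WHERE  ip_src IS NOT NULL;

-- Extension beyond the page's rules: filter the raw text itself. The search
-- string is a constructed example; LIMIT keeps an exploratory report small.
SELECT raw_log
FROM   logs
WHERE  packetid IS NOT NULL
  AND  raw_log LIKE '%authentication failure%'
LIMIT  100;
```

A LIKE over raw_log scans every row's full text, so on a large Warehouse it is best paired with a time-window predicate of the kind used in the by Time rule rather than run unbounded.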
