Alerting: Build a Statement Dialog

Document created by RSA Information Design and Development on Mar 23, 2017. Last modified by RSA Information Design and Development on Apr 26, 2017.
Version 4

The Build a Statement dialog allows you to construct a condition statement when creating a new Rule Builder rule.

To access the Build a Statement dialog:

  1. In the Security Analytics menu, select Alerts > Configure.

    The Configure view is displayed with the Rules tab open.

  2. In the Rule Library toolbar, select Rule Builder from the Add drop-down.

    A New Rule tab is displayed in Security Analytics.

  3. In the Conditions section, click the Add icon.

    The Build a Statement dialog is displayed.

[Figure: BldStmntSimple.png, the Build a Statement dialog]

Features

The following table describes the parameters in the Build a Statement dialog.

Name
  Purpose of the statement.

Select
  Conditions the rule requires. There are two options:
    • If all conditions are met
    • If any of these conditions are met

Key
  Key for ESA to check in the rule statement.

Evaluation Type
  Relationship between the meta key and the value for the key:
    • is
    • is not
    • is not null
    • is greater than (>)
    • is greater than or equal to (>=)
    • is less than (<)
    • is less than or equal to (<=)
    • contains
    • not contains
    • begins with
    • ends with

Value
  Value for ESA to look for in the key.

Ignore Case?
  This field is designed for use with string and array-of-string values. When the Ignore Case box is selected, the query treats all string text as lowercase. This ensures that a rule that searches for the user named Johnson also triggers if the event contains "johnson", "JOHNSON", or "JoHnSoN".

Array?
  Choice to indicate whether the contents of the Value field represent one value or multiple values:
    • Select the box to indicate multiple values.
    • Clear the box to indicate one value.

Add icon
  Add a statement. You can add a meta condition, whitelist condition, or blacklist condition.

Delete icon
  Delete the selected statement.

Save
  Add the statement to the Conditions section of the Rule Builder tab.

The following table shows the operators you can use in the Rule Builder:

is
  Required Value: Singular string value
  Usage: The meta key is equal to the value field.
  Example: user_dst is John Doe.
  Meaning: user_dst is equal to the string "John Doe".

is
  Required Value: Array string value
  Usage: The meta key is equal to one of the elements of the value field.
  Example: user_dst is John, Doe, Smith.
  Meaning: user_dst is equal to the string "John", the string "Doe", or the string "Smith". (Note: the spaces are stripped.)

is not
  Required Value: Singular string value
  Usage: The meta key is not equal to the value field.
  Example: size is not 200.
  Meaning: size is not equal to the number 200 (size is a numeric value).

is not
  Required Value: Array string value
  Usage: The meta key is not equal to any of the elements of the value field.
  Example: size is not 200, 300, 400.
  Meaning: size is equal to none of 200, 300, or 400.

is not null
  Required Value: N/A (looks for any value)
  Usage: The meta key value is not null.
  Example: user_dst is not null.
  Meaning: user_dst is a meta key that contains a value.

is greater than (>)
  Required Value: Number
  Usage: The numeric value of the meta key is greater than the number in the value field.
  Example: payload is greater than 7000.
  Meaning: payload is a numeric value that is greater than 7000.

is greater than or equal to (>=)
  Required Value: Number
  Usage: The numeric value of the meta key is greater than or equal to the number in the value field.
  Example: payload is greater than or equal to 7000.
  Meaning: payload is a numeric value that is greater than or equal to 7000.

is less than (<)
  Required Value: Number
  Usage: The numeric value of the meta key is less than the number in the value field.
  Example: ip_dstport is less than 1024.
  Meaning: ip_dstport is a numeric value that is less than the numeric value 1024.

is less than or equal to (<=)
  Required Value: Number
  Usage: The numeric value of the meta key is less than or equal to the number in the value field.
  Example: ip_dstport is less than or equal to 1024.
  Meaning: ip_dstport is a numeric value that is less than or equal to the numeric value 1024.

contains
  Required Value: String
  Usage: The value field is a substring of the meta key. (This operator is only available for a string-valued meta key.)
  Example: ec_outcome contains failure.
  Meaning: ec_outcome is a string that contains the substring "failure".

not contains
  Required Value: String
  Usage: The value field is not a substring of the meta key. (This operator is only available for a string-valued meta key.)
  Example: ec_outcome not contains failure.
  Meaning: ec_outcome is a string that does not contain the substring "failure".

begins with
  Required Value: String
  Usage: The value field is the beginning of the meta key. (This operator is only available for a string-valued meta key.)
  Example: ip_dst begins with 127.0.
  Meaning: ip_dst is a string that starts with "127.0".

ends with
  Required Value: String
  Usage: The value field is the end of the meta key. (This operator is only available for a string-valued meta key.)
  Example: user_dst ends with son.
  Meaning: user_dst is a string that ends in "son".

Note: Terms in bold italic are meta keys that may not exist in all customer environments.
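The following is an added example, not RSA's or ESA's own code: a small Python model of the Build a Statement semantics documented above (the Ignore Case? and Array? fields in the first table and the operator table just shown), so that a rule author can check how a statement matches an event before committing it to a rule. The Statement class, the evaluate and evaluate_rule functions, the SAMPLE_EVENT dictionary and the behaviour for a meta key that is absent from the event are all assumptions of this example; the operator names are the ones listed in the Evaluation Type field.

```python
"""Model of Build a Statement conditions (added example, not RSA/ESA code)."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Mapping, Optional

# Constructed sample event (not captured from a real deployment): meta keys
# with the kinds of values the operator table uses in its examples.
SAMPLE_EVENT: Dict[str, Any] = {
    "user_dst": "JoHnSoN",
    "ec_outcome": "login failure",
    "ip_dst": "127.0.0.1",
    "ip_dstport": 443,
    "size": 200,
    "payload": 8000,
}

# Operators that require a Number in the Value field.
NUMERIC_OPS: Dict[str, Callable[[float, float], bool]] = {
    "is greater than (>)": lambda m, v: m > v,
    "is greater than or equal to (>=)": lambda m, v: m >= v,
    "is less than (<)": lambda m, v: m < v,
    "is less than or equal to (<=)": lambda m, v: m <= v,
}

# Operators that are only available for a string-valued meta key.
STRING_OPS: Dict[str, Callable[[str, str], bool]] = {
    "contains": lambda m, v: v in m,
    "not contains": lambda m, v: v not in m,
    "begins with": lambda m, v: m.startswith(v),
    "ends with": lambda m, v: m.endswith(v),
}


@dataclass
class Statement:
    """One row of the Build a Statement dialog (hypothetical model)."""
    key: str                      # Key: the meta key ESA checks, e.g. "user_dst"
    op: str                       # Evaluation Type, as listed in the dialog
    value: Optional[str] = None   # Value field text (None for "is not null")
    ignore_case: bool = False     # Ignore Case? box
    is_array: bool = False        # Array? box

    def values(self) -> List[str]:
        """Array values are comma-separated; surrounding spaces are stripped."""
        if self.value is None:
            return []
        if self.is_array:
            return [v.strip() for v in self.value.split(",") if v.strip()]
        return [self.value]


def _to_number(x: Any) -> Optional[float]:
    """Parse a meta value or Value field as a number; None if it is not one."""
    try:
        return float(x)
    except (TypeError, ValueError):
        return None


def evaluate(stmt: Statement, event: Mapping[str, Any]) -> bool:
    """Return True if the single statement matches the event."""
    meta = event.get(stmt.key)
    if stmt.op == "is not null":
        return meta is not None
    # Assumption (the page does not state it): a meta key absent from the
    # event never satisfies any other operator.
    if meta is None:
        return False

    if stmt.op in NUMERIC_OPS:
        m, v = _to_number(meta), _to_number(stmt.value)
        return m is not None and v is not None and NUMERIC_OPS[stmt.op](m, v)

    # Ignore Case? treats all string text as lowercase, on both sides.
    norm = (lambda s: str(s).lower()) if stmt.ignore_case else str
    meta_text = norm(meta)
    candidates = [norm(v) for v in stmt.values()]

    if stmt.op == "is":        # singular: equal to the value; array: equal to one element
        return meta_text in candidates
    if stmt.op == "is not":    # singular: not equal; array: equal to none of them
        return meta_text not in candidates

    if stmt.op in STRING_OPS:
        if not isinstance(meta, str) or not candidates:
            return False       # operator is only defined for string-valued meta
        return STRING_OPS[stmt.op](meta_text, candidates[0])
    raise ValueError(f"unknown evaluation type: {stmt.op!r}")


def evaluate_rule(statements: List[Statement], event: Mapping[str, Any],
                  require_all: bool = True) -> bool:
    """Select: 'If all conditions are met' (True) or 'If any ... are met' (False)."""
    results = [evaluate(s, event) for s in statements]
    return all(results) if require_all else any(results)


if __name__ == "__main__":
    demo = [Statement("user_dst", "is", "Johnson", ignore_case=True),
            Statement("size", "is not", "200, 300, 400", is_array=True)]
    for s in demo:
        print(f"{s.key} {s.op} {s.value!r}: {evaluate(s, SAMPLE_EVENT)}")
    print("all:", evaluate_rule(demo, SAMPLE_EVENT, True),
          "any:", evaluate_rule(demo, SAMPLE_EVENT, False))
```

Running the block shows the point the Ignore Case? description makes: "user_dst is Johnson" matches the event's "JoHnSoN" only when the box is selected, and the array form "size is not 200, 300, 400" fails on a size of 200 because the meta equals one of the stripped elements.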