This topic provides instructions to define a rule to fetch data or events from an IPDB data source.
Make sure that you:
- Understand which rule type needs to be used in the rule. For more information on rule types, see Rule Types.
- Understand the IPDB rule syntax. For more information, see IPDB Rule Syntax.
- Understand the Rule view components. For more information, see Rule View.
- Understand the Build Rule view components. For more information, see Build Rule View.
Perform the following steps to define a rule to fetch data or events from an IPDB data source:
In the Security Analytics menu, click Administration > Reports.
The Manage tab is displayed.
The Build Rule view is displayed.
- In the Rule Type field, IPDB is selected by default.
- In the Name field, enter a name that is used to Identify or label the rule in alerts and reports.
- In the Select field, enter a meta or select a meta from the list of available meta types provided in the Meta Panel. For more information, see the topic Meta Panel in Build Rule View.
- In the Event Source field, you can configure the Event Source Specification to assign devices dynamically to the same rule. For more information, see IPDB Event Source Specification. You can also insert a list in this field by selecting a list and navigating to Insert > Event Source in the Lists Panel.
- In the Where field, enter a meta or select a meta from the list of available meta types provided in the Meta Panel. The Where clause provides the base query criteria for the rule. You can also insert a list in this field by selecting a list and navigating to Insert > Where in the Lists Panel.
- In the Group By field, enter the meta selected in the Select clause, so that the result set is grouped based on the meta.
In the Order By field, perform the following:
- In the Column Name column, enter the name of the columns by which you want to group the results.
In the Sort by column, select one of the following ways to sort the results:
- Ascending Order
- Descending Order
- In theLimitfield, enter the limit to be put on the query while fetching data from the database. If a result set is sorted by session count, packet count, or session size, the limit represents the top (or bottom) N values to be returned. If the result set is not sorted, the first N values are returned.
- Click Save.
You can test the correctness of the rule created by clicking Test Rule. For instructions, see Test a Rule.