Reporting: Build Rule View

Document created by RSA Information Design and Development on Sep 14, 2017. Last modified by RSA Information Design and Development on Oct 15, 2017.
Version 9

The Build Rule view explains the actions and associated procedures that you can perform under Rules.

Workflow

This workflow shows the procedure to create or deploy a rule.

What do you want to do?

                                              
Role | I want to ... | Show me how
Administrator / Analyst | Configure Reporting Engine | For more information, see the "Step 3: Configure Reporting Engine Data Sources" topic in the Reporting Engine Configuration Guide.
Administrator / Analyst | Create a List or List Group / Create or Deploy a Rule / Test a Rule* | Configure a Rule
Administrator / Analyst | Create and Schedule a Report | Create and Schedule a Report
Administrator / Analyst | View a report or list of all reports | View a Report
Administrator / Analyst | Investigate a Report | Investigate a Report
Administrator / Analyst | Manage/Access Control for Lists, Rules or Reports | Manage Lists, Rules or Reports

*You can complete these tasks here.

Quick View

[Figure: Build Rule view]

To access the Build Rule view:

  1. Select MONITOR > Reports.
    The Manage tab is displayed.
  2. In the Rule toolbar, click the Add icon > NetWitnessDB.
    The Build Rule view tab is displayed.

Features 

The Build Rule view includes the following panels.

                 
  1. Rule panel
  2. Meta panel
  3. Lists panel

Rule Panel

The Rule panel allows you to create a rule for the selected database type.

The following figure shows the Rule panel.
[Figure: Build Rule panel]

The following table describes the features in the Rule panel.

                                               
Feature | Description
Rule Type | A drop-down list of supported database types for which you can create rules. The options are: NetWitness DB, IPDB, and Warehouse DB.
Name | The name of the rule that you are creating or editing.
Summarize | A drop-down list of summarize options. The options are: None, Event Count, Packet Count, Session Count, and Custom.
Select | The meta key for which you need the aggregate values; for example, ip.dest.
Where | A Where clause that defines the conditions that trigger the rule execution; for example, ip.dest = 127.0.0.1.
Group By | The grouping method for the results. For example, specifying ip.dest produces a report in which like ip.dest values are grouped.
Then | A Then clause that defines the rule actions for additional processing on the output.
Order By | The sequencing method used to show results. For example, specifying Order By the value in the Total column, Ascending, produces a report in which the results are sorted in ascending order based on the value in the Total column.
Session Threshold | A selection list for the session threshold, which specifies the maximum number of sessions that should be processed for aggregate functions.
Limit | A selection list for the maximum number of result rows to be fetched.
Use | Clicking Use enables you to use the Rule to generate a Report, Alert, or Chart.
Save | Clicking Save saves the rule that you are editing and the Build Rule panel remains open. Before testing a rule, you must save it if you want to keep your changes.
Reset | Clicking Reset clears all the field information.
Test Rule | Clicking Test Rule opens the Test Rule dialog.

Test Rule Dialog

To access the Test Rule view:

  1. Select MONITOR > Reports.
    The Manage tab is displayed.
  2. In the Rule List panel, do one of the following:
    • Select a rule and click the edit icon in the Rules toolbar.
    • Click the Actions drop-down menu > Edit.
      The Build Rule view tab is displayed.
  3. Click Test Rule.
    The Test Rule view is displayed.

The following table describes the features in the Test Rule Dialog.

                          
Feature | Description
Data Source | A drop-down list of data sources for the type of rule you are testing. Possible data sources are: Concentrator, Broker, Decoder or Log Decoder.
Format | A drop-down list of the formats for displaying results for the rule. Possible formats are: Tabular, Area, Bar, Bubble, Column, Line, Pie, Step Line, Step Area, Spline Area, and Spline.
Time Range | A drop-down list of time range specification methods. Selecting Past allows you to specify a number of years, months, days, weeks, or hours. For example, Hours, Days, Weeks, Months, or Years. Selecting Range allows you to specify a date range and time period. For example, start date to end date. In the user interface, the date or time displayed depends on the time zone profile selected by the user.
Use relative time calculation | Selecting this option calculates the time range relative to the current time.
X Axis | X-Axis and Y-Axis specify the metadata to be plotted in charts. In the X-Axis drop-down list, the meta types for the Group by setting in the rule are listed. You can select multiple meta types when the rule has a single Group by setting. For Custom Rules with multiple Group by values, you can select only the first meta type for the X-Axis.
Y Axis | In the Y-Axis drop-down list, the aggregate functions used in the rule are listed. Sum, Count, Countdistinct and Average are the supported aggregate functions for rules. You can select one or more aggregate functions.
Run Test | Clicking Run Test executes a test of the rule last saved in the Rule Builder dialog. When the test is complete, the rule data (if any) for the selected time range is displayed.

Meta Panel

The Meta panel provides a list of available meta types that you can use to build the rule. You can use the meta types in the Select, Where, and Then clauses. The Reporting Engine maintains an active list of the available meta names by continuously synchronizing with the data source to which it is connected.

The following figure displays the Meta panel.
[Figure: Meta panel]

The following table describes the features in the Meta panel.

           
Operation | Description
Choose | Based on the rule type that you have selected, the available data sources are displayed in the drop-down list of the Meta panel. Select the required data source. The available meta types for the data source are displayed. Select a meta.
Filter | Filter the meta for a specific meta value.

Lists Panel

A List is a placeholder for a set of values that you can use in a meta or a variable. For example, you can define a list with all the whitelisted event source IP addresses. Once the List is defined, you can use the List name in the rule. This provides the flexibility of adding, modifying, and deleting the list values.

The Lists panel is a collection of Lists. The Reporting Engine maintains an active list of the available list names by continuously synchronizing with the collection to which it is connected.

The following figure displays the Lists panel.
[Figure: Lists panel]

The following table describes the features in the Lists panel.

               
Operation | Description
Import or export a list icon | Import or Export a list.
Refresh icon | Refresh the Lists.
Insert drop-down menu | If you select the NetWitness DB rule type, the options Where and Then are displayed. Insert the list in the Where or Then clause in the rule.
Insert drop-down menu | If you select the Warehouse DB rule type, the option Where is displayed. Insert the list in the Where clause in the rule.