Reporting: Warehouse DB Simple Rules

Document created by RSA Information Design and Development on Sep 14, 2017. Last modified by RSA Information Design and Development on Oct 15, 2017.
Version 9

This section explains the simple rules query syntax and gives examples.

The following examples illustrate simple rules in the default mode:

  • All Event Categories Report
  • Attacks Event Categories Report
  • Source: China Event Categories Report
  • IP Source and Destination Event Categories Report
  • by Time Threat Categories Report
  • Array Query Report
  • Raw Log Query Report

All Event Categories Report

This rule fetches all event categories, the source country, and the destination country from the sessions table, defining alias names (temporary column names) for each field fetched from the table: country_src for the source country and country_dst for the destination country.

Rule to fetch all event categories

The following figure shows the result set of the All Event Categories rule.

Result set of the All Event Categories rule

Attacks Event Categories Report

This rule fetches the event categories, source country, and destination country from the sessions table, defining alias names (temporary column names) for each field fetched from the table and selecting only those rows whose event category name is like 'Attacks.%'.

Attacks Event Categories rule

The following figure shows the result set of the Attacks Event Categories rule.

Result set of Attacks Event Categories rule

Source: China Event Categories Report

This rule fetches the event categories, source country, and destination country from the sessions table, defining alias names (temporary column names) for each field fetched from the table and selecting only those rows whose source country is 'China'.

China Event Categories rule

The following figure shows the result set of the Source: China Event Categories rule.

Result set of China Event Categories rule

IP Source and Destination Event Categories Report

This rule fetches the source and destination IP addresses and the destination country from the sessions table, defining alias names (temporary column names) for each field fetched from the table and selecting only those rows whose destination country is NOT NULL.

IP Source and Destination Event Categories rule

The following figure shows the result set of the IP Source and Destination Event Categories rule.

Result set of IP Source and Destination Event Categories

by Time Threat Categories Report

This rule fetches the threat category events, the time the log or event was ingested into the Log Decoder/Decoder, and the source IP addresses from the sessions table, defining alias names (temporary column names) for each of these fields fetched from the table.

Rule to fetch the threat category events

The following figure shows the result set of the by Time Threat Categories rule. The value displayed in the time field is the UNIX time (for example, 1388743446).

Note: The time value returned by the "Select" clause is a UNIX time; it must be converted to UTC time to be shown as a date in the report. For example, you can use an Epoch time converter tool to convert the UNIX time 1388743446 to UTC (Coordinated Universal Time): 1/3/2014 3:34:06 PM.

Result set of threat category events
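The rule text for the five reports above appeared only in the page's figures. The following HiveQL statements are added examples, not the rule text from the original figures or from RSA; they reconstruct each report's filter from the descriptions above. Only country_src, country_dst and time are named on the page; the other column names (event_cat_name, ip_src, ip_dst, threat_category) are assumed from the corresponding NetWitness meta keys with dots replaced by underscores, and ${report_starttime}/${report_endtime} are assumed Reporting Engine variables for the report's time window.

```sql
-- Added example rules (not the page's own figure content).
-- Assumed column names: event_cat_name, ip_src, ip_dst, threat_category.
-- Assumed variables: ${report_starttime}, ${report_endtime} (report time window).

-- All Event Categories: the AS aliases give the result set readable column
-- names, which is all the "temporary column names" in the text refers to.
SELECT event_cat_name AS event_category,
       country_src    AS source_country,
       country_dst    AS destination_country
FROM   sessions
WHERE  time BETWEEN ${report_starttime} AND ${report_endtime};

-- Attacks Event Categories: LIKE is a pattern match; '%' matches any suffix,
-- so 'Attacks.%' keeps every category in the Attacks tree (Attacks.Malicious,
-- Attacks.Access, ...) and drops everything else.
SELECT event_cat_name AS event_category,
       country_src    AS source_country,
       country_dst    AS destination_country
FROM   sessions
WHERE  event_cat_name LIKE 'Attacks.%'
  AND  time BETWEEN ${report_starttime} AND ${report_endtime};

-- Source: China Event Categories: an exact string comparison on the
-- source country. String comparison is case-sensitive in Hive, so the
-- literal must match the stored value exactly.
SELECT event_cat_name AS event_category,
       country_src    AS source_country,
       country_dst    AS destination_country
FROM   sessions
WHERE  country_src = 'China'
  AND  time BETWEEN ${report_starttime} AND ${report_endtime};

-- IP Source and Destination: rows that carry a destination country.
-- NULL never compares equal to anything, so the test has to be IS NOT NULL;
-- "country_dst <> ''" would silently drop the NULL rows as well.
SELECT ip_src      AS source_ip,
       ip_dst      AS destination_ip,
       country_dst AS destination_country
FROM   sessions
WHERE  country_dst IS NOT NULL
  AND  time BETWEEN ${report_starttime} AND ${report_endtime};

-- by Time Threat Categories: time is stored as UNIX epoch seconds
-- (for example 1388743446). from_unixtime() renders it as a timestamp
-- string in the Hive server's configured time zone; keeping the raw epoch
-- value alongside it lets the row be correlated with other log sources.
SELECT threat_category     AS threat_category,
       time                AS event_time_epoch,
       from_unixtime(time) AS event_time,
       ip_src              AS source_ip
FROM   sessions
WHERE  threat_category IS NOT NULL
  AND  time BETWEEN ${report_starttime} AND ${report_endtime}
ORDER BY time;
```

Each statement is independent; a simple rule holds exactly one of them. The time-window predicate is repeated in every rule so that a report over a large warehouse only scans the partitions it needs.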

Array Query Report

This rule fetches the array of alias host names from the sessions table, selecting only those rows whose array contains the value 'www.google.com'.

Rule to query an array from sessions

The following figure shows the result set for querying an array from sessions.

Result set for querying an array from sessions

Raw Log Query Report

Raw logs can be queried from either the logs table or the sessions table.

This rule uses raw_log as a meta to query raw logs from the logs table, selecting only those rows whose packet ID is NOT NULL.

Rule to query Raw Log

The following figure shows the result set for querying raw logs from logs.

Result set for querying raw logs

This rule uses ${raw_log} as a meta to query raw logs from the sessions table, selecting only those rows whose source IP address is NOT NULL.

Querying raw log from sessions whose source IP address is NOT NULL

The following figure shows the result set for querying raw logs from sessions.

Result set for querying raw logs from sessions
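The array and raw log rules are likewise shown on the page only as figures. The statements below are added examples written for this section, not RSA's rule text; they assume an array-typed column alias_host (from the alias.host meta key) and a packet_id column on the logs table, and they use ${raw_log} exactly as the text above describes it, as a Reporting Engine token rather than a plain column.

```sql
-- Added example rules (not the page's own figure content).
-- Assumed names: alias_host (array column), packet_id, ip_src.

-- Array Query: alias_host holds several host names per session, so a plain
-- "= 'www.google.com'" or LIKE comparison against the whole array would not
-- match. array_contains() tests membership of one element.
SELECT alias_host AS host_aliases
FROM   sessions
WHERE  array_contains(alias_host, 'www.google.com');

-- Raw Log from the logs table: raw_log is an ordinary column here. Filtering
-- on packet_id IS NOT NULL keeps only log entries that were tied to a packet.
-- Raw logs are wide; a LIMIT keeps an exploratory rule from pulling the
-- entire table back into the report.
SELECT raw_log
FROM   logs
WHERE  packet_id IS NOT NULL
LIMIT  1000;

-- Raw Log from the sessions table: ${raw_log} is the Reporting Engine token
-- described in the text. The engine substitutes it before the query reaches
-- the warehouse, so it does not have to exist as a column in sessions.
SELECT ip_src AS source_ip,
       ${raw_log}
FROM   sessions
WHERE  ip_src IS NOT NULL
LIMIT  1000;
```

When the result set from the sessions form comes back empty while the logs form returns rows, check that the rule is running in the mode that expands ${raw_log}; a literal "${raw_log}" reaching Hive unexpanded is a parse error, not an empty result.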
