Build a Statement Dialog

The Build a Statement dialog allows you to construct a condition statement when creating a new Rule Builder rule.

What do you want to do?

  • Role: Content Expert. I want to configure a rule statement. Show me how: Step 2. Build a Rule Statement
  • Role: Content Expert. I want to add conditions to the rule. Show me how: Step 3. Add Conditions to a Rule Statement

Quick Look

To access the Build a Statement dialog:

  1. Go to Configure > ESA Rules.

    The Configure ESA Rules view is displayed with the Rules tab open.

  2. In the Rule Library toolbar, select the Add icon > Rule Builder.

    A New Rule tab is displayed.

  3. In the Conditions section, click the Add icon.

    The Build a Statement dialog is displayed.

[Screenshot: the Build a Statement dialog]

The following list describes the parameters in the Build a Statement dialog.

Name: Purpose of the statement.
Select: Conditions the rule requires. There are two options:
  • If all conditions are met
  • If any of these conditions are met
Key: Key for ESA to check in the rule statement.
Operator: Relationship between the meta key and the value for the key:
  • is
  • is not
  • is not null
  • is greater than (>)
  • is greater than or equal to (>=)
  • is less than (<)
  • is less than or equal to (<=)
  • is one of (for array type meta)
  • is not one of (for array type meta)
  • contains
  • not contains
  • begins with
  • ends with
Value: Value for ESA to look for in the key.
Ignore Case?: This field is designed for use with string and array-of-string values. When Ignore Case is selected, the query treats all string text as lowercase. This ensures that a rule that searches for the user named Johnson triggers if the event contains "johnson," "JOHNSON," or "JoHnSoN."
Array?: Choice to indicate whether the contents of the Value field represent one value or multiple values:
  • Select the box to indicate multiple values.
  • Clear the box to indicate one value.
Add icon: Add a statement. You can add a meta condition, whitelist condition, or blacklist condition.
Delete icon: Delete the selected statement.
Save: Add the statement to the Conditions section of the Rule Builder tab.

The following list shows the operators you can use in the Rule Builder. Each entry gives the operator, the value it requires, its usage, an example, and the meaning of the example.

is (singular string value)
  Usage: The meta key is equal to the value field.
  Example: user_dst is John Doe.
  Meaning: user_dst is equal to the string "John Doe".
is (array string value)
  Usage: The meta key is equal to one of the elements of the value field.
  Example: user_dst is John, Doe, Smith.
  Meaning: user_dst is equal to the string "John", the string "Doe", or the string "Smith" (note that the spaces are stripped).
is not (singular string value)
  Usage: The meta key is not equal to the value field.
  Example: size is not 200.
  Meaning: size is not equal to the number 200 (size is a numeric value).
is not (array string value)
  Usage: The meta key is not equal to any of the elements of the value field.
  Example: size is not 200, 300, 400.
  Meaning: size is equal to none of 200, 300, or 400.
is not null (N/A; looks for any value)
  Usage: The meta key value is not null.
  Example: user_dst is not null.
  Meaning: user_dst is a meta key that contains a value.
is greater than (>) (number)
  Usage: The numeric value of the meta key is greater than the number in the value field.
  Example: payload is greater than 7000.
  Meaning: payload is a numeric value that is greater than 7000.
is greater than or equal to (>=) (number)
  Usage: The numeric value of the meta key is greater than or equal to the number in the value field.
  Example: payload is greater than or equal to 7000.
  Meaning: payload is a numeric value that is greater than or equal to 7000.
is less than (<) (number)
  Usage: The numeric value of the meta key is less than the number in the value field.
  Example: ip_dstport is less than 1024.
  Meaning: ip_dstport is a numeric value that is less than the numeric value 1024.
is less than or equal to (<=) (number)
  Usage: The numeric value of the meta key is less than or equal to the number in the value field.
  Example: ip_dstport is less than or equal to 1024.
  Meaning: ip_dstport is a numeric value that is less than or equal to the numeric value 1024.
is one of (array string value)
  Usage: The meta key is one of the array string values in the value field.
  Example: alias_host is one of Facebook, UTube, Instagram.
  Meaning: alias_host is one of the array string values Facebook, UTube, Instagram.
is not one of (array string value)
  Usage: The meta key is not one of the array string values in the value field.
  Example: alias_host is not one of Facebook, UTube, Instagram.
  Meaning: alias_host is not one of the array string values Facebook, UTube, Instagram.
contains (string)
  Usage: The value field is a substring of the meta key. (This operator is only available for a string-valued meta key.)
  Example: ec_outcome contains failure.
  Meaning: ec_outcome is a string that contains the substring "failure".
not contains (string)
  Usage: The value field is not a substring of the meta key. (This operator is only available for a string-valued meta key.)
  Example: ec_outcome not contains failure.
  Meaning: ec_outcome is a string that does not contain the substring "failure".
begins with (string)
  Usage: The value field is the beginning of the meta key. (This operator is only available for a string-valued meta key.)
  Example: ip_dst begins with 127.0.
  Meaning: ip_dst is a string that starts with "127.0".
ends with (string)
  Usage: The value field is the end of the meta key. (This operator is only available for a string-valued meta key.)
  Example: user_dst ends with son.
  Meaning: user_dst is a string that ends in "son".

Note: The meta keys used in the examples (shown in bold italics in the original) may not exist in all customer environments.
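The operator semantics above, together with the Ignore Case?, Array? and Select fields from the parameter list, can be checked against a sample event with the following reference evaluator. This is an added example, not NetWitness or ESA code, and it models only what the tables state: it assumes array values are split on commas with the surrounding spaces stripped, that numeric operators read the Value field as a number, that an array-type meta key matches when any of its elements does, and that an absent meta key satisfies nothing except "is not null". The sample event, the meta values in it and the helper names (Condition, evaluate, statement_matches) are constructed for this example. It is useful for seeing why Ignore Case matters in a detection rule: without it, a rule for "Johnson" never fires on an event that carries "JOHNSON".

```python
from dataclasses import dataclass

# Numeric operators from the table: the Value field is read as a number.
NUMERIC_OPS = {
    "is greater than": lambda m, n: m > n,
    "is greater than or equal to": lambda m, n: m >= n,
    "is less than": lambda m, n: m < n,
    "is less than or equal to": lambda m, n: m <= n,
}
# The page says these operators are only available for string-valued meta keys.
STRING_ONLY_OPS = {"contains", "not contains", "begins with", "ends with"}


@dataclass
class Condition:
    key: str                   # meta key for ESA to check
    operator: str              # operator name as shown in the dialog
    value: str = ""            # the Value field, exactly as typed
    ignore_case: bool = False  # the "Ignore Case?" box
    array: bool = False        # the "Array?" box


def _condition_values(cond):
    """Array? checked: split the Value field on commas; the spaces are stripped."""
    if cond.array:
        return [v.strip() for v in cond.value.split(",")]
    return [cond.value]


def _norm(x, ignore_case):
    """Ignore Case? makes the query treat all string text as lowercase."""
    return x.lower() if ignore_case and isinstance(x, str) else x


def _coerce(values, sample):
    """Compare as numbers when the meta key is numeric (e.g. size is not 200)."""
    if isinstance(sample, (int, float)) and not isinstance(sample, bool):
        out = []
        for v in values:
            try:
                out.append(float(v))
            except ValueError:
                pass  # a non-numeric entry can never equal a numeric meta key
        return out
    return values


def evaluate(cond, event):
    """Return True when one statement matches the event (a dict of meta keys)."""
    meta = event.get(cond.key)
    if cond.operator == "is not null":
        return meta is not None
    if meta is None:
        return False  # assumption: an absent meta key satisfies no other operator
    values = _condition_values(cond)
    if cond.operator in NUMERIC_OPS:
        try:
            return NUMERIC_OPS[cond.operator](float(meta), float(values[0]))
        except (TypeError, ValueError):
            return False
    # Array-type meta (e.g. alias_host) carries several values in one event;
    # assumption: the statement matches if any element of the meta matches.
    elements = meta if isinstance(meta, list) else [meta]
    if cond.operator in STRING_ONLY_OPS and not all(isinstance(e, str) for e in elements):
        return False
    wanted = [_norm(v, cond.ignore_case) for v in _coerce(values, elements[0])]
    elements = [_norm(e, cond.ignore_case) for e in elements]
    needle = wanted[0] if wanted else ""
    if cond.operator in ("is", "is one of"):
        return any(e in wanted for e in elements)
    if cond.operator in ("is not", "is not one of"):
        return not any(e in wanted for e in elements)
    if cond.operator == "contains":
        return any(needle in e for e in elements)
    if cond.operator == "not contains":
        return not any(needle in e for e in elements)
    if cond.operator == "begins with":
        return any(e.startswith(needle) for e in elements)
    if cond.operator == "ends with":
        return any(e.endswith(needle) for e in elements)
    raise ValueError(f"unknown operator: {cond.operator}")


def statement_matches(conditions, event, match_all=True):
    """The Select field: 'If all conditions are met' (True) or 'If any ... are met'."""
    results = [evaluate(c, event) for c in conditions]
    return all(results) if match_all else any(results)


# Constructed sample event for the demo; not captured from a real system.
SAMPLE_EVENT = {
    "user_dst": "JOHNSON",
    "size": 200,
    "ip_dstport": 443,
    "ec_outcome": "Login Failure",
    "alias_host": ["facebook", "cdn.example.invalid"],
    "ip_dst": "127.0.0.1",
}

if __name__ == "__main__":
    for c in (Condition("user_dst", "is", "Johnson"),
              Condition("user_dst", "is", "Johnson", ignore_case=True),
              Condition("size", "is not", "200, 300, 400", array=True)):
        print(c.key, c.operator, repr(c.value), "ignore_case=%s" % c.ignore_case,
              "->", evaluate(c, SAMPLE_EVENT))
```

Running the block prints the three checks: the case-sensitive "user_dst is Johnson" does not match the sample event, the same statement with Ignore Case does, and "size is not 200, 300, 400" is false because size equals one of the listed numbers. Combining several Condition objects with statement_matches reproduces the "If all" and "If any" choices of the Select field.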