Build Rule View

The Build Rule view explains the actions and associated procedures that you can perform under Rules.

Workflow

This workflow shows the procedure to create or deploy a rule.

netwitness_confrule_workflow.png

What do you want to do?

Role | I want to ... | Show me how
Administrator / Analyst | Configure Reporting Engine | For more information, see the "Step 3: Configure Reporting Engine Data Sources" topic in the Reporting Engine Configuration Guide.
Administrator / Analyst | Create a List or List Group / Create or Deploy a Rule / Test a Rule* | Configure a Rule
Administrator / Analyst | Create and Schedule a Report | Create and Schedule a Report
Administrator / Analyst | View a report or list of all reports | View a Report
Administrator / Analyst | Investigate a Report | Investigate a Report
Administrator / Analyst | Manage/Access Control for lists, Rules or Reports | Manage Lists, Rules or Reports

*You can complete these tasks here.

Quick View

122_build_rule_view_1222.png

To access the Build Rule view:

  1. Go to Reports.
    The Manage tab is displayed.
  2. In the Rules toolbar, click the Add icon (netwitness_110_add_button.png) > NetWitness Platform DB.
    The Build Rule view tab is displayed.

Features

The Build Rule view includes the following panels.

  1. Rule panel
  2. Meta panel
  3. Lists panel

Rule Panel

The Rule panel allows you to create a rule for the selected database type.

The following figure shows the Rule panel.
netwitness_110_build_rule_view1.png

The following table describes the features in the Rule panel.

Feature | Description
Rule Type | A drop-down list of supported database types for which you can create rules. The options are: NetWitness DB and Warehouse DB.
Name | The name of the rule that you are creating or editing.
Summarize | A drop-down list of summarize options. The options are: None, Event Count, Packet Count, Session Count and Custom.
Select | The meta key for which you need the aggregate values; for example, ip.dest.
Where | A Where clause that defines the conditions that trigger the rule execution; for example, ip.dest = 127.0.0.1.
Group By | The grouping method for the results. For example, specifying ip.dest produces a report in which like ip.dest values are grouped.
Then | A Then clause that defines the rule actions for additional processing on the output.
Order By | The sequencing method used to show results. For example, specifying Order By the value in the Total column, Ascending, produces a report in which the results are sorted in ascending order based on the value in the Total column.
Session Threshold | A selection list for the session threshold, which specifies the maximum number of sessions that should be processed for aggregate functions.
Limit | A selection list for the maximum number of result rows to be fetched.
Use | Clicking Use enables you to use the Rule to generate a Report, Alert or Chart.
Save | Clicking Save saves the rule that you are editing; the Build Rule panel remains open. Before testing a rule, you must save it if you want to keep your changes.
Reset | Clicking Reset clears all the field information.
Test Rule | Clicking Test Rule opens the Test Rule dialog.

Test Rule Dialog

To access the Test Rule view:

  1. Go to Reports.

    The Manage tab is displayed.

  2. In the Rules panel, do one of the following:

    • Select a rule and click the Edit icon (netwitness_110_edit_button.png) in the Rules toolbar.
    • Click netwitness_110_star_a.png > Edit.

      The Build Rule view tab is displayed.

  3. Click Test Rule.

    The Test Rule view is displayed.

    netwitness_110_test_rule_page.png

The following table describes the features in the Test Rule Dialog.

Feature | Description
Data Source | A drop-down list of data sources for the type of rule you are testing. Possible data sources are: Concentrator, Broker, Decoder or Log Decoder.
Format | A drop-down list of the formats for displaying results for the rule. Possible formats are: Tabular, Area, Bar, Bubble, Column, Line, Pie, Step Line, Step Area, Spline Area, and Spline.
Time Range | A drop-down list of time range specification methods.
  • Selecting Past allows you to specify a number of Hours, Days, Weeks, Months, or Years.
  • Selecting Range allows you to specify a date range and time period, for example, a start date to an end date.
  In the user interface, the date or time displayed depends on the time zone profile selected by the user.
Use relative time calculation | Selecting this option calculates the time range relative to the current time.
X Axis | X-Axis and Y-Axis specify the metadata to be plotted in charts. In the X-Axis drop-down list, the meta types for the Group By setting in the rule are listed. You can select multiple meta types when the rule has a single Group By setting. For Custom Rules with multiple Group By values, you can select only the first meta type for the X-Axis.
Y Axis | In the Y-Axis drop-down list, the aggregate functions used in the rule are listed. Sum, Count, Countdistinct and Average are the supported aggregate functions for rules. You can select one or more aggregate functions.
Run Test | Clicking Run Test executes a test of the rule last saved in the Rule Builder dialog. When the test is complete, the rule data (if any) for the selected time range is displayed.

Meta Panel

The Meta panel provides a list of available meta types that you can use to build the rule. You can use the meta types in the Select, Where, and Then clauses. The Reporting Engine maintains an active list of the available meta names by continuously synchronizing with the data source to which it is connected.

The following figure displays the Meta panel.
netwitness_110_meta.png
The following table describes the features in the Meta panel.

Operation | Description
Choose | Based on the rule type that you have selected, the available data sources are displayed in the drop-down list of the Meta panel. Select the required data source. The available meta types for the data source are displayed. Select a meta.
Filter | Filter the meta for a specific meta value.

Lists Panel

A List is a placeholder for a set of values that you can use in a meta or a variable. For example, you can define a list with all the whitelisted event source IP addresses. Once the List is defined, you can use the List name in the rule. This provides the flexibility of adding, modifying, and deleting the list values without editing the rule itself.

The Lists panel is a collection of Lists. The Reporting Engine maintains an active list of the available list names by continuously synchronizing with the collection to which it is connected.

The following figure displays the Lists panel.

netwitness_110_list_pane.png

The following table describes the features in the Lists panel.

Operation | Description
netwitness_110_part_of_list_pane.png | Import or Export a list.
netwitness_110_refresh_button.png | Refresh the Lists.
netwitness_110_insert_lists_pane.png | If you select the NetWitness DB rule type, the options Where and Then are displayed. Insert the list in the Where or Then clause in the rule.
netwitness_110_warehouse_option.png | If you select the Warehouse DB rule type, the option Where is displayed. Insert the list in the Where clause in the rule.
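To show how the Rule panel clauses described above (Where, Group By with Summarize = Session Count, Order By Total, Session Threshold, Limit) combine with a List from the Lists panel, here is an added Python model; it is an illustration written for this page, not Reporting Engine code, and the session records, the whitelisted_sources List and the function names are constructed assumptions.

```python
"""Constructed model of how Build Rule clauses combine; not NetWitness code."""
from collections import Counter

# Constructed sample sessions standing in for meta returned by a data source.
SESSIONS = [
    {"ip.src": "10.0.0.5", "ip.dest": "203.0.113.7"},
    {"ip.src": "10.0.0.5", "ip.dest": "203.0.113.9"},
    {"ip.src": "10.0.0.8", "ip.dest": "203.0.113.7"},
    {"ip.src": "192.0.2.1", "ip.dest": "203.0.113.7"},   # source is on the whitelist List
    {"ip.src": "10.0.0.9", "ip.dest": "203.0.113.20"},
    {"ip.src": "10.0.0.9", "ip.dest": "203.0.113.20"},
]

# A List as in the Lists panel: a named set of values referenced by name from Where.
# Editing the set changes what the rule matches without editing the rule itself.
LISTS = {"whitelisted_sources": {"192.0.2.1"}}


def where_not_whitelisted(session, lists):
    """Where clause: ip.src is not a member of the whitelisted_sources List."""
    return session["ip.src"] not in lists["whitelisted_sources"]


def run_rule(sessions, where, group_by, order_ascending=True,
             session_threshold=None, limit=None):
    """Where -> Session Threshold -> Group By (Summarize = Session Count) -> Order By Total -> Limit."""
    matched = [s for s in sessions if where(s, LISTS)]
    if session_threshold is not None:
        # Session Threshold caps how many sessions feed the aggregate, not the row count.
        matched = matched[:session_threshold]
    totals = Counter(s[group_by] for s in matched)
    rows = [{group_by: key, "Total": total} for key, total in totals.items()]
    # Order By the Total column; group key breaks ties so ordering is deterministic.
    rows.sort(key=lambda r: (r["Total"], r[group_by]), reverse=not order_ascending)
    if limit is not None:
        rows = rows[:limit]   # Limit caps the number of result rows fetched
    return rows


def top_destinations(limit=2):
    """Report: non-whitelisted sessions grouped by ip.dest, highest Total first."""
    return run_rule(SESSIONS, where_not_whitelisted, "ip.dest",
                    order_ascending=False, limit=limit)


if __name__ == "__main__":
    for row in top_destinations():
        print(row["ip.dest"], row["Total"])
```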