From NetWitness Platform version 12.4 or later, administrators and analysts can create search pattern rules from the (CONFIGURE) > Policies > Content Library page to find sensitive data on their networks. These rules use keywords to identify patterns, and keywords are matched on an exact string. Once a pattern is applied to a policy that is published to services (Decoders), those Decoders search for the pattern in the network traffic. When a match is detected, two important meta keys are generated: found and match.

  • found: If a match (a keyword) is identified in a stream, the name of the search pattern rule is added as the found meta.

  • match: If a keyword is detected as a match, the specific keyword that was identified is added as the match meta.

Analysts can use this metadata to investigate further and determine if the sensitive data is being used maliciously. Additionally, analysts can gain real-time visibility into their network traffic, proactively monitoring it for potential threats.


Here is an example of a search pattern that can be used to find sensitive data in networks:

Keywords: Keywords are words or phrases that are often associated with sensitive data. For example, the keyword credit card could be used to find network traffic that contains credit card numbers.

IMPORTANT:  The custom search patterns you created using the search.ini file in version 12.3.1 or earlier will not be migrated to the new search.xml file format used in version 12.4 and later. As a result, those custom search patterns will not be available from the Content Library > More > Search Pattern Rule tab after you upgrade to version 12.4 or later. 

For example, consider an environment with four Decoders that have CCM enabled and are published to the policy, but only three of them have the search parser enabled. As a result, only the three Decoders with the search parser enabled generate the found and match meta keys.

In addition, administrators can perform other operations on the search pattern rule, such as editing, cloning, deleting, and filtering a rule.

Note: You can also view the search pattern rules inside the Policy Details view, which allows you to enable or disable those rules. For more information, see Manage Policies.


You must create a policy with the Search Pattern Rule type and associate the policy with the group having a Decoder service, and then publish the policy.

For more information on adding the search pattern rule content to a policy, see Create and Publish Policies.

For more information on groups, see Manage Groups.

You can perform the following operations for Search Pattern Rules:

View Search Pattern Rule Details

This topic describes the steps to view the search pattern rule details.

To view the Search Pattern Rule details

  1. Go to (CONFIGURE) > Policies.

  2. In the policies panel, click Content.

  3. In the left panel, click Content Library.

  4. Click More > Search Pattern Rule.

    The Search Pattern Rule tab is displayed.


  5. Click a row to view details about the selected search pattern rule in the right panel.

    The various details of the search pattern rule are displayed.


Create a Search Pattern Rule

This topic describes the steps to create the search pattern rules.

Prerequisites

  • By default, only administrators are allowed to create search patterns. To enable access for analysts, they must contact their administrators.

  • To generate the meta keys found and match, you must enable the Search Parser, which is disabled by default. To do this, go to (Admin) > Services, select the Decoder service, click the actions button, and select Config > General. Under the Parser Configuration section, enable the Search Parser.

Note: Creating a generic search pattern rule will cause performance issues.

Note: An administrator must enable source-server.centralpolicy.manage permission on the source server and rules.manage permission on the core devices to allow analysts to create the search pattern rules. For more information, see the "Role Permissions" topic in the System Security and User Management Guide.

To create a Search Pattern Rule

  1. Go to (CONFIGURE) > Policies.

  2. In the policies panel, click Content.

  3. In the left panel, click Content Library.

  4. Click More > Search Pattern Rule.

    The Search Pattern Rule tab is displayed.

  5. Click + Create Rule.

    The Create New Rule dialog is displayed.


  6. Enter a name to identify the pattern. The name must be unique and can contain a maximum of 256 characters. Use only letters and numbers.

    Note: Search Pattern names cannot contain spaces.

  7. Enter one or more keywords in the Keywords text box. Keywords are matched based on an exact string only. Regular expressions (Regex) are not supported.

    Use semicolons (;) to separate multiple keywords. For example, CreditCard;VISA;US. Keywords are case-sensitive. You can enter one or more keywords to improve the chances of detecting an exact string match.

    Note: Non-ASCII characters (for example, é, €, ★, etc.) are not supported. Enter only ASCII characters when creating a search pattern.

  8. Enter one or more port numbers in the Service Port field. Use semicolons (;) to separate multiple port numbers. For example, 20;21;23.

    Note: The port numbers must be between 1 and 65535.

  9. Click Save to create the search pattern rule.

  10. Click Reset to reset the fields.
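To make the two ideas on this page concrete (the found and match meta described at the top, and the field constraints of steps 6 to 8), here is an added Python sketch; it is not NetWitness code. Substring matching and one found meta per matching rule are assumptions, and the CardData rule, the port 21 stream and the parser-disabled flag are constructed for the example.

```python
import re
from collections import namedtuple

# Field constraints from the Create Rule procedure (steps 6-8): name is
# 1-256 letters or digits, keywords are ASCII and ';'-separated, ports 1-65535.
NAME_RE = re.compile(r"[A-Za-z0-9]{1,256}")
SearchPatternRule = namedtuple("SearchPatternRule", "name keywords ports")

def field_errors(name, keywords_text, ports_text):
    """Return the constraint violations in the three dialog fields (empty if valid)."""
    errors = []
    if not NAME_RE.fullmatch(name):
        errors.append("name: 1-256 letters or digits, no spaces")
    keywords = [k for k in keywords_text.split(";") if k]
    if not keywords:
        errors.append("keywords: enter at least one")
    errors += [f"keyword {k!r}: non-ASCII not supported" for k in keywords if not k.isascii()]
    for p in (x for x in ports_text.split(";") if x):
        if not p.isdigit() or not 1 <= int(p) <= 65535:
            errors.append(f"port {p!r}: must be between 1 and 65535")
    return errors

def parse_rule(name, keywords_text, ports_text):
    errors = field_errors(name, keywords_text, ports_text)
    if errors:
        raise ValueError("; ".join(errors))
    keywords = tuple(k for k in keywords_text.split(";") if k)
    ports = tuple(int(p) for p in ports_text.split(";") if p)
    return SearchPatternRule(name, keywords, ports)

def scan_stream(rules, port, payload, search_parser_enabled=True):
    """Meta (key, value) pairs a Decoder would emit for one reassembled stream."""
    # Assumed here, not stated on the page: a keyword hits as a case-sensitive
    # substring; found is emitted once per matching rule, match once per keyword.
    # A Decoder whose Search Parser is disabled emits neither (four-Decoder example).
    meta = []
    if not search_parser_enabled:
        return meta
    for rule in rules:
        if port not in rule.ports:
            continue
        hits = [kw for kw in rule.keywords if kw in payload]
        if hits:
            meta.append(("found", rule.name))
            meta.extend(("match", kw) for kw in hits)
    return meta

# Constructed sample: one rule and an FTP control stream captured on port 21.
RULE = parse_rule("CardData", "CreditCard;VISA;US", "20;21;23")
SAMPLE = "USER anon\r\nSTOR VISA_export.csv\r\n"
```

Scanning SAMPLE on port 21 yields found=CardData plus match=VISA and match=US; the short keyword US also fires on the USER command, which is the kind of noise a generic keyword produces.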

Edit a Search Pattern Rule

When you edit the search pattern rule, follow these guidelines:

  • The search pattern rule name cannot be edited if the rule is assigned to a policy.

  • If the rule assigned to a policy is edited, then the administrator must republish the policy for the changes to take effect in the service.

  • While editing the rule name, if the name of that search pattern rule is the same as an existing rule, an error message is displayed.

To edit a Search Pattern Rule

  1. Go to (CONFIGURE) > Policies.

  2. In the policies panel, click Content.

  3. In the left panel, click Content Library.

  4. Click More > Search Pattern Rule.

    The Search Pattern Rule tab is displayed.

  5. Click a row of the search pattern rule to be modified.

  6. Click Edit Rule to modify the search pattern rule.

    The Edit Rule dialog is displayed.


  7. In the Edit Rule panel, do the following:

    1. Enter a unique rule name. The name must be unique and can contain a maximum of 256 characters. Use only letters and numbers.

      Note: Search Pattern names cannot contain spaces. If the name of that search pattern rule is the same as an existing rule, an error message is displayed.

    2. Enter one or more keywords in the Keywords field. Keywords are matched based on an exact string only. Regular expressions (Regex) are not supported.

      Use semicolons (;) to separate multiple keywords. For example, CreditCard;VISA;US. Keywords are case-sensitive. You can enter one or more keywords to improve the chances of detecting an exact string match.

    3. Enter one or more port numbers in the Service Port field. Use semicolons (;) to separate multiple port numbers. For example, 20;21;23.

      Note: The port numbers must be between 1 and 65535.

    4. Click Save to save the search pattern rule details.

    5. Click Reset to reset the fields.

    6. Click Cancel to cancel the operation.

Clone a Search Pattern Rule

This topic describes the steps to clone a Search Pattern rule.

Note:
• Cloning will create a search pattern rule and will not be associated with any existing policy.
• You can clone existing search pattern rules to generate new ones with different rule names but with the same parameters.
• You can clone only one search pattern rule at a time.

To Clone a Search Pattern Rule

  1. Go to (CONFIGURE) > Policies.

  2. In the policies panel, click Content.

  3. In the left panel, click Content Library.

  4. Click More > Search Pattern Rule.

    The Search Pattern Rule tab is displayed.

  5. Select a search pattern rule and click Clone Rule.

    The Clone Rule dialog is displayed.


  6. In the Clone Rule panel, do the following:

    1. Enter a unique name for the search pattern rule clone. The name can contain a maximum of 256 characters. Use only letters and numbers.

      Note: Rule names are always appended with a number. For example, if the rule has the name SearchPatternRuletest3, its name will be changed to SearchPatternRuletest31 after the cloning.

    2. Enter one or more keywords in the Keywords text box. Keywords are matched based on an exact string only. Regular expressions (Regex) are not supported.

      Use semicolons (;) to separate multiple keywords. For example, CreditCard;VISA;US. Keywords are case-sensitive. You can enter one or more keywords to improve the chances of detecting an exact string match.

    3. Enter one or more port numbers in the Service Port field. Use semicolons (;) to separate multiple port numbers. For example, 20;21;23.

      Note: The port numbers must be between 1 and 65535.

    4. Click Clone to clone the search pattern rule details.

    5. Click Cancel to cancel the operation.

Delete a Search Pattern Rule

When you delete the search pattern rule, follow these guidelines:

  • You cannot delete the search pattern rule if it is associated with a policy. You should first disassociate the search pattern rule from the policy and then delete it.

  • If you select a search pattern rule that is associated with a policy and another that is not associated with a policy, the delete button will be disabled.

To delete a Search Pattern Rule

  1. Go to (CONFIGURE) > Policies.

  2. In the policies panel, click Content.

  3. In the left panel, click Content Library.

  4. Click More > Search Pattern Rule.

    The Search Pattern Rule tab is displayed.

  5. Select one or more search pattern rules and click Delete.

    A confirmation pop-up is displayed.

  6. Click Delete to permanently delete the selected search pattern rules.

Filter Search Pattern Rules

The Filters panel allows you to filter the list of search pattern rules under the content library based on the name, keywords, ports, last updated date, and source type.

To filter the search pattern rules

  1. Go to (CONFIGURE) > Policies.

  2. In the policies panel, click Content.

  3. In the left panel, click Content Library.

  4. Click More > Search Pattern Rule.

    The Search Pattern Rule tab is displayed.

  5. By default, the filters panel is hidden. Click the Filters icon in the toolbar to expand the filters panel.

  6. To search by name:

    • Set the filter option to the Contains operator from the drop-down list and start typing the name of the search pattern rule. After you type one character, a list of search pattern rules that contain that character is displayed; as you continue to type, the list is filtered to match.

    • Set the filter option to the Equals operator from the drop-down list and enter the full name. Only that rule is displayed.

  7. To search by keywords, select one or more keywords that are listed in the Keywords drop-down list. The filter is an AND operator when searching for multiple keywords, such as Visa and MasterCard. In this case, the filter results will display all matches that contain both Visa and MasterCard.

  8. To search by ports, select one or more port numbers that are listed in the Ports drop-down list. The filter is an AND operator when searching for multiple port numbers, such as 25 and 34. In this case, the filter results will display all matches that contain both 25 and 34.

  9. To filter by date range, under the Last Update Date, select the start date and end date from the date fields.

    For example, to filter search pattern rules that were updated between May 1 and May 31, you select May 1 as the start date and May 31 as the end date. You must enter dates in mm/dd/yyyy format, or you can click and pick dates from a calendar.

  10. To filter by source type, select one or more sources from the Source Type drop-down list. The options are listed below:

    • Custom

    • Live

  11. To hide the filters panel, click the hide icon at the top-right of the panel.

    The search pattern rules are displayed in the right panel according to the filter you selected. Click Reset to clear the existing filter results.

Filter Search Pattern Rules from Policy Details View

The Filters panel allows you to filter the list of displayed search pattern rules in the policy details view based on the name, keywords, ports, source type, enabled/disabled status, subscription status, resource-created date, and last updated date.

To filter the search pattern rules

  1. Go to (CONFIGURE) > Policies.

  2. In the policies panel, click Content.

  3. Click Policies. The available policies are displayed.

  4. Do one of the following:

    • Click a policy name.

    • Click a row to view details about the selected policy and click View Details.

    The policy details view is displayed.

  5. Click the Search Pattern Rule tab.

  6. By default, the filters panel is hidden. Click the Filters icon in the toolbar to expand the filters panel.

  7. To search by name:

    • Set the filter option to the Contains operator from the drop-down list and start typing the name of the search pattern rule. After you type one character, a list of search pattern rules that contain that character is displayed; as you continue to type, the list is filtered to match.

    • Set the filter option to the Equals operator from the drop-down list and enter the full name. Only that rule is displayed.

  8. To search by keywords, select one or more keywords that are listed in the Keywords drop-down list. The filter is an AND operator when searching for multiple keywords, such as Visa and MasterCard. In this case, the filter results will display all matches that contain both Visa and MasterCard.

  9. To search by ports, select one or more port numbers that are listed in the Ports drop-down list. The filter is an AND operator when searching for multiple port numbers, such as 25 and 34. In this case, the filter results will display all matches that contain both 25 and 34.

  10. To filter by source type, select one or more sources from the Source Type drop-down list. The options are listed below:

    • Custom

    • Live

  11. To filter by enabled/disabled status, select one or more statuses from the Enabled/Disabled Status drop-down list. The options are listed below:

    • Enabled

    • Disabled

  12. To filter by subscription status, select one or more statuses from the Subscription drop-down list. The options are listed below:

    • Subscribed

    • Unsubscribed

  13. To filter by a resource created date range, under the Resource Created Date, select the start date and end date from the date fields.

    For example, to filter contents that were created between July 1 and July 30, you select July 1 as the start date and July 30 as the end date. You must enter dates in mm/dd/yyyy format, or you can click and pick dates from a calendar.

  14. To filter by date range, under the Last Update Date, select the start date and end date from the date fields.

    For example, to filter search pattern rules that were updated between May 1 and May 31, you select May 1 as the start date and May 31 as the end date. You must enter dates in mm/dd/yyyy format, or you can click and pick dates from a calendar.

  15. To hide the filters panel, click the hide icon at the top-right of the panel.

    The search pattern rules are displayed in the right panel according to the filter you selected. Click Reset to clear the existing filter results.
