Rule Examples

The following table shows examples of rule conditions. You can use rule conditions for log retention collections in an Archiver and for application, network, and correlation rules on a Decoder, Log Decoder, or Concentrator. Rule conditions are also used in all WHERE clauses in all Core database queries.

For detailed information on rule syntax in NetWitness Platform, see WHERE Clauses in the Queries.

Rule Name             Condition
ComplianceDevices     'PCI Devices' ||'HIPPA Devices'
HighValueWindows      'Windows Compliance'
MediumValueWindows    device.type='winevent_nic' &&'security_4624_security'
LowValueWinLogs       device.type='winevent_nic' &&'security_4648_security'
LowValueProxyLogs     device.class='proxy' &&'antivirus_license_expired'
GeneralWindows        device.type='winevent_nic'

Correcting invalid rules

Since version 11.0, NetWitness Platform has been using a parser for rules and queries that strictly defines valid syntax. When a Core service encounters invalid syntax, it writes a warning in the NetWitness Platform logs indicating the error.

NetWitness Platform 11.0 and later do not support parsing of legacy syntax rules (as Security Analytics 10.6 did).

After you update to NetWitness Platform 11.0 (or later), rules with invalid syntax are highlighted in the user interface. The Rule Editor provides additional tooltips. After you fix the rules, the highlights disappear. See "Fix Rules with Invalid Syntax" in the Decoder and Log Decoder Configuration Guide.

The /decoder/config/rules/rule.errors and /concentrator/config/rules/rule.errors stats, introduced in 10.6, contain the count of rules with errors. If rule.errors is nonzero, NetWitness Platform generates a Health and Wellness alert to indicate that you need to fix the rules.

Valid Syntax with the Modern Parser

The following are valid syntax rules using the modern parser:

  • All text types must quote literal values. Example: username = 'user1'
  • Literal values can use single or double quotes, but the quotes must match. (You cannot start with a single quote and finish with a double quote.)
  • If the literal value contains a quote, you can escape it (using a backslash) or use a different starting quote character. Both of the following examples are valid: username = "User's", username = 'User\'s'
  • To use a backslash in a literal string, escape it using an extra backslash: \\
  • All time types should use quotes for dates in this form: time = 'YYYY-MM-DD HH:MM:SS'
  • All time types that are the number of seconds since the epoch (Jan 1, 1970) should not be quoted. Example: time = 1448034064
  • Everything else is unquoted: IP addresses, MAC addresses, numerics, and so on. Example: service = 80 && ip.src =
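
The quoting rules listed above can be checked mechanically before a rule set is loaded on a Core service. The following Python linter is an added example, not NetWitness code and not its parser. The key-to-type sets (TEXT_KEYS, TIME_KEYS, UNQUOTED_KEYS) and the function names are assumptions, and it handles only simple key = value comparisons joined by && or ||.

```python
import re

# Assumed key-to-type sets for this example; real types come from the
# deployment's own index configuration.
TEXT_KEYS = {"username", "device.type", "device.class"}
TIME_KEYS = {"time"}
UNQUOTED_KEYS = {"service", "ip.src"}

# A literal opens and closes with the same quote; backslash escapes one char.
STRING = r"'(?:[^'\\]|\\.)*'" + "|" + r'"(?:[^"\\]|\\.)*"'
TOKEN = re.compile(
    rf"\s*(?:(?P<str>{STRING})|(?P<op>&&|\|\||=)"
    r"|(?P<bare>[^\s=&|'\"]+)|(?P<bad>\S))"
)
DATE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")


def tokenize(condition):
    """Split a condition into (kind, text) pairs; kind 'bad' marks a quote
    that never closes or a stray operator character."""
    tokens, pos, end = [], 0, len(condition.rstrip())
    while pos < end:
        m = TOKEN.match(condition, pos)
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
        pos = m.end()
    return tokens


def lint(condition):
    """Return a list of quoting problems found in one rule condition."""
    tokens = tokenize(condition)
    bad = [text for kind, text in tokens if kind == "bad"]
    if bad:
        return [f"unbalanced quote or stray character: {bad[0]}"]
    problems = []
    for (k1, key), (k2, op), (k3, val) in zip(tokens, tokens[1:], tokens[2:]):
        if (k1, k2, op) != ("bare", "op", "="):
            continue
        if key in TEXT_KEYS and k3 != "str":
            problems.append(f"{key}: text value {val} must be quoted")
        elif key in TIME_KEYS and k3 == "str" and not DATE.fullmatch(val[1:-1]):
            problems.append(f"{key}: quoted time must be 'YYYY-MM-DD HH:MM:SS'")
        elif key in TIME_KEYS and k3 == "bare" and not val.isdigit():
            problems.append(f"{key}: unquoted time must be epoch seconds")
        elif key in UNQUOTED_KEYS and k3 == "str":
            problems.append(f"{key}: value {val} should not be quoted")
    return problems
```

Running lint over each exported rule condition and reviewing any non-empty result gives a pre-upgrade view of the rules that would otherwise raise the rule.errors count.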