Warehouse DB Simple Rules Syntax
This section explains the simple rules query syntax for the Warehouse DB and walks through several example rules.
The following examples illustrate simple rules in the default mode:
- All Event Categories Report
- Attacks Event Categories Report
- Source: China Event Categories Report
- IP Source and Destination Event Categories Report
- Time Threat Categories Report
- Array Query Report
- Raw Log Query Report
All Event Categories Report
This rule fetches the event category, source country, and destination country of every session from the sessions table, defining an alias name (a temporary column name that becomes the report column heading) for each of the fields fetched from the table, that is, country_src for the source country and country_dst for the destination country.
The following figure shows the result set of the All Event Categories rule.
Attacks Event Categories Report
This rule fetches the event category, source country, and destination country from the sessions table, defining alias names (temporary column names) for each of the fields fetched from the table, and selecting only those rows whose event category name matches the pattern 'Attacks.%' (in a LIKE pattern, % matches any sequence of characters; the dot is a literal character, not a wildcard).
The following figure shows the result set of the Attacks Event Categories rule.
Source: China Event Categories Report
This rule fetches the event category, source country, and destination country from the sessions table, defining alias names (temporary column names) for each of the fields fetched from the table, and selecting only those rows whose source country is 'China'.
The following figure shows the result set of the Source: China Event Categories rule.
IP Source and Destination Event Categories Report
This rule fetches the source and destination IP addresses from the sessions table, defining alias names (temporary column names) for each of the fields fetched from the table, and selecting only those rows whose destination country is NOT NULL.
The following figure shows the result set of the IP Source and Destination Event Categories rule.
Time Threat Categories Report
This rule fetches the threat category, the time at which the log or event was ingested into the Log Decoder/Decoder, and the source IP address from the sessions table, defining alias names (temporary column names) for each of these fields fetched from the table.
The following figure shows the result set of the Time Threat Categories rule. The value displayed in the time field is UNIX time, that is, seconds since 1970-01-01 00:00:00 UTC (for example, 1388743446).
Note: To show a readable timestamp in the report, convert the UNIX time in the rule's SELECT clause, or check individual values with an Epoch time converter tool. For example, 1388743446 converts to 2014-01-03 10:04:06 UTC (Coordinated Universal Time). A converter that shows 3:34:06 PM for this value is displaying local time (UTC+5:30), not UTC, so check the converter's time-zone setting before labelling a report column as UTC.
Array Query Report
This rule fetches the array of alias host names from those rows of the sessions table whose array contains the value 'www.google.com'.
The following figure shows the result set for querying an array from sessions.
Raw Log Query Report
Raw logs can be queried either from the logs or sessions table.
This rule uses raw_log as a meta for querying raw log from logs whose packet ID is NOT NULL.
The following figure shows the result set for querying raw logs from logs.
This rule uses ${raw_log} as a meta for querying raw log from sessions whose source IP address is NOT NULL.
The following figure shows the result set for querying raw logs from sessions.
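The seven rules described above, written out as one added example in Hive-style SQL (the Warehouse DB query language is Hive-compatible). This is not the page's own rule text, which appears only in the figures. The column names are assumptions derived from NetWitness meta-key names with dots replaced by underscores (event.cat.name to event_cat_name, country.src to country_src, threat.category to threat_category, and so on); packet_id and the alias names are likewise assumed.

```sql
-- Added example, Hive-style SQL; not the original page's rule text.
-- Column names are assumed from NetWitness meta keys (dots replaced by underscores).

-- 1. All Event Categories Report: the AS aliases become the report column headings.
SELECT event_cat_name AS event_category,
       country_src    AS source_country,
       country_dst    AS destination_country
FROM   sessions;

-- 2. Attacks Event Categories Report: keep only rows under the 'Attacks' category tree.
--    In a LIKE pattern '%' matches any sequence, '_' matches one character and '.' is literal;
--    Hive LIKE is case-sensitive, so 'attacks.%' would match nothing here.
SELECT event_cat_name AS event_category,
       country_src    AS source_country,
       country_dst    AS destination_country
FROM   sessions
WHERE  event_cat_name LIKE 'Attacks.%';

-- 3. Source: China Event Categories Report: equality filter on the source country.
SELECT event_cat_name AS event_category,
       country_src    AS source_country,
       country_dst    AS destination_country
FROM   sessions
WHERE  country_src = 'China';

-- 4. IP Source and Destination Event Categories Report: rows with a known destination country.
SELECT ip_src AS source_ip,
       ip_dst AS destination_ip
FROM   sessions
WHERE  country_dst IS NOT NULL;

-- 5. Time Threat Categories Report: time is stored as UNIX epoch seconds.
--    from_unixtime() renders in the Hive server's time zone, not necessarily UTC;
--    keep the raw epoch value in the report so the rendered time can be checked.
SELECT threat_category,
       `time`                AS event_time_epoch,
       from_unixtime(`time`) AS event_time_server_tz,
       ip_src                AS source_ip
FROM   sessions;

-- 6. Array Query Report: alias_host is an array column, so use array_contains()
--    rather than '=' (an equality test against an array column fails).
SELECT alias_host
FROM   sessions
WHERE  array_contains(alias_host, 'www.google.com');

-- 7. Raw Log Query Report: raw_log is a plain column in the logs table,
--    but is referenced through the ${raw_log} meta placeholder in the sessions table.
SELECT raw_log
FROM   logs
WHERE  packet_id IS NOT NULL;

SELECT ${raw_log}
FROM   sessions
WHERE  ip_src IS NOT NULL;
```

When checking rule 5 against an epoch converter, compare the epoch value rather than the rendered string: from_unixtime() applied to 1388743446 on a server set to UTC+5:30 prints 2014-01-03 15:34:06, while the UTC value is 2014-01-03 10:04:06, and a report built from the rendered string alone cannot tell the two apart.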