Warehouse DB Simple Rules Syntax

This section explains the simple rules query syntax and walks through example rules.

The following examples illustrate simple rules in the default mode:

  • All Event Categories Report
  • Attacks Event Categories Report
  • Source: China Event Categories Report
  • IP Source and Destination Event Categories Report
  • Time Threat Categories Report
  • Array Query Report
  • Raw Log Query Report

All Event Categories Report

This rule fetches all event categories, the source country, and the destination country from the sessions table. It defines an alias name (a temporary column name) for each field fetched from the table, for example country_src for the source country and country_dst for the destination country.

[Figure: netwitness_110_all_event_categories.png]

The following figure shows the result set of the All Event Categories rule.

[Figure: netwitness_110_all_event_categories_output.png]

Attacks Event Categories Report

This rule fetches the event categories, the source country, and the destination country from the sessions table. It defines an alias name (a temporary column name) for each field fetched from the table and selects only those rows whose event category name matches 'Attacks.%'.

[Figure: netwitness_110_attacks_event_categories.png]

The following figure shows the result set of the Attacks Event Categories rule.

[Figure: 110_Attacks__event_categories_output.png]

Source: China Event Categories Report

This rule fetches the event categories, the source country, and the destination country from the sessions table. It defines an alias name (a temporary column name) for each field fetched from the table and selects only those rows whose source country is 'China'.

[Figure: netwitness_110_source_china_event_categories.png]

The following figure shows the result set of the Source: China Event Categories rule.

[Figure: source_China_Event_Categories.png]

IP Source and Destination Event Categories Report

This rule fetches the source IP address and the destination country from the sessions table. It defines an alias name (a temporary column name) for each field fetched from the table and selects only those rows whose destination country is NOT NULL.

[Figure: netwitness_110_destination_country_by_source_ip.png]

The following figure shows the result set of the IP Source and Destination Event Categories rule.

[Figure: 110_Destination_Country_by_Source_IP_output.png]

Time Threat Categories Report

This rule fetches the threat category events, the time at which the log or event was ingested into the Log Decoder/Decoder, and the source IP addresses from the sessions table. It defines an alias name (a temporary column name) for each of these fields fetched from the table.

[Figure: netwitness_110_by_time_threat_categories.png]

The following figure shows the result set of the Time Threat Categories rule. The value displayed in the time field is the UNIX time (for example, 1388743446).

Note: The conversion from UNIX time to UTC time in the report is done in the Select clause of the rule. For example, an Epoch time converter tool converts the UNIX time 1388743446 to the UTC (Coordinated Universal Time) value 1/3/2014 3:34:06 PM.

[Figure: 110_by_Time_Threat_Categories_output.png]

Array Query Report

This rule fetches, from the sessions table, the array of alias host names that contains the value 'www.google.com'.

[Figure: netwitness_110_array_contains_query.png]

The following figure shows the result set for querying an array column from the sessions table.

[Figure: 110_Array_Contains_output.png]

Raw Log Query Report

Raw logs can be queried from either the logs table or the sessions table.

This rule uses raw_log as the meta for querying raw logs from the logs table, selecting only those rows whose packet ID is NOT NULL.

[Figure: netwitness_110_raw_query.png]

The following figure shows the result set for querying raw logs from the logs table.

[Figure: 110_raw__log_from_logs_output.png]

This rule uses ${raw_log} as the meta for querying raw logs from the sessions table, selecting only those rows whose source IP address is NOT NULL.

[Figure: netwitness_110_raw_logs_from_sessions.png]

The following figure shows the result set for querying raw logs from the sessions table.

[Figure: 110_raw__log_from_sessions_output.png]
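The rules described above, written out in SQL-like simple-rule form as an added example; this is not the page's own rule text (which is only in the figures) and the underlying column names (event_cat_name, country_src, country_dst, ip_src, alias_host, threat_category, packet_id, time, raw_log) and the Hive-style functions from_unixtime() and array_contains() are assumptions.

```sql
-- Added example, not from the page: column names and the from_unixtime()
-- and array_contains() functions are assumptions about the Warehouse schema.

-- All Event Categories: an alias (temporary column name) per fetched field
SELECT event_cat_name AS event_cat,
       country_src AS src_country, country_dst AS dst_country
FROM sessions;

-- Attacks Event Categories: keep only rows whose category starts with 'Attacks.'
SELECT event_cat_name AS event_cat,
       country_src AS src_country, country_dst AS dst_country
FROM sessions
WHERE event_cat_name LIKE 'Attacks.%';

-- Source: China Event Categories: filter on the source country
SELECT event_cat_name AS event_cat,
       country_src AS src_country, country_dst AS dst_country
FROM sessions
WHERE country_src = 'China';

-- IP Source and Destination: destination country by source IP,
-- skipping sessions that carry no destination country
SELECT ip_src AS source_ip, country_dst AS dst_country
FROM sessions
WHERE country_dst IS NOT NULL;

-- Time Threat Categories: time is a UNIX epoch; convert it in the SELECT
-- clause so the report shows a readable timestamp next to the raw value
SELECT threat_category AS threat_cat,
       `time` AS unix_time,
       from_unixtime(`time`) AS readable_time,
       ip_src AS source_ip
FROM sessions;

-- Array Query: alias_host is an array column, so match on membership
SELECT alias_host
FROM sessions
WHERE array_contains(alias_host, 'www.google.com');

-- Raw Log Query from the logs table, using raw_log as the meta
SELECT raw_log
FROM logs
WHERE packet_id IS NOT NULL;

-- Raw Log Query from the sessions table, using the ${raw_log} variable
SELECT ${raw_log}
FROM sessions
WHERE ip_src IS NOT NULL;
```

from_unixtime() renders the epoch in the Hive session's time zone, so set that to UTC if the report must match the UTC value quoted in the note above.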