Using Field Sets

The Common Conditions Editor provides access to all available Field Sets you created. You can specify fields with particular values as part of condition statements. See also Creating a Field Set.

You can select a particular field set, which limits the fields shown to a subset of all available fields. If you cannot find a field, click the "Clear field set" button to clear the field set selection and show the complete list of fields. A common problem is having the Common Conditions Editor (CCE) field display limited to a field set that does not include some fields you want to use in the condition.

For example, suppose you define a condition to look for two matching events: one in which Event Name contains "swipe" and another in which Event Name contains "login". You can set this condition with the "Standard" field set shown above because it includes the Event Name field in the list of available fields from which to choose. But if you wanted to add conditions based on an Event field for "Correlated Event Count" or a Threat field for "Model Confidence," you would clear the Field Set and view all fields to get access to these fields.

Tip: Fields shown in italics are derived from data in other fields. Derived fields show up in various places on the Console UI, including the Field Set editor and the Common Conditions Editor (CCE) aggregation tabs (for example, Rules and Filters).