Editor Features
The CCE has two tabs: Edit and Summary. In the Edit tab, logical operators are represented in a tree form.
In the Summary tab, conditions are presented in an easily readable, summary view. Resource references in the Summary tab are hyperlinked. From the Summary tab, click a resource link to open its definition in a resource editor in the Inspect/Edit panel.
Conditions are editable only on the Edit tab. Wherever the CCE appears, you use these features to build or change conditional expressions.
- The condition tree shows the complete set of expressions you are building or changing.
- The root of the tree indicates whether the expression concerns Filters (Filter By), Correlation (Correlate), or Reports (Report On), as you see in the Filters Editor, Rules Editor, or Report Editor, respectively.
- From the root, there are branches for one or more events. For each event branch, there are sub-branches for one or more condition statements.
- To add an event for a rule, select the root and click the New Event Definition button (see below) or right-click the root and choose the same command. Note that only rules can add events because filters and reports do not need additional events for correlation.
- To act on a specific event or conditional statement, select it in the tree. Once selected, you can use several features to modify it, as described here and below.
- Use the new event, Logical Operators, and resource selector buttons above the tree to add events, operators, or resource-based constraints to condition statements, if applicable.
- Use the right-click menus that are available for any selected branch of the condition tree to choose commands that are applicable to that statement in that context.
- When you use the right-click Edit command to edit a selected statement directly in the tree (rather than through the event fields table), you can use the Enter key to update the condition without having to click Apply or OK.
- Use single- or multiple-selection copying and pasting of statements for efficiency. You can use the right-click menu commands or Ctrl+C for copy, Ctrl+X for cut, and Ctrl+V for paste.
- Use the Field Sets selector to choose an appropriate group of event fields when an event-related statement is selected in the condition tree.
- To undo or redo an action, right-click in the Edit panel and choose either Undo or Redo, depending upon the action you want to use. For example, if you decide to delete a node, a message asks you to confirm. If you want to undo this delete, right-click in the Edit panel and choose Undo Delete. (You can also use the standard keyboard commands Ctrl+Z for undo and Ctrl+Y for redo.)
- To search for a resource, click in the field column (on the left side of the list) and start typing. A Search popup is displayed when you start typing, and shows the term as you type it. The search is "predictive" in that it navigates to and selects matching fields as you type. Press Enter to select this resource. For details, see Searching for Fields in Event Inspector, Resource Editors, or CCE.
Note: Both tabs provide syntax and error highlighting. As an example of error highlighting, if a condition uses resources that are later removed, references to the missing resources are highlighted as errors in the condition statements in the CCE.