Use Case Explorer filters

Use these filters in the example script to download a Use Case Explorer report in CSV format.

Rule tests

Log source

{"name":"DeviceID_Test","type":"TEST","recursive":true,"matchCriteria":"PARTIAL","values":["1","2"],"attributeName":"","valueType":"COMMON"}

Log source type

{"name":"DeviceTypeID_Test","type":"TEST","recursive":true,"matchCriteria":"PARTIAL","values":["1","2"],"attributeName":"","valueType":"COMMON"}

Log source group

{"name":"DeviceGroupID_Test","type":"TEST","recursive":true,"matchCriteria":"PARTIAL","values":["1","2"],"attributeName":"","valueType":"COMMON"}

Other tests: Ariel search

{"name":"LST_ALL","type":"TEST","recursive":true,"matchCriteria":"IGNORE","values":[],"attributeName":"LST_ALL","valueType":"TEST"}

Other tests: Domain

{"name":"DOMAIN_ALL","type":"TEST","recursive":true,"matchCriteria":"IGNORE","values":[],"attributeName":"DOMAIN_ALL","valueType":"TEST"}

Rule attributes

Rule name

{"name":"name","type":"ATTRIBUTE","recursive":true,"matchCriteria":"PARTIAL","values":["Test"],"attributeName":"","valueType":"UNIQUE"}

Rule enabled: True

{"name":"enabled","type":"ATTRIBUTE","recursive":true,"matchCriteria":"PARTIAL","values":[true],"attributeName":"","valueType":"EXCLUSIVE_COMMON"}

Rule

{"name":"rule","type":"ATTRIBUTE","recursive":true,"matchCriteria":"PARTIAL","values":[true],"attributeName":"","valueType":"EXCLUSIVE_COMMON"}

Type: Events

{"name":"type","type":"ATTRIBUTE","recursive":true,"matchCriteria":"PARTIAL","values":["EVENT"],"attributeName":"","valueType":"COMMON"}

Origin: System

{"name":"rule_orig","type":"ATTRIBUTE","recursive":true,"matchCriteria":"PARTIAL","values":["SYSTEM"],"attributeName":"","valueType":"COMMON"}

Rule category: Custom rule

{"name":"rule_cat","type":"ATTRIBUTE","recursive":true,"matchCriteria":"PARTIAL","values":["Custom Rule"],"attributeName":"","valueType":"COMMON"}

Group: Amazon AWS

{"name":"group","type":"ATTRIBUTE","recursive":true,"matchCriteria":"PARTIAL","values":["Amazon AWS"],"attributeName":"","valueType":"COMMON"}

Group: Botnet, Category Definitions (Multiple filter selection)

{"name":"group","type":"ATTRIBUTE","recursive":true,"matchCriteria":"PARTIAL","values":["Botnet","Category Definitions"],"attributeName":"","valueType":"COMMON"}

Action: Event is part of an offense

{"name":"action","type":"ATTRIBUTE","recursive":true,"matchCriteria":"PARTIAL","values":["offense"],"attributeName":"","valueType":"COMMON"}

Response: Email

{"name":"response","type":"ATTRIBUTE","recursive":true,"matchCriteria":"PARTIAL","values":["email"],"attributeName":"","valueType":"COMMON"}

MITRE ATT&CK

Tactic: Collection

{"name":"tactic","type":"ATTCK","recursive":true,"matchCriteria":"PARTIAL","values":["TA0009"],"attributeName":"","valueType":"EXCLUSIVE_COMMON"}

Technique: Data Obfuscation

{"name":"technique","type":"ATTCK","recursive":true,"matchCriteria":"PARTIAL","values":["T1001"],"attributeName":"","valueType":"EXCLUSIVE_COMMON"}

Mapping confidence: High

{"name":"mapping_confidence","type":"ATTCK","recursive":true,"matchCriteria":"PARTIAL","values":["high"],"attributeName":"","valueType":"COMMON"}

Mapping enabled: True

{"name":"mapping_enabled","type":"ATTCK","recursive":true,"matchCriteria":"PARTIAL","values":[true],"attributeName":"","valueType":"EXCLUSIVE_COMMON"}

Tactic: Initial Access, Impact (Multiple filter selection)

{"name":"tactic","type":"ATTCK","recursive":true,"matchCriteria":"PARTIAL","values":["TA0001","TA0040"],"attributeName":"","valueType":"EXCLUSIVE_COMMON"}
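
Before pasting filters into a script, it helps to lint them. The following is an added example, not part of the product's example script: it checks each filter string for valid JSON, the seven keys every filter on this page carries, and well-formed ATT&CK IDs, then joins the filters into one JSON array. The function names are hypothetical, the allowed enum values are only those seen on this page, and passing filters as a JSON array is an assumption.

```python
import json
import re

# Keys that every filter object on this page carries.
REQUIRED_KEYS = {"name", "type", "recursive", "matchCriteria",
                 "values", "attributeName", "valueType"}
# Enum values observed on this page only (assumption: the product may accept others).
SEEN = {
    "type": ("TEST", "ATTRIBUTE", "ATTCK"),
    "matchCriteria": ("PARTIAL", "IGNORE"),
    "valueType": ("COMMON", "UNIQUE", "EXCLUSIVE_COMMON", "TEST"),
}
# MITRE ATT&CK ID shapes: tactics TAnnnn, techniques Tnnnn with optional .nnn suffix.
ATTCK_ID = {"tactic": re.compile(r"TA\d{4}"),
            "technique": re.compile(r"T\d{4}(\.\d{3})?")}

def lint_filter(text):
    """Return a list of problems in one filter string; an empty list means it passed."""
    try:
        obj = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at column {exc.colno}"]
    if not isinstance(obj, dict):
        return ["filter must be a single JSON object"]
    problems = []
    missing = REQUIRED_KEYS - obj.keys()
    if missing:
        problems.append(f"missing keys: {sorted(missing)}")
    for key, allowed in SEEN.items():
        if key in obj and obj[key] not in allowed:
            problems.append(f"{key}={obj[key]!r} not among values seen on this page")
    values = obj.get("values")
    if not isinstance(values, list):
        problems.append("values must be a list")
    elif obj.get("type") == "ATTCK" and obj.get("name") in ATTCK_ID:
        pattern = ATTCK_ID[obj["name"]]
        bad = [v for v in values if not (isinstance(v, str) and pattern.fullmatch(v))]
        if bad:
            problems.append(f"bad ATT&CK IDs: {bad}")
    return problems

def build_filter_list(texts):
    """Lint every filter, then return them as one JSON array string."""
    for i, text in enumerate(texts):
        problems = lint_filter(text)
        if problems:
            raise ValueError(f"filter {i}: {'; '.join(problems)}")
    return json.dumps([json.loads(t) for t in texts])
```

A filter with a stray trailing bracket is reported as `not valid JSON: Extra data`, and a technique ID placed in a `tactic` filter is reported as a bad ATT&CK ID.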