Validating pattern matches

Create validations to improve rule accuracy and to reduce false positive results in the data that rules target. Validate rules to ensure that pattern matches are accurate and consistent across the targeted data. Once validations are in place, you can focus analysis on results that have been confirmed or rejected as relevant pattern matches instead of reviewing every raw hit.

A validation applies to pattern matches of the same rule only where the text appears exactly as it does in the validation. New validations are created in a pending state and are visible only to the user who created them. Pending validations apply to snippet results immediately, but do not affect rule hit counts until they are published.

Create a validation

  1. From the Reveal menu, click Rules.
  2. Under Results, select the checkbox next to an endpoint that has one or more files that match patterns. Click Connect.
  3. After the connection establishes, click the computer name.
  4. Select a file that contains one or more pattern matches.
  5. View the snippets that show where a pattern matches. Confirmed and unverified snippets are shown by default. To limit which results display, click Filter Results to view or hide unverified, confirmed, rejected, and excluded snippets.

    Excluded snippets are unverified snippets that do not match the rule's patterns exactly, for example a match to one pattern group that falls outside the proximity range. You can still confirm or reject an excluded snippet.

  6. For each snippet, highlight the relevant text. The highlighted text is tracked by its position relative to the beginning of the match, so the validation applies wherever the same text appears at that position relative to a match of the rule.
  7. Select Confirm or Reject. Rejected snippets are filtered from future results.

    Keyboard shortcuts include (c) for Confirm and (r) for Reject. If you do not want to add a name and description for the validation, press (cc) for Confirm and Save, or (rr) for Reject and Save; these two shortcuts skip the next two steps.

  8. Provide a name and description for the validation. Reveal displays a preview of the text you have validated and reports the number of pattern matches that the validation affects in the current file, the rule that the validation affects, and whether matching patterns will be confirmed or rejected. Review that count before you save: text that is short or generic can confirm or reject far more matches than you intend once the validation is published.
  9. Click Save.

Deploy validations

Deploy validations to move all of your pending validations to published validations. Deploying creates new Reveal-Validations packages and recreates the Reveal - Deploy Validations saved actions. Pending validations that belong to other users remain pending.

Published validations apply to all hits of the corresponding rule, and hits that a published validation rejects are ignored in the rule hit count.
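The following is an added example that models the behavior described in this section; it is not Reveal's code and does not reproduce its internals. It assumes a rule is a list of regex pattern groups plus a proximity window in characters, that a validation stores the highlighted text together with its offset from the beginning of the match, and that a reject verdict wins when both a confirm and a reject validation apply. The sample file content, the "Payment card" rule, the users alice and bob, and the two validations are all constructed for the example.

```python
"""Model of how rule validations apply to pattern matches (added example, not Reveal's code).

Assumptions the page does not state: a rule is a list of regex pattern groups plus a
proximity window; group 0 yields the snippets and every other group must match within
the window for a snippet to be an exact match. A validation records the highlighted
text and its offset from the beginning of the match and applies only where that exact
text sits at that exact offset. Reject wins over confirm when both apply.
"""
import re
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    groups: list      # regex strings; groups[0] is the pattern that yields snippets
    proximity: int    # maximum gap in characters between group matches


@dataclass
class Validation:
    rule: str
    text: str         # exact text the user highlighted in the snippet
    offset: int       # where that text starts, relative to the beginning of the match
    verdict: str      # "confirm" or "reject"
    owner: str        # creator; a pending validation is visible only to this user
    published: bool = False


@dataclass
class Snippet:
    start: int
    end: int
    match: str
    status: str       # unverified, confirmed, rejected or excluded


def _gap(a, b):
    """Characters separating two (start, end) spans; 0 if they touch or overlap."""
    return max(0, max(a[0], b[0]) - min(a[1], b[1]))


def _applies(v, text, match_start):
    lo = match_start + v.offset
    return lo >= 0 and text[lo:lo + len(v.text)] == v.text


def scan(text, rule, validations, viewer):
    """Snippets of one file for one rule as seen by `viewer`.

    Published validations apply for everyone; pending ones only for their creator.
    """
    visible = [v for v in validations
               if v.rule == rule.name and (v.published or v.owner == viewer)]
    others = [[(m.start(), m.end()) for m in re.finditer(g, text)]
              for g in rule.groups[1:]]
    snippets = []
    for m in re.finditer(rule.groups[0], text):
        span = (m.start(), m.end())
        # exact match: every other pattern group matches within the proximity window
        exact = all(any(_gap(span, o) <= rule.proximity for o in spans)
                    for spans in others)
        verdicts = {v.verdict for v in visible if _applies(v, text, m.start())}
        if "reject" in verdicts:
            status = "rejected"
        elif "confirm" in verdicts:
            status = "confirmed"      # a user may confirm an excluded snippet too
        elif exact:
            status = "unverified"
        else:
            status = "excluded"       # e.g. pattern group outside the proximity range
        snippets.append(Snippet(span[0], span[1], m.group(), status))
    return snippets


def hit_count(text, rule, validations):
    """Rule hit count: only published validations count, and rejected hits are ignored."""
    return sum(1 for s in scan(text, rule, validations, viewer=None)
               if s.status not in ("excluded", "rejected"))


def deploy(validations, owner):
    """Publish one user's pending validations; other users' pending ones stay pending."""
    for v in validations:
        if v.owner == owner:
            v.published = True


# Constructed sample file content (not real data).
SAMPLE = (
    "Customer card number 4111 1111 1111 1111 charged on 2023-05-01.\n"
    "Not a card: ticket 4242 4242 4242 4242 is an internal tracking ID.\n"
    "Serial 1234 5678 9012 3456 is printed on the device label next to the warranty card.\n"
)
# Hypothetical rule: a 16-digit number within 30 characters of the word "card".
CARD_RULE = Rule("Payment card", [r"\b\d{4} \d{4} \d{4} \d{4}\b", r"\bcard\b"], proximity=30)


def sample_validations():
    """Two validations alice created: highlight 'card number ' just before a match and
    confirm; highlight 'ticket ' just before a match and reject."""
    return [
        Validation("Payment card", "card number ", -12, "confirm", owner="alice"),
        Validation("Payment card", "ticket ", -7, "reject", owner="alice"),
    ]


def run_demo():
    v = sample_validations()

    def statuses(viewer):
        return [s.status for s in scan(SAMPLE, CARD_RULE, v, viewer)]

    out = {"creator_view": statuses("alice"),
           "other_user_view": statuses("bob"),
           "hits_before_deploy": hit_count(SAMPLE, CARD_RULE, v)}
    deploy(v, "alice")
    out["other_user_view_after_deploy"] = statuses("bob")
    out["hits_after_deploy"] = hit_count(SAMPLE, CARD_RULE, v)
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Before deployment, alice sees her confirm and reject applied to the first two snippets while bob sees both as unverified, and the rule hit count stays at 2 because pending validations do not touch counts. The third snippet is excluded for both users because the word "card" lies outside the proximity window. After deploy, the rejected hit drops out of the count, which falls to 1, and bob sees the same statuses alice saw.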

  1. From the Reveal menu, click Rule Validations.
  2. Click Pending to view pending rule validations.
  3. Click Deploy Validations.

Audit published validations

Audit a published validation to see the endpoints, files, and snippets whose pattern matches it has affected.

  1. From the Reveal menu, click Rule Validations.
  2. Click a published validation to view endpoints that contain pattern matches to which the validation has been applied.
  3. Click an endpoint to view files affected by the validation.
  4. Click a file to view snippets that match the validation.