Validating pattern matches
Create validations to improve the accuracy of rule performance and to reduce the number of false positive results on the data that rules target. Validate rules to ensure that pattern matches are accurate and consistent in the targeted data. By validating rules, you can focus any analysis of data on results that have been confirmed or rejected as relevant pattern matches.
Validations apply to pattern matches in the context of a rule where the text selected for the validation is in specific proximity to the matched pattern. A successful validation is comprised of three parts:
- The selected (highlighted) validation characters
- The number of characters, including spaces, between the the validation selection and the start of the pattern match
- The pattern match itself
New validations display in a pending state, and are only visible to the user who created them. Pending validations automatically apply to snippet results, but do not affect rule hit counts until they are published.
If a matched rule uses a pattern proximity group, the pattern match is automatically validated. For more information about pattern proximity groups, see Creating rules.
In validations, confirmations always take precedence over rejections. This is to reduce the number of false positives that are returned for rule matches. Additionally, the most recent validations take precedence over older validations.
- From the Reveal menu, click Rules.
- Click the rule name for a specific rule to view a list of results and associated endpoints.
- Select the check box next to an endpoint that has one or more files that match patterns. Click Connect .
- After the connection establishes, click the computer name.
- Click the Filename for the file that contains one or more pattern matches.
- Review the snippets that show where a pattern matches. Confirmed and unverified snippets are shown by default. The text in the file that matches the pattern is highlighted. To limit which results display, click Filter Results to view or hide unverified, confirmed, rejected, and excluded snippets.
Excluded snippets are unverified snippets that do not match patterns exactly. This includes matches to pattern proximity groups outside the proximity range. You can confirm or reject an excluded snippet.
- For each snippet, select the highlighted text that matches either a confirmation or rejection, and then click Confirm or Reject. Rejected snippets are filtered from future results.
Validations are tracked relative to the beginning of the match. Unicode and ASCII control characters - with the exception of tab, carriage return (CR) and line feed (LF) - are not supported in validation text. This includes Unicode characters U+0000 through U+0008, U+000B through U+000C, U+000E, and U+000F. If you select validation text that contains unsupported control characters, an error appears in the Create Validation page.
Validations for snippets are applied to the entire document by default unless the document is in table format. If a document is in table format, the validation applies to the individual cell, column, or row that is actively selected when you create the validation.
Keyboard shortcuts include (c) for Confirm and (r) for Reject. If you do not want to add a name and description for the validation, press (cc) for Confirm and Save, or (rr) for Reject and Save; these two shortcuts skip the next two steps.
- Provide a name and description for the validation. A preview of the text you have validated appears and reports the number of pattern matches that the validation affects in the current file, the rule that the validation affects, and whether matching patterns should be confirmed or rejected.
- Click Save. Snippets that contain validations are displayed as pending; meaning that validations have been authored recently and have not been distributed to endpoints. Validations deploy to endpoints within 30 minutes of authoring.
When you have completed validating pattern matches in a file, click Next File at the top of the page to create validations in the next file on the endpoint where patterns have been matched.
When validations have been confirmed or rejected, values in the Unconfirmed hits and Confirmed hits columns on the Affected Files - <Computer Name> page for any rule where patterns have been matched and validated display in orange. Orange indicates that the data is "stale"; meaning that new validation data exists. If a file is designated as stale, it is prioritized for rescanning. When no new validation data exists, the values display in black.
Published validations apply to all hits of the corresponding rule. Rejected hits are ignored.
- From the Reveal menu, click Validations.
- Click Deploy Validations.
Audit validations to view snippets where pattern matches affected by a validation apply.
- From the Reveal menu, click Validations.
- Click a published validation to view endpoints that contain pattern matches to which the validation has been applied.
- Select the check box next to an endpoint that has one or more files that match patterns. Click Connect.
- View files affected by the validation.
- Click a file to view snippets that match the validation.
Last updated: 9/2/2022 1:37 PM | Feedback