Validating pattern matches
Create validations to improve the accuracy of rule performance and to reduce the number of false positive results on the data that rules target. Validate rules to ensure that pattern matches are accurate and consistent in the targeted data. By validating rules, you can focus any analysis of data on results that have been confirmed or rejected as relevant pattern matches.
Validations apply to pattern matches in the context of a rule where the text selected for the validation is in specific proximity to the matched pattern. A successful validation is comprised of three parts:
- The selected (highlighted) validation characters
- The number of characters, including spaces, between the the validation selection and the start of the pattern match
- The pattern match itself
New validations display in a pending state, and are only visible to the user who created them. Pending validations automatically apply to snippet results, but do not affect rule hit counts until they are published.
- From the Reveal menu, click Rules.
- Select a specific rule to view a list of results and associated endpoints.
- Select the check box next to an endpoint that has one or more files that match patterns. Click Live Connect .
- After the connection establishes, click the computer name.
- Select a file that contains one or more pattern matches.
- View the snippets that show where a pattern matches. Confirmed and unverified snippets are shown by default. To limit which results display, click Filter Results to view or hide unverified, confirmed, rejected, and excluded snippets.
Excluded snippets are unverified snippets that do not match patterns exactly. This includes matches to pattern groups outside the proximity range. You can confirm or reject an excluded snippet.
- For each snippet, highlight the relevant text. Validations are tracked relative to the beginning of the match. Unicode and ASCII control characters - with the exception of tab, carriage return (CR) and line feed (LF) - are not supported in validation text. This includes Unicode characters U+0000 through U+0008, U+000B through U+000C, U+000E, and U+000F. If you select validation text that contains unsupported control characters, an error appears in the Create Validation page.
Validations for snippets are applied to the entire document by default unless the document is in table format. If a document is in table format, the validation applies to the individual cell, column, or row that is actively selected when you create the validation.
- Select Confirm or Reject. Rejected snippets are filtered from future results.
Keyboard shortcuts include (c) for Confirm and (r) for Reject. If you do not want to add a name and description for the validation, press (cc) for Confirm and Save, or (rr) for Reject and Save; these two shortcuts skip the next two steps.
- Provide a name and description for the validation. A preview of the text you have validated appears and reports the number of pattern matches that the validation affects in the current file, the rule that the validation affects, and whether matching patterns should be confirmed or rejected.
- Click Save. Snippets that contain validations are displayed as pending; meaning that validations have been authored recently and have not been distributed to endpoints. Validations deploy to endpoints within 30 minutes of authoring.
When you have completed validating pattern matches in a file, click Next at the top of the page to create validations in the next file on the endpoint where patterns have been matched.
When validations have been confirmed or rejected, values in the affected files view for any rule where patterns have been matched and validated display in orange in the Unconfirmed hits and Confirmed hits columns. Orange indicates that the data is "stale"; meaning that new validation data exists. If a file is designated as stale, it is prioritized for rescanning. When no new validation data exists, the values display in black.
Deploying validations creates new Reveal - Validations packages, and recreates the Reveal - Deploy Validations saved actions.
Published validations apply to all hits of the corresponding rule. Rejected hits are ignored.
- From the Reveal menu, click Rule Validations.
- Click Deploy Validations.
Audit validations to view snippets where pattern matches affected by a validation apply.
- From the Reveal menu, click Rule Validations.
- Click a published validation to view endpoints that contain pattern matches to which the validation has been applied.
- Select the check box next to an endpoint that has one or more files that match patterns. Click Live Connect.
- View files affected by the validation.
- Click a file to view snippets that match the validation.
Last updated: 10/18/2021 12:03 PM | Feedback