Using Search

The Rule Lifecycle Management App (RLM) provides a search tool for filtering rules, similar to the TQL search tool in the SecureTrack Rule Viewer. The search is available on the Pending, My Queue, and All Rules screens.

Use the Search Feature

  1. From the Select Rule Set list, select a filter:

    • Certified Rules

    • Decertified Rules

    • Verified Disabled Rules

    • Waiting Rules

  2. Click in the Search box. A list of the search fields available in the current window appears (see Field Names).

  3. Depending on the field, select an operator (see Supported Operators). For example, you can select these operators for the last_modified field:

  4. Type or select a value after the operator.

  5. Press <Enter> or click .

RLM displays the results according to the search criteria within the selected Rule Set.

Supported Operators

You can use the AND and OR operators to combine parameters and narrow the search results. AND and OR have the same precedence and are parsed from left to right, so a query is evaluated in the order it is written rather than with AND binding more tightly than OR.

  • AND: Combine parameters in the search query.

  • OR: Search for one of the parameters in the search query.

Query Examples

  • Show rules certified between Jan 1, 2024 and March 27, 2024. List the most recently certified rules first down to last certified.

    certification_date after '2024-01-01' and certification_date before '2024-03-27' order by certification_date asc

  • Show the rules that are expired, sorting by the longest expired rules first.

    certification_expiration_date before today order by certification_expiration_date desc

  • Show rules certified in the past day. List most recently certified first.

    certification_status = 'CERTIFIED' and certification_date after 'yesterday' order by certification_date asc

    OR

    certification_date after 'yesterday' order by certification_date asc

  • Show rules that were certified in January 2024.

    certification_date after '2023-12-31' and certification_date before '2024-02-01'

  • Find rules for Panorama or IOS devices.

    device.name = 'Panorama' or device.name = 'IOS'

  • Find rules that were modified before last month with a permissiveness of HIGH.

    last_modified before 'last month' and permissiveness = 'HIGH'

  • Show the rules according to the last_hit field in ascending order.

    order by last_hit asc

  • Find rules with a certification status of CERTIFIED.

    certification_status = 'CERTIFIED'

  • Find rules with source and destination zones set to Any.

    from_zone.name = '0.0.0.0' and to_zone.name = '0.0.0.0'
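The left-to-right, equal-precedence rule described under Supported Operators is easy to get wrong when mixing AND and OR, and the query examples above only show one connector at a time. The evaluator below is an added example written for this page; it is not Tufin's code and does not reproduce how RLM parses queries. It assumes the operators =, after and before, that after/before compare ISO dates strictly, that today, yesterday and 'last month' resolve against a reference date, and it runs over a few constructed sample rules. The query permissiveness = 'HIGH' or permissiveness = 'MEDIUM' and certification_status = 'CERTIFIED' evaluates as (HIGH or MEDIUM) and CERTIFIED, which is narrower than the AND-binds-tighter reading most people expect, so a recertification reviewer who assumed the usual precedence would silently miss rules.

```python
"""Toy evaluator for RLM-style search queries (added example, not Tufin code).

Assumed semantics: operators =, after, before; 'and'/'or' with equal precedence,
parsed left to right; optional trailing 'order by <field> asc|desc'; after/before
compare ISO dates strictly; today/yesterday/'last month' are relative to a
reference date. Real RLM may differ on any of these points.
"""
import re
from datetime import date, timedelta

# Constructed sample rules; not real data.
RULES = [
    {"rule_name": "allow-web", "certification_status": "CERTIFIED",
     "certification_date": "2024-01-15", "last_modified": "2024-03-10",
     "permissiveness": "HIGH", "device.name": "Panorama"},
    {"rule_name": "allow-dns", "certification_status": "CERTIFIED",
     "certification_date": "2024-03-01", "last_modified": "2024-01-20",
     "permissiveness": "LOW", "device.name": "IOS"},
    {"rule_name": "legacy-any", "certification_status": "DECERTIFIED",
     "certification_date": "2023-06-30", "last_modified": "2023-05-01",
     "permissiveness": "HIGH", "device.name": "IOS"},
    {"rule_name": "new-rule", "certification_status": "N/A",
     "certification_date": None, "last_modified": "2024-03-25",
     "permissiveness": "MEDIUM", "device.name": "Panorama"},
]

TOKEN_RE = re.compile(r"""'[^']*'|"[^"]*"|\S+""")
OPERATORS = ("=", "after", "before")


def tokenize(query):
    """Split on whitespace; a quoted value (single or double quotes) is one token.
    Returns (text, was_quoted) so a quoted value is never mistaken for a keyword."""
    return [(t[1:-1], True) if t[0] in "'\"" else (t, False)
            for t in TOKEN_RE.findall(query)]


def resolve_date(value, today):
    """Map the relative keywords to ISO dates; anything else passes through."""
    key = value.lower()
    if key == "today":
        return today.isoformat()
    if key == "yesterday":
        return (today - timedelta(days=1)).isoformat()
    if key == "last month":  # first day of the previous month (assumption)
        return (today.replace(day=1) - timedelta(days=1)).replace(day=1).isoformat()
    return value


def parse(query):
    """Return ([(connector, field, op, value), ...], (field, direction) or None)."""
    toks = tokenize(query)
    text = [t for t, _ in toks]
    keyword = [t.lower() if not quoted else None for t, quoted in toks]
    order = None
    if "order" in keyword:
        i = keyword.index("order")
        if keyword[i + 1:i + 2] != ["by"] or len(toks) < i + 3:
            raise ValueError("malformed 'order by' clause")
        direction = keyword[i + 3] if len(toks) > i + 3 else "asc"
        if direction not in ("asc", "desc"):
            raise ValueError("sort direction must be asc or desc")
        order = (text[i + 2], direction)
        text, keyword = text[:i], keyword[:i]
        if keyword and keyword[-1] == "and":  # tolerate '... and order by ...'
            text.pop(), keyword.pop()
    conds, connector, i = [], None, 0
    while i < len(text):
        if len(text) < i + 3 or keyword[i + 1] not in OPERATORS:
            raise ValueError("expected '<field> <operator> <value>' at token %d" % i)
        conds.append((connector, text[i], keyword[i + 1], text[i + 2]))
        i += 3
        if i < len(text):
            connector = keyword[i]
            if connector not in ("and", "or"):
                raise ValueError("expected 'and' or 'or', got %r" % text[i])
            i += 1
    return conds, order


def matches(rule, cond, today):
    """Evaluate one condition against one rule; a missing field never matches."""
    _, field, op, value = cond
    actual = rule.get(field)
    if actual is None:
        return False
    if op == "=":
        return actual == value
    value = resolve_date(value, today)  # ISO dates compare correctly as text
    return actual > value if op == "after" else actual < value


def search(rules, query, today=None):
    """Filter with left-to-right, equal-precedence and/or, then apply order by."""
    today = date.fromisoformat(today) if isinstance(today, str) else (today or date.today())
    conds, order = parse(query)
    hits = []
    for rule in rules:
        result = True
        for cond in conds:
            hit = matches(rule, cond, today)
            if cond[0] is None:
                result = hit
            elif cond[0] == "and":
                result = result and hit
            else:  # 'or' binds no tighter than 'and': combine with the running result
                result = result or hit
        if result:
            hits.append(rule)
    if order:
        field, direction = order
        known = sorted((r for r in hits if r.get(field) is not None),
                       key=lambda r: r[field], reverse=(direction == "desc"))
        hits = known + [r for r in hits if r.get(field) is None]  # unknown dates last
    return hits


def names(rules, query, today=None):
    """Convenience wrapper returning just the matching rule names, in order."""
    return [r["rule_name"] for r in search(rules, query, today)]


if __name__ == "__main__":
    q = "permissiveness = 'HIGH' or permissiveness = 'MEDIUM' and certification_status = 'CERTIFIED'"
    print(q, "->", names(RULES, q, "2024-03-27"))
```

Running the script prints only allow-web for the mixed AND/OR query: legacy-any is HIGH but DECERTIFIED, so it drops out once the trailing AND is applied to the running result. To get the "HIGH, or MEDIUM-and-certified" reading, write the narrower pair first: permissiveness = 'MEDIUM' and certification_status = 'CERTIFIED' or permissiveness = 'HIGH'.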

Field Names

The field names that can be used in the query are specific to the window and appear when you click the search bar.

Field Name | Description | Values / Format
acl_name | ACL name for Cisco devices. | String
applications.name | Applications included in the rule. | String *
business_owner_email | Email address of the business owner. | String
business_owner_name | Name of the business owner. | String
certification_date | Date when the rule was certified. | String
certification_expiration_date | Date when the rule certification expires. | String
certification_status | Status of the rule certification. | CERTIFIED, DECERTIFIED, N/A
comment | Comment for the rule. | String
description | Description of the rule. | String
destinations.data | Data about the service. | String
destinations.name | IP address of the destination. To represent Any, use IP 0.0.0.0. | String
device.domain_name | Domain name of the device. | String
device.name | Device name. | String
device.parent_name | Name of the device's parent (if the device has a parent, such as with Palo Alto devices). | String
expire_date | Date on which the rule will expire. | String
from_zone.name | Source zone for the rule. To represent Any, use IP 0.0.0.0. | String
install_on | Name of the device on which the rule is installed. | String
last_hit | Date on which the rule was last hit. | String
last_modified | Date on which the rule was last modified. | String
logged | Whether the rule is logged. | Enabled/Disabled
owners.name | Name of the owner. | String
permissiveness | Permissiveness level. | LOW, MEDIUM, HIGH, N/A
policy_name | Name of the policy. | String
recert_ticket.scw_ticket_id | Rule status. | String
rule_name | Name of the rule. | String
rule_number | Number of the rule. | String
services.data | Data about the service. If the service is a group, the data includes all of the group's protocols and ports, so you can search for those protocols and ports inside the service. | String
services.name | Service name. | String *
sources.data | Data about the assets in the source. | String
sources.name | IP address of the source. To represent Any, use IP 0.0.0.0. | String
tech_owner | Technical owner of the rule. | String
to_zone.name | Destination zone for the rule. To represent Any, use IP 0.0.0.0. | String