Using Search
Rule Lifecycle Management App (RLM) provides a search tool for filtering rules, similar to the TQL search tool in the SecureTrack Rule Viewer. This feature allows you to filter information and is incorporated into the Pending, My Queue, and All Rules screens.
Use the Search Feature
- From the Select Rule Set list, select a filter:
  - Certified Rules
  - Decertified Rules
  - Verified Disabled Rules
  - Waiting Rules
- Click in the Search box. A list of possible search fields appears depending on the current window (see Field Names).
- Depending on the field, select an operator (see Supported Operators). For example, you can select these operators for the last_modified field:
- Type or select a value after the operator.
- Press <Enter> or click .
RLM displays the results according to the search criteria within the selected Rule Set.
Supported Operators
You can use AND or OR operators to combine parameters and narrow the search results. The AND and OR operators have the same precedence, and are parsed from left to right.
- AND: Combine parameters in the search query.
- OR: Search for one of the parameters in the search query.
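Because AND and OR share one precedence level, a query of the form `a or b and c` is read as `(a or b) and c`, which can silently drop rules from a review set. The Python sketch below is an added example, not Tufin code: it models only the left-to-right rule stated above over constructed rule records and compares it with the AND-first reading used by many query languages. The values LOW, OTHER, core and dmz are assumptions made up for the sample data.

```python
import re
# Constructed rules; values other than CERTIFIED and HIGH are made-up placeholders.
RULES = [
    {"rule_name": "r1", "permissiveness": "HIGH", "policy_name": "core", "certification_status": "OTHER"},
    {"rule_name": "r2", "permissiveness": "LOW", "policy_name": "dmz", "certification_status": "CERTIFIED"},
    {"rule_name": "r3", "permissiveness": "LOW", "policy_name": "dmz", "certification_status": "OTHER"},
    {"rule_name": "r4", "permissiveness": "HIGH", "policy_name": "dmz", "certification_status": "CERTIFIED"},
]
QUERY = "permissiveness = 'HIGH' or policy_name = 'dmz' and certification_status = 'CERTIFIED'"
TOKEN = re.compile(r"\s*(?:(and|or)\b|([\w.]+)\s*=\s*'([^']*)')", re.IGNORECASE)

def tokenize(query):
    """Return alternating ('cond', field, value) and ('op', 'and'|'or') tokens."""
    query, pos, out = query.strip(), 0, []
    while pos < len(query):
        m = TOKEN.match(query, pos)
        if not m:
            raise ValueError(f"cannot parse at offset {pos}: {query[pos:]!r}")
        out.append(("op", m.group(1).lower()) if m.group(1) else ("cond", m.group(2), m.group(3)))
        pos = m.end()
    if len(out) % 2 == 0 or any(t[0] != ("op" if i % 2 else "cond") for i, t in enumerate(out)):
        raise ValueError("expected: condition [and|or condition]...")
    return out

def holds(rule, cond):
    return rule.get(cond[1]) == cond[2]

def match_left_to_right(rule, query):
    """Equal precedence, folded left to right: a or b and c == (a or b) and c."""
    toks = tokenize(query)
    result = holds(rule, toks[0])
    for op, cond in zip(toks[1::2], toks[2::2]):
        result = (result and holds(rule, cond)) if op[1] == "and" else (result or holds(rule, cond))
    return result

def match_and_first(rule, query):
    """For comparison only: AND binds tighter, a or b and c == a or (b and c)."""
    toks = tokenize(query)
    groups = [[toks[0]]]
    for op, cond in zip(toks[1::2], toks[2::2]):
        if op[1] == "and":
            groups[-1].append(cond)
        else:
            groups.append([cond])
    return any(all(holds(rule, c) for c in g) for g in groups)

def names(matcher, query=QUERY):
    return [r["rule_name"] for r in RULES if matcher(r, query)]

print("left to right:", names(match_left_to_right), "| AND first:", names(match_and_first))
```

Under the left-to-right reading, r1 (HIGH permissiveness, not certified) is excluded, although an AND-first reader would expect it. Writing the AND pair first (`policy_name = 'dmz' and certification_status = 'CERTIFIED' or permissiveness = 'HIGH'`) returns r1, r2 and r4 under both readings.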
Query Examples
- Show rules certified between Jan 1, 2024 and March 27, 2024. List the most recently certified rules first down to last certified.
- Show the rules that are expired, sorting by the longest expired rules first.
- Show rules certified in the past day. List most recently certified first.
    certification_status = 'CERTIFIED' and certification_date after 'yesterday' order by certification_date asc
- Show rules that were certified in January 2024.
- Find rules for Panorama or IOS devices.
- Find rules that were modified before last month with a permissiveness of HIGH.
- Show the rules according to the last_hit field in ascending order.
- Find rules with a certification status of CERTIFIED.
- Find rules with source and destination zones set to Any.
Field Names
The field names that can be used in the query are specific to the window and appear when you click the search bar.
Field Name | Description | Values / Format |
---|---|---|
acl_name | ACL name for Cisco devices | String |
applications.name | Applications included in the rule. | String * |
business_owner_email | Email address for the business owner. | String |
business_owner_name | Name of the business owner. | String |
certification_date | Date when the rule was certified. | String |
certification_expiration_date | Date when the rule will finish. | String |
certification_status | Status for the rule certification. | Possible Values: |
comment | Comment for the rule. | String |
description | Description for the rule. | String |
destinations.data | Data about the service. | String |
destinations.name | IP address of the destination. To represent Any, use IP 0.0.0.0. | String |
device.domain_name | Domain name | String |
device.name | Device name. | String |
device.parent_name | Name of the device's parent (if the device has a parent, such as with Palo Alto devices). | String |
expire_date | Date on which the rule will expire. | String |
from_zone.name | Source zone for the rule. To represent Any, use IP 0.0.0.0. | String |
install_on | Device name on which the rule is installed. | String |
last_hit | Last date that the rule hit. | String |
last_modified | Last date that the rule was modified. | String |
logged | Rule is logged. | Enabled/Disabled |
owners.name | Name of the owner. | String |
permissiveness | Permissiveness level. | Possible values: |
policy_name | Name of the policy. | String |
recert_ticket.scw_ticket_id | Rule status. | String |
rule_name | Name of the rule. | String |
rule_number | Number of the rule. | String |
services.data | Data about the service. If the service is a group, the data includes all of the group's protocols and ports. The user can search for these protocols and ports inside the service. | String |
services.name | Service name. | String * |
sources.data | Data about the assets in the source. | String |
sources.name | IP address of the source. To represent Any, use IP 0.0.0.0. | String |
tech_owner | Technical owner for the rule. | String |
to_zone.name | Destination zone for the rule. To represent Any, use IP 0.0.0.0. | String |