How to list incidents by response rule.
search cancel

How to list incidents by response rule.

book

Article ID: 159764

calendar_today

Updated On:

Products

Data Loss Prevention Enforce

Issue/Introduction

In some cases, its useful to be able to count or identify the number of incidents that have a particular response rule associated with the policy that generated them.

Resolution

Log into SQLPlus as protect user (or whatever the schema owner may be).

 

Find the response rule by running the following statement:

set pagesize 100

select responseruleid||':'||name from responserule;

 

Use this list to identify the response rule of interest.

Run the following script to get a count of incidents associated with these response rules through policy.  It will prompt for the responserule id:

select count(*)
from incident i,
  policyresponserule pr
where pr.responseruleid=&responseruleid
and pr.policyid=i.policyid;

Run the following script to list the incidentid associated with these response rules through policy. It will prompt for the responserule id:

select i.incidentid
from incident i,
policyresponserule pr
where pr.responseruleid=&responseruleid
and pr.policyid=i.policyid;

These scripts can be "throttled" to show targeted incidents for a specified time range.  For example, this script will show only those incidents created during the month of March, 2023:

select i.incidentid
from incident i,
policyresponserule pr
where pr.responseruleid=&responseruleid
and pr.policyid=i.policyid
and creationdate between to_timestamp('01-MAR-2023','DD-MON-YYYY')
                     and to_timestamp('31-MAR-2023','DD-MON-YYYY');

 

 

Powered by Wolken Software