Manual pattern execution
Patterns are generally triggered on specific events or changes that occur in the course of a discovery run. Sometimes you may want to run a pattern outside a discovery run, for example, you may be developing patterns against already scanned hosts. This can be achieved by running a pattern against the nodes contained in a Group.
When you run a pattern manually, it is not the same as triggering it as a result of scanning. Discovery calls may be made from the pattern, but it does not undertake full discovery. If you have changed your discovery credentials or configuration, you should rescan before running patterns manually.
Selecting hosts or other nodes
You can select hosts or other nodes by adding them to a group.
- From a view node (including host) page: from the Actions list, select Groups and add the node to a group.
- From a report or other search result: select the required items, then from the Actions list, select Groups and add the nodes to a group.
Node types against which patterns can be run
You should add nodes to your group of the kind that the pattern triggers on (for example, if the pattern triggers on a DiscoveredProcess, then you should add DiscoveredProcess nodes). However, the system is able to expand host nodes in an intelligent fashion such that it is possible, for example, to simply add a host even though the pattern requires a DiscoveredProcess.
The following table defines the complete set of traversals used to expand from host nodes to other node kinds. Where more than one traversal is shown, the traversal steps are followed one after the other.
To run a pattern against a group, navigate to the View Pattern page of the pattern you wish to run. To do this:
- From the Discovery tab, click Pattern Management.
- Click the Package containing the pattern you want to run from the package list.
- Click the Pattern Modules link.
- Select the Pattern Module containing the pattern that you want to run.
From this page you can edit the pattern source or configuration if necessary. Editing the pattern is described in Pattern configuration and editing.Click this link to continue this procedure after editing the pattern.
- Once the pattern is edited, you are returned to the Pattern Management: Browse Packages page.
- Select the Package containing the pattern you want to run from the package list.
- Click the Pattern Modules link.
- Click the Pattern Package link.
- Click the Pattern link in the heading table.
From the Actions list, select Run Pattern.
Select the Group that you want to run the pattern against using the Run against Group list. Then choose the settings for the pattern run. Set Expand, Execution Logging, and Additional Discovery. The settings are described in the table below.
Run against Group
Provides the list to select the group to run the pattern against.
• Only show Working Set: If you do not have any Working Sets, this check box is disabled. If you have at least one working set, clearing this check box enables you to choose Groups that are not in your working set.
• Expand: Selecting this check box checks the host for additional nodes that match the pattern's trigger. This depends on what nodes are in the group and what node kind the pattern triggers on. The text displayed under the Run against Group menu shows the number of nodes in the group that are the correct node kind to match the pattern's trigger. If the group contains a host node, select this check box.
For example, the
ApacheBasedWebserverpattern triggers on DiscoveredProcess nodes. If the group contains one DiscoveredProcess node and one host node (containing, 162 DiscoveredProcess nodes) this field shows
1 Discovered Process nodeif Expand is not checked and
163 Discovered Process nodes (including 162 via 1 Host node)if it is checked.
As another example, if you have DiscoveredProcess nodes in your group and you trigger on DiscoveredProcess, then you do not select this check box.
Select the logging level for this pattern run. This is one of Debug, Info, Warning, Error, or Critical.
Choose whether discovery commands that perform additional discovery should perform live discovery of the host. For example, the
runCommandmethod performs additional discovery by calling remote commands from patterns.
• Do not get extra data: Use any existing data that is available on the appliance.
• Get data as needed: Use any existing data that is available on the appliance. If additional data is required, perform discovery on the target to obtain it. Get data as needed will only make a request if that request has not been made before.
• Get all new discovery data: Always perform a new discovery. Do not use any previously discovered data.
While the pattern is running, the results page is displayed.