Differentiating between the File Size Filter in the DIM Advanced Search versus the File Size Scale in Event Scenarios

Article ID: 428818

Products

Information Centric Analytics

Issue/Introduction

You would like clarification on two components related to file size handling in Information Centric Analytics (ICA):

  1. Advanced Search: File Size Filter
    a. How is the file size value calculated for filtering within the DIM Advanced Search?
    b. Does the filter reflect the raw file size, a normalized size, the compressed size, or another internal metric?
    c. Are any thresholds, rounding rules, or units (KB/MB/GB) applied?
  2. Event Scenario: File Size Scale
    a. How is the File Size scale in Event Scenarios calculated?
    b. What inputs or metadata influence this scale value?
    c. How does this scale differ from the actual file size value used in the DIM Advanced Search?
    d. How should the two attributes be interpreted for tuning, detection logic, and troubleshooting?

Environment

Release : 6.x

Resolution

ICA copies the MessageSize value from DLP, which is a byte count, and stores it verbatim in the RiskFabric relational database without rounding or conversion. File size in ICA is therefore identical to file size in DLP: same unit of measure (bytes), same values.

When you filter on file size in the DIM Advanced Search, ICA compares your value against the actual MessageSize stored in the FileSize column of the LDW_DIMIncidentsToFiles table. No rounding rules, thresholds, or unit conversions are applied, so a filter value is interpreted as a raw byte count, not as KB, MB, or GB.

ICA computes the file size scale when it processes those same FileSize values into the OLAP cube (that is, the Analyzer), using the following T-SQL CASE expression, where d2f.FileSize is the same byte count described above:

CASE
    -- First matching WHEN wins. The ranges overlap at their endpoints
    -- (16000 and 1000000 each appear in two branches), so a boundary
    -- value lands in the earlier branch.
    WHEN d2f.FileSize = 0 THEN 'Empty (0 KB)'
    WHEN d2f.FileSize BETWEEN 0 AND 16000 THEN 'Tiny (0-16 KB)'
    WHEN d2f.FileSize BETWEEN 16000 AND 1000000 THEN 'Small (16-1 MB)'  -- 16 KB to 1 MB
    -- Decimal units (1 MB = 1,000,000 bytes). If FileSize is an integer
    -- column the division truncates, so 128,999,999 bytes is still
    -- 'Medium' and 4,999,999,999 bytes is still 'Huge'.
    WHEN d2f.FileSize/1000000 BETWEEN 1 AND 128 THEN 'Medium (1-128 MB)'
    WHEN d2f.FileSize/1000000 BETWEEN 128 AND 1000 THEN 'Large (128-1 GB)'
    WHEN d2f.FileSize/1000000/1000 BETWEEN 1 AND 4 THEN 'Huge (1-4 GB)'
    WHEN d2f.FileSize/1000000/1000 > 4 THEN 'Gigantic (>4 GB)'
    ELSE NULL   -- e.g. a NULL or negative FileSize
END

Note that the Analyzer provides both a measure named DIM Incident File Size and a dimension named DIM Incident File Size. The measure sums the raw FileSize values (in bytes); the dimension groups each file into one of the scale buckets above. Because the buckets use decimal units (1 MB = 1,000,000 bytes) and inclusive, first-match boundaries, a byte threshold entered in the Advanced Search only lines up with a bucket label if it uses that bucket's actual byte boundaries.
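The labels do not make the exact byte boundaries obvious, and when tuning an Event Scenario against a scale value you usually want the equivalent FileSize range for an Advanced Search filter. The Python below is an added example, not ICA's own code: it reproduces the CASE expression, including first-match and truncating-division behaviour, derives the exact byte range each label covers, checks those ranges against the reimplementation, and prints the Advanced Search predicate that selects the same rows. It assumes FileSize is an integer column (so the T-SQL division truncates), and the MessageSize sample values are constructed.

```python
"""Added example, not ICA's own code: reproduce the Analyzer's file size
scale to see which byte values fall into each bucket and what FileSize
range an Advanced Search filter needs in order to match a bucket."""

from typing import Optional

# Assumption: LDW_DIMIncidentsToFiles.FileSize is an integer column holding
# DLP's MessageSize in bytes, so the T-SQL divisions truncate toward zero.
# Units in the labels are decimal (1 MB = 1_000_000 bytes), not 1024-based.

SCALE_ORDER = (
    "Empty (0 KB)", "Tiny (0-16 KB)", "Small (16-1 MB)", "Medium (1-128 MB)",
    "Large (128-1 GB)", "Huge (1-4 GB)", "Gigantic (>4 GB)",
)


def file_size_scale(size_bytes: Optional[int]) -> Optional[str]:
    """Mirror of the CASE expression; the first matching branch wins.
    Returns the dimension member label, or None for the ELSE NULL branch."""
    if size_bytes is None or size_bytes < 0:
        return None                                  # ELSE NULL
    if size_bytes == 0:
        return "Empty (0 KB)"
    if 0 <= size_bytes <= 16_000:
        return "Tiny (0-16 KB)"
    if 16_000 <= size_bytes <= 1_000_000:            # 16000 itself was taken above
        return "Small (16-1 MB)"
    mb = size_bytes // 1_000_000                     # truncating, like int / int in T-SQL
    if 1 <= mb <= 128:
        return "Medium (1-128 MB)"
    if 128 <= mb <= 1000:
        return "Large (128-1 GB)"
    gb = mb // 1000
    if 1 <= gb <= 4:
        return "Huge (1-4 GB)"
    return "Gigantic (>4 GB)"                        # gb > 4 is the only case left


# Exact byte range each label covers once first-match and truncation are
# accounted for. The labels hide the tails: 'Medium (1-128 MB)' runs to
# 128,999,999 bytes and 'Huge (1-4 GB)' to 4,999,999,999 bytes.
SCALE_BYTE_RANGES = {
    "Empty (0 KB)":      (0, 0),
    "Tiny (0-16 KB)":    (1, 16_000),
    "Small (16-1 MB)":   (16_001, 1_000_000),
    "Medium (1-128 MB)": (1_000_001, 128_999_999),
    "Large (128-1 GB)":  (129_000_000, 1_000_999_999),
    "Huge (1-4 GB)":     (1_001_000_000, 4_999_999_999),
    "Gigantic (>4 GB)":  (5_000_000_000, None),     # open-ended
}


def verify_scale_ranges() -> bool:
    """Check every range edge against file_size_scale(): the edge itself is
    inside the bucket and the neighbouring byte value is outside it."""
    for label, (lo, hi) in SCALE_BYTE_RANGES.items():
        if file_size_scale(lo) != label:
            return False
        if lo > 0 and file_size_scale(lo - 1) == label:
            return False
        if hi is not None and (file_size_scale(hi) != label
                               or file_size_scale(hi + 1) == label):
            return False
    return True


def advanced_search_filter(label: str) -> str:
    """FileSize predicate (raw bytes, no unit conversion) that selects the
    same rows an Event Scenario sees under the given scale value."""
    lo, hi = SCALE_BYTE_RANGES[label]
    if hi is None:
        return f"FileSize >= {lo}"
    return f"FileSize BETWEEN {lo} AND {hi}"


if __name__ == "__main__":
    # Constructed MessageSize values in bytes, not taken from a real incident.
    sample_message_sizes = [0, 512, 16_000, 16_001, 1_000_000, 1_000_001,
                            128_999_999, 129_000_000, 4_999_999_999, 5_000_000_000]
    for size in sample_message_sizes:
        print(f"{size:>13,d} bytes -> {file_size_scale(size)}")
    print()
    for label in SCALE_ORDER:
        print(f"{label:<18} -> {advanced_search_filter(label)}")
    print("ranges consistent:", verify_scale_ranges())
```

Two things the table makes visible for troubleshooting: a file of exactly 1,000,000 bytes is 'Small' while 1,000,001 bytes is 'Medium', and the bucket boundaries are decimal, so an Advanced Search filter written around 1,048,576 bytes (1 MiB) will not reproduce the 'Small' / 'Medium' split that an Event Scenario sees.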