
Alerting: Practice with Sample Rules

Document created by RSA Information Design and Development Employee on Jan 30, 2020. Last modified by RSA Information Design and Development Employee on Sep 8, 2020.
Version 4

NetWitness Platform comes with sample rules so analysts can become familiar with how rules look before they create their own rules. Use the sample rules to become familiar with the Rule Builder and to practice editing and deploying a rule.

Sample rules are installed in the Rule Library, which contains every rule you download or create. The following figure shows sample rules in the Rule Library.

Rule Library showing sample rules

These are the available sample rules:

  • SAMPLE - Blacklist - From inside countries that are not the US, Non SMTP Traffic on TCP Port 25 Containing Executable
  • SAMPLE - Non SMTP Traffic on TCP Port 25 Containing Executable
  • SAMPLE - P2P Software as Detected by an Intrusion Detection Device 
  • SAMPLE - User Added to Admin Group Same User su Sudo
  • SAMPLE - Whitelist - From outside of Germany, P2P Software as Detected by an Intrusion Detection Device.

Each name begins with SAMPLE to distinguish the rules that are installed with NetWitness Platform from the rules you download and create.

Rule Library

The Rule Library shows the following information for a rule:

  • Name summarizes the data or events the rule collects.
  • Description explains the rule in more detail, although only the beginning shows in the Rule Library.
  • Trial Rule indicates if trial mode is enabled or disabled for the rule.
  • Type shows the origin of the rule: built in Rule Builder or Advanced EPL, downloaded from RSA Live, or part of an Endpoint Rule Bundle.

Rules Library showing different types of rules

Practice with Sample Rules

  1. Go to (Configure) > ESA Rules.
    The ESA Rules view is displayed with the Rules tab open.
  2. In the Rule Library, double-click a sample rule, or select a sample rule and click the Edit icon.
    The rule is opened in Rule Builder.
    Rule Builder showing sample rule
  3. To practice with a sample rule, refer to the following topics for detailed descriptions and procedures:

After you practice with sample rules, you will be able to download, create, and deploy your own rules.
