RSA NetWitness Logs & Network ESA EPL Rules

Document created by Craig Hansen (Employee) on Feb 4, 2016. Last modified by Connor Mccarthy on Aug 9, 2018.

Access Training

In order to register for a class, you need to first create an EMC account.

If you need further assistance, contact us.

Summary

This on-demand learning presents a recommended approach to learning EPL syntax and to writing EPL rules that detect threats.

 

Overview

This on-demand learning identifies a best-practice strategy for creating EPL rules and for learning the EPL rule syntax. It uses examples and use cases to illustrate EPL rule concepts such as streams, constructs, data windows and time constraints.

 

Audience

Anyone interested in using RSA Security Analytics Event Stream Analysis to create EPL rules to help identify suspicious activity.

 

Delivery Type

On-Demand Learning

 

Duration

90 minutes

 

Prerequisite Knowledge/Skills

Students should have completed the following courses (or have equivalent knowledge) prior to taking this training:

 

Course Objectives

Upon successful completion of this course, participants should be able to:

  • Describe the Esper engine and EPL
  • Describe EPL Rule Types
  • Describe data windows
  • Describe how time is calculated
  • Describe a recommended process for designing and writing EPL rules
  • Describe EPL syntax
  • Create EPL rules for specific use cases
  • List the best practices for ESA rules

 

Course Outline

  1. EPL Overview
    • Event Processing Language
    • Esper engine
    • EPL rule types
    • EPL event stream
    • Data windows
    • How time is calculated in ESA
    • EPL rule examples
    • Recommended process for creating ESA rules
    • Designing rules checklist
    • Writing and testing rules guidelines
    • Using the EPL online tool
    • ESA meta keys
    • Creating EPL rules
    • Live Rules
  2. Writing EPL Rules
    • An effective way to learn EPL
    • Building an EPL library
    • Sample EPL templates
    • EPL Live rule use cases
    • EPL rule use cases
  3. Best Practices
    • General best practices
    • Trial rules
    • Best practice by task
    • Writing rules for accuracy
    • Writing rules for performance
    • EPL Caveats
