Alerting: Add a Rule Builder Rule

Document created by RSA Information Design and Development Employee on Apr 22, 2016

This topic introduces a set of end-to-end procedures for adding a Rule Builder type rule.

Each ESA rule is designed to detect something in your network and to generate an alert for it:

  • User activity that is not allowed, such as attempting to download software that is not sanctioned
  • Suspicious behavior, such as mass audit clearing
  • Known malicious threats, such as worm propagation or a password-cracking tool

There are two methods to design a rule in ESA:

  • Rule Builder is an easy-to-use interface. You provide a meta key and value, then select choices from lists to complete the criteria.
  • Advanced EPL allows you to write queries in the Event Processing Language. You must know EPL syntax.

If you know EPL, you can use either method. If you do not know EPL, you must use Rule Builder. These topics explain the Rule Builder.