Alerting: Deploy Rules to Run on ESA

Document created by RSA Information Design and Development Employee on Apr 22, 2016
Version 1

This topic explains how to select an ESA and the rules to run on it. Administrator, SOC Manager or DPO role permissions are required for all tasks in this section.

To create a deployment, perform the steps described in Deployment Steps.

How Deployment Works

A deployment consists of an ESA service and a set of ESA rules. When you deploy rules, the ESA service runs them to detect suspicious or undesirable activity in your network. Each ESA rule detects a different event, such as when a user account is created and deleted within one hour.

The ESA service performs the following functions:

  1. Gathers data in your network
  2. Runs ESA rules against the data
  3. Applies rule criteria to data
  4. Generates an alert for the captured event
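
The four functions above, worked through for the rule mentioned earlier (a user account created and deleted within one hour). This is an added example, not RSA's code or ESA rule syntax; the event tuples, action names, and alert fields are assumptions made for illustration, and the sample events are constructed.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)  # "created and deleted within one hour"

# Step 1, gathered data: constructed sample events (timestamp, action, account).
EVENTS = [
    ("2016-04-22T09:00:00", "account_created", "svc_backup"),
    ("2016-04-22T09:05:00", "account_created", "jdoe"),
    ("2016-04-22T09:40:00", "account_deleted", "svc_backup"),  # 40 min lifetime
    ("2016-04-22T11:30:00", "account_deleted", "jdoe"),        # outside the window
    ("2016-04-22T12:00:00", "account_deleted", "ghost"),       # creation never seen
]


def created_then_deleted(events, window=WINDOW):
    """Steps 2-4: run the rule over the events and return the alerts."""
    created = {}  # account -> time of its most recent creation event
    alerts = []
    # ISO 8601 timestamps in one format sort chronologically as strings.
    for ts, action, account in sorted(events):
        when = datetime.fromisoformat(ts)
        if action == "account_created":
            created[account] = when
        elif action == "account_deleted":
            start = created.pop(account, None)
            # Rule criteria: a matching creation exists and is recent enough.
            if start is not None and when - start <= window:
                alerts.append({
                    "rule": "account_created_and_deleted_within_1h",
                    "account": account,
                    "created": start.isoformat(),
                    "deleted": when.isoformat(),
                    "lifetime_minutes": int((when - start).total_seconds() // 60),
                })
    return alerts


if __name__ == "__main__":
    for alert in created_then_deleted(EVENTS):
        print(alert)
```

Only `svc_backup` produces an alert: `jdoe` was deleted after the window closed, and `ghost` has no creation event to correlate with.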

The following graphic shows this workflow:

In addition, you may want to perform other steps on your deployment, such as deleting an ESA service in your deployment, editing or deleting a rule from your deployment, editing or deleting a deployment, or showing updates to a deployment. For descriptions of these procedures, see Additional Deployment Procedures.

