Alerting: Rule Builder Tab

Document created by RSA Information Design and Development Employee on Apr 22, 2016
Version 1Show Document
  • View in full screen mode

The Rule Builder tab enables you to define a Rule Builder rule.

To access the Rule Builder tab:

  1. In the Security Analytics menu, select Alerts > Configure.

    The Configure view is displayed with the Rules tab open by default.

  2. In the Rule Library toolbar, select addList.PNG > Rule Builder.

    The Rule Builder tab is displayed.

The following figure shows the Rule Builder tab.



The following table lists the parameters in the Rule Builder tab.

Rule NamePurpose of the ESA rule.
Description Summary of what the ESA rule detects.
Trial RuleDeployment mode to see if the rule runs efficiently.
Severity Threat level of alert triggered by the rule.

The Rule Builder includes the following components:

  • Conditions section
  • Notifications section
  • Enrichments section

Conditions Section

In the Conditions section of the Rule Builder tab, you define what the rule detects.

The following figure shows the Conditions section.


The following table lists the parameters of the Conditions section.

Add icon Add a statement.
Delete icon Remove selected statement.
Edit icon Edit selected statement.
StatementLogical group of conditions for one operation.
OccursAlert frequency if the condition is met. This specifies that there must be at least that many events that satisfy the criteria  in order to trigger an alert. The time window in minutes binds the Occurs count.
ConnectorOptions to specify relationship among the statements:
  • followed by
  • not followed by
  • AND
  • OR
The Connector joins two statements with AND, OR, followed by, or not followed by. When followed by is used, it specifies that there is a sequencing of those events. AND and OR build one large criteria. The followed by creates distinct criteria that occurs in sequence.
Correlated OnOption for the "Not followed by" connector. Specify the meta key for the field that you want to ensure does not follow in the sequence.
occurs within minutesTime window within which the conditions must occur. 
Event Sequence

Choose whether the pattern must follow a strict match or a loose match. If you specify a strict match, this means that the pattern must occur in the exact sequence you specified with no additional events occurring in between. For example, if the sequence specifies five failed logins (F) followed by a successful login (S), this pattern will only match if the user executes the following sequence: F,F,F,F,F,S. If you specify a loose match, this means that other events may occur within the sequence, but the rule will still trigger if all of the specified events also occur. For example, five failed login attempts (F),  followed by any number of intervening successful login attempts (S), followed by a successful login attempt might create the following pattern: F,S,F,S,F,S,F,S,F,S which would trigger the rule despite the intervening successful logins. 

Group By

Select the meta key by which to group results from the dropdown list. For example, suppose that there are three users; Joe, Jane, and John and you use the Group By meta, user_dst (user_dst is the meta field for the user destination account). The result will show events grouped under the user destination accounts, Joe, Jane, and John.

You can also group by multiple keys. For example, you might want to group by user and machine to see if a user logged in from the same machine attempts to log into an account multiple times.  To do this, you might group by device_class and user_dst.


In the Notifications section, you can choose how to be notified when ESA generates an alert for the rule.

For more information on the alert notifications, see Add Notification Method to a Rule.

The following figure shows the Notifications section.


To add an alert notification type.
To delete the selected alert notification.
OutputAlert notification type. Options are:
  • Email
  • SNMP
  • Syslog
  • Script
NotificationName of previously configured output, such as an email distribution list.
Notification ServerName of server that sends the output.
TemplateName of template for the alert notification.
Output Suppression of every    Option to specify alert frequency.
MinutesAlert frequency in minutes.


In the Enrichments section, you can add a data enrichment source to a rule.

For more information on the enrichments, see Add an Enrichment to a Rule.

The following figure shows the Enrichments section.


ic-addList.PNG To add an enrichment.
To delete the selected enrichment.
OutputEnrichment source type. Options are:
  • In-Memory Table
  • External DB Reference
  • Warehouse Analytics
  • GeoIP
Enrichment SourceName of previously configured enrichment source, such as a .CSV filename for an In-Memory Table.
ESA Event Stream MetaESA meta key whose value will be used as one operand of join condition.
Enrichment Source Column Name Enrichment source column name whose value will be used as the other operand of the join condition.

For an in-memory table, If you configured a key when creating a .CSV-based enrichment, this column automatically populates with the selected key. However, you can change it if you like. 

For a GeoIP enrichment source, ipv4 is automatically selected. 
You are here: References > Rule Builder Tab