The Rule Builder tab enables you to define a Rule Builder rule.
To access the Rule Builder tab:
In the Security Analytics menu, select Alerts > Configure.
The Configure view is displayed with the Rules tab open by default.
The Rule Builder tab is displayed.
The following figure shows the Rule Builder tab.
The following table lists the parameters in the Rule Builder tab.
| Parameter | Description |
| --- | --- |
| Rule Name | Name that conveys the purpose of the ESA rule. |
| Description | Summary of what the ESA rule detects. |
| Trial Rule | Deploys the rule in trial mode so that you can check whether it runs efficiently before full deployment. |
| Severity | Threat level of the alert that the rule triggers. |
The Rule Builder includes the following components:
- Conditions section
- Notifications section
- Enrichments section
In the Conditions section of the Rule Builder tab, you define what the rule detects.
The following figure shows the Conditions section.
The following table lists the parameters of the Conditions section.
In the Notifications section, you can choose how to be notified when ESA generates an alert for the rule.
For more information on the alert notifications, see Add Notification Method to a Rule.
The following figure shows the Notifications section.
In the Enrichments section, you can add a data enrichment source to a rule.
For more information on the enrichments, see Add an Enrichment to a Rule.
The following figure shows the Enrichments section.