Alerting: ESA Rule Types

Document created by RSA Information Design and Development Employee on Apr 22, 2016
Version 1Show Document
  • View in full screen mode

This topic describes each type of ESA rule, when to use them and the permissions each role has with them. The following table lists each type, describes it and explains when to use it.

Rule TypeDescriptionWhen to Use
Rule BuilderIn the rule builder, you define rule criteria in an easy-to-use interface. Use the rule builder to create your first rules. You choose many of the rule conditions from lists.
Advanced EPLWith the Event Processing Language (EPL), you define rule criteria by writing a query.Use advanced EPL rules to define rule criteria for in the EPL syntax.
RSA Live ESARSA Live has a catalog of ESA rules that you can download and modify to run in your network.Download RSA Live ESA rules to leverage rules that are already built. Modify the configurable parameters to customize to meet your requirements.

Starter Pack Rules

A few sample Rule Builder rules come with Security Analytics and appear in the Rule Library. Use starter pack rules to get comfortable working with rules before creating your own. You can safely edit and deploy these sample rules.

Trial Rules Mode

For any type of rule, you can select the Trial Rule setting as an additional safeguard. Trial rules get disabled if they exceed a memory threshold the administrator sets. Run a rule in trial mode to monitor memory usage and to disable the rule automatically if it uses more memory than the threshold allows.

You are here: Alerting: ESA Rule Types