Alerting: New Advanced EPL Rule Tab

Document created by RSA Information Design and Development Employee on Apr 22, 2016

This topic describes the Advanced EPL Rule tab that you use to define rule criteria with an Event Processing Language (EPL) query.

To access the Advanced EPL Rule tab:

  1. In the Security Analytics menu, select Alerts > Configure.

    The Configure view is displayed with the Rules tab open by default.

  2. In the Rule Library toolbar, select the Add icon > Advanced EPL.

    The Advanced EPL Rule tab is displayed.

Below is a screen shot of the Advanced EPL Rule tab.



The following table lists the parameters in the Advanced EPL Rule tab.

Rule Name: Purpose of the ESA rule.
Description: Summary of what the ESA rule detects.
Trial Rule: Deployment mode used to check whether the rule runs efficiently before it is deployed normally.
Severity: Threat level of the alert triggered by the rule.
Query: EPL query that defines the rule criteria.
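The following is an added example of the kind of statement entered in the Query field; it is not taken from the RSA documentation. It assumes the ESA conventions of an @RSAAlert annotation marking the alerting statement and an Event stream carrying parsed meta keys, and the meta key names (ec_activity, ec_outcome, ip_src, user_dst) and their values are assumed to match the log parsers in your deployment.

```epl
/* Added example, not part of the original page.
   Raises an ESA alert when a single source IP fails to log on to the
   same account at least 10 times within a sliding 5-minute window.
   Assumptions: @RSAAlert marks the statement whose results become
   alerts; Event is the ESA input stream; the meta keys and the
   literal values 'Logon' and 'Failure' are populated by your parsers. */

@RSAAlert
SELECT ip_src, user_dst, count(*) AS failures
FROM Event(ec_activity = 'Logon' AND ec_outcome = 'Failure').win:time(5 min)
GROUP BY ip_src, user_dst
HAVING count(*) >= 10;
```

Because the HAVING condition stays true for every further failure inside the window, the rule can fire repeatedly for the same source and account; the Output Suppression of every / Minutes settings in the Notifications section are where that alert frequency is limited.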


In the Notifications section, you can choose how to be notified when ESA generates an alert for the rule.

For more information on the alert notifications, see Add Notification Method to a Rule.

The following figure shows the Notifications section.

Add icon: Adds an alert notification type.
Delete icon: Deletes the selected alert notification type.
Output: Alert notification type. Options are:
  • Email
  • SNMP
  • Syslog
  • Script
Notification: Name of a previously configured output, such as an email distribution list.
Notification Server: Name of the server that sends the output.
Template: Name of the template for the alert notification.
Output Suppression of every: Option to specify the alert frequency.
Minutes: Alert frequency in minutes.


In the Enrichments section, you can add a data enrichment source to a rule.

For more information on the enrichments, see Add an Enrichment to a Rule.

The following figure shows the Enrichments section.

Add icon: Adds an enrichment.
Delete icon: Deletes the selected enrichment.
Enrichment source type: Options are:
  • In-Memory Table
  • External DB Reference
  • Warehouse Analytics
  • GeoIP
Enrichment Source: Name of a previously configured enrichment source, such as a .CSV filename for an In-Memory Table.
ESA Event Stream Meta: ESA meta key whose value is used as one operand of the join condition.
Enrichment Source Column Name: Enrichment source column whose value is used as the other operand of the join condition.