Change Core ESA Rule or Alert Parameters

Document created by RSA Information Design and Development on Jun 7, 2016. Last modified by RSA Information Design and Development on Jun 18, 2018.
Version 147

Change Rule Parameters

Some Event Stream Analysis (ESA) rules have parameters (for example, a time period) that you can modify using the ESA Rules View. For example, the "Adapter in Promiscuous Mode after Multiple Login Attempts" ESA rule has the "Within this number of seconds" parameter with the default time of 5 minutes (300 seconds). This is the time that needs to elapse before the rule goes into promiscuous mode.

To change an Event Stream Analysis rule parameter:

  1. Depending on your version:

    • For NetWitness 11.x: Go to CONFIGURE > ESA Rules > Rules.
    • For Security Analytics 10.x: In the Security Analytics menu, click Alerts > Configure > Rules.

    Note: Select GET RULES FROM RSA LIVE to find, download, and deploy rules.

  2. Select a rule (for example, Adapter in Promiscuous Mode after Multiple Login Attempts) and click .

    A new tab for building and editing rules displays.

  3. In the Parameters field, click the value of the parameter (for example, 300).
  4. Change the existing value to the desired value (for example, 480) and click Save.