000032502 - RSA Security Analytics Event Stream Analysis (ESA) Trial rules

Document created by RSA Customer Support Employee on Jun 30, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000032502
Applies ToRSA Product Set: Security Analytics
RSA Product/Service Type: Event Stream Analysis, Security Analytics UI
RSA Version/Condition: 10.5.x
IssueWhile configuring a new rule, it is suggested to mark it as Trial rule for a while to assess its effectiveness and stability.
ResolutionWhen we configure a rule as trial rule, ESA does the following:
  • ESA periodically checks memory utilization
  • If memory utilization exceeds the threshold, all rules marked as trial will get disabled
  • Threshold values - Memory Utilization 85% / Check Interval 300 seconds
  • These prevents any bad/misconfigured rules from crashing the ESA service
NotesThe above settings can be changed from : ESA Explore View -> CEP -> Module -> Configuration
The parameters are
  • MemoryThresholdForTrialRules (Default Value 85)
  • MemoryCheckPeriod (Default Value 300)