Alerting: New Advanced EPL Rule Tab

Document created by RSA Information Design and Development on Jul 20, 2016. Last modified by RSA Information Design and Development on Apr 26, 2017.
  

This topic describes the Advanced EPL Rule tab that you use to define rule criteria with an Event Processing Language (EPL) query.

To access the Advanced EPL Rule tab:

  1. In the Security Analytics menu, select Alerts > Configure.

    The Configure view is displayed with the Rules tab open by default.

  2. In the Rule Library toolbar, select addList.PNG > Advanced EPL.

    The Advanced EPL Rule tab is displayed.

Below is a screenshot of the Advanced EPL Rule tab.

NwAdvRuleTb.png

Features

The following table lists the parameters in the Advanced EPL Rule tab.

Parameter: Description
Rule Name: Purpose of the ESA rule.
Description: Summary of what the ESA rule detects.
Trial Rule: Deployment mode to see if the rule runs efficiently.
Severity: Threat level of the alert triggered by the rule.
Query: EPL query that defines the rule criteria.

Notifications

In the Notifications section, you can choose how to be notified when ESA generates an alert for the rule.

For more information on the alert notifications, see Add Notification Method to a Rule.

The following figure shows the Notifications section.

NotificationAdded.png

Parameter: Description
Add icon: To add an alert notification type.
Delete icon: To delete the selected alert notification type.
Output: Alert notification type. Options are:
  • Email
  • SNMP
  • Syslog
  • Script
Notification: Name of a previously configured output, such as an email distribution list.
Notification Server: Name of the server that sends the output.
Template: Name of the template for the alert notification.
Output Suppression of every: Option to specify the alert frequency.
Minutes: Alert frequency in minutes.

Enrichments

In the Enrichments section, you can add a data enrichment source to a rule.

For more information on the enrichments, see Add an Enrichment to a Rule.

The following figure shows the Enrichments section.
RuleEnrSec.png

Parameter: Description
Add icon: To add an enrichment.
Delete icon: To delete the selected enrichment.
Output: Enrichment source type. Options are:
  • In-Memory Table
  • External DB Reference
  • Warehouse Analytics
  • GeoIP
Enrichment Source: Name of a previously configured enrichment source, such as a .CSV filename for an In-Memory Table.
ESA Event Stream Meta: ESA meta key whose value is used as one operand of the join condition.
Enrichment Source Column Name: Enrichment source column whose value is used as the other operand of the join condition.
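As an added illustration, not taken from the RSA document, the two statements below show the kind of EPL that the Query field described under Features might hold, and how the join between an ESA Event Stream Meta key and an Enrichment Source Column Name described above is expressed when written by hand. The meta key names (ip_src, ip_dst, ec_activity, ec_outcome), the Event stream name, the @RSAAlert annotation and the CriticalAssets in-memory table with columns ip and owner are assumptions made for this example.

```sql
-- Rule 1 (constructed example): alert when one source IP produces five or more
-- failed logons within a sliding five-minute window.
-- Assumed: the ESA base stream is named Event and the meta keys
-- ec_activity / ec_outcome / ip_src carry the values shown.
@RSAAlert
SELECT ip_src, count(*) AS failures
FROM Event(ec_activity = 'Logon' AND ec_outcome = 'Failure').win:time(5 min)
GROUP BY ip_src
HAVING count(*) >= 5;

-- Rule 2 (constructed example): enrich failed logons with the owner of the
-- targeted host by joining the event stream to an In-Memory Table.
-- Assumed: CriticalAssets is an in-memory table loaded from a CSV with the
-- columns ip (the Enrichment Source Column Name) and owner; ip_dst is the
-- ESA Event Stream Meta key used as the other operand of the join.
@RSAAlert
SELECT e.ip_src, e.ip_dst, w.owner
FROM Event(ec_activity = 'Logon' AND ec_outcome = 'Failure') AS e UNIDIRECTIONAL,
     CriticalAssets AS w
WHERE e.ip_dst = w.ip;
```

Rule 1 emits an alert for every further event that keeps the count at or above the threshold, so the Output Suppression of every / Minutes settings in the Notifications section are the usual way to keep one noisy source from flooding a mailbox or syslog receiver. In Rule 2 the UNIDIRECTIONAL keyword makes only the event stream drive the join, so a change to the table alone does not produce alerts.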