When rules use too much memory, your ESA service can become slow or unresponsive. To ensure rules do not use excessive memory, you can enable trial rules for any type of rule. By default, new rules you create and RSA Live rules you import are configured to be trial rules. RSA recommends you disable the trial rule setting only after testing the new rule in your environment during normal and peak network traffic. When you create a trial rule, you set a global threshold of the percentage of memory that rules may use. If that configured memory threshold is exceeded, all trial rules are disabled.
The Security Analytics Event Stream Analysis (ESA) service is capable of processing large volumes of disparate event data from Concentrators. However, when working with Event Stream Analysis, it is possible to create rules that use excessive memory. This can slow your ESA service or even cause it to shut down unexpectedly. To ensure that this doesn't happen, you can configure your rule as a trial rule. When you configure a trial rule, you also set global threshold of the percentage of memory that rules may use. If that configured memory threshold is exceeded, all trial rules are disabled automatically.
For suggestions on creating more efficient rules, see "Best Practices for Writing Rules" in Best Practices
By default, new rules and RSA Live rules are configured as trial rules. As a best practice, when you edit an existing rule, select the Trial Rule option, which allows you to:
- Deploy the rule with an added safeguard.
- Optionally, view a snapshot of memory utilization to understand if the rule creates memory issues.
- Know if you must modify the rule criteria to improve performance.
Note: Run a rule as a trial rule long enough to assess the performance during normal and peak network traffic.