Alerting: Add an Advanced EPL Rule

Document created by RSA Information Design and Development on Jul 26, 2016. Last modified by RSA Information Design and Development on Jul 26, 2016. Version 2.
 

EPL is a declarative language for handling high-frequency time-based event data. It is used to express filtering, aggregation, and joins over possibly sliding windows of multiple event streams. EPL also includes pattern semantics to express complex temporal causality among events.

Write an advanced EPL rule when the rule criteria are more complex than what you can specify in Rule Builder.

It is outside the scope of this guide to explain EPL syntax. 

Prerequisites

Procedure

To add an Advanced EPL rule:

  1. In the Security Analytics menu, select Alerts > Configure.
  2. In the Rule Library, select the add icon (addList.PNG) > Advanced EPL.
    [Image: NwAdvRuleTb.png]
  3. Type a unique, descriptive name in the Rule Name field.
    This name will appear in the Rule Library so be specific enough to distinguish the rule from others.
  4. In the Description field, explain which events the rule detects.
    The beginning of this description will appear in the Rule Library.
  5. Select Trial Rule to automatically disable the rule if all trial rules collectively exceed the memory threshold. 
    Use trial rule mode as a safeguard to see if a rule runs efficiently and to prevent downtime caused by running out of memory. For more information, see Work with Trial Rules.
  6. For Severity, classify the rule as Low, Medium, High or Critical.
  7. To define rule criteria, write a Query in EPL.

Note: For all meta key names, use an underscore not a period. For example, ec_outcome is correct but ec.outcome is not.

  8. If a rule should generate an alert, include this ESA annotation in the syntax:
    @RSAAlert
    ESA provides two annotations. For details, see ESA Annotations.
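The following is an added example, not code from the RSA documentation: two EPL queries, each usable on its own as the Query in step 7, showing the underscore meta-key convention and the @RSAAlert annotation from step 8. The stream name Event and the meta keys ec_activity, user_dst and ip_src are assumptions; ec_outcome is the key this page cites.

```sql
// Added example, not from the RSA documentation. Either query below can be
// pasted on its own as an Advanced EPL rule's Query. Assumed: the stream is
// named Event and the meta keys ec_activity, user_dst and ip_src exist;
// ec_outcome is the key named on this page. Underscores only: ec_outcome,
// never ec.outcome.

// Rule A: aggregation over a sliding window. Alert when one destination
// account accumulates 5 or more failed logons within any 5-minute span.
@RSAAlert
SELECT user_dst, count(*) AS failure_count
FROM Event(ec_activity = 'Logon' AND ec_outcome = 'Failure').win:time(5 min)
GROUP BY user_dst
HAVING count(*) >= 5;

// Rule B: pattern with temporal causality. Alert when a failed logon for an
// account is followed, within 10 minutes, by a successful logon for the same
// account from the same source address. The parentheses make the
// timer:within guard apply to the second event only.
@RSAAlert
SELECT a.user_dst AS user_dst, a.ip_src AS ip_src
FROM pattern [
  every a = Event(ec_activity = 'Logon' AND ec_outcome = 'Failure')
    -> (b = Event(ec_activity = 'Logon' AND ec_outcome = 'Success'
                  AND user_dst = a.user_dst AND ip_src = a.ip_src)
        where timer:within(10 min))
];
```

Each additional failure inside Rule A's window also satisfies the HAVING clause, so expect repeated alerts for the same account until the window slides. Trial Rule mode (step 5) is the place to check the memory cost of either query before enabling it permanently.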