Alerting: Deploy Rules as Trial Rules

Document created by RSA Information Design and Development on Jul 26, 2016. Last modified by RSA Information Design and Development on Jul 26, 2016.
Version 2

This topic explains how administrators can enable trial rules when creating new rules or editing existing rules.

Trial rules are automatically disabled if a specified total JVM memory utilization threshold is exceeded.

To deploy rules as trial rules:

  1. In the Security Analytics menu, go to Alerts > Configure.
    The Configure view is displayed with the Rules tab open.
  2. From the Rule Library, choose to add or edit a rule. The rule builder is displayed in a new Security Analytics tab.
  3. To make a new or existing rule a trial rule, select the trial rule checkbox.
  4. Add the rule conditions or modify the rule as needed. For instructions on editing rules, see Add Rules to the Rule Library.
  5. Click Save.
  6. Ensure that trial rules are enabled for your ESA and that you are satisfied with the thresholds configured for trial rules. 
    The memory threshold is set in the configuration file. To configure it, see Change Memory Threshold for Trial Rules in the Event Stream Analysis Configuration Guide.
    The threshold is configured per ESA and is a percentage of Java Virtual Machine (JVM) memory.
    The default value of the configuration parameter MemoryThresholdforTrialRules is 85.
  7. Optionally, you can set up the policies in Health and Wellness to send you an email notification if the total JVM memory utilization threshold is exceeded. For more details on how to do this, see Manage Policies in the System Maintenance Guide.

The next time you deploy the rule, it runs in trial rule mode.

Note:  If a trial rule is disabled, you will need to go to the Alerts > Configure > Services tab to re-enable the trial rules.  For more instructions on re-enabling trial rules on a service, see View Stats for ESA Service.
