This topic introduces starter pack rules that come with Security Analytics so analysts can become familiar with rules before adding their own.
Security Analytics comes with two starter pack rules so you can become familiar with how rules look before you create your own rules. Use the starter pack rules to become familiar with the Rule Builder and to practice editing and deploying a rule.
Starter pack rules are installed in the Rule Library, which will contain every rule you download or create. The following figure shows the Rule Library after installation.
These are the two starter pack rules:
SAMPLE: Non SMTP Traffic on TCP Port 25 Containing Executable
SAMPLE: HP2P Software as Detected by an Intrusion Detection Device
Each name begins with SAMPLE to distinguish the rules that are installed with Security Analytics from the rules you download and create.
The Rule Library shows the following information for a rule:
- Name summarizes the data or events the rule collects.
- Description explains the rule in more detail, although only the beginning shows in the Rule Library.
- Trial Rule indicates if trial mode is enabled or disabled for the rule.
- Type shows the origin of the rule, built in Rule Builder or Advanced EPL or downloaded from RSA Live.
- In the Security Analytics menu, select Alerts > Configure.
The Configure view is displayed with the Rules tab open.
- In the Rule Library, select a sample rule and click , or double-click a rule.
The rule is opened in Rule Builder.
- To practice with a starter pack rule, refer to the following topics for detailed descriptions and procedures:
- To familiarize yourself with the Rule Builder user interface, see Rule Builder Tab for a description of each field.
- To learn how to edit a rule, see Add a Rule Builder Rule for a step-by-step procedure.
- To deploy a starter pack rule, see Deploy Rules to Run on ESA to learn how to associate the rule with an ESA service.
After you practice with starter pack rules, you will be able to download, create and deploy your own rules.