RSA Live contains a catalog of rules. Each rule has configurable parameters so you can customize the rule for your environment. If RSA Live has a rule to detect events that you want to detect in your network, download the rule to save time. You can edit the configurable parameters and save the rule in your Rule Library.
This is a sample of how each RSA Live ESA rule is described on RSA Live:
| Name | Description |
|---|---|
| Logins across Multiple Servers | Detects logins from the same user across 3 or more separate servers within 5 minutes. The time window and number of unique destinations are configurable. |
As the name shows, the rule looks for logins across multiple servers. The description explains the rule criteria in more detail and specifies which parameters you modify.
Note: When a rule description includes a configurable parameter, the description states the default setting for that parameter. In the sample rule, the description states 5 minutes. Because the time window is configurable, 5 is the default number of minutes.
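The correlation that the sample rule description states, sketched in Python as an added example. It is not RSA's rule code and not part of the original page. The function name, field layout and sample events are constructed for illustration, and the two keyword arguments stand in for the configurable time window and number of unique destinations.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample login events: (ISO timestamp, user, destination server).
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:00", "alice", "srv-a"),
    ("2024-01-10T09:01:30", "alice", "srv-b"),
    ("2024-01-10T09:02:00", "bob",   "srv-a"),
    ("2024-01-10T09:03:00", "carol", "srv-d"),
    ("2024-01-10T09:03:30", "carol", "srv-d"),  # same server again: not a new destination
    ("2024-01-10T09:04:00", "carol", "srv-d"),
    ("2024-01-10T09:04:10", "alice", "srv-c"),  # third distinct server inside 5 minutes
    ("2024-01-10T09:20:00", "bob",   "srv-b"),
    ("2024-01-10T09:40:00", "bob",   "srv-c"),  # three servers, but spread over 38 minutes
]


def detect_multi_server_logins(events, window_minutes=5, min_servers=3):
    """Return (user, alert_time, servers) for each user who logs in to
    at least min_servers distinct servers within window_minutes."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # user -> logins still inside the sliding window
    alerts = []
    for ts, user, server in sorted(events):  # process in time order
        now = datetime.fromisoformat(ts)
        logins = recent[user]
        logins.append((now, server))
        # Drop logins that have aged out of the window.
        while now - logins[0][0] > window:
            logins.popleft()
        servers = {s for _, s in logins}  # count unique destinations only
        if len(servers) >= min_servers:
            alerts.append((user, ts, sorted(servers)))
            logins.clear()  # one alert per burst instead of one per later login
    return alerts


if __name__ == "__main__":
    # Defaults from the sample description: 3 servers within 5 minutes.
    for alert in detect_multi_server_logins(SAMPLE_EVENTS):
        print(alert)
    # Widening the window changes which users match.
    for alert in detect_multi_server_logins(SAMPLE_EVENTS, window_minutes=60):
        print(alert)
```

With the defaults only alice matches. Widening the window to 60 minutes also flags bob, which shows why the defaults should be reviewed against normal login patterns in your environment before the rule is deployed.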
Prerequisites:
- Have permission to manage rules
- Create Live Account
- Set Up Live on Security Analytics
To download configurable RSA Live ESA rules:
- In the Security Analytics menu, select Alerts > Configure.
  The Rules tab is displayed.
- In the options panel, click Get Rules from RSA Live.
  The Search tab is displayed.
- In Search Criteria, for Resource Type select RSA Event Stream Analysis Rule.
- Specify any of the following criteria to find a rule to configure for your environment.
  For a detailed description of the search criteria, see Live Search View in the Live Resource Management Guide.
  - Required Meta Keys
  - Generated Meta Values
  - Resource Created Date
  - Resource Modified Date
- Click Search. Rules that match the search criteria are displayed in Matching Resources.
- Select each rule to download and click Deploy.
  The Deployment Wizard is displayed.
- Follow the steps in the wizard. If you need more information, see Deploy Resources in Live, in the Live Resource Management Guide.
  When you finish the steps in the wizard, the selected rules are displayed in the Rule Library.