When rules use too much memory, your ESA service can become slow or unresponsive. To ensure rules don't use excessive memory, you can enable trial rules for any type of rule. When you create a trial rule, you set a global threshold of the percentage of memory that rules may use. If that configured memory threshold is exceeded, all trial rules are disabled.
The Security Analytics Event Stream Analysis (ESA) service is capable of processing large volumes of disparate event data from Concentrators. However, when working with Event Stream Analysis, it is possible to create rules that use excessive memory. This can slow your ESA service or even cause it to shut down unexpectedly. To ensure that this doesn't happen, you can configure your rule as a trial rule. When you configure a trial rule, you also set global threshold of the percentage of memory that rules may use. If that configured memory threshold is exceeded, all trial rules are disabled automatically.
For suggestions on creating more efficient rules, see "Best Practices for Writing Rules" in Best Practices.
As a best practice, when you add a new rule or edit an existing rule, select the Trial Rule option, which allows you to:
- Deploy the rule with an added safeguard.
- Optionally, view a snapshot of memory utilization to understand if the rule creates memory issues.
- Know if you must modify the rule criteria to improve performance.
Note: Run a rule as a trial rule long enough to assess the performance during normal and peak network traffic.