This topic describes the Advanced EPL Rule tab that you use to define rule criteria with an Event Processing Language (EPL) query.
The Advanced EPL Rule tab enables you to define an Advanced EPL rule.
To access the Advanced EPL Rule tab:
- In the Security Analytics menu, select Alerts > Configure.
  The Configure view is displayed with the Rules tab open by default.
- In the Rule Library toolbar, select > Advanced EPL.
  The Advanced EPL Rule tab is displayed.
Below is a screen shot of the Advanced EPL Rule tab.
The following table lists the parameters in the Advanced EPL Rule tab.
| Parameter | Description |
|---|---|
| Rule Name | Purpose of the ESA rule. |
| Description | Summary of what the ESA rule detects. |
| Trial Rule | Deployment mode to see if the rule runs efficiently. |
| Severity | Threat level of alert triggered by the rule. |
| Query | EPL query that defines rule criteria. |
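As an added illustration of what goes in the Query field (not taken from this page or from RSA's own rule library), the statement below flags a user account with five or more failed logons inside a five-minute window. The `@RSAAlert` annotation, the `Event` stream name and the meta keys `ec_activity`, `ec_outcome` and `user_dst` are assumed to follow ESA's Esper-based EPL conventions; adjust them to the meta keys present in your deployment.

```epl
// Constructed example: repeated failed logons for one account.
// @RSAAlert marks the statement whose results become an ESA alert;
// identifiers names the meta key used to group/suppress duplicate alerts.
@RSAAlert(identifiers={"user_dst"})
SELECT user_dst, count(*) AS failed_logons
FROM Event(ec_activity = 'Logon' AND ec_outcome = 'Failure').win:time(5 min)
GROUP BY user_dst
HAVING count(*) >= 5;
```

Deploy it first with Trial Rule enabled so you can confirm the time window and grouping do not consume excessive memory before assigning a Severity and turning on notifications.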
In the Notifications section, you can choose how to be notified when ESA generates an alert for the rule.
For more information on the alert notifications, see Add Notification Method to a Rule.
The following figure shows the Notifications section.
In the Enrichments section, you can add a data enrichment source to a rule.
For more information on the enrichments, see Add an Enrichment to a Rule.