Alerting: Advanced EPL Rule Tab

Document created by RSA Information Design and Development on Jul 26, 2016. Last modified by RSA Information Design and Development on Jul 26, 2016.

This topic describes the Advanced EPL Rule tab that you use to define rule criteria with an Event Processing Language (EPL) query.

The Advanced EPL Rule tab enables you to define an Advanced EPL rule.

To access the Advanced EPL Rule tab:

  1. In the Security Analytics menu, select Alerts > Configure.
    The Configure view is displayed with the Rules tab open by default.
  2. In the Rule Library toolbar, select addList.PNG > Advanced EPL.
    The Advanced EPL Rule tab is displayed.

Below is a screen shot of the Advanced EPL Rule tab.

NwAdvRuleTb.png

Features

The following table lists the parameters in the Advanced EPL Rule tab.

                             
ParametersDescription
Rule NamePurpose of the ESA rule.
Description Summary of what the ESA rule detects.
Trial RuleDeployment mode to see if the rule runs efficiently.
Severity Threat level of alert triggered by the rule.
QueryEPL query that defines rule criteria.
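As an added illustration (not from the original page), the following shows the kind of EPL statement that goes in the Query field: it alerts when the same user accumulates five or more logon failures inside a sliding 60-second window. The @RSAAlert annotation, the event stream name Event, and the meta key names ec_activity, ec_outcome and user_dst are assumptions about the ESA deployment and should be checked against your version's EPL reference.

```epl
/* Added example, not from the page. Assumptions: ESA exposes incoming
   events as the stream "Event", @RSAAlert marks the statement as one that
   produces an alert, and the meta keys ec_activity, ec_outcome and
   user_dst exist in this deployment.
   Alert when one user has 5 or more logon failures within 60 seconds. */
@RSAAlert
SELECT user_dst, count(*) AS failures
FROM Event(ec_activity = 'Logon' AND ec_outcome = 'Failure').win:time(60 sec)
GROUP BY user_dst
HAVING count(*) >= 5;
```

Because the statement re-evaluates on every new matching event, it can fire again for each failure after the fifth; the Output Suppression of every / Minutes settings on this tab are where that repeat alerting is limited.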

Notifications

In the Notifications section, you can choose how to be notified when ESA generates an alert for the rule.

For more information on the alert notifications, see Add Notification Method to a Rule.

The following figure shows the Notifications section.

NotificationAdded.png

                                  
ParameterDescription
To add an alert notification type.
To delete the selected alert notification type.
OutputAlert notification type. Options are:
  • Email
  • SNMP
  • Syslog
  • Script
NotificationName of previously configured output, such as an email distribution list.
Notification ServerName of server that sends the output.
TemplateName of template for the alert notification.
Output Suppression of everyOption to specify alert frequency.
MinutesAlert frequency in minutes.

Enrichments

In the Enrichments section, you can add a data enrichment source to a rule.

For more information on the enrichments, see Add an Enrichment to a Rule.

The following figure shows the Enrichments section.

RuleEnrSec.png

                              
ParameterDescription
To add an enrichment.
To delete the selected enrichment.
OutputEnrichment source type. Options are:
  • In-Memory Table
  • External DB Reference
  • Warehouse Analytics
  • GeoIP
Enrichment SourceName of previously configured enrichment source, such as a .CSV filename for an In-Memory Table.
ESA Event Stream MetaESA meta key whose value will be used as one operand of join condition.
Enrichment Source Column NameEnrichment source column name whose value will be used as the other operand of the join condition.