Alerting: Add an Advanced EPL Rule

Document created by RSA Information Design and Development Employee on Nov 23, 2016. Last modified by RSA Information Design and Development Employee on Apr 26, 2017.
Version 3

This topic provides instructions to define rule criteria by writing an EPL query. EPL is a declarative language for handling high-frequency time-based event data. It is used to express filtering, aggregation, and joins over possibly sliding windows of multiple event streams. EPL also includes pattern semantics to express complex temporal causality among events.

Write an advanced EPL rule when the rule criteria are more complex than what you can specify in Rule Builder.

It is outside the scope of this guide to explain EPL syntax. 


The following are prerequisites for adding an advanced rule:

  • You must know Event Processing Language (EPL).
  • You must understand ESA annotations, which mark the EPL statements that generate alerts. A statement without an alert annotation runs in the engine but never raises an alert.


To add an Advanced EPL rule:

  1. In the Security Analytics menu, select Alerts > Configure.
  2. In the Rule Library, open the add drop-down and select Advanced EPL.


  3. Type a unique, descriptive name in the Rule Name field.

    This name will appear in the Rule Library, so be specific enough to distinguish the rule from others.

  4. In the Description field, explain which events the rule detects.

    The beginning of this description will appear in the Rule Library.

  5. Select Trial Rule to automatically disable the rule if all trial rules collectively exceed the memory threshold.

    Use trial rule mode as a safeguard to see if a rule runs efficiently and to prevent downtime caused by running out of memory. For more information, see Work with Trial Rules.

  6. For Severity, classify the rule as Low, Medium, High or Critical.
  7. To define rule criteria, write a Query in EPL.

    Note: For all meta key names, use an underscore in place of the period used elsewhere in Security Analytics. For example, ec_outcome is correct but ec.outcome is not; a key written with a period does not match any event.

  8. If the rule should generate an alert, include the ESA alert annotation in the query syntax, immediately before the statement that should raise the alert.

    ESA provides two annotations. For details, see ESA Annotations.
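The following is an added example of a complete Advanced EPL query that follows the steps above; it is not taken from this page or from RSA's rule library. It assumes the incoming stream is named Event and that the logon events carry the meta keys ec_activity, ec_outcome, ip_src, user_dst and time (written with underscores, as the note in step 7 requires); the five-failure threshold and five-minute window are arbitrary choices. Only the statement annotated with @RSAAlert, the ESA annotation for alert-generating statements, produces an alert; the first statement has no annotation and only feeds a filtered stream to the second. ESA's other annotation, @RSAPersist, applies to named windows and is not needed here.

```epl
module Module_LogonBruteForce;

/*
 * Added example, not from the RSA documentation page.
 * Assumptions: stream name Event; meta keys ec_activity, ec_outcome,
 * ip_src, user_dst, time; threshold of 5 failures; 5 minute window.
 */

// Statement 1: no annotation, so it never raises an alert by itself.
// It narrows the raw Event stream to logon outcomes with a source and account,
// and republishes them as the LogonEvents stream for the second statement.
// Meta keys use underscores (ec_outcome), never periods (ec.outcome).
INSERT INTO LogonEvents
SELECT ip_src, user_dst, ec_outcome, time
FROM Event(
    ec_activity = 'Logon'
    AND (ec_outcome = 'Failure' OR ec_outcome = 'Success')
    AND ip_src IS NOT NULL
    AND user_dst IS NOT NULL
);

// Statement 2: the alert-generating statement, marked with @RSAAlert.
// Pattern: one failure (a), then four more failures from the same source
// against the same account ([4] is the repeat operator), then a success (b),
// all within five minutes of the first failure. The 'every' keyword restarts
// the pattern after each match so later bursts are also caught.
@RSAAlert
SELECT a.ip_src AS ip_src,
       a.user_dst AS user_dst,
       b.time AS success_time
FROM pattern [
    every a=LogonEvents(ec_outcome = 'Failure')
    -> [4] LogonEvents(ec_outcome = 'Failure'
                       AND ip_src = a.ip_src
                       AND user_dst = a.user_dst)
    -> b=LogonEvents(ec_outcome = 'Success'
                     AND ip_src = a.ip_src
                     AND user_dst = a.user_dst)
    where timer:within(5 min)
];
```

When testing a rule like this, enable Trial Rule first (step 5): an `every` pattern over a busy logon stream holds one partial match per source and account until the five-minute timer expires, so the memory it consumes grows with the number of distinct sources failing at once, and the trial safeguard will disable it rather than let the ESA service run out of memory.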
