The topic provides instructions to import ESA rules from a Security Analytics instance and to export ESA rules to your hard drive so you can keep a local copy.
If you exported a rule in an earlier version of Security Analytics, the following conditions apply when you import the rule in version 10.5 or later:
- Exported in version 10.3 – You cannot import rules to version 10.5.
- Exported in version 10.4 – Rule behavior depends if cross-correlation is disabled, which is the default, or enabled:
- Disabled – You can import rules to version 10.5.
- Enabled – You must restart Security Analytics or make a minor change to the rule, save, remove the minor change and save again. Either procedure generates the forwarding rule that the 10.5 cross-site correlation feature requires.
Import ESA Rules
- In the Security Analytics menu, select Alerts > Configure > Rules.
The Rules tab is displayed.
- In the Rules Library toolbar, click > Import.
The Import ESA Rules dialog is displayed.
- Click Browse to browse and select the file containing the ESA rules.
- Click Import.
- Select an ESA rule or multiple rules and click > Export in the Rule Library toolbar.
A warning dialog is displayed.
- Click Yes.
The Export Rules dialog is displayed.
- In the Enter File Name field, type a filename for the file with the ESA rules and click Export.
The file is exported as a binary file to your machine.
Note: The binary file cannot be edited.