Alerting: Add a Rule Builder Rule

Document created by RSA Information Design and Development on Nov 23, 2016. Last modified by RSA Information Design and Development on Apr 26, 2017.
Version 3

This topic introduces a set of end-to-end procedures for adding a Rule Builder type rule.

Each ESA rule is designed to detect something in your network and to generate an alert for it:

  • User activity that is not allowed, such as attempting to download software that is not sanctioned
  • Suspicious behavior, such as mass audit clearing
  • Known malicious threats, such as worm propagation or a password-cracking tool

There are two methods to design a rule in ESA:

  • Rule Builder is an easy-to-use interface. You provide a meta key and value, then select choices from lists to complete the criteria.
  • Advanced EPL allows you to write queries in the Event Processing Language. You must know EPL syntax.

If you know EPL, you can use either method. If you do not know EPL, you must use Rule Builder. These topics explain the Rule Builder. 
