This topic describes each type of ESA rule, when to use them and the permissions each role has with them. The following table lists each type, describes it and explains when to use it.
|Rule Type||Description||When to Use|
|Rule Builder||In the rule builder, you define rule criteria in an easy-to-use interface.||Use the rule builder to create your first rules. You choose many of the rule conditions from lists.|
|Advanced EPL||With the Event Processing Language (EPL), you define rule criteria by writing a query.||Use advanced EPL rules to define rule criteria for in the EPL syntax.|
|RSA Live ESA||RSA Live has a catalog of ESA rules that you can download and modify to run in your network.||Download RSA Live ESA rules to leverage rules that are already built. Modify the configurable parameters to customize to meet your requirements.|
Starter Pack Rules
A few sample Rule Builder rules come with Security Analytics and appear in the Rule Library. Use starter pack rules to get comfortable working with rules before creating your own. You can safely edit and deploy these sample rules.
Trial Rules Mode
For any type of rule, you can select the Trial Rule setting as an additional safeguard. Trial rules get disabled if they exceed a memory threshold the administrator sets. Run a rule in trial mode to monitor memory usage and to disable the rule automatically if it uses more memory than the threshold allows.