Alerting: Deploy Rules to Run on ESA

Document created by RSA Information Design and Development on Nov 23, 2016Last modified by RSA Information Design and Development on Apr 26, 2017
Version 3Show Document
  • View in full screen mode
  

This topic explains how to select an ESA and the rules to run on it. Administrator, SOC Manager or DPO role permissions are required for all tasks in this section.

To create a deployment, you need to perform the steps described in Deployment Steps

How Deployment Works

A deployment consists of an ESA service and a set of ESA rules. When you deploy rules, the ESA service runs them to detect suspicious or undesirable activity in your network. Each ESA rule detects a different event, such as when a user account is created and deleted within one hour.

The ESA service performs the following functions:

  1. Gathers data in your network
  2. Runs ESA rules against the data
  3. Applies rule criteria to data
  4. Generates an alert for the captured event

The following graphic shows this workflow:
deploy_1a.PNG
 

In addition, you may want to perform other steps on your deployment, such as deleting an ESA service in your deployment, editing or deleting a rule from your deployment, editing or deleting a deployment, or showing updates to a deployment. For descriptions of these procedures, see Additional Deployment Procedures

 

You are here
Table of Contents > Deploy Rules to Run on ESA

Attachments

    Outcomes