Alerting: Deploy Rules as Trial Rules

Document created by RSA Information Design and Development Employee on Mar 23, 2017Last modified by RSA Information Design and Development Employee on Apr 26, 2017
Version 4Show Document
  • View in full screen mode

This topic explains to administrators how to enable trial rules when creating new rules or editing rules. Trial rules are automatically disabled if a specified total JVM memory utilization threshold is exceeded.


To deploy rules as trial rules:

  1. In the Security Analytics menu, go to Alerts > Configure
    The Configure view is displayed with the Rules tab open.
  2. From the Rule Library, choose to add or edit a rule. The rule builder is displayed in a new Security Analytics tab.
  3. To make a new or existing rule a trial rule, select trialrule_checked.png.
  4. Add the rule conditions or modify the rule as needed. For instructions on editing rules, see Add Rules to the Rule Library.
  5. Click Save
  6. Ensure that trial rules are enabled for your ESA and that you are satisfied with the thresholds configured for trial rules. 
    The memory threshold is set in the configuration file. To configure it, see "Change Memory Threshold for Trial Rules" in the ESA Configuration Guide.
    The threshold is configured per ESA and is a percentage of Java Virtual Memory.
    The configuration parameter, MemoryThresholdforTrialRules default is 85.
  7. Optionally, you can set up the policies in Health and Wellness to send you an email notification if the total JVM memory utilization threshold is exceeded.

The next time you deploy the rule, it runs in trial rule mode.

Note:  If a trial rule is disabled, you will need to go to the Alerts > Configure > Services tab to re-enable the trial rules.  For more instructions on re-enabling trial rules on a service, see View ESA Stats and Alerts.

Previous Topic:Work with Trial Rules
You are here
Table of Contents > Work with Trial Rules > Deploy Rules as Trial Rules