This topic describes the Advanced EPL Rule tab that you use to define rule criteria with an Event Processing Language (EPL) query.
To access the Advanced EPL Rule tab:
In the Security Analytics menu, select Alerts > Configure.
The Configure view is displayed with the Rules tab open by default.
The Advanced EPL Rule tab is displayed.
Below is a screen shot of the Advanced EPL Rule tab.
The following table lists the parameters in the Advanced EPL Rule tab.

| Parameter | Description |
|---|---|
| Rule Name | Name that identifies the purpose of the ESA rule. |
| Description | Summary of what the ESA rule detects. |
| Trial Rule | Deploys the rule in trial mode so that you can confirm it runs efficiently before deploying it fully. |
| Severity | Threat level of the alert that the rule triggers. |
| Query | EPL query that defines the rule criteria. |
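As an added illustration of what goes in the Query field (example EPL written for this page, not a rule shipped with the product), the statements below show the two things an Advanced EPL rule typically does: count matching events per key inside a window, and join the event stream to an enrichment source. The meta keys `ec_activity`, `ec_outcome`, `user_dst` and `ip_src` are written in the underscore form ESA uses for event meta; the values `'Logon'` and `'Failure'`, the named window `ThreatIpList` and its column `ip_address` are assumptions for this example, and whether a configured In-Memory Table is visible to the query under a window name depends on how the enrichment is deployed on your ESA.

```epl
/* Added example, not product code.
   Statement 1: raise one alert when a single target account
   records five logon failures within 60 seconds.
   - std:groupwin keeps a separate window per user_dst
   - win:time_length_batch releases the batch after 5 events
     or 60 seconds, whichever comes first
   - HAVING keeps only batches that actually reached 5 failures
   - @RSAAlert marks the statement as an ESA alert; oneInSeconds=0
     means every matching batch alerts, with no suppression window */
@RSAAlert(oneInSeconds=0)
SELECT * FROM Event(
        ec_activity = 'Logon'
    AND ec_outcome  = 'Failure'
    AND user_dst IS NOT NULL
)
.std:groupwin(user_dst)
.win:time_length_batch(60 seconds, 5)
GROUP BY user_dst
HAVING COUNT(*) = 5;

/* Statement 2: the join the Enrichments section performs for you,
   written out in EPL. The event stream meta (ip_src) is one operand
   of the join, the enrichment column (ip_address) is the other.
   ThreatIpList and ip_address are hypothetical names for this example.
   UNIDIRECTIONAL makes only the event side drive output, so a reload
   of the table does not by itself emit alerts. */
@RSAAlert(oneInSeconds=0)
SELECT e.*, t.ip_address AS matched_ip
FROM Event(ip_src IS NOT NULL) AS e UNIDIRECTIONAL,
     ThreatIpList AS t
WHERE e.ip_src = t.ip_address;
```

Before deploying either statement for real, run it as a Trial Rule: the per-key window in the first statement grows with the number of distinct `user_dst` values, and a key that is never null-filtered (or a join against a large table) is exactly the kind of rule that trial mode is there to catch.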
In the Notifications section, you can choose how to be notified when ESA generates an alert for the rule.
For more information on the alert notifications, see Add Notification Method to a Rule.
The following figure shows the Notifications section.
In the Enrichments section, you can add a data enrichment source to a rule.
For more information on the enrichments, see Add an Enrichment to a Rule.
The following table lists the parameters in the Enrichments section.

| Parameter | Description |
|---|---|
| Add | Adds an enrichment. |
| Delete | Deletes the selected enrichment. |
| Enrichment Source Type | Type of the enrichment source. Options are: |
| Enrichment Source | Name of a previously configured enrichment source, such as the .CSV filename for an In-Memory Table. |
| ESA Event Stream Meta | ESA meta key whose value is used as one operand of the join condition. |
| Enrichment Source Column Name | Enrichment source column whose value is used as the other operand of the join condition. |