ESA Config: Overview

Document created by RSA Information Design and Development on Mar 23, 2017. Last modified by RSA Information Design and Development on Apr 14, 2017.
Version 3
 

Referencing custom meta in an ESA rule enriches the rule and the alerts it produces. This makes investigation more efficient by:

  • Providing more informative results, because the alert carries the custom meta values alongside the standard meta.
  • Reducing the number of alerts triggered by false-positive findings, because the rule can match only on the events that the custom meta marks as relevant.
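The following Esper EPL statement is an added, hypothetical example of what an advanced ESA rule of this kind might look like; it is not a rule shipped with NetWitness and is not code from the original page. It assumes that asset_criticality is a custom meta key that has already been added to ESA under Meta Key References, that country_src and ip_dst are the standard source-country and destination-IP keys, and that the country list is illustrative.

```epl
/* Hypothetical advanced EPL for a rule such as "Critical resource accessed
   from Suspicious country". Assumptions (not from the page):
   - asset_criticality is a custom meta key already imported into ESA
   - country_src and ip_dst are standard NetWitness meta keys
   - the country names in the IN list are placeholders for the analyst's own list */
@RSAAlert(oneInSeconds=0)
SELECT *
FROM Event(
    /* Only sessions whose destination was tagged as critical by the custom meta.
       Without this condition every access from the listed countries would alert,
       which is the false-positive volume the custom meta is meant to remove. */
    asset_criticality = 'critical'
    AND ip_dst IS NOT NULL
    AND country_src IN ('CountryA', 'CountryB')
);
```

Because the statement selects every meta in the matching event (SELECT *), the alert raised in NetWitness carries the asset_criticality value together with the standard meta, which is what makes the alert detail view described below more informative than a rule that keys on country alone.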

After you set up and deploy the rule with the custom meta, you investigate its alerts in the same manner as any other ESA alert. The following examples illustrate how to view:

  • A summary of all the alerts triggered by this rule over a specified time period.
  • Meta details for a single event that triggered an alert.

View ESA Alerts

After you deploy an ESA rule, it runs continuously. You can view the alerts generated by these rules to conduct an investigation. Refer to View ESA Stats and Alerts topic in the Alerting Using ESA Guide for detailed instructions.

Summary of Alerts Triggered by Rule for Specified Time Period

The following example shows a summary of all the alerts triggered by the Critical resource accessed from Suspicious country rule over the period of the last two days.

Meta Details for Single Event That Triggered Rule

The following example shows all the meta for a single event in an alert triggered by the Critical resource accessed from Suspicious country rule.
