Alerting: Add an Advanced EPL Rule

Document created by RSA Information Design and Development on Jun 26, 2017. Last modified by RSA Information Design and Development on Sep 14, 2017.

This topic provides instructions to define rule criteria by writing an EPL query. EPL is a declarative language for handling high-frequency time-based event data. It is used to express filtering, aggregation, and joins over possibly sliding windows of multiple event streams. EPL also includes pattern semantics to express complex temporal causality among events.

Write an advanced EPL rule when the rule criteria are more complex than what you can specify in Rule Builder.

It is outside the scope of this guide to explain EPL syntax. 

Prerequisites

The following are prerequisites for adding an advanced rule:

  • You must know Event Processing Language (EPL).
  • You must understand ESA Annotations to mark which EPL statements are linked to generating alerts.

Procedure

To add an Advanced EPL rule:

  1. In the Security Analytics menu, select Alerts > Configure.
  2. In the Rule Library, select the Add icon > Advanced EPL.


  3. Type a unique, descriptive name in the Rule Name field.

    This name will appear in the Rule Library, so be specific enough to distinguish the rule from others.

  4. In the Description field, explain which events the rule detects.

    The beginning of this description will appear in the Rule Library.

  5. Select Trial Rule to automatically disable the rule if all trial rules collectively exceed the memory threshold.

    Use trial rule mode as a safeguard to see if a rule runs efficiently and to prevent downtime caused by running out of memory. For more information, see Work with Trial Rules.

  6. For Severity, classify the rule as Low, Medium, High or Critical.
  7. To define rule criteria, write a Query in EPL.

    Note: For all meta key names, use an underscore not a period. For example, ec_outcome is correct but ec.outcome is not.

  8. For dynamic statement name generation in ESA, you must enclose the meta keys in curly brackets and include this annotation in the syntax:

    @Name("RIG {ip_src} {alias_host} {ec_activity}")

    where,

    • RIG is the static part of the statement name
    • {ip_src}, {alias_host}, {ec_activity} are the dynamic part of the statement name

    Note: If any meta in the dynamic part of the statement name has a null value, it is displayed as static text.
    If you want to display the meta name together with its curly braces, for instance {meta}, escape the braces with the "\\" character. For example: @Name("static text \\{ip_src\\}")

    If a rule should generate an alert, include this ESA annotation in the syntax:

    @RSAAlert

    For more information on ESA Annotations, see ESA Annotations.
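    The following is an added example of a complete advanced rule that puts steps 7 and 8 together; it is not taken from the original topic or from RSA's rule library. It assumes the ESA event stream is named Event and that the meta keys ec_activity, ec_outcome, ip_src and user_dst carry the values shown (Logon, Failure, and so on); those value strings are assumptions you should check against your own feeds. Note that every meta key uses an underscore rather than a period, the @Name annotation mixes a static prefix with dynamic meta placeholders, and @RSAAlert marks the statement as the one that generates alerts.

```epl
// Added example, not part of the original topic.
// Assumption: the ESA event stream is named Event and the meta values
// 'Logon' and 'Failure' match how your log parsers populate
// ec_activity and ec_outcome.

// Static prefix "FailedLogonBurst" plus dynamic parts taken from the
// output columns ip_src and user_dst. If either meta is null it is
// shown as literal text in the statement name.
@Name("FailedLogonBurst {ip_src} {user_dst}")
@RSAAlert
SELECT ip_src, user_dst, count(*) AS failures
FROM Event(ec_activity = 'Logon' AND ec_outcome = 'Failure').win:time(5 min)
GROUP BY ip_src, user_dst
HAVING count(*) = 5;
```

The sliding window (win:time) keeps only the last five minutes of failed logons, and the GROUP BY counts them per source address and target user, so one noisy host cannot inflate the count for another. The HAVING clause uses count(*) = 5 rather than >= 5 on purpose: with >= the rule would raise a new alert on every additional failure after the threshold, whereas = fires once when the fifth failure arrives and again only if the count drops below five and climbs back. Consider running this as a trial rule first (step 5) so that an unexpectedly large number of distinct ip_src/user_dst groups cannot exhaust ESA memory.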
