Alerting: Practice with Starter Pack Rules

Document created by RSA Information Design and Development on Sep 12, 2017Last modified by RSA Information Design and Development on Oct 10, 2017
Version 5Show Document
  • View in full screen mode

NetWitness Suite comes with starter pack rules so analysts can become familiar with how rules look before you create your own rules. Use the starter pack rules to become familiar with the Rule Builder and to practice editing and deploying a rule.

Starter pack rules are installed in the Rule Library, which will contain every rule you download or create. The following figure shows sample rules in the Rule Library.

Rule Library showing sample rules

These are the available starter pack rules:

  • SAMPLE: P2P Software as Detected by an Intrusion Detection Device 
  • SAMPLE: Non SMTP Traffic on TCP Port 25 Containing Executable
  • SAMPLE: Whitelist - From outside of Germany, P2P Software as Detected by an Intrusion Detection Device.
  • SAMPLE: Blacklist - From inside countries that are not the US, Non-SMTP Traffic on TCP Port 25 Containing Executable
  • SAMPLE: User Added to Admin Group Same User su Sudo

Each name begins with SAMPLE to distinguish the rules that are installed with NetWitness Suite from the rules you download and create.

Rule Library

The Rule Library shows the following information for a rule:

  • Name summarizes the data or events the rule collects.
  • Description explains the rule in more detail, although only the beginning shows in the Rule Library.
  • Trial Rule indicates if trial mode is enabled or disabled for the rule.
  • Type shows the origin of the rule, built in Rule Builder or Advanced EPL, or downloaded from RSA Live.

Rules Library showing different types of rules


  1. Go to CONFIGURE > ESA Rules.
    The ESA Rules view is displayed with the Rules tab open.
  2. In the Rule Library, select a sample rule and click Edit icon, or double-click a rule.
    The rule is opened in Rule Builder.
    Rule Builder showing sample rule
  3. To practice with a starter pack rule, refer to the following topics for detailed descriptions and procedures:
    • To familiarize yourself with the Rule Builder user interface, see Rule Builder Tab for a description of each field.
    • To learn how to edit a rule, see Add a Rule Builder Rule for a step-by-step procedure.
    • To deploy a starter pack rule, see Deploy Rules to Run on ESA to learn how to associate the rule with an ESA service.

After you practice with starter pack rules, you will be able to download, create, and deploy your own rules.

Previous Topic:Role Permissions
You are here
Table of Contents > ESA Rule Types > Practice with Starter Pack Rules