Alerting: Practice with Starter Pack Rules

Document created by RSA Information Design and Development on Sep 12, 2017Last modified by RSA Information Design and Development on Apr 11, 2019
Version 9Show Document
  • View in full screen mode
 

NetWitness Platform comes with starter pack rules so analysts can become familiar with how rules look before they create their own rules. Use the starter pack rules to become familiar with the Rule Builder and to practice editing and deploying a rule.

Starter pack rules are installed in the Rule Library, which contains every rule you download or create. The following figure shows sample rules in the Rule Library.

Rule Library showing sample rules

These are the available starter pack rules:

  • SAMPLE - Blacklist - From inside countries that are not the US, Non SMTP Traffic on TCP Port 25 Containing Executable
  • SAMPLE - Non SMTP Traffic on TCP Port 25 Containing Executable
  • SAMPLE - P2P Software as Detected by an Intrusion Detection Device 
  • SAMPLE - User Added to Admin Group Same User su Sudo
  • SAMPLE - Whitelist - From outside of Germany, P2P Software as Detected by an Intrusion Detection Device.

Each name begins with SAMPLE to distinguish the rules that are installed with NetWitness Platform from the rules you download and create.

Rule Library

The Rule Library shows the following information for a rule:

  • Name summarizes the data or events the rule collects.
  • Description explains the rule in more detail, although only the beginning shows in the Rule Library.
  • Trial Rule indicates if trial mode is enabled or disabled for the rule.
  • Type shows the origin of the rule, built in Rule Builder or Advanced EPL, downloaded from RSA Live, or Endpoint Rule Bundle.

Rules Library showing different types of rules

Practice with Starter Pack Sample Rules

  1. Go to CONFIGURE > ESA Rules.
    The ESA Rules view is displayed with the Rules tab open.
  2. In the Rule Library, double-click a sample rule or select a sample rule and click Edit icon.
    The rule is opened in Rule Builder.
    Rule Builder showing sample rule
  3. To practice with a starter pack rule, refer to the following topics for detailed descriptions and procedures:
    • To familiarize yourself with the Rule Builder user interface, see Rule Builder Tab for a description of each field.
    • To learn how to edit a rule, see Add a Rule Builder Rule for a step-by-step procedure.
    • To deploy a starter pack rule, see Deploy Rules to Run on ESA to learn how to associate the rule with an ESA service.

After you practice with starter pack rules, you will be able to download, create, and deploy your own rules.

Previous Topic:Role Permissions
You are here
Table of Contents > ESA Rule Types > Practice with Starter Pack Rules

Attachments

    Outcomes