Alerting: Deploy Rules to Run on ESA

Document created by RSA Information Design and Development on Sep 12, 2017. Last modified by RSA Information Design and Development on Apr 11, 2019.
Version 9

This topic explains how to select an ESA service and the rules to run on it. Administrator, SOC Manager or DPO role permissions are required for all tasks in this section.

To create an ESA rule deployment, perform the steps described in ESA Rule Deployment Steps.

How an ESA Rule Deployment Works

An ESA rule deployment consists of an ESA service, one or more data sources, and a set of ESA rules. When you deploy rules, the ESA service runs them to detect suspicious or undesirable activity in your network. Each ESA rule detects a different event, such as when a user account is created and deleted within one hour.

The ESA service performs the following functions:

  1. Gathers data in your network
  2. Runs ESA rules against the data
  3. Applies rule criteria to data
  4. Generates an alert for the captured event

The following graphic shows this workflow:
Figure: Deploy Rules workflow

In addition, you may want to perform other steps on your deployment, such as replacing an ESA service, changing a data source, editing or deleting a rule from the deployment, renaming or deleting the deployment, or showing updates to the deployment. For descriptions of these procedures, see Additional ESA Rule Deployment Procedures.
