This section explains how an ESA Rule Deployment works and how to set up a deployment to run a group of ESA rules. Administrator, SOC Manager, or Data Privacy Officer role permissions are required for all procedures in this section.
To create an ESA rule deployment, you need to perform the steps described in ESA Rule Deployment Steps.
How an ESA Rule Deployment Works
An ESA rule deployment consists of an ESA service, one or more data sources, and a set of ESA rules. When you deploy rules, the ESA service runs them to detect suspicious or undesirable activity in your network. Each ESA rule detects a different event, such as when a user account is created and deleted within one hour.
The ESA service performs the following functions:
- Gathers data in your network
- Runs ESA rules against the data
- Applies rule criteria to data
- Generates an alert for the captured event
In addition, you may want to perform other steps on your deployment, such as replacing an ESA service, changing a data source, editing or deleting a rule from the deployment, renaming or deleting the deployment, or showing updates to the deployment. For descriptions of these procedures, Additional ESA Rule Deployment Procedures.