This topic explains how to download configurable rules from the NetWitness Platform Live Content Management System so you can customize them to meet your needs.
RSA Live contains a catalog of rules. Each rule has configurable parameters so you can customize the rule for your environment. If RSA Live has a rule to detect events that you want to detect in your network, download the rule to save time. You can edit the configurable parameters and save the rule in your Rule Library. For detailed information about each rule, including whether the rule is for logs, packets, or both, see "RSA ESA Rules" at the following link: https://community.rsa.com/docs/DOC-43401
This is an example of how each RSA Live ESA rule is described on RSA Live:
|Logins across Multiple Servers||Detects logins from the same user across 3 or more separate servers within 5 minutes.|
The time window and number of unique destinations are configurable.
As the name shows, the rule looks for logins across multiple servers. The description explains the rule criteria in more detail and specifies which parameters you modify.
These are the prerequisites for downloading configurable RSA Live ESA rules;
- Have permission to manage rules
- Create a Live Account. See the Live Services Management Guide for details.
- Set up Live on NetWitness Platform. See the Live Services Management Guide for details.
- Update your meta keys. See "Update Your ESA Rules for the Required Multi-Value and Single-Value Meta Keys" in the ESA Configuration Guide.
Download RSA Live ESA Rules
- Go to Configure > ESA Rules.
The Rules tab is displayed.
- In the options panel, click Get Rules from RSA Live.
The Live Content Search view is displayed. (Alternatively, you can go to Configure > Live Content.)
- In Search Criteria, for Resource Types select Event Stream Analysis Rule.
- Specify any of the following criteria to find a rule to configure for your environment. For detailed information about each rule, including whether the rule is for logs, packets, or both, see "RSA ESA Rules" at the following link: https://community.rsa.com/docs/DOC-43401
For a detailed description of the search criteria, see "The Live Search View" in the Live Services Management Guide.
- Resource Types (Event Stream Analysis Rule)
- Medium (Log, Log and Packet, or Packet)
- Required Meta Keys
- Generated Meta Values
- Resource Created Date
- Resource Modified Date
- Include Discontinued Resources
- Click Search. Rules that match the search criteria are displayed in Matching Resources.
- Select each rule to download and click Deploy.
The Deployment Wizard is displayed.
- Follow the steps in the wizard. If you need more information, see "Deploy Resources in Live" in the Live Services Management Guide.
When you finish the steps in the wizard, the selected rules are displayed in the Rule Library.