This topic explains how to download configurable rules from the NetWitness Suite Live Content Management System so you can customize them to meet your needs.
RSA Live contains a catalog of rules. Each rule has configurable parameters so you can customize the rule for your environment. If RSA Live has a rule to detect events that you want to detect in your network, download the rule to save time. You can edit the configurable parameters and save the rule in your Rule Library.
This is a sample of how each RSA Live ESA rule is described on RSA Live:
As the name shows, the rule looks for logins across multiple servers. The description explains the rule criteria in more detail and specifies which parameters you modify.
These are the prerequisites for downloading configurable RSA Live ESA rules;
- Have permission to manage rules
- Create a Live Account. See the Live Services Management Guide for details.
- Set up Live on NetWitness Suite. See the Live Services Management Guidefor details.
To download configurable RSA Live ESA rules:
- Go to CONFIGURE > ESA Rules.
The Rules tab is displayed.
- In the options panel, click Get Rules from RSA Live.
The Live Content Search view is displayed.
- In Search Criteria, for Resource Type select RSA Event Stream Analysis Rule.
- Specify any of the following criteria to find a rule to configure for your environment.
For a detailed description of the search criteria, see "The Live Search View" in the Live Services Management Guide.
- Required Meta Keys
- Generated Meta Values
- Resource Created Date
- Resource Modified Date
- Click Search. Rules that match the search criteria are displayed in Matching Resources.
- Select each rule to download and click Deploy.
The Deployment Wizard is displayed
- Follow the steps in the wizard. If you need more information, see "Deploy Resources in Live" in the Live Services Management Guide.
When you finish the steps in the wizard, the selected rules are displayed in the Rule Library.