Alerting: Download Configurable RSA Live ESA Rules

Document created by RSA Information Design and Development on Sep 12, 2017Last modified by RSA Information Design and Development on Jul 8, 2019
Version 10

This topic explains how to download configurable rules from the NetWitness Platform Live Content Management System so you can customize them to meet your needs.

RSA Live contains a catalog of rules. Each rule has configurable parameters so you can customize the rule for your environment. If RSA Live has a rule to detect events that you want to detect in your network, download the rule to save time. You can edit the configurable parameters and save the rule in your Rule Library. For detailed information about each rule, including whether the rule is for logs, packets, or both, see "RSA ESA Rules" at the following link: https://community.rsa.com/docs/DOC-43401

This is an example of how each RSA Live ESA rule is described on RSA Live:

Rule Name: Logins across Multiple Servers
Description: Detects logins from the same user across 3 or more separate servers within 5 minutes. The time window and number of unique destinations are configurable.

As the name shows, the rule looks for logins across multiple servers. The description explains the rule criteria in more detail and specifies which parameters you modify.

Note: When a rule description includes a configurable parameter, the value shown in the description is that parameter's default setting. In the sample rule, the description states 5 minutes; because the time window is configurable, 5 is the default number of minutes, not a fixed value.
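To make the two configurable parameters concrete, here is an added illustration of the correlation the sample rule description states: one user logging in to at least N distinct servers within a time window, with N and the window as arguments defaulting to the description's 3 servers and 5 minutes. This is not the RSA rule itself or its rule language (the ESA engine evaluates its own EPL rules); it is a stand-alone Python sketch, and the login events it runs over are constructed for the example.

```python
"""Added illustration (not RSA code) of the "Logins across Multiple Servers"
correlation: alert when one user logs in to at least `min_servers` distinct
destinations within `window_minutes`. Both values are the configurable
parameters the rule description names; the defaults mirror the description."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample login events, not taken from the page:
# (user, destination host, ISO timestamp), in time order.
SAMPLE_EVENTS = [
    ("alice", "srv-01", "2024-01-01T10:00:00"),
    ("alice", "srv-02", "2024-01-01T10:01:30"),
    ("bob",   "srv-01", "2024-01-01T10:02:00"),
    ("alice", "srv-02", "2024-01-01T10:03:00"),  # repeat host: not a new destination
    ("alice", "srv-03", "2024-01-01T10:04:00"),  # third distinct server within 5 min
    ("bob",   "srv-02", "2024-01-01T10:20:00"),  # bob's srv-01 login is 18 min old here
    ("bob",   "srv-03", "2024-01-01T10:21:00"),  # only 2 distinct servers in a 5-min window
]


def run_rule(events, min_servers=3, window_minutes=5):
    """Return one alert dict per (user, burst) that meets the threshold.

    Events must arrive in timestamp order; per-user state is a sliding window
    of (timestamp, destination) pairs no older than `window_minutes`.
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # user -> deque of (timestamp, dest), oldest first
    alerts = []
    for user, dest, ts_text in events:
        ts = datetime.fromisoformat(ts_text)
        q = recent[user]
        q.append((ts, dest))
        # Slide the window: drop this user's logins older than the window.
        while ts - q[0][0] > window:
            q.popleft()
        distinct = sorted({d for _, d in q})
        if len(distinct) >= min_servers:
            alerts.append({"user": user, "servers": distinct, "at": ts_text})
            q.clear()  # reset so the same burst is not reported again on the next login
    return alerts


if __name__ == "__main__":
    # Defaults (3 servers, 5 minutes): only alice trips the rule.
    for alert in run_rule(SAMPLE_EVENTS):
        print(alert)
    # Widening the window to 20 minutes makes bob's three logins count as well.
    print(len(run_rule(SAMPLE_EVENTS, window_minutes=20)))
```

Changing `window_minutes` or `min_servers` is the equivalent of editing the rule's configurable parameters after download: the detection criteria stay the same, only the thresholds move.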

Prerequisites

These are the prerequisites for downloading configurable RSA Live ESA rules:

  • Have permission to manage rules
  • Create a Live Account. See the Live Services Management Guide for details.
  • Set up Live on NetWitness Platform. See the Live Services Management Guide for details.

Download RSA Live ESA Rules

  1. Go to CONFIGURE > ESA Rules.
    The Rules tab is displayed.
    Rules tab showing the Get Rules from RSA Live option
  2. In the options panel, click Get Rules from RSA Live.
    The Live Content Search view is displayed. (Alternatively, you can go to CONFIGURE > Live Content.)
    RSA Live Search from ESA Rules
  3. In Search Criteria, for Resource Types select Event Stream Analysis Rule.
  4. Specify any of the following criteria to find a rule to configure for your environment. For detailed information about each rule, including whether the rule is for logs, packets, or both, see "RSA ESA Rules" at the following link: https://community.rsa.com/docs/DOC-43401
    For a detailed description of the search criteria, see "The Live Search View" in the Live Services Management Guide.
    • Keywords
    • Category
    • Resource Types (Event Stream Analysis Rule)
    • Medium (Log, Log and Packet, or Packet)
    • Required Meta Keys
    • Generated Meta Values
    • Resource Created Date
    • Resource Modified Date
    • Include Discontinued Resources
  5. Click Search. Rules that match the search criteria are displayed in Matching Resources.
  6. Select each rule to download and click Deploy.
    Live Content Search: Rule and Deploy selected
    The Deployment Wizard is displayed.
    Deployment Wizard
  7. Follow the steps in the wizard. If you need more information, see "Deploy Resources in Live" in the Live Services Management Guide.

When you finish the steps in the wizard, the selected rules are displayed in the Rule Library.
