Alerting: Customize an RSA Live ESA Rule

Document created by RSA Information Design and Development on Sep 12, 2017
Last modified by RSA Information Design and Development on Sep 26, 2019
Version 11

This topic explains how to configure parameters in an RSA Live ESA rule. When you download an RSA Live ESA rule, the rule appears in the Rule Library, which includes the following columns:

  • Rule Name
  • Description
  • Trial Rule
  • Type
  • Actions

Rule Library showing ESA Live Rules

The type is RSA Live ESA Rule.

Prerequisites

  • Administrator, Operator, SOC Manager, or DPO role permissions are required.
  • Rules must be downloaded to the Rule Library.

Configure Parameters for an RSA Live ESA Rule

  1. Go to CONFIGURE > ESA Rules > Rules tab.
  2. In the Rule Library, double-click an RSA Live ESA Rule, or select the rule and click the Edit icon.
    The RSA Live ESA Rule tab is displayed.
  3. (Optional) Change the following fields:
    • Rule Name
    • Description
    • Trial Rule (Enabled by default. RSA recommends you run a rule as a trial rule long enough to assess the performance during normal and peak network traffic.)
    • Alert (This option applies to 11.3 and later.) Select Alert to send an alert to Respond. Clear the checkbox if you do not want to send an alert to Respond. To turn alerts on or off for ALL rules, see the ESA Configuration Guide.
    • Severity
    • Notifications
    • Enrichments
  4. To configure the rule for your environment, in the Parameters section, replace the default in the Value column.
    Parameters section showing values column
  5. Click Save.
