Alerting: Add an Advanced EPL Rule

Document created by RSA Information Design and Development Employee on Sep 12, 2017. Last modified by RSA Information Design and Development Employee on Apr 23, 2020. Version 14.

This topic provides instructions to define rule criteria by writing an EPL query. EPL is a declarative language for handling high-frequency time-based event data. It is used to express filtering, aggregation, and joins over possibly sliding windows of multiple event streams. EPL also includes pattern semantics to express complex temporal causality among events.

Write an advanced EPL rule when the rule criteria are more complex than what you can specify in Rule Builder.

It is outside the scope of this guide to explain EPL syntax. 

For best practices on writing advanced EPL rules, see ESA Rule Writing Best Practices.


The following are prerequisites for adding an advanced rule:

  • You must know Event Processing Language (EPL).
  • You must understand ESA annotations, which mark the EPL statements that generate alerts.

Add an Advanced EPL Rule

  1. Go to Configure > ESA Rules.
  2. In the Rule Library, select Add List icon > Advanced EPL.
    (Screenshot: New Advanced EPL Rule tab)

  3. Type a unique, descriptive name in the Rule Name field.

    This name appears in the Rule Library, so make it specific enough to distinguish the rule from others.

  4. In the Description field, explain which events the rule detects.

    The beginning of this description appears in the Rule Library.

  5. Select Trial Rule to automatically disable the rule if all trial rules collectively exceed the memory threshold.

    Use trial rule mode as a safeguard to see if a rule runs efficiently and to prevent downtime caused by running out of memory. For more information, see Work with Trial Rules.

  6. (This option applies to 11.3 and later.) Select Alert to send an alert to Respond. Clear the checkbox if you do not want to send an alert to Respond. To turn alerts on or off for ALL rules, see the ESA Configuration Guide.
  7. For Severity, classify the rule as Low, Medium, High or Critical.
  8. To define rule criteria, write a Query in EPL.

    Note: In all meta key names, use an underscore, not a period. For example, ec_outcome is correct; ec.outcome is not.

  9. To generate statement names dynamically in ESA, enclose the meta keys in curly brackets inside the @Name annotation, as in this example:

    @Name("RIG {ip_src} {alias_host} {ec_activity}")


    • RIG is the static part of the statement name.
    • {ip_src}, {alias_host} and {ec_activity} are the dynamic part of the statement name; each placeholder is replaced with the value of that meta key from the alerting event.

    Note: If any meta key in the dynamic part of the statement name has a null value, its placeholder is not replaced and is displayed as static text.

    If a rule should generate an alert, include this ESA annotation in the syntax:


    For more information on ESA Annotations, see ESA Annotations.
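A complete advanced rule that puts the points from steps 8 and 9 together, as an added example rather than code from the original page or from RSA. It assumes the ESA event stream is named Event, that ec_activity, ec_outcome, ip_src and alias_host are meta keys on that stream, that @RSAAlert is the ESA annotation that marks an alert-generating statement (the page refers to that annotation without showing it), and that the FailedLogon stream name and the 5-in-5-minutes threshold are illustrative choices.

```epl
/*
 * Added example, not from the original page or from RSA.
 * Assumptions: the ESA event stream is named Event; ec_activity, ec_outcome,
 * ip_src and alias_host are meta keys on it; @RSAAlert marks the statement
 * that produces alerts. FailedLogon and the threshold are illustrative.
 */

// Statement 1: no @RSAAlert, so it never raises an alert by itself. It only
// narrows the raw stream to logon failures that carry a usable source IP.
// Meta keys use underscores (ec_outcome, not ec.outcome).
@Name("FailedLogonFeed")
INSERT INTO FailedLogon
SELECT * FROM Event(
    ec_activity = 'Logon'
    AND ec_outcome = 'Failure'
    AND ip_src IS NOT NULL
);

// Statement 2: alerts when a single ip_src produces exactly its fifth failure
// inside a sliding 5-minute window. The curly-brace placeholders in @Name are
// filled from the alerting event; if alias_host is null the literal text
// "{alias_host}" is left in the statement name, as the note above describes.
@Name("RIG {ip_src} {alias_host} {ec_activity}")
@RSAAlert
SELECT * FROM FailedLogon.win:time(5 min)
GROUP BY ip_src
HAVING count(*) = 5;
```

Two design choices are worth noting. The HAVING clause tests count(*) = 5 rather than count(*) >= 5: with >= the statement would fire again on the sixth, seventh and every later failure in the window, flooding Respond with duplicate alerts for one source. And because the first statement carries no alert annotation, only the second statement is linked to alert generation, which is the distinction the prerequisites section asks you to understand; run such a rule as a Trial Rule first so that an unexpectedly wide window cannot exhaust ESA memory.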
