Alerting: Import or Export Rules

Document created by RSA Information Design and Development on Sep 12, 2017Last modified by RSA Information Design and Development on Oct 10, 2017
Version 5Show Document
  • View in full screen mode

The topic provides instructions to import ESA rules from a NetWitness Suite instance and to export ESA rules to your hard drive so you can keep a local copy.

If you exported a rule in an earlier version of NetWitness Suite, the following conditions apply when you import the rule in version 10.5 or later:

  • Exported in version 10.3 – You cannot import rules to version 10.5 or later.
  • Exported in version 10.4 – Rule behavior depends if cross-correlation is disabled, which is the default, or enabled:
    • Disabled – You can import rules to version 10.5 or later.
    • Enabled – You must restart NetWitness Suite or make a minor change to the rule, save, remove the minor change and save again. Either procedure generates the forwarding rule that the 10.5 or later cross-site correlation feature requires.


Import ESA Rules

  1. Go to CONFIGURE >ESA Rules > Rules tab.
    The Rules tab is displayed.
    Rules tab showing import option
  2. In the Rules Library toolbar, select Action icon > Import
    The Import ESA Rules dialog is displayed.
    Import ESA Rules dialog
  3. Click Browse to browse and select the file containing the ESA rules.
  4. Click Import


  1. Select an ESA rule or multiple rules and select Action icon > Export in the Rule Library toolbar.
    A warning dialog is displayed.
  2. Click Yes.
    The Export Rules dialog is displayed.
  3. In the Enter File Name field, type a filename for the file with the ESA rules and click Export.
    The file is exported as a binary file to your machine.

Note: The binary file cannot be edited.

You are here
Table of Contents > Add Rules to the Rules Library > Working With Rules > Import or Export Rules