Alerting: ESA Rule Types

Document created by RSA Information Design and Development on Sep 12, 2017Last modified by RSA Information Design and Development on Jul 8, 2019
Version 9Show Document
  • View in full screen mode

This topic describes each type of ESA rule, when to use them and the permissions each role has with them. The following table lists each type, describes it, and explains when to use it.

Rule TypeDescriptionWhen to Use
RSA Live ESARSA Live has a catalog of ESA rules that you can download and modify to run in your network.Download RSA Live ESA rules to leverage rules that are already built. Modify the configurable parameters to customize to meet your requirements.
Rule BuilderIn the rule builder, you define rule criteria in an easy-to-use interface. Use the rule builder to create your first rules. You choose many of the rule conditions from lists.
Advanced EPLWith the Event Processing Language (EPL), you define rule criteria by writing a query.Use advanced EPL rules to define rule criteria in the EPL syntax.
Endpoint Rule Bundle An Endpoint Risk Scoring Rules Bundle, which contains approximately 400 rules, comes with NetWitness Platform 11.3 and later. The rules in this bundle only apply to NetWitness Endpoint.If you have NetWitness Endpoint, you can configure risk scoring to identify suspicious files and hosts. To turn on risk scoring for NetWitness Endpoint, you must deploy endpoint risk scoring rules on ESA. For instructions, see "Deploy Endpoint Risk Scoring Rules on ESA" in the ESA Configuration Guide. For complete information on configuring NetWitness Endpoint, see the NetWitness Endpoint Configuration Guide.

Starter Pack Rules

Sample Rule Builder rules come with NetWitness Platform and appear in the Rule Library. Use starter pack rules to get comfortable working with rules before creating your own. You can safely edit and deploy these sample rules.

Endpoint Risk Scoring Rules Bundle

An Endpoint Risk Scoring Rules Bundle, which contains approximately 400 rules, comes with NetWitness Platform 11.3 and later. These rules appear in the Rule Library with the sample rules. Endpoint risk scoring rules only apply to NetWitness Endpoint. You can add the Endpoint Risk Scoring Rules Bundle to an ESA rule deployment in the same way that you would add any ESA rule. However, you must specify endpoint data sources (Concentrators) in the ESA Rule Deployment.

Trial Rules Mode

For any type of rule, you can select the Trial Rule setting as an additional safeguard. Trial rules get disabled if they exceed a memory threshold set by the administrator. Run a rule in trial mode to monitor memory usage and to disable the rule automatically if it uses more memory than the threshold allows.

The following figure shows the Trial Rule setting in the Rule Builder.

Rule Builder showing trial rule setting

Next Topic:Role Permissions
You are here
Table of Contents > ESA Rule Types