Each ESA rule is designed to detect a specific kind of activity in your network and to generate an alert when it occurs:
- User activity that is not allowed, such as attempting to download software that is not sanctioned
- Suspicious behavior, such as mass audit clearing
- Known malicious threats, such as worm propagation or a password-cracking tool
There are two methods to design a rule in ESA:
- Rule Builder is an easy-to-use interface. You provide a meta key and value, then select choices from lists to complete the criteria.
- Advanced EPL allows you to write queries in the Event Processing Language. You must know EPL syntax.
If you know EPL, you can use either method. If you do not know EPL, you should use Rule Builder. These topics explain the Rule Builder.
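To show what the Advanced EPL method looks like in practice, here is an added example rule (not from the original documentation) that implements the "mass audit clearing" case listed above: it alerts when one account clears audit logs on several hosts within a short window. The meta keys (ec_activity, ec_subject, user_dst, device_ip), the annotation names and the thresholds are assumptions chosen for illustration; check them against the meta keys and EPL version in your own ESA deployment before using it.

```sql
-- Added example, not part of the original page.
-- Assumed: ESA exposes NetWitness meta as fields of the Event stream,
-- and the @Name / @RSAAlert annotations mark the statement as an alerting rule.
@Name('Example_Mass_Audit_Clearing')
@Description('One account clears audit logs on 5 or more hosts within 5 minutes')
@RSAAlert(identifiers={'user_dst'})
SELECT
    user_dst,                          -- account performing the clears (assumed meta key)
    count(distinct device_ip) AS hosts -- number of distinct hosts affected
FROM Event(
        ec_activity = 'Clear'          -- assumed event-category values
    AND ec_subject  = 'Audit'
).win:time(5 min)                      -- sliding 5-minute window (older Esper syntax; newer releases use #time(5 min))
GROUP BY user_dst
HAVING count(distinct device_ip) >= 5; -- threshold: tune to your environment
```

The same detection can be built in Rule Builder by choosing the meta key and value for the audit-clearing event and then selecting a grouping key and count threshold from the lists; the EPL form is only needed when you want conditions the builder cannot express, such as the distinct-host count above.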