
Alerting: Add a Rule Builder Rule

Document created by RSA Information Design and Development Employee on Sep 12, 2017. Last modified by RSA Information Design and Development Employee on Nov 11, 2020.
Version 16

Each ESA rule is designed to detect a specific kind of activity in your network and to generate an alert for it, such as:

  • User activity that is not allowed, such as attempting to download software that is not sanctioned
  • Suspicious behavior, such as mass audit clearing
  • Known malicious threats, such as worm propagation or a password-cracking tool

There are two methods to design a rule in ESA:

  • Rule Builder is an easy-to-use interface. You provide a meta key and value, then select choices from lists to complete the criteria.
  • Advanced EPL allows you to write queries in the Event Processing Language. You must know EPL syntax.

If you know EPL, you can use either method. If you do not know EPL, you should use Rule Builder. These topics explain the Rule Builder. 
