The Rule Builder tab enables you to define a Rule Builder rule.
What do you want to do?
| Role | I want to ... | Show me how |
|---|---|---|
| Content Expert | Define a Rule Builder rule. | |
| Content Expert | Define rule criteria. | Step 2. Build a Rule Statement |
| | Add conditions to the rule. | |
To access the Rule Builder tab:
- Go to Configure > ESA Rules. The Rules tab opens by default.
- The Rule Builder tab is displayed.
The following figure shows the Rule Builder tab.
The following table lists the parameters in the Rule Builder tab.

| Parameter | Description |
|---|---|
| Rule Name | Purpose of the ESA rule. |
| Description | Summary of what the ESA rule detects. |
| Trial Rule | Deployment mode to see if the rule runs efficiently. |
| | (This option applies to version 11.3 and later.) When selected, the alert is sent to Respond. If the checkbox is cleared, no alert is sent to Respond. |
| Severity | Threat level of the alert triggered by the rule. |
The Rule Builder includes the following components:
- Conditions section
- Notifications section
- Enrichments section
In the Conditions section of the Rule Builder tab, you define what the rule detects.
The following figure shows the Conditions section.
The following table lists the parameters of the Conditions section.
In the Notifications section, you can choose how to be notified when ESA generates an alert for the rule.
For more information on the alert notifications, see Add Notification Method to a Rule.
In the Enrichments section, you can add a data enrichment source to a rule.
For more information on the enrichments, see Add an Enrichment to a Rule.
The following figure shows the Enrichments section.
Select the Debug option to print alerts to the ESA logs for troubleshooting. This adds an @Audit('stream') annotation to the rule, which is useful when debugging Esper rules.
Click Show Syntax to view the EPL syntax of the conditions, statements, and debugging parameters. It also displays a warning when the syntax is invalid. For more information, see Rule Syntax Dialog.
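The following is an added example, not from this page or from the product, of the kind of Esper EPL statement the Rule Builder produces, shown with the @Audit('stream') annotation that the Debug option inserts. The event type name Event, the meta keys ec_activity, ec_outcome, user_dst and ip_src, and the Esper 5-style .win:time() window syntax are assumptions; the threshold and window are constructed values.

```sql
-- Added example (not from the page): an EPL rule with the Debug annotation.
-- Assumptions: the ESA event stream is named Event, the meta keys
-- ec_activity, ec_outcome, user_dst and ip_src exist, and the data
-- window uses the Esper 5-style .win:time() syntax.
-- @Audit('stream') makes Esper write every event entering this statement's
-- stream to the engine log, which is what the Debug option relies on.
@Audit('stream')
SELECT user_dst, ip_src, COUNT(*) AS failures
FROM Event(ec_activity = 'Logon' AND ec_outcome = 'Failure').win:time(5 min)
GROUP BY user_dst, ip_src
HAVING COUNT(*) >= 5;
```

With the annotation in place, each matching event is logged as it is processed, so the output grows with event volume; the Debug option is intended for troubleshooting a rule rather than for normal operation.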