This topic explains how to add ESA rules to a deployment and then deploy the rules on ESA. Each ESA rule has unique criteria. The ESA rules in a deployment determine which events ESA captures, which in turn determine the alerts you receive.
For example, Deployment A includes ESA Paris and, among others, a rule to detect file transfer using a non-standard port. When ESA Paris detects a file transfer that matches the rule criteria, it captures the event and generates an alert for it. If you remove this rule from Deployment A, ESA will no longer generate an alert for such an occurrence.
To add and deploy rules:
- In the Security Analytics menu, select Alerts > Configure.
The Rules tab is displayed.
- In the options panel, select a deployment.
- In the Deployment view, click in ESA Rules.
The Deploy ESA Rules dialog is displayed and shows each rule in your Rule Library.
- Select rules and click Save.
The Deployment view is displayed:
  - The rules are listed in the ESA Rules section.
  - In the Status column, Added is next to each new rule.
  - In the Deployments section, an icon indicates that there are updates to the deployment.
  - The total number of rules in the deployment is on the right.
- Click Deploy Now.
The ESA service runs the rule set.