difference between Incident rules, ESA rules, NetWitness rules
There are many types of alert rules within the system. Netwitness rules could come in the form of the following:
Application Rules - These look for specific values in logs or network sessions and the result is meta is added to the system. For example, when you have a session that has a source address of 188.8.131.52 and a destination port of 80 add the word "suspicious" into the meta key "alert.id"
Reporting Engine Alert Rules - These are similar to an application rule, however the main function is to provide an output action, such as sending an email or a syslog message. Reporting engine rules are very limited as they can not look for sequences, such as a Log in to a VPN system followed by a windows log in.
ESA Rules - The ESA engine is a full Correlation engine with very few limitations. Rules looking for patterns or sequences are written here, as well as more complex rules.
Incident rules are run within the Respond module. Think of these rules as correlation rules run on top of existing rules that have triggered. For example aggregate all rules that have fired for my CEO and group them into a single incident.
Hope this helps