Before creating ESA rules, make sure to update the schema in ESA. The custom meta key should be indexed in the concentrator. Refer to Update the Schema in ESA under Additional Procedures for instructions.
Create an ESA Rule with Custom Meta
Option 1: Build a new Rule and add Custom Meta by using the Rule Statement
Option 2: Edit an existing Rule and add Custom Meta by using the Rule Statement
Option 1: Build a new Rule and add Custom Meta
Step 1. Name and Describe the Rule
This topic provides instructions to identify a rule, indicate if it is a trial rule and assign a severity level. When you add a new rule, the first information to provide is a unique name and description of what the rule detects. After you save the rule, this information is displayed in the Rule Library.
You must have permission to manage rules. See Role Permissions.
To name and describe a rule:
1. In the Security Analytics menu, select Alerts > Configure > Rules.
2. In the Rule Library, select the add icon > Rule Builder. The New Rule tab is displayed.
3. Type a unique, descriptive name in the Rule Name field. This name appears in the Rule Library, so be specific enough to distinguish the rule from others.
4. In the Description field, explain which events the rule detects. The beginning of this description appears in the Rule Library.
5. By default, new rules are configured as a Trial Rule. ESA automatically disables a trial rule if all trial rules collectively exceed the memory threshold. If you are editing an existing rule, select Trial Rule to safely test the rule edits. Use trial rule mode as a safeguard to check that a rule runs efficiently and to prevent downtime caused by running out of memory. For more information, see Work with Trial Rules.
6. For Severity, classify the rule as Low, Medium, High or Critical.
Step 2. Build a Rule Statement
This topic provides instructions to define rule criteria in Rule Builder by adding statements. A statement is a logical grouping of rule criteria in the Rule Builder. You add statements to define what a rule detects.
To build a rule statement, you must know the meta key and the meta value. For a complete list of meta keys, go to Alerts > Configure > Settings > Meta Key References.
To build a rule statement:
1. In the Security Analytics menu, select Alerts > Configure. The Rules tab is displayed by default.
2. In the Rule Library, select the add icon > Rule Builder, or edit an existing Rule Builder rule. The Rule Builder view is displayed.
3. In the Conditions section, click the add icon. The Build Statement dialog is displayed.
4. Name the statement. Be clear and specific; the statement name appears in the Rule Builder.
5. From the drop-down list, select which circumstances the rule requires:
   - if all conditions are met
   - if one of these conditions are met
6. Specify the criteria for the statement:
   - For Key, type the name of the meta key.
   - For Operator, specify the relationship between the meta key and the value you will provide for it. The choices are: is, is not, is not null, is greater than (>), is greater than or equal to (>=), is less than (<), is less than or equal to (<=), contains, not contains, begins with, ends with.
   - Type the Value for the meta key. Do not add quotes around a value. Separate multiple values with a comma.
   - The Ignore Case? field is designed for use with string and string array values. When Ignore Case is selected, the query treats all string text as lowercase, so a rule that searches for the user named Johnson triggers if the event contains "johnson", "JOHNSON", or "JoHnSoN".
   - The Array? field indicates whether the contents of the Value field represent one value or more than one. Select the Array checkbox if you entered multiple, comma-separated values in the Value field. For example, "ec_activity is Logon, Logoff" requires you to select the Array checkbox.
7. To use another meta key in the statement, click the add icon, select Add Meta Condition and repeat step 6.
8. To save the statement, click Save.
9. Click Show Syntax to test whether the defined ESA rule is valid.
10. Click Save. A new rule is created which triggers an alert when a critical enterprise resource (defined in the feed) is accessed from any of the suspicious countries (defined in the feed).
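The following is an added example, not RSA or NetWitness code: a small Python evaluator that mimics the Rule Builder statement semantics described in step 5 and step 6 (Key / Operator / Value, Ignore Case?, Array?, and the all-versus-any grouping) over constructed sample events, so you can reason about what a statement will match before deploying it. The meta names other than ec_activity and the event values are assumptions.

```python
from typing import Any

# Constructed sample events (not real NetWitness data); user_dst and bytes
# are assumed meta names used only for illustration.
EVENTS = [
    {"ec_activity": "Logon",   "user_dst": "JoHnSoN", "bytes": 1500},
    {"ec_activity": "Logoff",  "user_dst": "smith",   "bytes": 20},
    {"ec_activity": "Failure", "user_dst": "johnson", "bytes": 0},
]

# Numeric operators from the Operator drop-down.
_NUMERIC = {
    "is greater than": lambda a, b: a > b,
    "is greater than or equal to": lambda a, b: a >= b,
    "is less than": lambda a, b: a < b,
    "is less than or equal to": lambda a, b: a <= b,
}

def _norm(v: Any, ignore_case: bool) -> Any:
    # Ignore Case? treats all string text as lowercase.
    return v.lower() if ignore_case and isinstance(v, str) else v

def meta_condition(event: dict, key: str, op: str, value: str = "",
                   ignore_case: bool = False, array: bool = False) -> bool:
    """Evaluate one meta condition. Value is typed as in the UI: no quotes,
    comma-separated when Array? is selected."""
    actual = event.get(key)
    if op == "is not null":
        return actual is not None
    if actual is None:
        return False
    raw = [v.strip() for v in value.split(",")] if array else [value]
    if op in _NUMERIC:
        # Coerce the typed value to the meta's type (e.g. int) before comparing.
        return any(_NUMERIC[op](actual, type(actual)(v)) for v in raw)
    a, vs = _norm(actual, ignore_case), [_norm(v, ignore_case) for v in raw]
    if op == "is":
        return a in vs
    if op == "is not":
        return a not in vs
    if op == "not contains":
        return not any(v in a for v in vs)
    tests = {"contains": lambda v: v in a,
             "begins with": a.startswith, "ends with": a.endswith}
    return any(tests[op](v) for v in vs)

def match_events(events: list, conditions: list, all_conditions: bool = True) -> list:
    """Return indices of events the statement matches. all_conditions=True is
    'if all conditions are met'; False is 'if one of these conditions are met'."""
    combine = all if all_conditions else any
    return [i for i, e in enumerate(events)
            if combine(meta_condition(e, **c) for c in conditions)]
```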
Option 2: Edit an existing Rule and add Custom Meta
To edit a rule and add custom meta:
1. In the Security Analytics menu, select Alerts > Configure > Rules. The Rules tab is displayed.
2. In the Rule Library, select the rule you want to edit and click the edit icon. Depending on the rule type, the respective rule tab is displayed.
3. To add the custom meta, follow steps 3 to 6 in the previous procedure (Step 2. Build a Rule Statement).
4. To save the statement, click Save.
Deploy Rule to Run on ESA
This topic explains how to add ESA rules to a deployment and then deploy the rules on ESA. Each ESA rule has unique criteria. The ESA rules in a deployment determine which events ESA captures, which in turn determine the alerts you receive.
To add and deploy rules:
1. In the Security Analytics menu, select Alerts > Configure. The Rules tab is displayed.
2. In the options panel, select a deployment.
3. In the Deployment view, click the add icon in the ESA Rules section. The Deploy ESA Rules dialog is displayed and shows each rule in your Rule Library.
4. Select rules and click Save. The Deployment view is displayed:
   - The rules are listed in the ESA Rules section.
   - In the Status column, Added is shown next to each new rule.
   - In the Deployments section, an icon indicates that there are updates to the deployment.
   - The total number of rules in the deployment is shown on the right.
5. Click Deploy Now. The ESA service runs the rule set.