ESA Basics - Trial Rules
Hi All –
I’ve had a couple of questions and conversations around ESA best practices and rule creation. One of the easier things you can do to protect ESA when you’re creating complex rules, or rules that might be more experimental in nature, is to ensure that they’re tagged as Trial Rules.
When rules are configured as Trial Rules, they will all be disabled when ESA Memory reaches a configured threshold. Note, ALL rules configured as Trial Rules will be disabled if the memory reaches that threshold.
The Trial Rules functionality is an easy way to add a level of protection when you’re working with complex or experimental rules.
For more info, there’s a nice write-up of ESA Trial Rules, as well as ESA in general, in the online SA Docs.
Please let me know if you have any questions about this topic (or any ESA topic).
Do we have a timeline for improved memory utilization in ESA via the GUI on a per rule basis?
i.e. look at which rules are using the most memory so you can tune them/manage resource constraints.
We're looking at a lot of different ways to improve the capacity of ESA in upcoming versions; it's a key part of our system and we want to keep making it better. Since this is a pretty specific roadmap item, I'll shoot you an email about this outside of the RSA Link forum.