$210 USD
2,000 Training Credits
Summary
This on-demand learning presents a recommended approach to learning EPL syntax and to writing EPL rules that detect threats.
Overview
This on-demand learning identifies a best-practice strategy for creating EPL rules and for learning the EPL rule syntax. It uses examples and use cases to illustrate EPL rule concepts such as streams, constructs, data windows and time constraints.
Audience
Anyone interested in using RSA Security Analytics Event Stream Analysis to create EPL rules to help identify suspicious activity.
Delivery Type
On-Demand Learning
Duration
90 minutes
Prerequisite Knowledge/Skills
Students should have completed the following courses (or have equivalent knowledge) prior to taking this training:
- Introduction to the RSA NetWitness Platform
- RSA NetWitness Platform ESA Fundamentals
- RSA NetWitness Platform Foundations
Course Objectives
Upon successful completion of this course, participants should be able to:
- Describe the Esper engine and EPL
- Describe EPL Rule Types
- Describe data windows
- Describe how time is calculated
- Describe single-value and multi-value meta keys
- Describe a recommended process for designing and writing EPL rules
- Describe EPL syntax
- Use the EPL Online Tool to design and test EPL rules
- Create EPL rules for specific use cases
- List the best practices for ESA rules
Course Outline
- EPL Overview
  - Event Processing Language
  - Esper engine
  - EPL rule types
  - EPL event stream
  - Data windows
  - How time is calculated in ESA
  - Single and multi-valued meta keys
  - EPL rule examples
- Writing EPL Rules
  - An effective way to learn EPL
  - Building an EPL library
  - Sample EPL templates
  - Recommended process for creating ESA rules
  - Designing rules checklist
  - Writing and testing rules guidelines
  - ESA meta keys
- Creating EPL Rules
  - Live Rules
  - Using the EPL online tool
- EPL Use Cases
  - Techniques for developing and testing EPL rules
  - Videos demonstrating common use cases
- Best Practices
  - General best practices
  - Trial rules
  - Best practice by task
  - Writing rules for accuracy
  - Writing rules for performance
- EPL Caveats
If you have any questions, please contact your account manager or Contact Us directly!