Article Number
000032502
Applies To
RSA Product Set: Security Analytics
RSA Product/Service Type: Event Stream Analysis, Security Analytics UI
RSA Version/Condition: 10.5.x
Issue
While configuring a new rule, it is suggested to mark it as Trial rule for a while to assess its effectiveness and stability.
Resolution
When we configure a rule as trial rule, ESA does the following:
- ESA periodically checks memory utilization
- If memory utilization exceeds the threshold, all rules marked as trial will get disabled
- Threshold values - Memory Utilization 85% / Check Interval 300 seconds
- These prevents any bad/misconfigured rules from crashing the ESA service
Notes
The above settings can be changed from : ESA Explore View -> CEP -> Module -> Configuration
The parameters are
- MemoryThresholdForTrialRules (Default Value 85)
- MemoryCheckPeriod (Default Value 300)