Customize an RSA Live ESA Rule

This topic explains how to configure parameters in an RSA Live ESA rule. When you download an RSA Live ESA rule, the rule appears in the Rule Library which includes the following columns:

  • Rule Name
  • Description
  • Trial Rule
  • Type
  • Actions


The type is RSA Live ESA Rule.


  • Administrator, Operator, SOC Manager, or DPO role permissions are required.
  • Rules must be downloaded to the Rule Library.

Configure Parameters for an RSA Live ESA Rule

  1. Go to netwitness_configureicon_24x21.png (Configure) > ESA Rules > Rules tab.
  2. In the Rule Library, double-click an RSA Live ESA Rule or select the rule and click netwitness_ic-edit.png.
    The RSA Live ESA Rule tab is displayed.
  3. (Optional) Change the following fields:
    • Rule Name
    • Description
    • Trial Rule (Enabled by default. NetWitness recommends you run a rule as a trial rule long enough to assess the performance during normal and peak network traffic.)
    • Alert (This option applies to 11.3 and later.) Select Alert to send an alert to Respond. Clear the checkbox if you do not want to send an alert to Respond. To turn alerts on or off for ALL rules, see the ESA Configuration Guide.
    • Severity
    • Notifications
    • Enrichments
  1. To configure the rule for your environment, in the Parameters section replace the default in the Value Column.
  2. Click Save.