NetWitness Platform Online Documentation

Browse the official NetWitness Platform Online documentation for helpful tutorials, step-by-step instructions, and other valuable resources.

Options

Subscribe to RSS Feed

Bookmark

Subscribe

Printer Friendly Page

Report Inappropriate Content

Versions

Collections

All Downloads

Table of Contents

Customize an RSA Live ESA RuleCustomize an RSA Live ESA Rule

This topic explains how to configure parameters in an RSA Live ESA rule. When you download an RSA Live ESA rule, the rule appears in the Rule Library which includes the following columns:

Rule Name
Description
Trial Rule
Type
Actions

The type is RSA Live ESA Rule.

PrerequisitesPrerequisites

Administrator, Operator, SOC Manager, or DPO role permissions are required.
Rules must be downloaded to the Rule Library.

Configure Parameters for an RSA Live ESA RuleConfigure Parameters for an RSA Live ESA Rule

Go to (Configure) > ESA Rules > Rules tab.
In the Rule Library, double-click an RSA Live ESA Rule or select the rule and click .
The RSA Live ESA Rule tab is displayed.
(Optional) Change the following fields:

Rule Name
Description
Trial Rule (Enabled by default. NetWitness recommends you run a rule as a trial rule long enough to assess the performance during normal and peak network traffic.)
Alert (This option applies to 11.3 and later.) Select Alert to send an alert to Respond. Clear the checkbox if you do not want to send an alert to Respond. To turn alerts on or off for ALL rules, see the ESA Configuration Guide.
Severity
Notifications
Enrichments

To configure the rule for your environment, in the Parameters section replace the default in the Value Column.
Click Save.

On this page