Working with RSA Live ESA RulesWorking with RSA Live ESA Rules
This topic explains working with configurable RSA ESA rules from the NetWitness Live Content Management System so you can customize them to meet your needs.
RSA Live contains a catalog of rules. Each rule has configurable parameters so you can customize the rule for your environment. If RSA Live has a rule to detect events that you want to detect in your network, download the rule to save time. You can edit the configurable parameters and save the rule in your Rule Library. For detailed information about each rule, including whether the rule is for logs, packets, or both, see "RSA ESA Rules" at the following link: https://community.netwitness.com/t5/netwitness-platform-threat/rules/ta-p/677884
This is an example of how each RSA Live ESA rule is described on RSA Live:
Rule Name | Description |
---|---|
Logins across Multiple Servers | Detects logins from the same user across 3 or more separate servers within 5 minutes. The time window and number of unique destinations are configurable. |
As the name shows, the rule looks for logins across multiple servers. The description explains the rule criteria in more detail and specifies which parameters you modify.
Note: When a rule description includes a configurable parameter, the default setting for the parameter is used. In the example rule, the description states 5 minutes. However, the time window is configurable so 5 is the default number of minutes.
PrerequisitesPrerequisites
These are the prerequisites for working with configurable Live ESA rules;
- Have permission to manage rules.
- Create a Live Account. See the Live Services Management Guide for details.
- Set up Live on NetWitness. See the Live Services Management Guide for details.
- Update your meta keys. See "Update Your ESA Rules for the Required Multi-Value and Single-Value Meta Keys" in the ESA Configuration Guide
Subscribe and Unsubscribe Live ESA RulesSubscribe and Unsubscribe Live ESA Rules
You can subscribe and unsubscribe live ESA rules from the Configure > Policies page.
To Subscribe the Live ESA rules
- Go to (CONFIGURE) > Policies.
- In the policies panel, click Content.
The available policies are displayed.
-
Click a Policy.
The selected policy view is displayed and by default Application Rule is selected.
-
Click Event Stream Analysis Rule > Rules.
-
Click one or more Live ESA rules and click Subscribe.
Note: ESA Rules cannot be manually deployed via Live Services. By default, all the ESA rules from Live are available in the ESA Rule library, if live is configured.