Edit an ESA Rule
This topic provides instructions to edit an Event Stream Analysis (ESA) rule. When you edit a rule, ESA applies the updated criteria going forward. No changes are made to previously generated alerts.
To edit an ESA Rule
- Go to (CONFIGURE) > Policies.
- In the policies panel, click Content.
- In the left panel, click Content Library.
  The available rules are displayed.
- Click Event Stream Analysis Rule.
- In the ESA rule panel, select the rule that needs to be edited.
  The overview panel opens, showing the Edit Rule tab on top.
- Click the Edit Rule tab.
![12.3ESARuleMan3.png 12.3ESARuleMan3.png](https://community.netwitness.com/t5/image/serverpage/image-id/428936iBDB9A4E9A326D1F3/image-size/large?v=v2&px=999)
This opens the ESA Rules > Rules view.
For more information on editing an ESA rule, see Edit, Duplicate or Delete a Rule.
Configure MITRE ATT&CK Details for an ESA Rule
You can tag an ESA rule with MITRE ATT&CK Tactics and Techniques. The MITRE ATT&CK framework provides insight into the tactics, techniques, and sub-techniques used by advanced attackers or advanced persistent threats (APTs). When an ESA rule is tagged with MITRE ATT&CK Tactics and Techniques, analysts can easily identify the incidents, alerts, and events associated with those tactics and techniques.
To configure MITRE ATT&CK details for an ESA Rule
- Go to (CONFIGURE) > Policies.
- In the policies panel, click Content.
- In the left panel, click Content Library.
  The available rules are displayed.
- Click Event Stream Analysis Rule.
- In the ESA rule panel, select the rule that needs to be edited.
  The overview panel opens, showing the Edit Rule tab on top.
- Click the Configure MITRE ATT&CK Details option.
![12.4_ccm_mitre_configure_esa.png 12.4_ccm_mitre_configure_esa.png](https://community.netwitness.com/t5/image/serverpage/image-id/428938i89F986DFA1EE6FB9/image-size/large?v=v2&px=999)
- In the Configure MITRE ATT&CK Details window, select the MITRE ATT&CK Tactics. You can apply multiple MITRE Tactics for an ESA rule.
- Select the MITRE ATT&CK Techniques. You can apply multiple MITRE Techniques for an ESA rule.
For more information on the MITRE ATT&CK framework, see About MITRE ATT&CK Tactics and Techniques.