Edit, Duplicate or Delete a Rule

This topic provides instructions to edit, duplicate, or delete an Event Stream Analysis (ESA) rule. When you edit a rule, ESA applies the updated criteria going forward. No changes are made to previously generated alerts.

Edit a Rule

  1. Go to netwitness_configureicon_24x21.png (Configure) > ESA Rules > Rules tab.
    The Rules tab is displayed.
  2. In the Rule Library, select the rule you want to edit and click netwitness_ic-edit.png.
    Depending on the rule type, the respective rule tab is displayed.
  3. Modify the required parameters.
  4. Click Save.

Duplicate a Rule

  1. In the Rule Library, select the rule you want to duplicate and click netwitness_ic-duplicate.png.
  2. The Duplicate a Rule dialog is displayed. The system adds Copy of in front of the rule name.
    netwitness_duprule_384x92.png
  3. In the Name field, type a unique name for the duplicate rule and click OK.

A duplicate rule with the new name is added to the Rule Library.

Delete a Rule

  1. Go to netwitness_configureicon_24x21.png (Configure) > ESA Rules > Rules.
    The Rules tab is displayed.
    netwitness_121_esarulestb_1122_576x255.png

  2. In the Rule Library, select one or more rules and click netwitness_ic-delete.png.

    A warning dialog is displayed.

  3. Click Yes.
    A confirmation message that the rule is deleted successfully is displayed and the selected rule is deleted from the Rule Library.