An ESA deployment consists of a policy with ESA rules, ESA services, and data sources. The ESA service scans your network for suspicious activity whenever you deploy policies. Each ESA rule detects a different event, such as a user account being created and deleted within 24 hours.

In addition, you can perform other steps on your deployment, such as changing a data source, editing or deleting a rule from the deployment through policy, renaming or deleting the deployment, or showing updates to the deployment. For details, see Additional ESA Correlation Rules Procedures.

In version 12.1 and later, to create a deployment you must create a policy with the ESA rule content type and associate the policy with the group that has a correlation service.

For more information on policies, see Policies.

For more information about groups, see Groups.

Note: With the unified ESA Deployments tab, you can manage deployments from a single view across all policies within Policy-based Centralized Content Management (CCM).

You can do the following: