Rule Builder Tab

The Rule Builder tab enables you to define a Rule Builder rule.

What do you want to do?

Role I want to ... Show me how
Content Expert Define a Rule Builder rule. Add a Rule Builder RuleStep 1. Name and Describe the Rule
Content Expert Define rule criteria. Step 2. Build a Rule Statement
Content Expert Add conditions to the rule. Step 3. Add Conditions to a Rule Statement
Content Expert Test the ESA rule logic. Validate an ESA Rule

Related Topics

Quick Look

To access the Rule Builder tab:

  1. Go to netwitness_configureicon_24x21.png (Configure) > ESA Rules.

    The Rules tab opens by default.

  2. In the Rule Library toolbar, select netwitness_ic-addlist.png > Rule Builder.

    The Rule Builder tab is displayed.

The following figure shows the Rule Builder tab.


The following figure shows the Rule Builder tab scrolled down with the Test Rule section in view.

The following table lists the parameters in the Rule Builder tab.

Field Description
Rule Name Purpose of the ESA rule.
Description Summary of what the ESA rule detects.
Trial Rule Deployment mode to see if the rule runs efficiently.
Memory Threshold (This option applies to version 11.5 and later.) The maximum memory usage allowed for this rule in MB. Add Memory Thresholds to ESA rules that use memory. For example, if a rule contains windows or pattern matching, configure a memory threshold for that rule. If the configured memory threshold is exceeded, it gets disabled individually and an error is displayed for that rule on the netwitness_configureicon_24x21.png (Configure) > ESA Rules > Services tab.
New rules default to a 100 MB memory threshold. Rules that existed before version 11.5 do not have a default value and a memory threshold is not set.
Alert (This option applies to version 11.3 and later.) When selected, the alert is sent to Respond. If the checkbox is cleared, an alert will not be sent to Respond.
To turn alerts on or off for ALL rules, see the ESA Configuration Guide.
Severity Threat level of alert triggered by the rule.

The Rule Builder includes the following components:

Conditions Section

In the Conditions section of the Rule Builder tab, you define what the rule detects.

The following figure shows the Conditions section.


The following table lists the parameters of the Conditions section.

Parameter Description
netwitness_ic-add.png Add a statement.
netwitness_ic-delete.png Remove selected statement.
netwitness_ic-edit.png Edit selected statement.
Statement Logical group of conditions for one operation.
Occurs Alert frequency if the condition is met. This specifies that there must be at least that many events that satisfy the criteria in order to trigger an alert. The time window in minutes binds the Occurs count.
Connector Options to specify relationship among the statements:
  • followed by
  • not followed by
  • AND
  • OR
The Connector joins two statements with AND, OR, followed by, or not followed by. When followed by is used, it specifies that there is a sequencing of those events. AND and OR build one large criteria. The followed by creates distinct criteria that occurs in sequence.
Correlation Type Correlation Type applies only to followed by and not followed by. If you choose a correlation type of SAME, select one meta to correlate on, and if you choose a correlation type of JOIN, select two meta to correlate on. You may want to use JOIN if you are trying to correlate on meta from two different data sources. For example, say you want to correlate an AV alert with an IDS alert.
Meta Enter the meta condition if choosing a correlation type of SAME or JOIN (as described above).
Meta Enter the second meta condition if choosing a correlation type of JOIN (as described above). For example, The destination IP address from the AV alert and source IP address for the workstation from the IDS alert are joined to allow you to view the same entities across different sources.
occurs within minutes Time window within which the conditions must occur.
Event Sequence

Choose whether the pattern must follow a strict match or a loose match. If you specify a strict match, this means that the pattern must occur in the exact sequence you specified with no additional events occurring in between.

For example, if the sequence specifies five failed logins (F) followed by a successful login (S), this pattern will only match if the user executes the following sequence: F,F,F,F,F,S. If you specify a loose match, this means that other events may occur within the sequence, but the rule will still trigger if all of the specified events also occur. For example, five failed login attempts (F), followed by any number of intervening successful login attempts (S), followed by a successful login attempt might create the following pattern: F,S,F,S,F,S,F,S,F,S which would trigger the rule despite the intervening successful logins.

Group By

Select the meta key by which to group results from the dropdown list.

For example, suppose that there are three users; Joe, Jane, and John and you use the Group By meta, user_dst (user_dst is the meta field for the user destination account). The result will show events grouped under the user destination accounts, Joe, Jane, and John.
You can also group by multiple keys. For example, you might want to group by user and machine to see if a user logged in from the same machine attempts to log into an account multiple times. To do this, you might group by user_dst and ip_src.

Notifications Section

In the Notifications section, you can choose how to be notified when ESA generates an alert for the rule.

For more information on the alert notifications, see Add Notification Method to a Rule.

The following figure shows the Notifications section.

Parameter Description
netwitness_ic-addlist.png To add an alert notification type.
netwitness_ic-delete.png To delete the selected alert notification.
Output Alert notification type. Options are:
  • Email
  • SNMP (This option is not supported in NetWitness version 11.3 and later.)
  • Syslog
  • Script
Notification Name of previously configured output, such as an email distribution list.
Notification Server Name of server that sends the output.
Template Name of template for the alert notification.
Output Suppression of every Option to specify alert frequency.
Minutes Alert frequency in minutes.

Enrichments Section

In the Enrichments section, you can add a data enrichment source to a rule.

For more information on the enrichments, see Add an Enrichment to a Rule.

The following figure shows the Enrichments section.


Parameter Description
netwitness_ic-addlist.png To add an enrichment.
netwitness_ic-delete.png To delete the selected enrichment.
Output Enrichment source type. Options are:
  • In-Memory Table (Ad hoc only - Recurring In-Memory Tables are no longer supported in version 11.3 and later.)
  • GeoIP
Enrichment Source Name of previously configured enrichment source, such as a .CSV filename for an In-Memory Table.
ESA Event Stream Meta ESA meta key whose value will be used as one operand of join condition.
Enrichment Source Column Name

Enrichment source column name whose value will be used as the other operand of the join condition.

For an in-memory table, If you configured a key when creating a .CSV-based enrichment, this column automatically populates with the selected key. However, you can change it if you like. For a GeoIP enrichment source, ipv4 is automatically selected.

Debug Option

Select the Debug option to print alerts to the ESA logs for troubleshooting. This adds an @Audit(‘stream’) annotation to the rule. This is useful when debugging the Esper rules.

Test Rule Section

Note: The Test Rule section is available in NetWitness Platform 11.5 and later.

In the Test Rule section, you can validate your ESA rule to determine if the rule logic is working as expected before deploying the rule.


Field Description
ESA Service Select the ESA Correlation service to process the rule.
Input Data Enter the input events to test the rule. Download the events from the Investigate view in JSON format, copy the events, and paste them in this field.
Output Data After you select an ESA Correlation service, input data, and click the Test Rule button, you can view the output of the rule here and verify that the rule is working according to your requirements. You can view the alerts in the output, but this test does not send any alert notifications.

The following table describes the test rule output Engine Stats.

Field Description
Engine Version Esper version running on the ESA service
Events Offered Number of events processed by the ESA service since the last service start
Offered Rate The rate that the ESA service processes current events / The maximum rate that the ESA service processed events
Runtime Errors If applicable, this field can contain a link to runtime error messages related to the ESA rule deployment.

The following table describes the test rule output Rule Stats.

Field Description
Deployed A green checkmark indicates that the rule is deployed on the selected ESA service.
Statements Fired The number of statements that fired the alerts
Alerts Fired The number of alerts generated from the test data
Events in Memory The number of events placed in memory by the rule
Memory Usage The total amount of memory used by the rule
CPU % The percentage of the deployment CPU used by the rule. For example, a deployment with 1 rule shows 100% CPU usage for that rule and a deployment with two equally CPU heavy rules show 50% each.
Events Matched The number of events that matched the rule
Alerted Events If applicable, this field can contain a link to events that caused an alert.
Runtime Errors If applicable, this field can contain a link to runtime error messages related to the rule.
Debug Logs This field contains a link to Esper debug (audit) logs.


Click Show Syntax to view the EPL syntax of conditions, statements, and debugging parameters. It also provides a warning when the syntax is invalid. For more information, see Rule Syntax Dialog.