Step 1. Name and Describe the Rule

This topic provides instructions to identify a rule, indicate if it is a trial rule and assign a severity level. When you add a new rule, the first information to provide is a unique name and description of what the rule detects. After you save the rule, this information is displayed in the Rule Library.

Prerequisites

You must have permission to manage rules. See ESA Permissions.

Name and Describe a Rule

  1. Go to Configure > ESA Rules > Rules tab.
  2. In the Rule Library, select the Add (+) icon > Rule Builder.
    The New Rule tab is displayed.
    [Screenshot: the New Rule tab in the Rule Builder]
  3. Type a unique, descriptive name in the Rule Name field.
    This name will appear in the Rule Library, so make it specific enough to distinguish the rule from others.
  4. In the Description field, explain which events the rule detects.
    The beginning of this description will appear in the Rule Library.
  5. By default, new rules are configured as a Trial Rule. A trial rule is automatically disabled if all trial rules collectively exceed the memory threshold. If you are editing an existing rule, you can select Trial Rule to safely test the rule edits.
    Use trial rule mode as a safeguard to see if a rule runs efficiently and to prevent downtime caused by running out of memory. For more information, see Working with Trial Rules.
  6. (This option applies to 11.5 and later.) Enter a Memory Threshold for a rule that uses memory, such as a rule that contains windows or pattern matching. If the configured memory threshold is exceeded, the rule is disabled individually and an error is displayed for that rule on the Configure > ESA Rules > Services tab. The Memory Threshold option works for trial rules and non-trial rules. New rules default to a 100 MB memory threshold. Rules that existed before version 11.5 do not have a default value, and no memory threshold is set for them.
  7. (This option applies to 11.3 and later.) Select Alert to send an alert to Respond. Clear the checkbox if you do not want to send an alert to Respond. To turn alerts on or off for ALL rules, see the ESA Configuration Guide.
  8. For Severity, classify the rule as Low, Medium, High or Critical.