Working with Trial Rules

The ESA Correlation service is capable of processing large volumes of disparate event data from Concentrators. However, when working with ESA Correlation rules, it is possible to create rules that use excessive memory. This can slow your ESA service or even cause it to shut down unexpectedly. To ensure that rules do not use excessive memory, you can enable them as trial rules. You should disable the trial rule setting only after testing the new rule in your environment during times of both normal and peak network traffic.

You can set a global threshold of the percentage of memory that trial rules may use. If that configured memory threshold is exceeded, all trial rules are disabled automatically. To configure the memory threshold, see "Change Memory Threshold for All Trial Rules" in the ESA Configuration Guide.

For suggestions on creating more efficient rules, see "Best Practices for Writing Rules" in Best Practices.

By default, new rules and RSA Live rules that you import are configured as trial rules. As a best practice, when you edit an existing rule, select the Trial Rule option, which allows you to deploy the rule with an added safeguard.

Note: Run a rule as a trial rule long enough to assess the performance during normal and peak network traffic.

Deploy Rules as Trial Rules

This topic explains to administrators how to enable trial rules when creating new rules or editing rules. Trial rules are automatically disabled if a specified total JVM memory utilization threshold is exceeded.

In NetWitness 11.4 and later, ESA trial rules no longer change status after an upgrade or deployment. For example, if you change the status of a trial rule to disabled (Configure > ESA Rules > Services tab) and redeploy the ESA rule deployment (Configure > ESA Rules > Rules tab), the trial rule remains disabled.

  1. Go to Configure > ESA Rules.
    The Configure ESA Rules view is displayed with the Rules tab open.
  2. From the Rule Library, choose to add or edit a rule. The rule builder is displayed in a new tab.
  3. To make a new or existing rule a trial rule, select the Trial Rule checkbox.
  4. Add the rule conditions or modify the rule as needed. For instructions on editing rules, see Add Rules to the Rule Library.
  5. Click Save.
  6. Ensure that trial rules are enabled for your ESA and that you are satisfied with the thresholds configured for trial rules.
    The memory threshold is set in the configuration file. To configure it, see "Change Memory Threshold for All Trial Rules" in the ESA Configuration Guide.
    • The threshold is configured per ESA and is a percentage of Java Virtual Machine (JVM) memory.
    • The configuration parameter, fatal-percentage, has a default value of 90.
  7. Optionally, you can set up the policies in Health and Wellness to send you an email notification if the total JVM memory utilization threshold is exceeded.

The next time you deploy the rule, it runs in trial rule mode.

Note: If a trial rule is disabled, you will need to go to the Configure > ESA Rules > Services tab to re-enable the trial rules. For more instructions on re-enabling trial rules on a service, see View ESA Stats and Alerts.
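The following is an added illustrative model of the safeguard described on this page, not NetWitness code: a per-ESA guard that disables every trial rule once a JVM memory sample exceeds fatal-percentage (default 90), leaves non-trial rules running, keeps trial rules disabled until they are re-enabled manually, and records an event that a Health and Wellness style notification could be driven from. Class, method and rule names, and the sample values, are assumptions.

```python
# Illustrative model of the trial-rule memory guard (not product code).
from dataclasses import dataclass, field


@dataclass
class EsaRule:
    name: str
    trial: bool           # True if the Trial Rule checkbox was selected
    enabled: bool = True


@dataclass
class TrialRuleGuard:
    """Per-ESA guard keyed on the fatal-percentage parameter (default 90)."""
    rules: list
    fatal_percentage: int = 90
    tripped: bool = False
    events: list = field(default_factory=list)

    def observe(self, jvm_used_percent: float) -> bool:
        """Feed one total JVM memory utilization sample (0-100).
        Returns True only on the sample that trips the guard."""
        # "Exceeded" means strictly greater; a sample equal to the
        # threshold does not trip it. Once tripped, later low samples
        # never re-enable the rules: that is a manual step.
        if self.tripped or jvm_used_percent <= self.fatal_percentage:
            return False
        self.tripped = True
        for rule in self.rules:
            if rule.trial:
                rule.enabled = False   # non-trial rules are untouched
        self.events.append(
            f"JVM memory {jvm_used_percent:.1f}% exceeded "
            f"fatal-percentage {self.fatal_percentage}; trial rules disabled")
        return True

    def reenable_trial_rules(self) -> None:
        """Models the manual re-enable on the Services tab; re-arms the guard."""
        for rule in self.rules:
            if rule.trial:
                rule.enabled = True
        self.tripped = False

    def enabled_rules(self) -> list:
        return sorted(r.name for r in self.rules if r.enabled)


def first_trip_index(guard: TrialRuleGuard, samples: list) -> int:
    """Replay utilization samples from a trial period (normal and peak
    traffic); return the index of the sample that tripped, or -1."""
    for i, pct in enumerate(samples):
        if guard.observe(pct):
            return i
    return -1
```

Replaying samples captured across both normal and peak traffic with first_trip_index shows whether a new rule would have triggered the safeguard before you clear its Trial Rule setting.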