Change Rule Parameters
Some Event Stream Analysis Rules can have parameters (for example, a time period) that you can modify using the ESA Rules View. For example, the Adapter in Promiscuous Mode after Multiple Login Attempts ESA rule has the Within this number of seconds parameter with the default time of 5 minutes (300 seconds). This is the time that needs to elapse before the rule goes into promiscuous mode.
To change an Event Stream Analysis rule parameter:
-
Depending on your version:
- For NetWitness 11.x: Go to CONFIGURE > ESA Rules > Rules.
- For Security Analytics 10.x: In the Security Analytics menu, click Alerts > Configure > Rules.
Note: Select GET RULES FROM RSA LIVE to find, download, and deploy rules.
-
Select a rule (for example, Adapter in Promiscuous Mode after Multiple Login Attempts) and click .
A new tab for building and editing rules displays.
- In the Parameters field, click on the value of the parameter (for example 300).
- Change the existing value to the desired value (for example 480) and click Save.