
Edit an ESA Rule

This topic provides instructions to edit an Event Stream Analysis (ESA) rule. When you edit a rule, ESA applies the updated criteria going forward. No changes are made to previously generated alerts.

To edit an ESA Rule

  1. Go to Configure (CONFIGURE) > Policies.

  2. In the policies panel, click Content.

  3. In the left panel, click Content Library.

    The available rules are displayed.

  4. Click Event Stream Analysis Rule.

  5. In the ESA rule panel, select the rule that needs to be edited.

    The overview panel opens, showing the Edit Rule tab on top.

  6. Click the Edit Rule tab.

    (Screenshot: the Edit Rule tab in the ESA rule overview panel)

    This opens the ESA Rules > Rules view, where the rule can be edited.

    For more information on editing an ESA rule, see Edit, Duplicate or Delete a Rule.

Configure MITRE ATT&CK Details for an ESA Rule

You can tag an ESA rule with MITRE ATT&CK Tactics and Techniques. The MITRE ATT&CK framework describes the tactics, techniques, and sub-techniques used by advanced attackers and advanced persistent threats (APTs). When an ESA rule is tagged with MITRE ATT&CK Tactics and Techniques, analysts can quickly identify the incidents, alerts, and events associated with a given tactic or technique.

To configure MITRE ATT&CK details for an ESA Rule

  1. Go to Configure (CONFIGURE) > Policies.

  2. In the policies panel, click Content.

  3. In the left panel, click Content Library.

    The available rules are displayed.

  4. Click Event Stream Analysis Rule.

  5. In the ESA rule panel, select the rule that needs to be edited.

    The overview panel opens, showing the Edit Rule tab on top.

  6. Click the Configure MITRE ATT&CK Details option.

    (Screenshot: the Configure MITRE ATT&CK Details option for an ESA rule)

  7. In the Configure MITRE ATT&CK Details window, select the MITRE ATT&CK Tactics. You can apply multiple MITRE Tactics for an ESA rule.

  8. Select the MITRE ATT&CK Techniques. You can apply multiple MITRE Techniques for an ESA rule.

    For more information on the MITRE ATT&CK framework, see About MITRE ATT&CK Tactics and Techniques.
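The following is an added, illustrative example (not NetWitness code and not the product's data model) of what the tagging in steps 7 and 8 buys an analyst: once each rule carries well-formed ATT&CK Tactic (TAnnnn) and Technique (Tnnnn or Tnnnn.nnn) identifiers, alerts raised by those rules can be indexed and counted per tactic and technique, and rules that were never tagged can be listed for follow-up. The rule and alert records below are constructed sample data; the identifier formats follow the public ATT&CK naming scheme.

```python
import re
from collections import defaultdict

# Public ATT&CK identifier formats: tactics are TA + 4 digits,
# techniques are T + 4 digits with an optional .3-digit sub-technique suffix.
TACTIC_ID = re.compile(r"^TA\d{4}$")
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")

# Constructed sample rules: rule name -> the tags an analyst applied in the
# Configure MITRE ATT&CK Details window (hypothetical, not product data).
RULES = {
    "rule-lateral-smb": {"tactics": ["TA0008"], "techniques": ["T1021.002"]},
    "rule-cred-dump": {"tactics": ["TA0006"], "techniques": ["T1003", "T1003.001"]},
    "rule-untagged": {"tactics": [], "techniques": []},
}

# Constructed sample alerts, each produced by one of the rules above.
ALERTS = [
    {"id": 1, "rule": "rule-lateral-smb", "host": "ws01"},
    {"id": 2, "rule": "rule-cred-dump", "host": "dc01"},
    {"id": 3, "rule": "rule-untagged", "host": "ws02"},
    {"id": 4, "rule": "rule-cred-dump", "host": "ws01"},
]


def validate_tags(tactics, techniques):
    """Return the identifiers that do not match the ATT&CK naming scheme.

    An empty list means every tag is well-formed. Run this before saving a
    rule's tags so a typo does not silently drop alerts from tactic views.
    """
    bad = [t for t in tactics if not TACTIC_ID.match(t)]
    bad += [t for t in techniques if not TECHNIQUE_ID.match(t)]
    return bad


def _index_alerts(rules, alerts, tag_kind):
    """Map each tag of the given kind ('tactics' or 'techniques') to alert ids."""
    index = defaultdict(list)
    for alert in alerts:
        tags = rules.get(alert["rule"], {}).get(tag_kind, [])
        for tag in tags:
            index[tag].append(alert["id"])
    return dict(index)


def alerts_by_tactic(rules, alerts):
    """Alert ids grouped by the tactic tagged on the originating rule."""
    return _index_alerts(rules, alerts, "tactics")


def alerts_by_technique(rules, alerts):
    """Alert ids grouped by the technique or sub-technique on the rule."""
    return _index_alerts(rules, alerts, "techniques")


def parent_technique(technique_id):
    """Collapse a sub-technique id (T1003.001) to its parent (T1003)."""
    return technique_id.split(".", 1)[0]


def untagged_rules(rules):
    """Rules with no MITRE tags at all; their alerts never appear in tactic views."""
    return sorted(
        name for name, tags in rules.items()
        if not tags["tactics"] and not tags["techniques"]
    )


if __name__ == "__main__":
    for name, tags in RULES.items():
        problems = validate_tags(tags["tactics"], tags["techniques"])
        print(f"{name}: {'ok' if not problems else 'malformed ' + str(problems)}")
    print("by tactic:", alerts_by_tactic(RULES, ALERTS))
    print("by technique:", alerts_by_technique(RULES, ALERTS))
    print("untagged rules:", untagged_rules(RULES))
```

The `untagged_rules` check is the one worth automating: an alert from a rule without tags is still raised, but it is invisible to any view that filters or pivots on tactic or technique, which defeats the purpose of the tagging described above.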
