
Rule Builder Tab


The Rule Builder tab enables you to define a Rule Builder rule.

What do you want to do?

Related Topics

Quick Look

To access the Rule Builder tab:

  1. Go to Configure > ESA Rules.

    The Rules tab opens by default.

  2. In the Rule Library toolbar, select the add icon > Rule Builder.

    The Rule Builder tab is displayed.

The following figure shows the Rule Builder tab.

[Figure: Rule Builder tab]

The following figure shows the Rule Builder tab scrolled down with the Test Rule section in view.
[Figure: Rule Builder tab scrolled down, with the Test Rule section in view]

The following table lists the parameters in the Rule Builder tab.

The Rule Builder includes the following components:

Conditions Section

In the Conditions section of the Rule Builder tab, you define what the rule detects.

The following figure shows the Conditions section.

[Figure: Conditions section]

The following table lists the parameters of the Conditions section.

Notifications Section

In the Notifications section, you can choose how to be notified when ESA generates an alert for the rule.

For more information on the alert notifications, see Add Notification Method to a Rule.

The following figure shows the Notifications section.
[Figure: Notifications section]

Enrichments Section

In the Enrichments section, you can add a data enrichment source to a rule.

For more information on the enrichments, see Add an Enrichment to a Rule.

The following figure shows the Enrichments section.

[Figure: Enrichments section]

Debug Option

Select the Debug option to print alerts to the ESA logs for troubleshooting. This adds an @Audit('stream') annotation to the rule, which is useful when debugging Esper rules.

Test Rule Section

Note: The Test Rule section is available in NetWitness Platform 11.5 and later.

In the Test Rule section, you can validate your ESA rule to determine if the rule logic is working as expected before deploying the rule.

[Figure: Test Rule section]

The following table describes the test rule output Engine Stats.

The following table describes the test rule output Rule Stats.