Rule Types

ESM provides the following rule types:

Type	Description
Standard rules	Include all features for rule creation such as one or more event aliases (has joins), field aggregation options, and rule actions based on different triggers. You can convert a standard rule to a lightweight or pre-persistent rule (Converting Rule Types).
Lightweight rules	Include a small set of features for rule creation for faster and simpler rule processing. A lightweight rule: Has only one event alias (no joins). Does not aggregate data fields, therefore, the Aggregation tab is disabled. Executes a specific action only on the On Every Event trigger. Only allows active and session list actions. See also Rule Actions Reference for additional details on the Active List and Session List rule actions. Does not generate correlation or audit events, although failures are logged. Is processed earlier in the flow than standard rules. Can be converted to other rule types (Converting Rule Types).
Pre-persistence rules	Include a small set of features to enable basic event analysis and the setting of various event fields, therefore enriching these base events, before the events themselves are persisted in the database. A typical usage for this rule type would be for threat-level formula calculations. A pre-persistence rule: Has only one event alias (no joins). Does not aggregate data fields, therefore, the Aggregation tab is disabled. Executes a specific action only on the On Every Event trigger. Can only perform the Set Event Field action. The action is applied to incoming base events. Values of the modified fields are available to standard and lightweight real-time rules, which run during the post-persistence processing flow. Does not generate correlation or audit events, although failures are logged. Is processed earlier in the flow than lightweight and standard rules. Cannot be scheduled or replayed, since events occurring in the past have already been persisted and can no longer be modified. Can be converted to other rule types (see Converting Rule Types).

Type

Description

Standard rules

Include all features for rule creation such as one or more event aliases (has joins), field aggregation options, and rule actions based on different triggers. You can convert a standard rule to a lightweight or pre-persistent rule (Converting Rule Types).

Lightweight rules

Include a small set of features for rule creation for faster and simpler rule processing.

A lightweight rule:

Has only one event alias (no joins).
Does not aggregate data fields, therefore, the Aggregation tab is disabled.
Executes a specific action only on the On Every Event trigger.
Only allows active and session list actions. See also Rule Actions Reference for additional details on the Active List and Session List rule actions.
Does not generate correlation or audit events, although failures are logged.
Is processed earlier in the flow than standard rules.
Can be converted to other rule types (Converting Rule Types).

Pre-persistence rules

Include a small set of features to enable basic event analysis and the setting of various event fields, therefore enriching these base events, before the events themselves are persisted in the database. A typical usage for this rule type would be for threat-level formula calculations.

A pre-persistence rule:

Has only one event alias (no joins).
Does not aggregate data fields, therefore, the Aggregation tab is disabled.
Executes a specific action only on the On Every Event trigger.
Can only perform the Set Event Field action. The action is applied to incoming base events. Values of the modified fields are available to standard and lightweight real-time rules, which run during the post-persistence processing flow.
Does not generate correlation or audit events, although failures are logged.
Is processed earlier in the flow than lightweight and standard rules.
Cannot be scheduled or replayed, since events occurring in the past have already been persisted and can no longer be modified.
Can be converted to other rule types (see Converting Rule Types).