An ESM rule is a programmed procedure that attempts to correlate incoming network Events and generates new events that report on correlation when it occurs, as determined by security policy. Rules also apply Conditions and perform Rule Actions.
Canned rules can be viewed, edited, and used as templates to create your own enterprise-specific or custom rules. To see what's available, browse the description provided with each rule in the ArcSight Console.
Different users can simultaneously create rules from their ArcSight Consoles. Once created, all rules are sent to the Manager, which updates any other individual Consoles. Updates to Resources, including rules, are automatically refreshed every few seconds so that clients get the latest changes from other clients.
Information on creating, deploying, and managing rules is provided in Rule Authoring.