Creating an ESM check

You can create ESM checks using the Check Builder wizard.

The Check Builder wizard provides you with the following options to create checks:

The Quick Check Builder option	Lets you create a check without a precondition.
The Advanced Check Builder option.	Lets you add a precondition to the new check.

The check execution process in ESM includes the following:

Every check in a CCS 9.0 ESM standard maps to a module in an ESM policy.
The CCS evaluation engine checks if the ESM agent reports the security messages that the corresponding CCS ESM check generates.
If the ESM agents reports security messages, then the CCS check is reported as "Fail."

In case of a failed check, the evidence report includes the following:
- The ESM message title
- The message name
- The message information
If the ESM agent does not report any security message, then the CCS evaluation engine checks if the agent reports any error message.
If the ESM agents reports error messages, then the CCS check is reported as "Unknown" and the evidence report includes the ESM error messages.
If the ESM agent does not report any security message or any error message, then the CCS check is reported as "Pass."

Note:

You must include the policy name and the module name in the data filter when you create an expression in an ESM check. The ESM data collector uses the policy name and module name that you specify when it collects data for the checks.