ESA Config: Deploy Endpoint Risk Scoring Rules on ESA

Document created by RSA Information Design and Development on Apr 11, 2019. Last modified by RSA Information Design and Development on Jan 30, 2020.

Note: The information in this topic applies to RSA NetWitness Platform 11.3 and later.

Endpoint Risk Scoring Rules only apply to NetWitness Endpoint.

The ESA Correlation service processes and deploys endpoint risk scoring rules. These rules generate alerts that are used in risk scoring calculations to identify suspicious files and hosts. To turn on Risk Scoring for NetWitness Endpoint, you must deploy endpoint risk scoring rules on ESA. An Endpoint Risk Scoring Rules Bundle comes with NetWitness Platform along with the sample ESA rules. The Endpoint Risk Scoring Bundle contains approximately 400 rules. You add this rule bundle to an ESA Rule Deployment in the same way that you would add any ESA rule. However, you must specify endpoint data sources (Concentrators) during ESA Rule Deployment.

For complete information on configuring NetWitness Endpoint, see the NetWitness Endpoint Configuration Guide. For more information about ESA rule deployments, see "Deploy Rules to Run on ESA" in the Alerting with ESA Correlation Rules User Guide.

Important Considerations when Deploying the Endpoint Risk Scoring Rules Bundle

  • If you add the Endpoint Risk Scoring Bundle to an ESA rule deployment, the deployment should have data sources with endpoint data.
  • An ESA rule deployment can have only one ESA Correlation service. You can, however, use the same ESA Correlation service in multiple deployments.
  • If you have two ESA Correlation services with the same endpoint data sources, deploy the Endpoint Risk Scoring Rules Bundle on only one of them.

Deploy the Endpoint Risk Scoring Rules Bundle on ESA

Caution: Before you deploy the Endpoint risk scoring rules, update your meta keys. See Update Your ESA Rules for the Required Multi-Value and Single-Value Meta Keys.

When you deploy the Endpoint Risk Scoring Rules Bundle in an ESA rule deployment, the ESA Correlation service gathers endpoint data in your network and runs endpoint risk scoring rules against the data. The goal is to capture events that match rule criteria, then generate alerts for the captured events.

The following procedure shows how to create an ESA rule deployment with the Endpoint Risk Scoring Rules Bundle and deploy it. If you already have an ESA rule deployment with endpoint data sources, you can add the Endpoint Risk Scoring Rules Bundle to the existing deployment.

To create and deploy an ESA rule deployment with the Endpoint Risk Scoring Bundle:

  1. Go to Configure > ESA Rules > Rules tab.
  2. In the options panel on the left, next to Deployments, select the Add deployment icon > Add to add a deployment, type a name for the deployment, such as Endpoint Risk Scoring Rules, and press Enter.
    [Figure: Rules tab Options panel - Adding a deployment]

    The deployment is added and the Deployment view is displayed on the right.
    [Figure: Deployment added]


    The deployment name that you choose also appears on a deployment tab in the Configure > ESA Rules > Services tab, where you can view deployment details and statistics.
  3. Add an ESA Correlation service:
    1. In the Deployment view ESA Services section, click the Add icon.
      The Deploy ESA Services dialog lists each configured ESA Correlation service.
      [Figure: Deploy ESA Services dialog]
    2. Select an ESA Correlation service and click Save.
      The Deployment view is displayed. The ESA Correlation service is listed in the ESA Services section with an Added status.

      [Figure: Service added]
  4. Add one or more data sources with endpoint data:
    1. In the Deployment view Data Sources section, click the Add icon.
      The Available Configured Data Sources dialog lists the services that have been configured for use as a data source.
      [Figure: Available Configured Data Sources dialog]
    2. To add a data source configuration, click the Add icon.
      The Available Services dialog lists the available data sources from the Admin > Services view.

      [Figure: Available Services dialog]
      If an endpoint data source (service) that you are looking for is not in the list, see the Hosts and Services Getting Started Guide for instructions on how to install a service on a host.
    3. Note: You can add a Log Decoder as a data source for ESA, but it is better to add a Concentrator: the Concentrator gives ESA undivided aggregation, whereas the Decoder may already have other processes aggregating from it.

    4. In the Available Services dialog, select an endpoint data source, such as a Concentrator, and click OK.
    5. In the Add Service dialog, type the Administrator username and password for the endpoint data source.
      [Figure: Add Service dialog for adding a Concentrator data source]
    6. To enable the SSL or Compression options, select the corresponding checkboxes.
    7. (Optional) In NetWitness Platform 11.3 and later, you can adjust the Compression Level for Concentrators on ESA. Compression must be enabled (Compression checkbox selected) for the level to apply. You can set the Compression Level for a Concentrator from 0-9:
      • Compression Level = 0 (If compression is enabled, Core Services control the amount of compression.)
      • Compression Level = 1 (Lowest amount of compression, highest performance.)
      • Compression Level = 9 (Highest amount of compression, worst performance.)

      A level somewhere in the middle between 1 and 9 is usually the best setting, and that is what you get when you select a compression level of 0. For more detailed information, see the Core Database Tuning Guide.

      When you set the compression level for a Concentrator on ESA, it sets the same compression level for that Concentrator for ESA Analytics and ESA Correlation Rules.

      Note: If you make any ESA service, data source, or ESA rule changes to an ESA rule deployment, you need to redeploy the deployment. For example, if you change the configuration of a data source in an ESA rule deployment, you must redeploy all the ESA rule deployments that contain that data source.

    8. Click Test Connection to make sure that the ESA Correlation service can communicate with the data source.
      [Figure: Add Service dialog for adding a Concentrator - Successful test]
    9. Click OK.
      After you configure your endpoint data sources and they appear in the Available Configured Data Sources dialog, you can use them for your deployment.
    10. In the Available Configured Data Sources dialog, select at least one endpoint data source to use for the deployment.
      [Figure: Available Configured Data Sources dialog with a data source selected]
      A solid green circle indicates a running service and a white circle indicates a stopped service.
    11. Click Save.
      In the Deployment view Data Sources section, the selected data sources are added to the deployment. The Deploy Now button activates after a service, data source, and rules are added to an ESA rule deployment.
      [Figure: Deployment view Data Sources section with a data source added]
  5. Add the Endpoint Risk Scoring Rules Bundle:
    1. In the Deployment view ESA Rules section, click the Add icon.
      The Deploy ESA Rules dialog is displayed and shows each rule in your Rule Library.
      [Figure: Deploy ESA Rules dialog]
    2. Select the Endpoint Risk Scoring Rule Bundle and click Save.
      The Deployment view is displayed and the Deploy Now button is enabled.

      [Figure: Deployment view showing rules added to a deployment]

      The Endpoint Risk Scoring Rules Bundle is listed in the ESA Services section with an Added status.
  6. Click Deploy Now.
    The ESA Correlation service runs the rules in the Endpoint Risk Scoring Rules Bundle. The status of the bundle changes to Deployed.

    [Figure: Deployment view showing the Endpoint Risk Scoring Rules deployed]
    You can now view information and statistics on the Configure > ESA Rules > Services tab. See View the Status of the Endpoint Risk Scoring Rules Deployment.

Change the Endpoint Risk Scoring Rule Bundle in a Deployment

You cannot edit or duplicate the Endpoint Risk Scoring Rules Bundle. After the bundle is deployed, you can enable and disable individual rules within the bundle. See Disable or Enable Individual Endpoint Risk Scoring Rules.

When you make changes to the ESA Rule Deployment containing the Endpoint Risk Scoring Rules Bundle, such as changing the endpoint data sources or changing compression levels, you must redeploy it for the changes to take effect. To redeploy, click the Deploy Now button for that deployment.

Caution: Deleting an ESA Rule Deployment with an Endpoint Risk Scoring Rule Bundle stops the Risk Scoring alerts that are used in risk scoring calculations to identify suspicious files and hosts.

For more information about changing ESA rule deployments, see "Additional ESA Rule Deployment Procedures" in the Alerting with ESA Correlation Rules User Guide.

View the Status of the Endpoint Risk Scoring Rules Deployment

  1. Go to the ESA Rules Services tab (Configure > ESA Rules > Services).
  2. In the options panel on the left, select your ESA Correlation service.
    Your deployment name shows on a tab to the right, for example, Endpoint Risk Scoring Rules. If you see multiple tabs on the right, select the tab for your endpoint risk scoring rules deployment.
    [Figure: ESA Rules Services tab showing the ESA Correlation Service on the left and the Deployment tab on the right]
  3. In the Engine Stats, Rules Stats, and Alert Status sections, look at the statistics related to the deployment, such as Rules Enabled, Rules Disabled, and Events Matched, which show the total numbers for the deployment.
  4. In the Deployed Rules Stats section, look at the following details for each Endpoint Risk Scoring Rule:
    • Enable: Indicates the enabled status. A green circle icon indicates that the rule is enabled. A white circle icon indicates that the rule is disabled.
    • Name: Shows the name of the rule.
    • Rule Type: Endpoint indicates a rule from the Endpoint Risk Scoring Bundle and Esper indicates Esper-specific rules, such as Rule Builder and Advanced EPL rules.
    • Last Detected: Shows the last time an alert was triggered for the rule.
    • Events Matched: Shows the total number of events that matched the rule.

Disable or Enable Individual Endpoint Risk Scoring Rules

  1. Go to the ESA Rules Services tab (Configure > ESA Rules > Services).
  2. In the options panel on the left, select your ESA Correlation service.
    Your deployment name shows on a tab to the right, for example, Endpoint Risk Scoring Rules. If you see multiple tabs on the right, select the tab for your endpoint risk scoring rules deployment.
  3. In the Deployed Rules Stats section, do one of the following:
    • To enable rules, select the rules that you want to enable in the rules list and click the Enable button above the list.
      [Figure: The Deployed Rule Stats section showing a rule being enabled]
      The selected rules are enabled and a message shows that the rules enabled successfully.
    • To disable rules, select the rules that you want to disable in the rules list and click the Disable button above the list.
      [Figure: The Deployed Rule Stats section showing a rule being disabled]
      The selected rules are disabled and a message shows that the rules disabled successfully.
