ESA Config: Configure Advanced Settings for an ESA Correlation Service

Document created by RSA Information Design and Development on Apr 11, 2019
Version 1

These procedures are optional and they apply only to ESA Correlation Rules.

In the Explore view for an ESA Correlation service, you can manage sending ESA rule alerts to the Respond view, turn on debugging for all rules, configure the events to preserve for rules with multiple events, and configure meta keys as string array values on ESA.

Access Advanced Settings for an ESA Correlation Service

  1. Go to ADMIN > Services.
    The Services view is displayed.
  2. In the Services view, select an ESA Correlation service, click the Actions icon, and select View > Explore.
    The Explore view is displayed.

ESA Correlation Service Explore view

Enable or Disable Sending ESA Rule Alerts to the Respond View

ESA gathers data, runs ESA Correlation rules against the data, captures events that meet rule criteria, and creates alerts for those captured events. You can view those alerts in the Respond view.

Before an ESA Correlation rule alert can go to the Respond view, both of the following settings must be enabled:

  1. For all rules, the ESA Correlation service must have the respond-enabled parameter set to true. (The default is true.)
  2. For an individual rule, the ESA Correlation rule must have the Alert option selected in the rule builder for that rule.

To enable or disable alert forwarding to the Respond view for ALL ESA Correlation rules:

  1. In the Explore view node list for an ESA Correlation service, select correlation > alert.
    ESA Correlation Service Explore view showing correlation/alert/respond-enabled
  2. To allow all ESA Correlation Rule alerts to go to the Respond view, set respond-enabled to true. Alerts for ESA rules that have the Alert option selected are visible in the Respond view.
  3. To stop all ESA Correlation Rule alerts from going to the Respond view, set respond-enabled to false.
    ESA Correlation Rule alerts do not go to the Respond view, even if you select the Alert option in the rule.
    The changes take effect immediately.

Note: The respond-enabled parameter is equivalent to the Forward Alerts On Message Bus option in the Event Stream Analysis service in NetWitness Platform version 11.2 and earlier.

To send or not send alerts to the Respond view for a single ESA Correlation rule:

Content experts managing the ESA Correlation rules can decide whether to send alerts to the Respond view for each rule.

  1. Go to CONFIGURE > ESA Rules > Rules tab.
    The Rules tab is displayed.
  2. In the Rule Library, select the rule you want to edit and click the Edit icon.
    Depending on the rule type, the respective rule tab is displayed.
    Rule Builder for ESA Correlation Rule showing the Alert option to send alerts to the Respond view
    • To turn on Respond alerts for a rule, select the Alert checkbox.
    • To turn off Respond alerts for a rule, clear the Alert checkbox.
  3. Click Save.

For more information, see the Alerting with ESA Correlation Rules User Guide.

Enable ESA Correlation Service Debugging for All Rules

You can turn on debugging for all ESA rules to see if rules are creating (firing) alerts and data is being processed properly by the ESA Correlation service. This can also be helpful when writing or fixing global notification templates, such as syslog or email. You can see the actual content of an alert before sending the notification.

When you disable ESA Correlation service debugging for all rules, you can still turn on debugging for an individual rule at any time.

  1. In the Explore view node list for an ESA Correlation service, select correlation > rule.
    ESA Correlation Service Explore view showing correlation/module log-fired-rules
  2. Set log-fired-rules to true to print alerts to /var/log/netwitness/correlation-server/correlation-server.log for troubleshooting. This is the same as the Debug option in the rule builders for individual ESA rules, except that this option enables debugging for all rules.
  3. When you are ready to turn off debugging for all ESA rules, set log-fired-rules to false.
    The changes take effect immediately.

Note: The log-fired-rules parameter is equivalent to the Debug Rules? option in the Event Stream Analysis service in NetWitness Platform version 11.2 and earlier.

Configure Maximum Events per Alert for All Rules

  1. In the Explore view node list for an ESA Correlation service, select correlation > rule.
    ESA Correlation Service Explore view showing correlation/max-constituent-events
  2. For rules that contain multiple events, in max-constituent-events, enter how many of the associated events to preserve. For example, if a rule fires an alert with 200 associated events and this parameter is set to 100, ESA preserves only the first 100 and drops the rest. The default value is 100.
    The changes take effect immediately.

Note: The max-constituent-events parameter is equivalent to the Max Constituent Events option in the Event Stream Analysis service in NetWitness Platform version 11.2 and earlier.

Configure Meta Keys as Arrays in ESA Correlation Rule Values

A common reason for an ESA rule to generate an error during deployment is that a meta key in the rule is a string array type, but it shows as a string type on ESA. To prevent or fix this issue, do the following:

Determine if a Meta Key is a String Array Type on ESA

  1. Go to CONFIGURE > ESA Rules and click the Settings tab.
    ESA Rules Settings tab showing Meta Key References
  2. In the Meta Key References, for each meta key that is a string array type, locate the meta key in the Name field and then check the value.
    • If it shows string[], it is configured as a string array type on ESA. This is fine.
    • If it shows string without the brackets, it is configured as a string type and you need to fix it on ESA. Go to Add the String Array Type Meta Key to ESA.

Add the String Array Type Meta Key to ESA

Caution: You can add string array type meta keys to the ESA Correlation service, but do not remove any of the existing keys. In NetWitness Platform 11.3, the ESA rules on Live use meta keys with array syntax and they depend on these meta keys. Removing values from the multi-valued list can cause the ESA Rule Deployments to fail. For more information, see Required String Array Meta Keys on the ESA Correlation Service.

  1. In the Explore view node list for an ESA Correlation service, select correlation > stream.
  2. Add string array meta keys to the multi-valued list to allow them to be used as an array in ESA rules.
    ESA Correlation service Explore view showing multi-valued
  3. Verify the configuration on ESA. Go to Verify that the String Array Type Meta Key is Configured Correctly on ESA.

Note: The multi-valued parameter is equivalent to the arrayFieldNames parameter in the Event Stream Analysis service in NetWitness Platform version 11.2 and earlier.

Verify that the String Array Type Meta Key is Configured Correctly on ESA

  1. Go back to CONFIGURE > ESA Rules and click the Settings tab.
  2. In the Meta Key References, click the Meta Re-Sync (Refresh) icon.
  3. Verify that the meta keys with a string array type show a value of string[].

Required String Array Meta Keys on the ESA Correlation Service

In NetWitness Platform 11.3, the ESA rules from Live use meta keys with array syntax and they depend on these meta keys to work correctly. The multi-valued parameter on the ESA Correlation service (Explore view > correlation > stream) includes the following default multi-valued (string array type) meta keys, which the ESA rules from Live require:

action, alert, alert.id, alias.host, alias.ip, alias.ipv6, analysis.file, analysis.service, analysis.session, boc, browserprint, cert.thumbprint, checksum, checksum.all, checksum.dst, checksum.src, client.all, content, context, context.all, context.dst, context.src, dir.path, dir.path.dst, dir.path.src, directory, directory.all, directory.dst, directory.src, email, email.dst, email.src, eoc, feed.category, feed.desc, feed.name, file.cat, file.cat.dst, file.cat.src, filename.dst, filename.src, filter, function, host.all, host.dst, host.orig, host.src, host.state, inv.category, inv.context, ioc, ip.orig, ipv6.orig, netname, OS, param, param.dst, param.src, registry.key, registry.value, risk, risk.info, risk.suspicious, risk.warning, threat.category, threat.desc, threat.source, user.agent, username

Caution: You can add to the multi-valued parameter on the ESA Correlation service, but do not remove any meta keys. Removing values from the multi-valued parameter can cause the ESA Rule Deployments to fail.
