| Problem | Cause | Solution |
|---|---|---|
| I'm seeing too many alerts (false positives). | Several | One possible cause is that the Whois Lookup service is failing or is not configured. The Whois lookup helps determine whether a URL is valid; if the connection fails or the service is not properly configured, the result can be false positives. See "Configure Whois Lookup Service" in the ESA Configuration Guide. |
| | | You may need to whitelist URLs. Sometimes the legitimate behavior for a URL triggers an alert. One way to prevent this is to add the URL to the whitelist. See "Add an Entity to a Whitelist" in the NetWitness Respond User Guide. |
| I'm not seeing any alerts. | The ESA host requires a "warm-up" period when you deploy an ESA Analytics module mapping for Automated Threat Detection. | When you deploy an ESA Analytics module mapping for Automated Threat Detection, there is a "warm-up" period during which no alerts are viewable. Each module type has a default warm-up period, and you need to wait until that period is complete. For more information, see "Mapping ESA Data Sources to Analytics Modules" in the ESA Configuration Guide. |
| I'm seeing performance issues (higher resource usage or a drop in throughput). | Several | If you are having performance issues on an ESA host that is running both Automated Threat Detection (ESA Analytics) and ESA rules, follow the troubleshooting steps for rules. For these steps, see "Troubleshoot ESA" in the Alerting with ESA Correlation Rules User Guide. |
| In NetWitness Platform 11.3, the Respond Event List does not show the Command and Control (C2) enrichment information for HTTP packet alerts in Suspected C&C incidents. | In version 11.3, you can view the C2 enrichment information in the Alert Details view. | View the C2 enrichment information for Suspected C&C incidents in the corresponding alerts in the Alert Details view, following the steps below. |

To locate the C2 enrichment information for a Suspected C&C incident:

1. Go to RESPOND > Incidents, look for a Suspected C&C incident, and note the incident ID.
2. Go to RESPOND > Alerts and, in the Filters panel, select the following to locate an alert in the Alerts list with the incident ID noted above:
   - In the Alert Names section, select http-packet.
   - In the Part of Incident section, select Yes.

   If you are still not able to locate an alert in the Alerts list with the incident ID noted above, try filtering your alerts list further using the time range of the incident.
3. In the Alerts list, click the http-packet link in the NAME field of the alert associated with the incident ID. The Event Details view shows the C2 enrichment information.