Alerting: ESA Rule Deployment Steps

Document created by RSA Information Design and Development Employee on Jan 30, 2020. Last modified by RSA Information Design and Development Employee on Sep 8, 2020.
Version 7

This topic explains how to add an ESA rule deployment, which includes an ESA service with its associated data sources and a set of ESA rules. You can add an ESA rule deployment to organize and manage ESA services and rules. Think of the deployment as a container for these components:

  • An ESA service
  • One or more data sources (This is available in version 11.3 and later.)
  • A set of ESA rules

For example, if you add a Spam Activity deployment, it could include an ESA London service, Concentrators with the appropriate data, and a set of ESA rules to detect suspicious email activity.

Note: An ESA rule deployment can have only one ESA service. You can, however, use the same ESA service in multiple deployments.
In NetWitness Platform version 11.2 and earlier, the ESA service is the Event Stream Analysis service. In version 11.3 and later, it is the ESA Correlation service.

To add an ESA rule deployment, you need to complete the following procedures:

Step 1. Add an ESA Rule Deployment

Prerequisites

The following are required to add an ESA rule deployment:

To add an ESA rule deployment:

  1. Go to (Configure) > ESA Rules.
    The Rules tab is displayed.
  2. In the options panel on the left, next to Deployments, select Add deployment icon > Add and type a name for the deployment. The naming convention is up to you. For example, it could indicate the purpose or identify an owner.
    Rules tab Options panel - Adding a deployment
  3. In NetWitness Platform 11.3 and later, the deployment names that you choose appear on the deployment tabs in the (Configure) > ESA Rules > Services tab.
  4. Press Enter.
    The deployment is added. The Deployment view is displayed on the right.
    Deployment added

Step 2. Add an ESA Service

The ESA service in an ESA rule deployment gathers data in your network and runs ESA rules against the data. The goal is to capture events that match rule criteria, then generate an alert for the captured event.

An ESA rule deployment can have only one ESA service. You can, however, use the same ESA service in multiple deployments. For example, ESA London could be in these deployments simultaneously:

  • Deployment EUR, which includes one set of rules
  • Deployment CORP, which includes another set of rules

Changes made to an ESA rule deployment do not take effect until you click Deploy Now. For example, Deployment EUR could include the ESA London service and a set of 25 rules. If you replace the ESA London service with the ESA Paris service, the next time you deploy Deployment EUR, the 25 rules will be removed from ESA London and added to ESA Paris.

Deleting an ESA rule deployment immediately removes the rules from the ESA service. If an ESA service is not part of any deployment, the ESA service does not have any rules.

To add an ESA service:

  1. Go to (Configure) > ESA Rules > Rules tab.
  2. In the options panel, select a deployment:
    Deployment view showing a selected deployment
  3. In the Deployment view, click Add icon in ESA Services.
    The Deploy ESA Services dialog lists each configured ESA.
    Deploy ESA Services dialog
  4. Select an ESA service and click Save.
    The Deployment view is displayed. The ESA service is listed in the ESA Services section, with the status Added.

    Service added

Step 3. Add Data Sources

Note: This option is available in version 11.3 and later.

You can select one or more data sources, such as Concentrators, to use for your selected ESA Service. This enables you to specify different data sources for each deployment. For example, you may want to use Concentrators with HTTP packet data in one deployment and Concentrators with HTTP log data in another deployment.

  1. Go to (Configure) > ESA Rules > Rules tab.
  2. In the options panel, select a deployment.
  3. Configure one or more data sources for your deployment. Do the following for each data source:
    1. In the Deployment view Data Sources section, click Add icon.
      The Available Configured Data Sources dialog lists the services that have been configured for use as a data source.
      Available Configured Data Sources dialog
    2. To add a data source configuration, click Add icon.
      The Available Services dialog lists the available data sources from the (Admin) > Services view, such as Concentrators.
      Available Services dialog

      Note: You can add a Log Decoder as a data source for ESA, but it is better to add a Concentrator to take advantage of undivided aggregation, because the Decoder may have other processes aggregating from it.

    3. In the Available Services dialog, select a data source, such as a Concentrator, and click OK.
    4. In the Add Service dialog, type the Administrator username and password for the data source.
      Add Service dialog for adding a Concentrator data source
    5. To enable the SSL or Compression options, select the corresponding checkboxes.
    6. (Optional) In NetWitness Platform 11.3 and later, you can adjust the Compression Level for Concentrators on ESA. To enable compression, select the Compression checkbox. You can set the Compression Level for a Concentrator from 0-9:
      • Compression Level = 0 (If compression is enabled, it allows Core Services to control the amount of compression.)
      • Compression Level = 1 (It uses the lowest amount of compression and has the highest performance.)
      • Compression Level = 9 (It uses the highest amount of compression and has the worst performance.)

      A level somewhere in the middle of the 1-9 range is usually the best setting, which is what you get when you select a compression level of 0 and let the Core Services choose. For more detailed information, see the Core Database Tuning Guide.

      Note: If you make any ESA service, data source, or ESA rule changes to an ESA rule deployment, you need to redeploy the deployment. For example, if you change the configuration of a data source in an ESA rule deployment, you must redeploy all the ESA rule deployments that contain that data source.
      When you set the compression level for a Concentrator on ESA, it sets the same compression level for that Concentrator for ESA Correlation Rules.

    7. Click Test Connection to make sure that the data source can communicate with the ESA service.
      Add Service dialog for adding a Concentrator - Successful test
    8. Click OK.
      After you configure your data sources and they appear in the Available Configured Data Sources dialog, you can use them for your deployment.
  4. In the Available Configured Data Sources dialog, select at least one data source to use for the deployment.
    Available Configured Data Sources dialog with a data source selected
    A solid colored green circle indicates a running service and a white circle indicates a stopped service.
  5. Click Save.
    In the Deployment view Data Sources section, the selected data sources are added to the deployment. The Deploy Now button activates after an ESA service, a data source, and rules are added to an ESA rule deployment.
    Deployment view Data Sources section with a data source added
  6. (Optional) If you have a medium to large NetWitness Platform deployment and you have high throughputs, you can create a filter to forward only the data relevant to this deployment to ESA. Before deploying the ESA rule deployment, add the data source filter. See (Optional) Add a Data Source Filter.

Step 4. Add and Deploy Rules

This topic explains how to add ESA rules to an ESA rule deployment and then deploy the rules on ESA. Each ESA rule has unique criteria. The ESA rules in an ESA rule deployment determine which events ESA captures, which in turn determine the alerts you receive.

For example, Deployment A includes ESA Paris and, among others, a rule to detect file transfer using a non-standard port. When ESA Paris detects a file transfer that matches the rule criteria, it captures the event and generates an alert for it. If you remove this rule from Deployment A, ESA will no longer generate an alert for such an occurrence.

To add and deploy rules:

  1. Go to (Configure) > ESA Rules > Rules tab.
  2. In the options panel, select a deployment.
  3. In the Deployment view, click Add icon in ESA Rules.
    The Deploy ESA Rules dialog is displayed and shows each rule in your Rule Library:
    Deploy ESA Rules dialog
  4. Select rules and click Save.
    The Deployment view is displayed and the Deploy Now button is enabled.

    Deployment view showing rules added to a deployment

  5. The rules are listed in the ESA Rules section.
    • In the Status column, Added is next to each new rule.
    • In the Deployments section, Deployment Update icon indicates there are updates to the deployment.
    • The total number of rules in the deployment is on the right.
    Deployments section showing the number of events on the right
  6. Click Deploy Now.
    The ESA Correlation service runs the rule set. After ESA Correlation completes the processing of each rule in the deployment, the status changes to Deployed.

    Deployment view showing an ESA rule deployment with a Deployed status

(Optional) Add a Data Source Filter

Note: This option is available in NetWitness Platform version 11.5 and later.

To improve performance, you can add an optional data source filter to your ESA rule deployment so that only the data relevant to the deployment is forwarded to ESA. The filter consists of application rules, which are applied to the Decoders mapped to your selected data sources. There are two options that you can use to create the filter:

  • The Simple data source filter option enables you to select the application rules to be included in the filter query. The application rules that you select must be enabled on the Decoders that feed the data sources in your ESA rule deployment. ESA Correlation uses the filtered event data to process the ESA rules. This is the procedure described here.
  • The Advanced data source filter option enables you to add a data source query directly. The individual application rule queries must be separated by an “or” condition. For more information on creating and writing Decoder rules, see "Configure Application Rules" in the Decoder and Log Decoder Configuration Guide.

Caution: The data source filter is intended for advanced users familiar with Decoder application rules. Improper filtering can cause the required data to not be forwarded to and analyzed by ESA.

Using a data source filter can be performance intensive for data aggregation. A filter slows the event aggregation rate, but when you are filtering out a large amount of traffic, it can have performance benefits on the ESA Correlation server. However, if you use a complex filter and do not filter out a large amount of traffic, the event aggregation rate may be lower than expected.

IMPORTANT: If an application rule linked to a data source filter is modified on a Decoder, the filter must be removed, added again, and redeployed. The changes take effect on ESA after the deployment is redeployed.

To add a Simple data source filter:

  1. Go to (Configure) > ESA Rules > Rules tab.
  2. In the options panel, select a deployment.
  3. In the Deployment view Data Source Filter (Optional) section, click Add icon.
    Data Source Filter section in an ESA rule deployment
    The Create Data Source Filter dialog lists the application rules that are available to filter the events in the data sources in your ESA rule deployment.
  4. Select the application rules that you want to use to filter the data sources in your deployment and click Save. The Alert Field shows the meta key used in the alert. Present On shows the number of Decoders mapped to the data sources that have the rule. Absent On shows the number of mapped Decoders that do not have the rule. If present, hover over the Information icon to view the names of the Decoders. You can use the search filter to help locate rules. For example, you can type "account" to search for application rules that contain that word.

    Create Data Source Filter dialog with application rules selected

    The application rules that you select appear in a Filter Query with the status of Added.
    The Data Source Filter section with a filter query added
  5. When you are ready to deploy your ESA rule deployment, click Deploy Now.
    The ESA Correlation service runs the rule set. After ESA Correlation completes the processing of each rule in the deployment, the status changes to Deployed. The data source filter status changes to Deployed when the filter is actively streaming only the relevant data as defined in the filter query.

    Troubleshooting Information: When filtering out a large portion of the traffic, you may see an "Invalid header size" error while communicating with Core services in the ESA Correlation log file. Decrease the max-sessions parameter from 10,000 to a lower session count. See Adjust Maximum Sessions for the Data Source Filter.

Deploy the Endpoint Risk Scoring Rules Bundle

An Endpoint Risk Scoring Rules Bundle, which contains approximately 400 rules, comes with NetWitness Platform 11.3 and later. Endpoint risk scoring rules only apply to NetWitness Endpoint. You can add the Endpoint Risk Scoring Rules Bundle to an ESA rule deployment in the same way that you would add any ESA rule. However, you must specify endpoint data sources (Concentrators) in the ESA rule deployment.

The ESA Correlation service can process endpoint risk scoring rules, which generate alerts that are used in risk scoring calculations to identify suspicious files and hosts. To turn on risk scoring for NetWitness Endpoint, you must deploy endpoint risk scoring rules on ESA. For instructions, see "Deploy Endpoint Risk Scoring Rules on ESA" in the ESA Configuration Guide. For complete information on configuring NetWitness Endpoint, see the NetWitness Endpoint Configuration Guide.
