
Alerting: Additional ESA Rule Deployment Procedures

Document created by RSA Information Design and Development Employee on Jan 30, 2020. Last modified by RSA Information Design and Development Employee on Sep 8, 2020. Version 5.

In addition to deploying an ESA service and rules, you may want to perform other steps on your ESA rule deployment, such as replacing an ESA service, changing a data source, editing or deleting a rule from the deployment, renaming or deleting the deployment, or showing updates to an ESA rule deployment.

Note: You cannot edit or duplicate an Endpoint Risk Scoring Rules Bundle.

In NetWitness Platform version 11.3 and later, you can add or remove a data source from a deployment. In NetWitness Platform 11.3.0.2 and later, you can edit a data source in an ESA rule deployment. This enables you to change the data source password, SSL, port, and compression settings.

Each of the following procedures starts in the Rules tab [ (Configure) > ESA Rules > Rules tab].

Anytime you make changes to an ESA rule deployment, you must redeploy it for the changes to take effect. To redeploy the deployment, click the Deploy Now button for that deployment.

Replace an ESA Service in an ESA Rule Deployment

An ESA rule deployment can have only one ESA service, but you can replace it at any time with another ESA service. You can use the same ESA service in multiple deployments.

Remove an ESA Service from an ESA Rule Deployment

  1. Go to (Configure) > ESA Rules > Rules tab.
    The Rules tab is displayed.
  2. In the options panel, under Deployments, select a deployment.
  3. In the ESA Services section, select a service and click the Delete icon in the toolbar.
    A confirmation dialog is displayed.
  4. Click Yes.
    The service is removed from the deployment.
  5. After you finish making changes to the deployment, click Deploy Now to redeploy it. The changes take effect on ESA after the deployment is redeployed.

Add an ESA Service to an ESA Rule Deployment

  1. To add an ESA Service to an ESA rule deployment, see Step 2. Add an ESA Service. For the ESA Correlation service in NetWitness Respond 11.3 and later, you must add at least one data source to the service. See Step 3. Add Data Sources.
  2. After you finish making changes to the ESA rule deployment, click Deploy Now to redeploy it. The changes take effect on ESA after the ESA rule deployment is redeployed.

Edit a Data Source in an ESA Rule Deployment

Note: This procedure applies to NetWitness Platform 11.3.0.2 and later versions.

You can change the configuration of a data source in an ESA rule deployment. You can change the data source password, SSL, port, and compression settings. When a data source password changes, it is important to change the password on the data source so that ESA can continue to communicate with the data source.

Note: If you make any ESA service, data source, or ESA rule changes to an ESA rule deployment, you need to redeploy the deployment. For example, if you change the configuration of a data source in an ESA rule deployment, you must redeploy all the ESA rule deployments that contain that data source.

  1. Go to (Configure) > ESA Rules > Rules tab.
    The Rules tab is displayed.
  2. In the Rules tab options panel, under Deployments, select a deployment.
  3. In the Data Sources section, select a data source and click the Edit icon in the toolbar.
  4. In the Edit Service dialog, type the Administrator username and password for the data source. If the password changed on the data source, enter the new password here.
    Edit Service dialog for editing a data source

  5. To enable the SSL or Compression options, select the corresponding checkboxes.
  6. (Optional) You have the option to adjust the Compression Level for Concentrators on ESA in NetWitness Platform 11.3 and later. To enable compression, select the Compression checkbox. You can set the Compression Level for a Concentrator from 0-9:
    • Compression Level = 0 (If compression is enabled, it allows Core Services to control the amount of compression.)
    • Compression Level = 1 (It uses the lowest amount of compression and has the highest performance.)
    • Compression Level = 9 (It uses the highest amount of compression and has the worst performance.)

    Somewhere in the middle between 1 and 9 is usually the best setting, which is what you get when you select a compression level of 0. For more detailed information, see the Core Database Tuning Guide.

    Note: When you set the compression level for a Concentrator on ESA, it sets the same compression level for that Concentrator for ESA Correlation Rules.

  7. Click Test Connection to make sure that the data source can communicate with the ESA service.
    Edit Service dialog for editing a data source - Successful test

  8. Click OK.
  9. After you finish making changes to the deployment, click Deploy Now to redeploy the ESA rule deployment. The changes take effect on ESA after the deployment is redeployed. You can view the update information in the Updates to the Deployments dialog. See Show Updates to an ESA Rule Deployment.

Add or Remove a Data Source

Note: This option is available in NetWitness Platform version 11.3 and later.

Remove a Data Source from an ESA Rule Deployment

  1. Go to (Configure) > ESA Rules > Rules tab.
    The Rules tab is displayed.
  2. In the Rules tab options panel, under Deployments, select a deployment.
  3. In the Data Sources section, select the data source and click the Delete icon in the toolbar.
    The data source is removed from the deployment.
  4. After you finish making changes to the deployment, click Deploy Now to redeploy it. The changes take effect on ESA after the deployment is redeployed.

Add a Data Source to an ESA Rule Deployment

  1. To add a data source, see Step 3. Add Data Sources.
  2. After you finish making changes to the deployment, click Deploy Now to redeploy it. The changes take effect on ESA after the deployment is redeployed.

(Optional) Add or Remove a Data Source Filter

To improve performance, you can add an optional data source filter to your ESA rule deployment so that only the data relevant to the deployment is forwarded to ESA. The filter is comprised of application rules, which are applied to the Decoders mapped to your selected data sources.

You cannot edit a data source filter. To modify a data source filter, you must remove the filter, add a new filter, and then redeploy the ESA rule deployment.

Note: This option is available in NetWitness Platform version 11.5 and later.

Caution: The data source filter is intended for advanced users familiar with Decoder application rules. Improper filtering can cause the required data to not be forwarded to and analyzed by ESA.

Using a data source filter can be performance intensive for data aggregation. A filter slows the event aggregation rate, but when you are filtering out a large amount of traffic, it can have performance benefits on the ESA Correlation server. However, if you use a complex filter and do not filter out a large amount of traffic, the event aggregation rate may be lower than expected.

IMPORTANT: If an application rule linked to a data source filter is modified on a Decoder, the filter must be removed, added again, and redeployed. The changes take effect on ESA after the deployment is redeployed.

Remove a Data Source Filter from an ESA Rule Deployment

If you plan to replace your data source filter with an adjusted filter, you may want to copy the filter query from the existing data source filter before you remove it, so that you can compare it with the new query.

  1. Go to (Configure) > ESA Rules > Rules tab.
    The Rules tab is displayed.
  2. In the Rules tab options panel, under Deployments, select a deployment.
  3. In the Data Source Filter (Optional) section, select the filter and click the Delete icon in the toolbar.
    The filter is removed from the deployment.
  4. After you finish making changes to the deployment, click Deploy Now to redeploy it. The changes take effect on ESA after the deployment is redeployed.

Add a Data Source Filter to an ESA Rule Deployment

  1. To add a simple data source filter, see (Optional) Add a Data Source Filter. If necessary, you can use the advanced filter instead of the simple filter to add a data source query directly. The individual application rule queries must be separated by an "or" condition. For more information on creating and writing Decoder rules, see "Configure Application Rules" in the Decoder and Log Decoder Configuration Guide.
  2. After you finish making changes to the deployment, click Deploy Now to redeploy it. The changes take effect on ESA after the deployment is redeployed.

Adjust Maximum Sessions for the Data Source Filter

When filtering out a large portion of the traffic, you may see an "Invalid header size" error while communicating with Core services in the ESA Correlation log file. (You can use SSH to log in to the system and open /var/log/netwitness/correlation-server/correlation-server.log.) Lower the max-sessions parameter until you no longer see the error in the log. The more traffic you filter out, the lower you should set the max-sessions parameter.

  1. In the Explore view node list for an ESA Correlation service, select correlation > stream.
    ESA Correlation Service Explore view showing correlation/stream max-sessions
  2. In max-sessions, lower the value until you no longer see the error in the ESA Correlation log file. The default value is 10000.
  3. Restart the ESA Correlation service. Go to (Admin) > Services, select the ESA Correlation service, and then select the Actions icon > Restart.
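The procedure above is a loop: lower max-sessions, restart, and check the log again. The following helper is an added example and is not part of the RSA documentation or the NetWitness product. It scans the ESA Correlation log for the "Invalid header size" string so that an operator can tell, without reading the whole file, whether the error is still present after a change. The default log path is the one named on this page; the sample log lines and their format are constructed for this example and are not the real correlation-server log format.

```shell
#!/bin/sh
# Added example (not from the RSA documentation): check an ESA Correlation log
# for the "Invalid header size" error that indicates max-sessions is still too
# high for the amount of traffic being filtered out.

# Path named on the documentation page for the ESA Correlation log.
DEFAULT_LOG=/var/log/netwitness/correlation-server/correlation-server.log

# Print the number of log lines that contain the error string.
# Usage: count_header_errors [LOGFILE]
count_header_errors() {
  log="${1:-$DEFAULT_LOG}"
  [ -r "$log" ] || { echo "cannot read $log" >&2; return 2; }
  # grep -c exits 1 when nothing matches; a count of 0 is a valid result here.
  grep -c 'Invalid header size' "$log" || true
}

# Exit 0 when the error is absent (max-sessions is low enough for this traffic),
# 1 when it is still present, 2 when the log cannot be read.
# Usage: header_errors_absent [LOGFILE]
header_errors_absent() {
  n=$(count_header_errors "$1") || return 2
  [ "$n" -eq 0 ]
}

# Write a constructed sample log (illustrative format, not the real one) to the
# given path so the helpers can be tried offline.
# Usage: write_sample_log FILE
write_sample_log() {
  cat > "$1" <<'EOF'
2020-09-08 10:00:01 INFO  stream: aggregation started, max-sessions=10000
2020-09-08 10:00:05 ERROR stream: Invalid header size while reading from concentrator
2020-09-08 10:00:06 ERROR stream: Invalid header size while reading from concentrator
2020-09-08 10:00:09 INFO  stream: 1200 sessions aggregated
EOF
}

# Report the result for a log file in plain words.
# Usage: report_header_errors [LOGFILE]
report_header_errors() {
  log="${1:-$DEFAULT_LOG}"
  n=$(count_header_errors "$log") || return 2
  if [ "$n" -eq 0 ]; then
    echo "$log: no 'Invalid header size' errors; current max-sessions looks sufficient"
  else
    echo "$log: $n 'Invalid header size' error line(s); lower max-sessions and restart"
  fi
}
```

Run `report_header_errors` on the real log after each max-sessions change and service restart; only stop lowering the value once it reports zero error lines. Remember that lines written before the change still count, so compare against entries logged after the restart (for example by truncating to recent lines with `tail` before scanning).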

Edit or Delete a Rule in a Deployment

In an ESA rule deployment, you can edit and delete rules to customize the deployment.

Edit a Rule

  1. Go to (Configure) > ESA Rules > Rules tab.
    The Rules tab is displayed.
  2. In the Rules tab options panel, under Deployments, select a deployment.
  3. In the ESA Rules panel, double-click a rule to open it in a new tab.
  4. Modify the rule, then click Save.
    The rule is saved.
  5. Click Deploy Now to redeploy the deployment.
    The changes take effect on ESA after the deployment is redeployed.

Delete a Rule

  1. Go to (Configure) > ESA Rules > Rules tab.
    The Rules tab is displayed.
  2. In the options panel, under Deployments, select a deployment.
  3. In the ESA Rules panel, select a rule and click the Delete icon in the toolbar.
    A confirmation dialog is displayed.
  4. Click Yes.
    The rule is deleted.
  5. Click Deploy Now to redeploy the deployment.
    The changes take effect on ESA after the deployment is redeployed.

Edit the ESA Rule Deployment Name or Delete a Deployment

To access the deployments:

  1. Go to (Configure) > ESA Rules.
    The Configure view is displayed with the Rules tab open.
  2. In the options panel, under Deployments, select a deployment.
    The Deployment view is displayed.
    Rules tab - Access a deployment


Edit the ESA Rule Deployment Name

  1. In the options panel, under Deployments, select a deployment.
    The Deployment view is displayed.
  2. Select Deployments drop-down list > Edit.
    The deployment name is made available for editing.

  3. Enter the new deployment name.
  4. Click Deploy Now to redeploy the deployment.
    The changes take effect on ESA after the ESA rule deployment is redeployed. In NetWitness Platform 11.3 and later, the deployment names that you choose appear on the deployment tabs in the (Configure) > ESA Rules > Services tab.

Delete an ESA Rule Deployment

  1. In the options panel, under Deployments, select a deployment.
    The Deployment view is displayed.
  2. Select Deployments drop-down list > Delete.
    A confirmation dialog is displayed.
  3. Click Yes.
    The deployment is deleted.

Show Updates to an ESA Rule Deployment

You can view changes to an ESA rule deployment, such as adding or removing rules. When there is a change to a deployment, the update icon (Update icon) appears next to the name of the deployment in the Rules tab options panel.

  1. Go to (Configure) > ESA Rules.
    The Rules tab is displayed.
  2. In the options panel, under Deployments, click Show Updates on the far right.
    Rules Tab - Deployments showing updates button
    The Updates to the Deployments dialog opens and shows the changes to the deployment.
    Updates to the Deployment dialog
  3. Click Close.
