Alerting: Additional ESA Rule Deployment Procedures

Document created by RSA Information Design and Development Employee on Jan 30, 2020. Last modified by RSA Product Team on May 4, 2020.
Version 3

In addition to deploying an ESA service and rules, you may want to perform other steps on your ESA rule deployment, such as replacing an ESA service, changing a data source, editing or deleting a rule from the deployment, renaming or deleting the deployment, or showing updates to an ESA rule deployment.

Note: You cannot edit or duplicate an Endpoint Risk Scoring Rules Bundle.

In NetWitness Platform version 11.3 and later, you can add or remove a data source from a deployment. In NetWitness Platform 11.3.0.2 and later, you can edit a data source in an ESA rule deployment. This enables you to change the data source password, SSL, port, and compression settings.

Each of the following procedures starts in the Rules tab (Configure > ESA Rules > Rules tab).

Anytime you make changes to an ESA rule deployment, you must redeploy it for the changes to take effect. To redeploy the deployment, click the Deploy Now button for that deployment.

Replace an ESA Service in an ESA Rule Deployment

An ESA rule deployment can have only one ESA service, but you can replace it at any time with another ESA service. You can use the same ESA service in multiple deployments.

Remove an ESA Service from an ESA Rule Deployment

  1. Go to Configure > ESA Rules > Rules tab.
    The Rules tab is displayed.
  2. In the options panel, under Deployments, select a deployment.
  3. In the ESA Services section, select a service and click the Delete icon in the toolbar.
    A confirmation dialog is displayed.
  4. Click Yes.
    The service is removed from the deployment.

Add an ESA Service to an ESA Rule Deployment

To add an ESA Service to an ESA rule deployment, see Step 2. Add an ESA Service. For the ESA Correlation service in NetWitness Respond 11.3 and later, you must add at least one data source to the service. See Step 3. Add Data Sources.

After you finish making changes to the ESA rule deployment, click Deploy Now to redeploy it. The changes take effect on ESA after the ESA rule deployment is redeployed.

Edit a Data Source in an ESA Rule Deployment

Note: This procedure applies to NetWitness Platform 11.3.0.2 and later versions.

You can change the configuration of a data source in an ESA rule deployment. You can change the data source password, SSL, port, and compression settings. When a data source password changes, it is important to change the password on the data source so that ESA can continue to communicate with the data source.

Note: If you make any ESA service, data source, or ESA rule changes to an ESA rule deployment, you need to redeploy the deployment. For example, if you change the configuration of a data source in an ESA rule deployment, you must redeploy all the ESA rule deployments that contain that data source.

  1. Go to Configure > ESA Rules > Rules tab.
    The Rules tab is displayed.
  2. In the Rules tab options panel, under Deployments, select a deployment.
  3. In the Data Sources section, select a data source and click the Edit icon in the toolbar.
  4. In the Edit Service dialog, type the Administrator username and password for the data source. If the password changed on the data source, enter the new password here.

  5. To enable the SSL or Compression options, select the corresponding checkboxes.
  6. (Optional) In NetWitness Platform 11.3 and later, you can adjust the Compression Level for Concentrators on ESA. To enable compression, select the Compression checkbox. You can set the Compression Level for a Concentrator from 0 to 9:
    • Compression Level = 0 (If compression is enabled, it allows Core Services to control the amount of compression.)
    • Compression Level = 1 (It uses the lowest amount of compression and has the highest performance.)
    • Compression Level = 9 (It uses the highest amount of compression and has the worst performance.)

    Somewhere in the middle between 1 and 9 is usually the best setting, which is what you get when you select a compression level of 0. For more detailed information, see the Core Database Tuning Guide.

    Note: When you set the compression level for a Concentrator on ESA, it sets the same compression level for that Concentrator for ESA Correlation Rules and ESA Analytics.

  7. Click Test Connection to make sure that the data source can communicate with the ESA service.

  8. Click OK.
  9. After you finish making changes to the deployment, click Deploy Now to redeploy the ESA rule deployment. The changes take effect on ESA after the deployment is redeployed. You can view the update information in the Updates to the Deployments dialog. See Show Updates to an ESA Rule Deployment.

Add or Remove a Data Source

Note: This option is available in NetWitness Platform version 11.3 and later.

Remove a Data Source from an ESA Rule Deployment

  1. Go to Configure > ESA Rules > Rules tab.
    The Rules tab is displayed.
  2. In the Rules tab options panel, under Deployments, select a deployment.
  3. In the Data Sources section, select a rule and click the Delete icon in the toolbar.
    The data source is removed from the deployment.

Add a Data Source to an ESA Rule Deployment

To add a data source, see Step 3. Add Data Sources.

After you finish making changes to the deployment, click Deploy Now to redeploy it. The changes take effect on ESA after the deployment is redeployed.

Edit or Delete a Rule in a Deployment

In an ESA rule deployment, you can edit and delete rules to customize the deployment.

Edit a Rule

  1. Go to Configure > ESA Rules > Rules tab.
    The Rules tab is displayed.
  2. In the Rules tab options panel, under Deployments, select a deployment.
  3. In the ESA Rules panel, double-click a rule to open it in a new tab.
  4. Modify the rule, then click Save.
    The rule is saved.
  5. Click Deploy Now to redeploy the deployment.
    The changes take effect on ESA after the deployment is redeployed.

Delete a Rule

  1. Go to Configure > ESA Rules > Rules tab.
    The Rules tab is displayed.
  2. In the options panel, under Deployments, select a deployment.
  3. In the ESA Rules panel, select a rule and click the Delete icon in the toolbar.
    A confirmation dialog is displayed.
  4. Click Yes.
    The rule is deleted.
  5. Click Deploy Now to redeploy the deployment.
    The changes take effect on ESA after the deployment is redeployed.

Edit the ESA Rule Deployment Name or Delete a Deployment

To access the deployments:

  1. Go to Configure > ESA Rules.

    The Configure view is displayed with the Rules tab open.

  2. In the options panel, under Deployments, select a deployment.

    The Deployment view is displayed.

Edit the ESA Rule Deployment Name

  1. In the options panel, under Deployments, select a deployment.

    The Deployment view is displayed.

  2. Select Deployments drop-down list > Edit.

    The deployment name is made available for editing.

  3. Enter the new deployment name.
  4. Click Deploy Now to redeploy the deployment.
    The changes take effect on ESA after the ESA rule deployment is redeployed. In NetWitness Platform 11.3 and later, the deployment names that you choose appear on the deployment tabs in the Configure > ESA Rules > Services tab.

Delete an ESA Rule Deployment

  1. In the options panel, under Deployments, select a deployment.

    The Deployment view is displayed.

  2. Select Deployments drop-down list > Delete.

    A confirmation dialog is displayed.

  3. Click Yes.

    The deployment is deleted.

Show Updates to an ESA Rule Deployment

You can view changes to an ESA rule deployment, such as adding or removing rules. When there is a change to a deployment, the update icon appears next to the name of the deployment in the Rules tab options panel.

  1. Go to Configure > ESA Rules.
    The Rules tab is displayed.
  2. In the options panel, under Deployments, click Show Updates on the far right.

    The Updates to the Deployments dialog opens and shows the changes to the deployment.
  3. Click Close.

 
