000039262 - Renaming or Removing a Context Hub List Used by ESA Correlation Breaks ESA Rules on NetWitness Platform 11.3 and Later

Document created by RSA Customer Support Employee on Sep 20, 2020
Version 1

Article Content

Article Number: 000039262
Applies To: RSA Product Set: NetWitness Platform
RSA Product/Service Type: ESA host / ESA Correlation service
RSA Version/Condition: 11.3, 11.4, and 11.5
Issue: In NetWitness Platform 11.3 and later, a Context Hub list can be configured as an enrichment source for ESA and used as a condition when creating an ESA rule. For example, a blacklist of IP addresses can be created in Context Hub and used as part of a correlation rule condition. Changes to the list items are reflected in real time and used by ESA Correlation rules.

In NetWitness Platform 11.5 and later, in Advanced EPL rules, the @RSAContext annotation can be used to dynamically add or remove data from a Context Hub list after a rule fires. For example, a rule is created that automatically adds an IP address to a blacklist and removes it from a whitelist.

If a Context Hub list that is being used by ESA is renamed or removed, ESA Correlation will not be able to communicate with that Context Hub list. In addition, in NetWitness 11.5 and later, if the @RSAContext annotation is used with Context Hub lists, depending on the error handling selection, it can cause ESA Correlation to stop working and not fire any alerts.  

Because ESA is not aware of the adjustments to the Context Hub lists, no notification that there is a problem will be received. 

Cause: If a Context Hub list that is used by ESA Correlation is renamed or deleted, ESA will not be able to access the list and may stop processing for all rules.

Do not rename or delete a Context Hub list that is used in a deployed ESA rule. ESA Correlation will also not be able to contact a Context Hub list that is deleted and then added back with the same name while the rule is deployed, because the recreated list has different internal pointers.

If a Context Hub list is renamed or recreated with the same name, update the ESA rules that should reference the renamed/recreated Context Hub list. Once updated, redeploy the ESA rule deployments that contain the updated rules.

  1. Go to Configure > ESA Rules > Rules tab.
  2. In the Rules tab options panel on the left, under Deployments, select a deployment.
  3. In the ESA Rules section, double-click the rule that needs adjustments and make the changes to the rule.

Note: To keep track of which Context Hub lists are associated with which rules, add the Context Hub list name to the rule description for future reference.

  4. (Optional in 11.5 and later) Test the rule. For more information, see the Alerting with ESA Correlation Rules User Guide for RSA NetWitness Platform 11.x.
  5. Save the rule changes.
  6. After all changes to the deployment are completed, click Deploy Now to redeploy the rules. The changes will take effect on the ESA after the deployment has completed.
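Because ESA raises no notification when a referenced Context Hub list disappears, the only way to catch the problem before rules silently stop is an inventory check. The following script is an added example, not code from RSA or from the NetWitness Platform; it assumes the convention from the note above, that each rule's description carries its list name as a `ctxhub: <list name>` tag (an assumed convention, not a product feature), and it works on constructed sample rule metadata and a constructed snapshot of current Context Hub list names. Given those inputs it reports every rule whose tagged list no longer exists under that name and groups the results by deployment, which is the set of deployments that must be edited and redeployed.

```python
import re

# Assumed convention (not a NetWitness feature): the Context Hub list name is
# recorded in each rule's description as "ctxhub: <list name>", following the
# article's advice to note the list name in the rule description.
CTXHUB_TAG = re.compile(r"ctxhub:\s*([A-Za-z0-9_.-]+)", re.IGNORECASE)

# Constructed sample rule metadata (name, deployment, description). In practice
# this would come from an export of the ESA rule library.
SAMPLE_RULES = [
    {"name": "Blacklisted source IP", "deployment": "Prod-ESA",
     "description": "Alerts on src_ip in ctxhub: ip_blacklist"},
    {"name": "Move IP between lists", "deployment": "Prod-ESA",
     "description": "@RSAContext adds to ctxhub: ip_blacklist, removes from ctxhub: ip_whitelist"},
    {"name": "Login spike", "deployment": "Dev-ESA",
     "description": "No Context Hub dependency"},
]

# Constructed snapshot of the list names currently present in Context Hub.
# "ip_whitelist" is absent because it was renamed to "ip_allowlist".
CURRENT_LISTS = {"ip_blacklist", "ip_allowlist"}


def lists_referenced(rule):
    """Return the Context Hub list names tagged in a rule's description, in order."""
    return CTXHUB_TAG.findall(rule["description"])


def find_stale_references(rules, current_lists):
    """Return (rule name, list name) pairs whose list no longer exists by that name.

    A list that was deleted and recreated under the same name is NOT caught
    here, because the name still matches; per the article, rules that use such
    a list must be updated and redeployed anyway.
    """
    stale = []
    for rule in rules:
        for list_name in lists_referenced(rule):
            if list_name not in current_lists:
                stale.append((rule["name"], list_name))
    return stale


def deployments_to_redeploy(rules, stale):
    """Map each affected deployment to the rules in it that need editing and redeploying."""
    affected = {rule_name for rule_name, _ in stale}
    result = {}
    for rule in rules:
        if rule["name"] in affected:
            result.setdefault(rule["deployment"], []).append(rule["name"])
    return result


if __name__ == "__main__":
    stale = find_stale_references(SAMPLE_RULES, CURRENT_LISTS)
    for rule_name, list_name in stale:
        print(f"rule '{rule_name}' references missing Context Hub list '{list_name}'")
    for deployment, rule_names in deployments_to_redeploy(SAMPLE_RULES, stale).items():
        print(f"redeploy '{deployment}' after fixing: {', '.join(rule_names)}")
```

Run this against a fresh export of rule descriptions and the current list names whenever a Context Hub list is renamed; each deployment it names is one that must go through the edit, save and Deploy Now steps above.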