|Applies To||RSA Product Set: NetWitness Platform
RSA Product/Service Type: ESA host/ESA Correlation service
RSA Version/Condition: 11.5|
|Issue||In NetWitness Platform 11.5 and later, an optional ESA data source filter can be applied to the data sources in ESA rule deployments to improve performance. With an appropriate ESA data source filter in place, ESA processes only the data relevant to the deployment.
The filter is made up of application rules, which are applied to the Decoders mapped to the selected data sources. Modifying these application rules may affect the ESA data source filters and prevent ESA from processing alerts correctly.|
|Cause||An Application Rule on one or more Decoders that produces meta used by the ESA Data Source filter may have been modified or removed. Because the filter depends on that Application Rule, the modification or deletion has caused the ESA Data Source filter to stop functioning correctly.|
If an Application Rule linked to an ESA Data Source Filter is modified or removed on one or more Decoders, the ESA Data Source Filter must be removed, rebuilt, and redeployed to the ESA to reflect the changes. The changes take effect on the ESA only after the ESA rule deployment is finished.
Caution: The data source filter is for advanced users familiar with Decoder Application Rules. Improper filtering can prevent required data from being forwarded to or analyzed by ESA.
Note: Because the data source filter cannot be edited once created, copy the filter query from the data source filter before removing it. You can then compare the original query with the new query created in the new filter.