000039263 - ESA Alerts Not Working After Updating Application Rules and Using ESA Data Source Filtering on NetWitness Platform 11.5 and later

Document created by RSA Customer Support Employee on Sep 20, 2020. Last modified by RSA Customer Support Employee on Sep 22, 2020.

Article Content

Article Number: 000039263
Applies To: RSA Product Set: NetWitness Platform
RSA Product/Service Type: ESA host/ESA Correlation service
RSA Version/Condition: 11.5
Issue: In NetWitness Platform 11.5 and later, an optional ESA data source filter can be applied to the data sources in an ESA rule deployment to improve performance. With an appropriate ESA data source filter in place, ESA processes only the data relevant to that deployment.

The filter is comprised of application rules, which are applied to the Decoders mapped to selected data sources. Modifications to these application rules may impact the ESA data source filters and cause the ESA to not process alerts correctly.
Cause: An Application Rule on one or more Decoders that produces meta used by the ESA Data Source filter has been modified or removed. Because the filter depends on that meta, the change to the Application Rule causes the ESA Data Source filter to stop functioning correctly.

If an Application Rule linked to an ESA Data Source Filter is modified/removed on one or more Decoders, the ESA Data Source Filter must be removed, rebuilt, and redeployed to the ESA to reflect the changes made. The changes will take effect on the ESA only after the ESA rule deployment is finished.

Caution: The data source filter is for advanced users familiar with Decoder Application Rules. Improper filtering can cause the required data to not be forwarded to or analyzed by ESA.

Note: Since the data source filter cannot be edited once created, copy the filter query in the data source filter before removing it. This allows for a comparison between the original query and the new query that will be created in the new filter.

  1. Go to Configure > ESA Rules > Rules tab.
  2. In the Rules tab options panel on the left, under Deployments, select a deployment.
  3. Scroll down to the Data Source Filter (Optional) section.
  4. To save the existing filter query for future reference, copy the contents of the Filter Query field.
  5. To remove the data source filter from the deployment, select the filter, click the minus (-) button at the top of the section, and then click Yes to acknowledge the removal.
  6. To add a new filter, click the plus (+) at the top of the section.
  7. In the Create Data Source Filter dialog, create a new filter, and click Save. For information about how to create a data source filter, see "Data Source Filter (Optional) Section" in the Alerting with ESA Correlation Rules User Guide.
  8. After all changes to the deployment are complete, click Deploy Now to push the deployment to the ESA. The changes take effect on the ESA once the deployment is complete.
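The note above recommends copying the old filter query so it can be compared with the new one, and the cause section explains that the filter breaks when an Application Rule it depends on is changed or removed on a Decoder. The following script is an added example, not part of this article or of the NetWitness product, that shows both checks offline: it parses a saved filter query into its `key = value` terms, reports the terms that differ between the old and new queries, and flags every `alert` value in the query that no longer corresponds to an Application Rule name on each Decoder. The query syntax (`key = 'value'` terms joined by `||` or `&&`), the convention that an Application Rule writes its rule name into the `alert` meta key, the rule inventory and the Decoder names are all constructed assumptions for illustration.

```python
import re

# Constructed sample: the Filter Query copied from the deployment before the
# filter was removed (syntax assumed: key = 'value' terms joined by || or &&).
OLD_FILTER_QUERY = "alert = 'suspicious_login' || alert = 'dns_tunnel' || service = 80"

# Constructed sample: the query entered in the rebuilt filter.
NEW_FILTER_QUERY = "alert = 'suspicious_login' || service = 80"

# Constructed inventory of Application Rules currently present on each Decoder
# (Decoder names and rule names are hypothetical). The assumed convention is that
# each Application Rule writes its own name into the `alert` meta key.
DECODER_APP_RULES = {
    "decoder-01": {"suspicious_login", "proxy_c2"},
    "decoder-02": {"suspicious_login"},
}

# One filter term: meta key, comparison operator, value (quoted or bare).
TERM_RE = re.compile(r"(\w[\w.]*)\s*(=|!=)\s*'?([^'|&\s]+)'?")


def parse_terms(query):
    """Return the sorted, de-duplicated (key, value) terms of a filter query.

    Negated terms (!=) are included as plain (key, value) pairs; the operator
    is deliberately ignored because the goal is to find which meta values the
    filter relies on, not to evaluate the query.
    """
    return sorted({(key, value) for key, _op, value in TERM_RE.findall(query)})


def compare_queries(old_query, new_query):
    """Return (removed_terms, added_terms) between the saved and rebuilt queries."""
    old_terms, new_terms = set(parse_terms(old_query)), set(parse_terms(new_query))
    return sorted(old_terms - new_terms), sorted(new_terms - old_terms)


def unresolved_alert_terms(query, decoder_rules):
    """Map each `alert` value in the query to the Decoders that lack a rule of that name.

    A non-empty result means the filter references meta that at least one
    Decoder no longer produces, i.e. the situation this article describes.
    """
    missing = {}
    for key, value in parse_terms(query):
        if key != "alert":
            continue  # only `alert` values are tied to Application Rule names here
        decoders = sorted(name for name, rules in decoder_rules.items() if value not in rules)
        if decoders:
            missing[value] = decoders
    return missing


if __name__ == "__main__":
    removed, added = compare_queries(OLD_FILTER_QUERY, NEW_FILTER_QUERY)
    print("terms dropped from the filter:", removed)
    print("terms added to the filter:   ", added)
    for value, decoders in unresolved_alert_terms(OLD_FILTER_QUERY, DECODER_APP_RULES).items():
        print(f"alert '{value}' has no matching Application Rule on: {', '.join(decoders)}")
```

Run the script against the query you saved in step 4 and a current export of the Application Rules on each Decoder before rebuilding the filter; any value reported by `unresolved_alert_terms` should either be restored as an Application Rule or left out of the new filter query, otherwise the redeployed filter will again reference meta that ESA never receives.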