This topic introduces prepackaged ESA rules available in NetWitness. RSA delivers Event Stream Analysis (ESA) rules through the Live Content Management System. Please refer to the Event Stream Analysis Guide for detailed instructions on how to enable, modify, and configure rules after you download them from Live.
Download ESA Rules
To download ESA rules:
Browse Live CMS for the ESA Rules you want. When browsing the Live CMS for ESA Rules, the Resource Type varies slightly based on your version:
- For NetWitness 11.x: Event Stream Analysis Rule.
- For Security Analytics 10.x: RSA Event Stream Analysis Rule
is Event Stream Analysis Rule.
- Deploy the rules.
Use ESA Rules in RSA NetWitness
After you deploy the rules, depending on your version:
- For NetWitness 11.x: Go to CONFIGURE > ESA Rules.
- For Security Analytics 10.x: In the Security Analytics menu, click Alerts > Configure .
NetWitness displays the ESA Rules view with the ESA Rules that you deployed.
Advanced and Basic ESA Rule Templates
In addition to the predefined ESA rules available from Live, you can download the Advanced Template and the Basic Template.
The Advanced Template (advanced_template.esaa) allows you to create and maintain the SQL syntax in the rule. This eliminates the need for Security Analytics to translate the syntax so Security Analytics directly inserts it into the FTL file.
In the system, the file is called advanced_template.esaa. Through Live, it is displayed as “Advanced Rule Template”. The Advanced Rule Template is not visible in the User Interface because it is only used behind the scenes by Advanced ESA Rule Creation feature.
Basic Templates RSA Content
Similar to Advanced Queries, the query is directly entered into the FTL. Since some query conditions are highly environment specific, the customers are able to configure portions of the query to their needs. A couple of typical examples would be being able to configure the number of events that must occur plus the time window they must occur within. Again, the XML stores the data for the FTL to translate.
Change Rule Parameters
Some ESA Rules can have parameters (for example, a time period) that you can modify using the Edit ESA rules view. For example, the Adapter in Promiscuous Mode after Multiple Login Attempts ESA rule has the Within this number of seconds parameter with the default time of 5 minutes (300 seconds). This is the time that needs to elapse before the rule goes into promiscuous mode.
In the following example, we change the default time of 300 seconds to 8 minutes (480 seconds) after which the adapter goes into promiscuous mode.
After you download the ESA rule, depending on your version:
- For NetWitness 11.x: Go to CONFIGURE > ESA Rules > Rules.
- For Security Analytics 10.x: In the Security Analytics menu, click Alerts > Configure > Rules.
The ESA Rules view displays.
A Rule Builder tab for this rule displays.
In the Parameters field, click on the value of the parameter (for example Within this number of seconds).
Change the existing value to the desired value (for example 30) and click Save.