The ESA service in a deployment gathers data in your network and runs ESA rules against the data. The goal is to capture events that match rule criteria, then generate an alert for the captured event.
You can add the same ESA to multiple deployments. For example, ESA London could be in these deployments simultaneously:
- Deployment EUR, which includes one set of ESA rules
- Deployment CORP, which includes another set of ESA rules
When you remove an ESA from a deployment, the rules are also removed from the ESA. For example, Deployment EUR could include ESA London and a set of 25 rules. If you remove ESA London from Deployment EUR, the 25 rules are also removed from ESA London. Consequently, if an ESA is not part of any deployment, the ESA does not have any rules.
To add an ESA service:
- In the Security Analytics menu, select Alerts > Configure.
The Rules tab is displayed.
- In the options panel, select a deployment.
- In the Deployment view, click in ESA Services.
The Deploy ESA Services dialog lists each configured ESA.
- Select an ESA and click Save.
The Deployment view is displayed. The ESA is listed in the ESA Services section, with the status Added.