ESA rule deployments map rules from your rule library to the appropriate ESA Services and data sources. The Deployment panel (Configure > ESA Rules > Rules tab) enables you to create and configure ESA rule deployments that specify:
- ESA Services
- Data Sources (This is available in NetWitness Platform version 11.3 and later.)
- ESA Rules
When you are ready to start aggregating data and generating alerts from an ESA rule deployment, you deploy the ESA rule deployment to activate it.
Note: An ESA rule deployment can have only one ESA service. You can, however, use the same ESA service in multiple deployments.
In NetWitness Platform version 11.2 and earlier, the ESA service is the Event Stream Analysis service. In version 11.3 and later, it is the ESA Correlation service.
What do you want to do?
Role | I want to ... | Show me how |
---|---|---|
Content Expert | Add an ESA rule deployment. | ESA Rule Deployment Steps |
Content Expert | Manage deployments. | Additional ESA Rule Deployment Procedures |
Quick Look
The following figure shows the Deployment panel.
ESA Services Section
In the ESA Services section, you can manage each ESA service in the deployment.
The following table describes the actions you can perform in the ESA Services section.
Task | Description |
---|---|
Add | Adds an ESA service to the deployment. |
Remove | Removes the selected ESA service from the deployment. |
The following table describes the columns in the ESA Services section.
Title | Description |
---|---|
Status | Indicates if the deployment status is Added, Deployed, Updated, or Failed. |
Name | Name of the ESA service. |
Address | IP address of the host where the ESA service is installed. |
Version | Version of the ESA service. |
Last Deployment Date | The date and time when the ESA service was last deployed. |
Data Sources Section
Note: This option is available in NetWitness Platform version 11.3 and later.
In the Data Sources section, you can select one or more data sources, such as Concentrators, to use for your selected ESA Service.
The following table describes the actions you can perform in the Data Sources section.
The following table describes the columns in the Data Sources section.
Title | Description |
---|---|
(Status) | Shows the status of the data source. A solid colored green circle indicates a running service and a white circle indicates a stopped service. |
Name | Shows the name of the data sources used by the selected ESA service. You can specify the data sources separately for each ESA rule deployment. |
Type | Shows the type of the data sources. Data sources can be Concentrators or Decoders. It is important that you choose data sources that have the appropriate data for the rules in the deployment. For example, if you have NetWitness Endpoint and you want to deploy the Endpoint Risk Scoring Rules Bundle, you must choose endpoint data sources. |
Note: You can add a Log Decoder as a data source for ESA, but it is better to add a Concentrator to take advantage of undivided aggregation as the Decoder may have other processes aggregating from it.
Deployment Options
There are two deployment options below the Data Sources section. These options apply to the entire ESA rule deployment.
The following table describes these deployment options.
Task | Description |
---|---|
Show Updates | Enables you to view a history of updates to the deployment. |
Deploy Now | Activates the ESA rule deployment. The selected ESA service starts aggregating data and generating alerts using the specified ESA rules in the deployment. You need to add ESA Rules to the deployment before deploying the ESA rule deployment. |
ESA Rules Section
In the ESA Rules section, you manage rules in the deployment. This section lists all rules that are currently in the deployment.
The following table describes the actions you can perform in the ESA Rules section.
Task | Description |
---|---|
Add | Opens the Deploy ESA Rules dialog, where you can select a rule. |
Remove | Removes the selected ESA rules from the deployment. |
Filter | Filters the list of rules. |
Search | Enables you to search for a rule. |
The following table describes the columns in the ESA Rules section.
Title | Description |
---|---|
Status | Indicates the rule status, shown as an icon. |
Rule Name | Describes the purpose of the ESA rule. |
Trial Rule | Indicates whether the rule is deployed in trial rule mode, which lets you check that the rule runs efficiently. |
Severity | Shows the threat level of the alerts triggered by the rule. |
Type | Shows the type of the ESA rule. For more information, see ESA Rule Types. |
Email, SNMP, Syslog, Script | Indicates which notification types are used for alerts generated by the rules. (ESA SNMP notifications are not supported in NetWitness Platform version 11.3 and later.) |
Last Modified | Shows the date and time when the ESA rule was last modified. |
Data Source Filter (Optional) Section
Note: This option is available in NetWitness Platform version 11.5 and later.
The data source filter is optional. If you have a medium to large NetWitness Platform deployment with high throughput, you can add a filter query so that only the data relevant to this deployment is forwarded to ESA. This filters out types of traffic that do not add value to the analysis performed by the ESA rule deployment.
Caution: The data source filter is intended for advanced users familiar with Decoder application rules. Improper filtering can cause the required data to not be forwarded to and analyzed by ESA.
Using a data source filter can be performance intensive for data aggregation. A filter slows the event aggregation rate, but when it excludes a large amount of traffic, it can reduce the load on the ESA Correlation server. However, if you use a complex filter that does not exclude much traffic, the event aggregation rate may be lower than expected with no corresponding benefit.
IMPORTANT: If an application rule linked to a data source filter is modified on a Decoder, the filter must be removed, added again, and redeployed. The changes take effect on ESA after the deployment is redeployed.
The following table describes the columns in the Data Source Filter (Optional) section.
Create Data Source Filter Dialog - Simple
When you create the data source filter, you select application rules to be included in the filter query. The application rules that you select must be enabled on the Decoders that feed the data sources in this deployment. ESA Correlation uses the filtered event data to process the ESA rules.
Caution: The data source filter is for advanced users familiar with Decoder application rules. Improper filtering can cause the required data to not be forwarded to and analyzed by ESA.
The following table describes the columns in the Create Data Source Filter dialog.
For more information, see "Configure Application Rules" in the Decoder and Log Decoder Configuration Guide.
Create Data Source Filter - Advanced
If necessary, you can use the advanced filter instead of the simple filter to add your data source filter query directly. The individual application rule queries must be separated by an "or" condition. For more information on creating and writing Decoder rules, see "Configure Application Rules" in the Decoder and Log Decoder Configuration Guide.
Caution: The data source filter is for advanced users familiar with Decoder application rules. Improper filtering can cause the required data to not be forwarded to and analyzed by ESA.
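The following is an added example, not NetWitness product code, showing how the advanced filter query described above can be assembled from the application rules chosen in the simple dialog: each selected rule must be enabled on the feeding Decoders, and the individual rule queries are joined by an "or" condition. The `||` spelling of the "or" operator, the `AppRule` type and the sample rule names and queries are assumptions for illustration.

```python
# Added example (not NetWitness product code): build an advanced data source
# filter from the application rules that were selected in the simple dialog.
from dataclasses import dataclass


@dataclass(frozen=True)
class AppRule:
    name: str
    query: str      # the rule's condition as written on the Decoder
    enabled: bool   # whether the rule is enabled on the Decoders feeding this deployment


OR_OPERATOR = "||"  # assumed spelling of the "or" condition in Decoder query syntax


def build_advanced_filter(rules: list[AppRule]) -> str:
    """Join the selected rules' queries with "or" so that an event matching
    any one rule is forwarded to ESA.

    A selected rule that is not enabled on the Decoder would forward nothing,
    so it is rejected here rather than silently starving the ESA rules of data.
    """
    if not rules:
        raise ValueError("an empty filter would forward no data to ESA")
    disabled = [r.name for r in rules if not r.enabled]
    if disabled:
        raise ValueError(f"selected rules are not enabled on the Decoder: {disabled}")
    # Parenthesize each query so that an "and" inside one rule cannot bind to
    # its neighbour and change which events the combined filter matches.
    return f" {OR_OPERATOR} ".join(f"({r.query.strip()})" for r in rules)


# Constructed sample rules (illustrative, not content shipped with the product)
SAMPLE_RULES = [
    AppRule("http_traffic", "service = 80", enabled=True),
    AppRule("dns_traffic", "service = 53", enabled=True),
]
DISABLED_RULE = AppRule("ftp_traffic", "service = 21", enabled=False)

if __name__ == "__main__":
    print(build_advanced_filter(SAMPLE_RULES))
```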