Alerting: Deployment Panel

Document created by RSA Information Design and Development on Sep 12, 2017. Last modified by RSA Information Design and Development on Jan 30, 2020.

ESA rule deployments map rules from your rule library to the appropriate ESA Services and data sources. The Deployment panel (Configure > ESA Rules > Rules tab) enables you to create and configure ESA rule deployments that specify:

  • ESA Services
  • Data Sources (This is available in NetWitness Platform version 11.3 and later.)
  • ESA Rules

When you are ready to start aggregating data and generating alerts from an ESA rule deployment, you deploy the ESA rule deployment to activate it.

Note: An ESA rule deployment can have only one ESA service. You can, however, use the same ESA service in multiple deployments.
In NetWitness Platform version 11.2 and earlier, the ESA service is the Event Stream Analysis service. In version 11.3 and later, it is the ESA Correlation service.

What do you want to do?

Role | I want to ... | Show me how
Content Expert | Add an ESA rule deployment. | ESA Rule Deployment Steps
Content Expert | Manage deployments. | Additional ESA Rule Deployment Procedures

Quick Look

The following figure shows the Deployment panel.

[Figure: Rules Tab Deployment Panel]

ESA Services

In the ESA Services section, you can manage each ESA service in the deployment.

The following table describes the actions you can perform in the ESA Services section.

                    
TaskDescription
Add icon Adds an ESA service to the deployment. 
Delete icon Removes the selected ESA service from the deployment.

The following table describes the columns in the ESA Services section.

                               
TitleDescription
StatusIndicates if the deployment status is AddedDeployedUpdated, or Failed.
NameName of the ESA service.
AddressIP address of the host where the ESA service is installed.
VersionVersion of the ESA service.
Last Deployment DateThe date and time when the ESA service was last deployed.

Data Sources

Note: This option is available in NetWitness Platform version 11.3 and later.

In the Data Sources section, you can select one or more data sources, such as Concentrators, to use for your selected ESA Service.

The following table describes the actions you can perform in the Data Sources section.

                          
TaskDescription
Add icon Adds a data source for the selected ESA service to the deployment. 
Delete icon Removes a data source for the selected ESA service from the deployment.
Edit icon

(This option is available in NetWitness Platform version 11.3.0.2 and later.) Enables you to change the configuration of a data source in an ESA rule deployment. You can change the data source password, SSL, port, and compression settings. When a data source password changes, it is important to change the password on the data source so that ESA can continue to communicate with the data source.

Note: If you make any ESA service, data source, or ESA rule changes to an ESA rule deployment, you need to redeploy the deployment. For example, if you change the configuration of a data source in an ESA rule deployment, you must redeploy all the ESA rule deployments that contain that data source.
When you set the compression level for a Concentrator on ESA, it sets the same compression level for that Concentrator for ESA Analytics and ESA Correlation Rules.

The following table describes the columns in the Data Sources section.

                     
TitleDescription
(Status)Shows the status of the data source. A solid colored green circle indicates a running service and a white circle indicates a stopped service.
NameShows the name of the data sources used by the selected ESA service. You can specify the data sources separately for each ESA rule deployment.
TypeShows the type of the data sources. Data sources can be Concentrators or Decoders. It is important that you choose data sources that have the appropriate data for the rules in the deployment. For example, if you have NetWitness Endpoint and you want to deploy the Endpoint Risk Scoring Rules Bundle, you must choose endpoint data sources.

Note: You can add a Log Decoder as a data source for ESA, but it is better to add a Concentrator to take advantage of undivided aggregation as the Decoder may have other processes aggregating from it.

Deployment Options

There are two deployment options below the Data Sources section. These options apply to the entire ESA rule deployment.

The following table describes these deployment options.

                    
TaskDescription
Show UpdatesEnables you to view a history of updates to the deployment.
Deploy NowActivates the ESA rule deployment. The selected ESA service starts aggregating data and generating alerts using the specified ESA rules in the deployment. You need to add ESA Rules to the deployment before deploying the ESA rule deployment.

ESA Rules

In the ESA Rules section, you manage rules in the deployment. This section lists all rules that are currently in the deployment. 

The following table describes the actions you can perform in the ESA Rules section.

                            
TaskDescription
Add icon Opens the Deploy ESA Rules dialog, where you can select a rule.
Delete icon Removes the selected ESA rules from the deployment.
Filter icon Filters the list of rules.
Search field Enables you to search for a rule.

The following table describes the columns in the ESA Rules section.

                                     
TitleDescription
StatusIndicates the rule status:
  • Deployed - the rule is deployed.
  • Updated - the rule has been updated since the last deployment.
  • Added - the rule has been added since the last deployment.
  • Disabled - the rule is disabled due to an error in the rule or an error during the deployment of the rule.

In NetWitness Platform version 11.3.0.2 and later, if a disabled rule has an error message, it shows ESA disabled rule error message icon in the Status field. Hover over the rule to view the error message tooltip.

Disabled rule tooltip showing an error message

Rule NameDescribes the purpose of the ESA rule.
Trial RuleIndicates whether the rule is Deployment mode to see if the rule runs efficiently.
SeverityShows the threat level of alert triggered by the rule.
TypeShows the type of the ESA rule. For more information, see ESA Rule Types.
Email, SNMP, Syslog, ScriptIndicates which notification types are used for alerts generated by the rules. (ESA SNMP notifications are not supported in NetWitness Platform version 11.3 and later.)
Last ModifiedShows the date and time when the ESA rule was last modified.
