This topic explains how to add a deployment, which includes an ESA service with its associated data sources and a set of ESA rules. You can add a deployment to organize and manage ESA services and rules. Think of the deployment as a container for these components:
- An ESA service
- A set of ESA rules
For example, if you add a Spam Activity deployment it could include an ESA London service, Concentrators with the appropriate data, and a set of ESA rules to detect suspicious email activity.
To add a deployment, you need to complete the following procedures:
Step 1. Add a Deployment
Prerequisites
The following are required to add a deployment:
- The ESA service must be configured on the host.
- Rules must be in the Rule Library. See Add Rules to the Rule Library.
Add a Deployment
- Go to CONFIGURE > ESA Rules.
The Rules tab is displayed.
- In the options panel on the left, next to Deployments, select > Add and type a name for the deployment. The naming convention is up to you. For example, it could indicate the purpose or identify an owner.
- Press Enter.
The deployment is added. The Deployment view is displayed on the right.
Step 2. Add an ESA Service
The ESA service in a deployment gathers data in your network and runs ESA rules against the data. The goal is to capture events that match rule criteria, then generate an alert for the captured event.
You can add the same ESA service to multiple deployments. For example, ESA London could be in these deployments simultaneously:
- Deployment EUR, which includes one set of rules
- Deployment CORP, which includes another set of rules.
Changes made to a deployment do not take effect until you click Deploy. For example, Deployment EUR could include the ESA London service and a set of 25 rules. If you replace the ESA London service with the ESA Paris service, the next time you deploy Deployment EUR, the 25 rules will be removed from ESA London and added to ESA Paris.
Deleting a deployment immediately removes the rules from the ESA service. If an ESA service is not part of any deployment, the ESA service does not have any rules.
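The staged-versus-deployed behaviour described above, modelled as an added example (not NetWitness code and not an API of the product). Class and function names are hypothetical, the CORP rule names are constructed, and the model assumes that a service in several deployments runs the union of their rules.

```python
# Added illustration: a minimal model of the deployment behaviour described
# above. All class and function names are hypothetical, not a NetWitness API.
from dataclasses import dataclass, field


@dataclass
class Deployment:
    services: set = field(default_factory=set)  # staged in the Deployment view
    rules: set = field(default_factory=set)     # staged in the Deployment view
    live: dict = field(default_factory=dict)    # service -> rules last deployed

    def pending(self) -> bool:
        """True when staged edits differ from what was last deployed."""
        return self.live != {s: set(self.rules) for s in self.services}

    def deploy(self) -> None:
        """Deploy Now: push the staged rule set to the staged services."""
        self.live = {s: set(self.rules) for s in self.services}


class Console:
    def __init__(self):
        self.deployments = {}

    def add(self, name: str) -> Deployment:
        self.deployments[name] = Deployment()
        return self.deployments[name]

    def delete(self, name: str) -> None:
        del self.deployments[name]  # rules leave the service immediately

    def running_rules(self, service: str) -> set:
        # Assumption: a service in several deployments runs the union of their rules.
        live = [d.live.get(service, set()) for d in self.deployments.values()]
        return set().union(*live)


def walkthrough() -> list:
    """(ESA London, ESA Paris) rule counts after each step of the page's example."""
    c, steps = Console(), []
    snap = lambda: steps.append(
        tuple(len(c.running_rules(s)) for s in ("ESA London", "ESA Paris")))
    eur, corp = c.add("EUR"), c.add("CORP")
    eur.services, eur.rules = {"ESA London"}, {f"eur-{i}" for i in range(25)}
    corp.services, corp.rules = {"ESA London"}, {"corp-1", "corp-2"}  # constructed
    eur.deploy(); corp.deploy(); snap()   # both deployments live
    eur.services = {"ESA Paris"}; snap()  # service swapped, not yet deployed
    eur.deploy(); snap()                  # the 25 rules move to ESA Paris
    c.delete("EUR"); snap()               # removal needs no Deploy
    return steps
```

The second snapshot is the one to watch when auditing detection coverage: the Deployment view already shows ESA Paris, but the 25 rules are still running on ESA London until Deploy is clicked.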
To add an ESA service:
- Go to CONFIGURE > ESA Rules.
The Rules tab is displayed.
- In the options panel, select a deployment.
- In the Deployment view, click in ESA Services.
The Deploy ESA Services dialog lists each configured ESA.
- Select an ESA service and click Save.
The Deployment view is displayed. The ESA service is listed in the ESA Services section, with the status Added.
Step 3. Add and Deploy Rules
This topic explains how to add ESA rules to a deployment and then deploy the rules on ESA. Each ESA rule has unique criteria. The ESA rules in a deployment determine which events ESA captures, which in turn determine the alerts you receive.
For example, Deployment A includes ESA Paris and, among others, a rule to detect file transfer using a non-standard port. When ESA Paris detects a file transfer that matches the rule criteria, it captures the event and generates an alert for it. If you remove this rule from Deployment A, ESA will no longer generate an alert for such an occurrence.
To add and deploy rules:
- Go to CONFIGURE > ESA Rules.
The Rules tab is displayed.
- In the options panel, select a deployment.
- In the Deployment view, click in ESA Rules.
The Deploy ESA Rules dialog is displayed and shows each rule in your Rule Library.
- Select rules and click Save.
The Deployment view is displayed:
  - The rules are listed in the ESA Rules section.
  - In the Status column, Added is next to each new rule.
  - In the Deployments section, an icon indicates there are updates to the deployment.
  - The total number of rules in the deployment is on the right.
- Click Deploy Now.
The ESA service runs the rule set.