Alerting: ESA Rule Deployment Steps

Document created by RSA Information Design and Development on Sep 12, 2017. Last modified by RSA Information Design and Development on Apr 11, 2019.

This topic explains how to add an ESA rule deployment, which includes an ESA service with its associated data sources and a set of ESA rules. You can add an ESA rule deployment to organize and manage ESA services and rules. Think of the deployment as a container for these components:

  1. An ESA service
  2. One or more data sources (This is available in version 11.3 and later.)
  3. A set of ESA rules

For example, if you add a Spam Activity deployment, it could include an ESA London service, Concentrators with the appropriate data, and a set of ESA rules to detect suspicious email activity.

Note: An ESA rule deployment can have only one ESA service. You can, however, use the same ESA service in multiple deployments.
In NetWitness Platform version 11.2 and earlier, the ESA service is the Event Stream Analysis service. In version 11.3 and later, it is the ESA Correlation service.

To add an ESA rule deployment, you need to complete the following procedures:

Step 1. Add an ESA Rule Deployment

Prerequisites

The following are required to add an ESA rule deployment:

To add an ESA rule deployment:

  1. Go to CONFIGURE > ESA Rules.
    The Rules tab is displayed.
  2. In the options panel on the left, next to Deployments, select Add deployment icon > Add and type a name for the deployment. The naming convention is up to you. For example, it could indicate the purpose or identify an owner.
    Rules tab Options panel - Adding a deployment
  3. In NetWitness Platform 11.3 and later, the deployment names that you choose appear on the deployment tabs in the ADMIN > ESA Rules > Services tab.
  4. Press Enter.
    The deployment is added. The Deployment view is displayed on the right.
    Deployment added

Step 2. Add an ESA Service

The ESA service in an ESA rule deployment gathers data in your network and runs ESA rules against the data. The goal is to capture events that match rule criteria, then generate an alert for the captured event.

An ESA rule deployment can have only one ESA service. You can, however, use the same ESA service in multiple deployments. For example, ESA London could be in these deployments simultaneously:

  • Deployment EUR, which includes one set of rules
  • Deployment CORP, which includes another set of rules.

Changes made to an ESA rule deployment do not take effect until you click Deploy Now. For example, Deployment EUR could include the ESA London service and a set of 25 rules. If you replace the ESA London service with the ESA Paris service, the next time you deploy Deployment EUR, the 25 rules will be removed from ESA London and added to ESA Paris.

Deleting an ESA rule deployment immediately removes the rules from the ESA service. If an ESA service is not part of any deployment, the ESA service does not have any rules.

To add an ESA service:

  1. Go to CONFIGURE > ESA Rules > Rules tab.
  2. In the options panel, select a deployment:
    Deployment view showing a selected deployment
  3. In the Deployment view, click Add icon in ESA Services.
    The Deploy ESA Services dialog lists each configured ESA service.
    Deploy ESA Services dialog
  4. Select an ESA service and click Save.
    The Deployment view is displayed. The ESA service is listed in the ESA Services section, with the status Added.
    Service added

Step 3. Add Data Sources

Note: This option is available in version 11.3 and later.

You can select one or more data sources, such as Concentrators, to use for your selected ESA Service. This enables you to specify different data sources for each deployment. For example, you may want to use Concentrators with HTTP packet data in one deployment and Concentrators with HTTP log data in another deployment.

  1. Go to CONFIGURE > ESA Rules > Rules tab.
  2. In the options panel, select a deployment.
  3. Configure one or more data sources for your deployment. Do the following for each data source:
    1. In the Deployment view Data Sources section, click Add icon.
      The Available Configured Data Sources dialog lists the services that have been configured for use as a data source.
      Available Configured Data Sources dialog
    2. To add a data source configuration, click Add icon.
      The Available Services dialog lists the available data sources from the ADMIN > Services view, such as Concentrators.
      Available Services dialog

      Note: You can add a Log Decoder as a data source for ESA, but it is better to add a Concentrator, which gives ESA undivided aggregation; a Decoder may have other processes aggregating from it.

    3. In the Available Services dialog, select a data source, such as a Concentrator, and click OK.
    4. In the Add Service dialog, type the Administrator username and password for the data source.
      Add Service dialog for adding a Concentrator data source
    5. To enable the SSL or Compression options, select the corresponding checkboxes.
    6. (Optional) In NetWitness Platform 11.3 and later, you can adjust the Compression Level for Concentrators on ESA. To enable compression, select the Compression checkbox. You can set the Compression Level for a Concentrator from 0-9:
      • Compression Level = 0 (If compression is enabled, Core Services control the amount of compression.)
      • Compression Level = 1 (The lowest amount of compression and the highest performance.)
      • Compression Level = 9 (The highest amount of compression and the worst performance.)

      A setting somewhere in the middle between 1 and 9 is usually best, which is what you get when you select a compression level of 0. For more detailed information, see the Core Database Tuning Guide.

      Note: When you set the compression level for a Concentrator on ESA, it sets the same compression level for that Concentrator for ESA Correlation Rules and ESA Analytics.

    7. Click Test Connection to make sure that the ESA service can communicate with the data source.
      Add Service dialog for adding a Concentrator - Successful test
    8. Click OK.
      After you configure your data sources and they appear in the Available Configured Data Sources dialog, you can use them for your deployment.
  4. In the Available Configured Data Sources dialog, select at least one data source to use for the deployment.
    Available Configured Data Sources dialog with a data source selected
    A solid green circle indicates a running service and a white circle indicates a stopped service.
  5. Click Save.
    In the Deployment view Data Sources section, the selected data sources are added to the deployment. The Deploy Now button activates after an ESA service, a data source, and rules are added to an ESA rule deployment.
    Deployment view Data Sources section with a data source added

Step 4. Add and Deploy Rules

This topic explains how to add ESA rules to an ESA rule deployment and then deploy the rules on ESA. Each ESA rule has unique criteria. The ESA rules in an ESA rule deployment determine which events ESA captures, which in turn determine the alerts you receive.

For example, Deployment A includes ESA Paris and, among others, a rule to detect file transfer using a non-standard port. When ESA Paris detects a file transfer that matches the rule criteria, it captures the event and generates an alert for it. If you remove this rule from Deployment A, ESA will no longer generate an alert for such an occurrence.

To add and deploy rules:

  1. Go to CONFIGURE > ESA Rules > Rules tab.
  2. In the options panel, select a deployment.
  3. In the Deployment view, click Add icon in ESA Rules.
    The Deploy ESA Rules dialog is displayed and shows each rule in your Rule Library:
    Deploy ESA Rules dialog
  4. Select rules and click Save.
    The Deployment view is displayed and the Deploy Now button is enabled.
    Deployment view showing rules added to a deployment
  5. The rules are listed in the ESA Rules section:
    • In the Status column, Added is next to each new rule.
    • In the Deployments section, Deployment Update icon indicates there are updates to the deployment.
    • The total number of rules in the deployment is on the right.
    Deployments section showing the number of events on the right
  6. Click Deploy Now.
    The ESA service runs the rule set. After the ESA service completes the processing of each rule in the deployment, the status changes to Deployed.
    Deployment view showing an ESA rule deployment with a Deployed status

Deploy the Endpoint Risk Scoring Rules Bundle

An Endpoint Risk Scoring Rules Bundle, which contains approximately 400 rules, comes with NetWitness Platform 11.3 and later. Endpoint risk scoring rules only apply to NetWitness Endpoint. You can add the Endpoint Risk Scoring Rules Bundle to an ESA rule deployment in the same way that you would add any ESA rule. However, you must specify endpoint data sources (Concentrators) in the ESA Rule Deployment.

The ESA Correlation service can process endpoint risk scoring rules, which generate alerts that are used in risk scoring calculations to identify suspicious files and hosts. To turn on risk scoring for NetWitness Endpoint, you must deploy endpoint risk scoring rules on ESA. For instructions, see "Deploy Endpoint Risk Scoring Rules on ESA" in the ESA Configuration Guide. For complete information on configuring NetWitness Endpoint, see the NetWitness Endpoint Configuration Guide.
