Alerting: Additional ESA Rule Deployment Procedures

Document created by RSA Information Design and Development on Sep 12, 2017. Last modified by RSA Information Design and Development on Jul 8, 2019.
Version 9
 

In addition to deploying an ESA service and rules, you may want to perform other steps on your ESA rule deployment, such as replacing an ESA service, changing a data source, editing or deleting a rule from the deployment, renaming or deleting the deployment, or showing updates to an ESA rule deployment.

Note: You cannot edit or duplicate an Endpoint Risk Scoring Rules Bundle.

In NetWitness Platform version 11.3 and later, you can add or remove a data source from a deployment.

Each of the following procedures starts in the Rules tab (CONFIGURE > ESA Rules > Rules tab).

Anytime you make changes to an ESA rule deployment, you must redeploy it for the changes to take effect. To redeploy the deployment, click the Deploy Now button for that deployment.

Replace an ESA Service in an ESA Rule Deployment

An ESA rule deployment can have only one ESA service, but you can replace it at any time with another ESA service. You can use the same ESA service in multiple deployments.

Remove an ESA Service from an ESA Rule Deployment

  1. Go to CONFIGURE > ESA Rules > Rules tab.
    The Rules tab is displayed.
  2. In the options panel, under Deployments, select a deployment.
  3. In the ESA Services section, select a service and click the Delete icon in the toolbar.
    A confirmation dialog is displayed.
  4. Click Yes.
    The service is removed from the deployment.

Add an ESA Service to an ESA Rule Deployment

To add an ESA Service to an ESA rule deployment, see Step 2. Add an ESA Service. For the ESA Correlation service in NetWitness Respond 11.3 and later, you must add at least one data source to the service. See Step 3. Add Data Sources.

After you finish making changes to the ESA rule deployment, click Deploy Now to redeploy it. The changes take effect on ESA after the ESA rule deployment is redeployed.

Add or Remove a Data Source

Note: This option is available in NetWitness Platform version 11.3 and later.

Remove a Data Source from an ESA Rule Deployment

  1. Go to CONFIGURE > ESA Rules > Rules tab.
    The Rules tab is displayed.
  2. In the Rules tab options panel, under Deployments, select a deployment.
  3. In the Data Sources section, select a rule and click the Delete icon in the toolbar.
    The data source is removed from the deployment.

Add a Data Source to an ESA Rule Deployment

To add a data source, see Step 3. Add Data Sources.

After you finish making changes to the deployment, click Deploy Now to redeploy it. The changes take effect on ESA after the deployment is redeployed.

Edit or Delete a Rule in a Deployment

In an ESA rule deployment, you can edit and delete rules to customize the deployment.

Edit a Rule

  1. Go to CONFIGURE > ESA Rules > Rules tab.
    The Rules tab is displayed.
  2. In the Rules tab options panel, under Deployments, select a deployment.
  3. In the ESA Rules panel, double-click a rule to open it in a new tab.
  4. Modify the rule, then click Save.
    The rule is saved.
  5. Click Deploy Now to redeploy the deployment.
    The changes take effect on ESA after the deployment is redeployed.

Delete a Rule

  1. Go to CONFIGURE > ESA Rules > Rules tab.
    The Rules tab is displayed.
  2. In the options panel, under Deployments, select a deployment.
  3. In the ESA Rules panel, select a rule and click the Delete icon in the toolbar.
    A confirmation dialog is displayed.
  4. Click Yes.
    The rule is deleted.
  5. Click Deploy Now to redeploy the deployment.
    The changes take effect on ESA after the deployment is redeployed.

Edit the ESA Rule Deployment Name or Delete a Deployment

To access the deployments:

  1. Go to CONFIGURE > ESA Rules.

    The Configure view is displayed with the Rules tab open.

  2. In the options panel, under Deployments, select a deployment.

    The Deployment view is displayed.

    Figure: Rules tab - Access a deployment

Edit the ESA Rule Deployment Name

  1. In the options panel, under Deployments, select a deployment.

    The Deployment view is displayed.

  2. Select Deployments drop-down list > Edit.

    The deployment name is made available for editing.

  3. Enter the new deployment name.
  4. Click Deploy Now to redeploy the deployment.
    The changes take effect on ESA after the ESA rule deployment is redeployed. In NetWitness Platform 11.3 and later, the deployment names that you choose appear on the deployment tabs in the ADMIN > ESA Rules > Services tab.

Delete an ESA Rule Deployment

  1. In the options panel, under Deployments, select a deployment.

    The Deployment view is displayed.

  2. Select Deployments drop-down list > Delete.

    A confirmation dialog is displayed.

  3. Click Yes.

    The deployment is deleted.

Show Updates to an ESA Rule Deployment

You can view changes to an ESA rule deployment, such as adding or removing rules. When there is a change to a deployment, the update icon appears next to the name of the deployment in the Rules tab options panel.

  1. Go to CONFIGURE > ESA Rules.
    The Rules tab is displayed.
  2. In the options panel, under Deployments, click Show Updates on the far right.
    Figure: Rules tab - Deployments showing updates button

    The Updates to the Deployments dialog opens and shows the changes to the deployment.
    Figure: Updates to the Deployment dialog
  3. Click Close.
