This topic provides quick-start information to help you get started with RSA NetWitness® Suite Event Stream Analysis (ESA). The following topics help you work with ESA Correlation Rules:
- Best Practices helps you to understand how to best set up, deploy, and create rules.
- Troubleshoot ESA helps you to troubleshoot different aspects of ESA, including rule writing and deployment.
- View Memory Metrics for Rules helps you to work with memory metrics to understand memory usage for ESA services.
There are two ESA services that can run on an ESA host:
- Event Stream Analysis (ESA Correlation Rules)
- Event Stream Analytics Server (ESA Analytics)
The first service is the Event Stream Analysis service, which creates alerts from ESA rules (also known as ESA Correlation Rules) that you create manually or download from Live. This user guide covers alerting using ESA Correlation Rules. For information on configuring ESA Correlation Rules, see the "Configure ESA Correlation Rules" section of the ESA Configuration Guide.
The second service is the ESA Analytics service, which is used for Automated Threat Detection. Because the ESA Analytics service uses preconfigured ESA Analytics modules for Automated Threat Detection, you do not have to create or download rules to use it. For information on the ESA Analytics service, see the Automated Threat Detection Configuration Guide and the "Configure ESA Analytics" section of the ESA Configuration Guide.