ATD: Troubleshooting Automated Threat Detection

Document created by RSA Information Design and Development on Sep 13, 2017. Last modified by RSA Information Design and Development on Mar 27, 2018.
Version 4

NetWitness Suite Automated Threat Detection (ATD) is an analytics engine that examines your HTTP data. It also depends on other components, such as the Whois Lookup and Context Hub services, which add complexity to your installation: a problem in one of those components shows up as missing, excessive, or slow alerts rather than as an ATD error. This topic lists the most common symptoms, their likely causes, and where to look when your Automated Threat Detection deployment does not produce the results you expect.

Possible Issues

Problem: I'm seeing too many alerts (false positives).
Possible causes: Several.
Solutions:

  • Check the Whois Lookup service. One possible cause is that the Whois Lookup service is failing or is not configured. The Whois lookup helps ATD determine whether a URL is valid, and if the connection fails or the service is not properly configured, that evidence is missing and legitimate traffic can be alerted on. See the "Configure Whois Lookup Service" topic in the ESA Configuration Guide.

  • Whitelist URLs where appropriate. Sometimes the legitimate behavior of a URL triggers an alert. One way to prevent this is to add the URL to the whitelist; confirm that the traffic is in fact legitimate first, because a whitelisted entity no longer raises alerts. See the "Add an Entity to a Whitelist" topic in the NetWitness Respond User Guide.

Problem: I'm not seeing any alerts.
Possible cause: The ESA host is still in its "warm-up" period. When you deploy an ESA Analytics Module Mapping for Automated Threat Detection, there is a warm-up period during which no alerts are viewable.
Solution: Each module type has a default warm-up period; wait until it is complete before concluding that detection is not working. For more information, see the "Mapping ESA Data Sources to Analytics Modules" topic in the ESA Configuration Guide.

Problem: I'm seeing performance issues (higher resource usage or a drop in throughput).
Possible causes: Several.
Solution: If the ESA host is running both Automated Threat Detection (ESA Analytics) and ESA correlation rules, the two compete for the same resources, so follow the troubleshooting steps for rules first. For these steps, see "Troubleshoot ESA" in the Alerting with ESA Correlation Rules User Guide.