ATD: Troubleshooting Automated Threat Detection

Document created by RSA Information Design and Development on Sep 13, 2017. Last modified by RSA Information Design and Development on Sep 11, 2018. Version 5.

NetWitness Platform Automated Threat Detection is an analytics engine that examines your HTTP data. It also makes use of other components, such as the Whois and Context Hub services, which can add complexity to your installation. This topic provides suggestions to help you find issues if your Automated Threat Detection deployment does not provide the results that you expect.

Possible Issues

Problem: I'm seeing too many alerts (false positives).

Possible causes: Several.

Solutions:

  • The Whois Lookup service may be failing or may not be configured. Automated Threat Detection uses the Whois lookup to help determine whether a URL is valid; if the lookup cannot connect or is not configured properly, the result can be false positives. See "Configure Whois Lookup Service" in the ESA Configuration Guide.

  • You may need to whitelist URLs. Sometimes the legitimate behavior of a URL triggers an alert. To prevent this, add the URL to the whitelist. See "Add an Entity to a Whitelist" in the NetWitness Respond User Guide.

Problem: I'm not seeing any alerts.

Possible cause: The ESA host requires a "warm-up" period after you deploy an ESA Analytics module mapping for Automated Threat Detection.

Solution: During the warm-up period, no alerts are viewable. Each module type has a default warm-up period, and you need to wait until that period is complete before expecting alerts. For more information, see "Mapping ESA Data Sources to Analytics Modules" in the ESA Configuration Guide.

Problem: I'm seeing performance issues (more resource usage or a drop in throughput).

Possible causes: Several.

Solution: If the ESA host is running both Automated Threat Detection (ESA Analytics) and ESA rules, follow the troubleshooting steps for rules. See "Troubleshoot ESA" in the Alerting with ESA Correlation Rules User Guide.
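Before reconfiguring the Whois Lookup service, it is worth confirming that WHOIS is reachable from the ESA host at all. The script below is an added example written for this page and is not RSA or NetWitness code: it speaks the standard WHOIS protocol (TCP port 43) directly, which is a generic connectivity check and not the NetWitness Whois Lookup service's own mechanism (this page does not describe that mechanism). The registry server name, the parsed field names and the two sample responses are assumptions constructed for the example.

```python
"""Generic WHOIS reachability check (added example, not RSA/NetWitness code).

Two pieces: a raw WHOIS query over TCP/43 and a parser that decides whether
the answer actually describes a registered domain. A timeout, a refused
connection or an empty/"No match" answer is the kind of failure that leaves
a lookup-based validation step with nothing to work from.
"""
import socket
from typing import Dict, Optional

# Assumption: the .com/.net registry WHOIS server and the standard WHOIS port.
DEFAULT_SERVER = "whois.verisign-grs.com"
WHOIS_PORT = 43


def whois_query(domain: str, server: str = DEFAULT_SERVER,
                port: int = WHOIS_PORT, timeout: float = 5.0) -> str:
    """Send one WHOIS query and return the raw text response.

    Raises OSError (socket.timeout is a subclass) when the server cannot be
    reached, which is the condition to look for when alerts look wrong.
    """
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(f"{domain}\r\n".encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text: str) -> Dict[str, Optional[str]]:
    """Reduce a WHOIS answer to the fields worth checking.

    Returns 'status' as 'found', 'not_found' or 'empty', plus the registrar
    and creation date when present. Data lines are 'Name: value'; the first
    occurrence of a field wins, and comment lines ('%', '#', '>>>') are skipped.
    """
    fields: Dict[str, Optional[str]] = {
        "status": "empty", "registrar": None, "creation_date": None,
    }
    stripped = text.strip()
    if not stripped:
        return fields
    if "no match for" in stripped.lower():
        fields["status"] = "not_found"
        return fields
    for line in stripped.splitlines():
        line = line.strip()
        if not line or line[0] in "%#>":
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key = key.strip().lower()
        value = value.strip()
        if key == "registrar" and fields["registrar"] is None:
            fields["registrar"] = value
        elif key == "creation date" and fields["creation_date"] is None:
            fields["creation_date"] = value
    if fields["registrar"] or fields["creation_date"]:
        fields["status"] = "found"
    return fields


def check_whois(domain: str, **kwargs) -> Dict[str, Optional[str]]:
    """Run the query and classify the result, turning network errors into an
    'unreachable' status instead of an exception so the check can be scripted."""
    try:
        raw = whois_query(domain, **kwargs)
    except OSError as exc:
        return {"status": "unreachable", "registrar": None,
                "creation_date": None, "error": str(exc)}
    return parse_whois(raw)


# Constructed sample answers (not captured from a real server), used to
# exercise the parser offline.
SAMPLE_FOUND = """\
   Domain Name: EXAMPLE.COM
   Registrar: Example Registrar, Inc.
   Creation Date: 1995-08-14T04:00:00Z
>>> Last update of whois database: 2018-01-01T00:00:00Z <<<
"""
SAMPLE_NOT_FOUND = (
    "No match for \"DOES-NOT-EXIST-12345.COM\".\r\n"
    ">>> Last update of whois database: 2018-01-01T00:00:00Z <<<\r\n"
)

if __name__ == "__main__":
    print(parse_whois(SAMPLE_FOUND))
    print(parse_whois(SAMPLE_NOT_FOUND))
    # Live check; reports status 'unreachable' where outbound TCP/43 is blocked.
    print(check_whois("example.com"))
```

Run it on the ESA host; a status of "unreachable" points at egress filtering or DNS, while "empty" or "not_found" for a domain you know is registered points at the wrong server or a blocked query, both of which are worth ruling out before tuning the whitelist.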
