ESA Config: Event Stream Analysis Overview

Document created by RSA Information Design and Development Employee on Sep 13, 2017Last modified by RSA Information Design and Development Employee on Jan 30, 2020
Version 11Show Document
  • View in full screen mode

RSA NetWitness Platform Event Stream Analysis (ESA) provides advanced stream analytics such as correlation and complex event processing at high throughputs and low latency. It is capable of processing large volumes of disparate event data from Concentrators.

ESA's advanced Event Processing Language allows you to express filtering, aggregation, joins, pattern recognition, and correlation across multiple disparate event streams. Event Stream Analysis helps perform powerful incident detection and alerting.

The following diagram shows the high-level data workflow:

High-level Alert Data Flow Diagram

There are two ESA services that can run on an ESA host:

  • ESA Correlation (ESA Correlation rules)
  • Event Stream Analytics Server (ESA Analytics)

The first service is the ESA Correlation service that creates alerts from ESA rules, also known as ESA Correlation Rules, which you create manually or download from Live.

For NetWitness Platform 11.3 and later, the ESA Correlation service replaces the Event Stream Analysis service and is also known as ESA Correlation Server. The ESA Correlation service provides the same services as the Event Stream Analysis service with the added benefit of enabling you to specify different data sources for your ESA correlation rules. Like the Event Stream Analysis service, the ESA Correlation service installs on the ESA Primary and ESA Secondary host types.

The second service is the ESA Analytics service, which is used for Automated Threat Detection. Because the ESA Analytics service uses preconfigured ESA Analytics modules for Automated Threat Detection, you do not have to create or download rules to use Automated Threat Detection.

ESA Analytics services use query-based aggregation (QBA) to collect filtered events for the ESA Analytics modules from Concentrators. Only the data required by a module is transferred between the Concentrator and the ESA Analytics system. For example, using a Suspicious Domains ESA Analytics module, such as C2 for Packets (http-packet), an ESA Analytics service can examine your HTTP traffic to determine the probability that malicious activity is occurring in your environment.

Note: The Contexthub Server service, which provides enrichment lookup capability in the Respond and Investigate views, runs only on an ESA Primary host. For information, see the Context Hub Configuration Guide.

You are here
Table of Contents > Event Stream Analysis Overview