ESA Config: Event Stream Analysis Overview

Document created by RSA Information Design and Development on Sep 13, 2017. Last modified by Janice Krogh on Oct 12, 2017.
 

RSA NetWitness® Suite Event Stream Analysis (ESA) provides advanced stream analytics such as correlation and complex event processing at high throughputs and low latency. It is capable of processing large volumes of disparate event data from Concentrators.

ESA's advanced Event Processing Language (EPL) lets you express filtering, aggregation, joins, pattern recognition, and correlation across multiple disparate event streams. This makes Event Stream Analysis a powerful tool for incident detection and alerting.

The following diagram shows the high-level data workflow:


Figure: High-level Alert Data Flow Diagram

There are two ESA services that can run on an ESA host:

  • Event Stream Analysis (ESA Correlation Rules)
  • Event Stream Analytics Server (ESA Analytics)

The first service is the Event Stream Analysis service that creates alerts from ESA rules, also known as ESA Correlation Rules, which you create manually or download from Live. The second service is the ESA Analytics service, which is used for Automated Threat Detection. Because the ESA Analytics service uses preconfigured ESA Analytics modules for Automated Threat Detection, you do not have to create or download rules to use Automated Threat Detection.

ESA Analytics services use query-based aggregation (QBA) to collect filtered events for the ESA Analytics modules from Concentrators. Only the data required by a module is transferred between the Concentrator and the ESA Analytics system. For example, using a Suspicious Domains ESA Analytics module, such as C2 for Packets (http-packet), an ESA Analytics service can examine your HTTP traffic to determine the probability that malicious activity is occurring in your environment.
