This section provides high-level tasks to configure ESA Analytics services for RSA NetWitness® Platform Automated Threat Detection. The Automated Threat Detection functionality enables you to analyze the data that resides on one or more Concentrators by using preconfigured ESA Analytics modules, such as Suspicious Domains. For example, using a Suspicious Domains module, an ESA Analytics service can examine your HTTP traffic to determine the probability that malicious activity is occurring in your environment.
There are two ESA services that can run on an ESA host:
- Event Stream Analysis (ESA Correlation Rules)
- Event Stream Analytics Server (ESA Analytics)
The first service is the Event Stream Analysis service that creates alerts from ESA rules, also known as ESA Correlation Rules, which you create manually or download from Live. The second service is the ESA Analytics service, which is used for Automated Threat Detection and is configured in this section. Because the ESA Analytics service uses preconfigured ESA Analytics modules for Automated Threat Detection, you do not have to create or download rules to use it.
There are currently two ESA Analytics modules available and they are both for Suspicious Domains:
- C2 for Packets (http-packet)
- C2 for Logs (http-log)