ESA Config: Configure ESA Analytics

Document created by RSA Information Design and Development Employee on Sep 13, 2017. Last modified by RSA Information Design and Development Employee on Jan 30, 2020. Version 10.

This section provides high-level tasks to configure ESA Analytics services for RSA NetWitness Platform Automated Threat Detection. The Automated Threat Detection functionality enables you to analyze the data that resides on one or more Concentrators by using preconfigured ESA Analytics modules, such as Suspicious Domains. For example, using a Suspicious Domains module, an ESA Analytics service can examine your HTTP traffic to determine the probability that malicious activity is occurring in your environment.

There are two ESA services that can run on an ESA host:

  • ESA Correlation (ESA Correlation Rules)
  • Event Stream Analytics Server (ESA Analytics)

The first service is the ESA Correlation service that creates alerts from ESA rules, also known as ESA Correlation Rules, which you create manually or download from Live. The second service is the ESA Analytics service, which is used for Automated Threat Detection and is configured in this section. Because the ESA Analytics service uses preconfigured ESA Analytics modules for Automated Threat Detection, you do not have to create or download rules to use it.

There are currently two ESA Analytics modules available, and both are for Suspicious Domains:

  • C2 for Packets (http-packet)
  • C2 for Logs (http-log)

Note: The Contexthub Server service, which provides enrichment lookup capability in the Respond and Investigate views, runs only on an ESA Primary host. For information, see the Context Hub Configuration Guide.
