After you create or deploy a module mapping in the ESA Analytics Mappings panel (Admin > System > ESA Analytics), you have the option to change some module configurations for that mapping.
| Role | I want to ... | Show me how |
|---|---|---|
| Administrator | Change the warm-up period for an undeployed module mapping. | "Change the Warm-up Period and Lag Time" in the ESA Configuration Guide for RSA NetWitness Platform 11.4 |
| Administrator | Change the warm-up period for a module mapping during the warm-up period. | "Change the Warm-up Period and Lag Time" in the ESA Configuration Guide for RSA NetWitness Platform 11.4 |
| Administrator | Change the warm-up period for a module mapping after the warm-up period is complete. | "Change the Warm-up Period and Lag Time" in the ESA Configuration Guide for RSA NetWitness Platform 11.4 |
- "Mapping ESA Data Sources to Analytics Modules" in the ESA Configuration Guide for RSA NetWitness Platform 11.4
- ESA Analytics Mappings (11.1.x to 11.4.x)
To access the module settings, in the ESA Analytics Mappings panel, select the mapping that you want to change and in the Actions column, select > Edit Module. The Module Settings dialog has a Configurations section and a Warm-Up State section.
The Configurations section enables you to change the Warm-Up Period and Lag Time configurations.
The following table describes the settings available for an ESA Analytics module mapping.
Shows the name of the mapped module.
Shows the ESA Analytics service that processes the data for the mapping.
Shows the mapped data sources and the URLs used to communicate with ESA.
Warm-Up Period (Hours)
Specifies a warm-up duration in hours. A warm-up period is required to allow Automated Threat Detection to "learn" your traffic. The warm-up period should run when typical traffic is running. During this time, alerting for your module mapping is suppressed. The Warm-up Period primes the module with historical data and guarantees that the specified number of hours of data collection completes before sending alerts.
RSA provides preconfigured ESA Analytics modules. Each module type has a default warm-up period defined, which you can adjust to your environment, if necessary. After this warm-up period, alerts can be viewed.
You can update the Warm-Up Period of a deployed module mapping depending on whether or not the warm-up period is complete:
The Warm-up Period value is specific to a particular mapping and it applies to all Concentrators within that mapping after you deploy it. If a Concentrator is shared between two modules with different warm-up times, the Concentrator uses separate Warm-up Period values for each module mapping.
Lag Time (Minutes)
Specifies a constant time delay in minutes, which is added so that events still being processed by the data sources during periods of heavy activity are not lost. For example, Concentrator performance varies depending on factors such as incoming load, ongoing queries, and indexing. Because of these factors, a Concentrator may not aggregate events in real time, which introduces a delay.
The Lag parameter gives the Concentrator a chance to finish aggregating all of the data. When you specify a Lag time, the first time the module deploys, data aggregation starts at Current (System) Time - Lag Time - Warm-Up Time. For example, if the current time is 2:00 PM, Lag time is 30 minutes, and Warm-up time is 4 hours, when the module deploys for the first time, data collection starts at 9:30 AM (2:00 PM - 0.5 hour - 4 hours).
After the warm-up period completes, data aggregation continues at Current (System) Time - Lag Time. This is useful when a Concentrator is slow in aggregating data. The Lag time guarantees that the module does not process data that arrives at the Concentrator within the Lag time window, so there is adequate delay to ensure that all events generated in the enterprise can be processed by the module.
For example, if Lag time is 30 minutes, and the current time is 2:00 PM, the Concentrator starts pulling records at 1:30 PM. The Lag time window, 30 minutes in this example, remains constant as time advances. When the current time advances to 2:01 PM, the Concentrator pulls the next minute of data at 1:31 PM, and so on.
Important: The Lag time defines the buffer between the current time and the time when the module ingests the data.
The Lag time value is specific to a particular mapping and it applies to all Concentrators within that mapping after you deploy it. If a Concentrator is shared between two modules with different Lag times, the Concentrator uses separate Lag values for each module mapping.
To determine the correct Lag Time, add together the following to get an environmental lag time:
1. Log or Packet Latency - This is the time it takes for the Log Decoder to receive the logs or the (Packet) Decoder to receive packets. For example, the Log Decoder may get logs every 20 minutes. In this case, you would want to set Lag time to at least 20 minutes, preferably 25 minutes, so that you do not miss events.
2. Aggregation Latency - This is the time it takes to get the data from the Log Decoder to the Concentrator.
3. Other Buffer - Add in any additional time delay specific to your environment.
The Warm-Up State section provides information about the warm-up state, which you can use to determine the appropriate adjustments to the warm-up period.
Warmup Started At
The time when the first event was processed by the ESA Analytics module from the data source.
First Event Time
The time that the first event occurred. The warm-up time is based on this time.
Latest Event Time
The time that the latest event occurred.
Remaining Warm-Up Time
The number of hours remaining in the warm-up period.
Indicates whether the warm-up period is complete. If it is true, the warm-up period is complete. If it is false, the module is still warming up and you can view the number of hours remaining in the Remaining Warm Up Time field.
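The arithmetic behind the Lag Time and Warm-Up Period settings, and the Warm-Up State fields, is easy to get wrong when sizing a mapping, and a lag that is too short means late-arriving events silently fall outside the module's ingestion window. The following Python is an added example (not code from the guide or from the NetWitness product) that works through the guide's own 2:00 PM / 30-minute / 4-hour example: the environmental lag sum from the three latency components, the first-deployment collection start, the steady-state ingest time as the clock advances, and the Remaining Warm-Up Time and completion flag derived from First Event Time. All dates are constructed; measuring remaining warm-up time from First Event Time to Latest Event Time is an assumption made for illustration.

```python
from datetime import datetime, timedelta

# Constructed values (not from the guide): the calendar date is arbitrary; the
# time of day, lag and warm-up match the guide's worked example.
WARM_UP_HOURS = 4
LAG_MINUTES = 30
DEPLOY_TIME = datetime(2024, 1, 15, 14, 0)  # 2:00 PM


def environmental_lag_minutes(log_or_packet_latency_min, aggregation_latency_min, other_buffer_min=0):
    """Sum the three components the guide lists to size the Lag Time (minutes)."""
    return log_or_packet_latency_min + aggregation_latency_min + other_buffer_min


def initial_collection_start(now, lag_minutes, warm_up_hours):
    """First deployment: collection starts at Current Time - Lag Time - Warm-Up Time."""
    return now - timedelta(minutes=lag_minutes) - timedelta(hours=warm_up_hours)


def steady_state_ingest_time(now, lag_minutes):
    """After warm-up: the module ingests data up to Current Time - Lag Time.

    The lag window is constant, so each minute of wall-clock time advances the
    ingest point by exactly one minute.
    """
    return now - timedelta(minutes=lag_minutes)


def warm_up_state(first_event_time, latest_event_time, warm_up_hours):
    """Derive Remaining Warm-Up Time and the completion flag.

    Assumption (not stated by the guide): elapsed warm-up is measured from
    First Event Time to Latest Event Time.
    """
    elapsed = latest_event_time - first_event_time
    remaining = timedelta(hours=warm_up_hours) - elapsed
    if remaining <= timedelta(0):
        return {"remaining_hours": 0.0, "complete": True}
    return {"remaining_hours": remaining.total_seconds() / 3600, "complete": False}


if __name__ == "__main__":
    # Logs arrive every 20 minutes, 3 minutes decoder-to-concentrator, 2 minutes buffer.
    print("environmental lag (min):", environmental_lag_minutes(20, 3, 2))
    start = initial_collection_start(DEPLOY_TIME, LAG_MINUTES, WARM_UP_HOURS)
    print("first collection starts at:", start.strftime("%I:%M %p"))
    for offset in range(3):
        now = DEPLOY_TIME + timedelta(minutes=offset)
        print(now.strftime("%I:%M %p"), "-> ingest up to",
              steady_state_ingest_time(now, LAG_MINUTES).strftime("%I:%M %p"))
    print(warm_up_state(start, start + timedelta(hours=2), WARM_UP_HOURS))
    print(warm_up_state(start, start + timedelta(hours=4), WARM_UP_HOURS))
```

Running the script reproduces the guide's numbers: a first collection start of 9:30 AM, an ingest point of 1:30 PM at 2:00 PM and 1:31 PM at 2:01 PM, and a module that is still warming up with 2.0 hours remaining two hours after its first event.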