This topic provides high-level tasks to configure RSA NetWitness Platform Event Stream Analysis (ESA) Correlation Rules using the ESA Correlation service.
Trial Rule Status Changes
In NetWitness Platform 11.4, ESA trial rules no longer change status after an upgrade or deployment. For example, if you change the status of a trial rule to disabled (Configure > ESA Rules > Services tab) and redeploy the ESA rule deployment (Configure > ESA Rules > Rules tab), the trial rule remains disabled. Previously, ESA trial rules could change status after an upgrade or when they were redeployed.
In NetWitness Platform version 11.3 and later, the ESA Correlation service enables you to specify different data sources for different sets of rules. Instead of adding data sources, such as Concentrators, to the entire ESA Correlation service, you can specify different data sources for each ESA rule deployment. An ESA rule deployment includes an ESA Correlation service with its associated data sources and a set of ESA rules. For example, you may want to use Concentrators with HTTP packet data in one deployment and Concentrators with HTTP log data in another deployment. For more detailed information, see "Deploy Rules to Run on ESA" in the Alerting with ESA Correlation Rules User Guide.
An Endpoint Risk Scoring Rules Bundle is Available
An Endpoint Risk Scoring Rules Bundle, which contains approximately 400 rules, comes with NetWitness Platform 11.3 and later. Endpoint risk scoring rules only apply to NetWitness Endpoint. You can add the Endpoint Risk Scoring Rules Bundle to an ESA rule deployment in the same way that you would add any ESA rule. However, you must specify endpoint data sources (Concentrators) in the ESA Rule Deployment.
The ESA Correlation service can process endpoint risk scoring rules, which generate alerts that are used in risk scoring calculations to identify suspicious files and hosts. To turn on risk scoring for NetWitness Endpoint, you must deploy endpoint risk scoring rules on ESA. For instructions, see Deploy Endpoint Risk Scoring Rules on ESA. To configure NetWitness Endpoint, see the NetWitness Endpoint Configuration Guide.
Upgrade Considerations for ESA Rule Deployments
After the upgrade to version 11.3 or later, migrated ESA rule deployments change as follows:
- If an ESA rule deployment contains two services before 11.3, the deployment splits into two deployments. You can only have one ESA Correlation service in an ESA rule deployment in version 11.3 or later.
- If an ESA service has multiple ESA rule deployments before 11.3, they combine into one deployment in version 11.3 or later. You can still access your old deployments. For a detailed example, see ESA Rule Deployments Upgrade Example.
To support Endpoint and UEBA content as well as changes to ESA rules from Live, a data change from single-value (string) to multi-value (string array) is required for several meta keys within the ESA Correlation service. Some single-value meta keys are also required. See Update Your ESA Rules for the Required Multi-Value and Single-Value Meta Keys.
ESA Correlation Rules Configuration Workflow
The following diagram shows the high-level workflow for configuring ESA Correlation Rules with the ESA Correlation service.
ESA Rule Deployments are groups of ESA Rules processed by an ESA service to create alerts. In NetWitness Platform 11.3 and later, the ESA Correlation service processes the ESA rules and creates alerts.
Before you can configure ESA Correlation Rules, install and configure the data sources (Concentrators) to use for the ESA rules. For example, you may have a Concentrator with HTTP packet data and another with Windows Log data. Next, configure the global notification methods that content experts can use for the ESA rules. For example, they may want to send an email notification when a rule creates an alert.
The NetWitness Platform Live Content Management System (known as Live) is a valuable source of the latest internet security resources for NetWitness Platform customers. RSA Live contains an extensive library of ready-made ESA rules for detecting threats, which saves you from writing them from scratch. Download the rules for the events that you want to detect in your network to the ESA Rule Library and adjust them as needed for your network environment.
After you prepare your data sources and download Live ESA rules, you can create one or more ESA rule deployments. An ESA rule deployment contains an ESA service, one or more data sources, and a set of ESA rules. For example, you can create an ESA rule deployment that contains an ESA Correlation service, a Concentrator with HTTP packet data, and a set of ESA rules for HTTP packet data. When you are ready to have the ESA service run the rule set, you deploy the ESA rule deployment, which places the rules on ESA.
After you deploy an ESA rule deployment, verify that you can view the ESA alerts in the Respond view (Respond > Alerts).
Make sure that you:
- Install the ESA Correlation service in your network environment.
- Install and configure one or more Concentrators in your network environment.
- Download or ensure that you have access to the Alerting with Correlation Rules User Guide for version 11.3 or later. Go to the Master Table of Contents to find all RSA NetWitness Platform 11.x documents.
The following table shows the high-level tasks required to configure ESA Correlation Rules.
*ESA rule deployments are groups of ESA Rules that are processed by an ESA service, such as the ESA Correlation service in NetWitness Platform version 11.3 and later.
For additional optional advanced ESA Correlation Rules configuration procedures, see Additional ESA Correlation Rules Procedures.
For more information on alerting with ESA Correlation rules best practices, creating rules, working with trial rules, adding data enrichment sources, viewing statistics for an ESA service, and troubleshooting, see the Alerting with ESA Correlation Rules User Guide.
After you upgrade or update to 11.3 or later, verify your ESA rule deployments. For every ESA host, a new deployment is created in the format <ESA Host name> - ESA Correlation.
- Verify that a new deployment was created.
- The new deployment should contain an ESA Correlation service, data sources, and rules for all previous deployments on that ESA host.
- The ESA Correlation service should have a status of “Deployed”.
The following example shows the changes to NetWitness Platform 10.6.6 ESA rule deployments before and after an upgrade to version 11.3 or later. In this example, before the upgrade there are six 10.6.6 ESA rule deployments. Four deployments have both ESA primary and ESA secondary Event Stream Analysis services. One deployment has only the ESA primary service and another one has only the ESA secondary service. Each 10.6.6 ESA rule deployment before the upgrade has a set of rules as shown in the following table:
The following figure shows the 10.6.6 ESA rule deployments before the upgrade.
In this example, after the upgrade to 11.3, there are only two functional ESA rule deployments: one has the ESA primary (ESAP) ESA Correlation service and the other has the ESA secondary (ESAS) ESA Correlation service. The ESAP - ESA Correlation deployment contains 32 rules, which is the total of all of the rules in the 10.6.6 deployments that contained the ESA primary service (16 + 10 + 2 + 1 + 3). The ESAS - ESA Correlation deployment contains 33 rules, which is the total of all of the rules in the 10.6.6 deployments that contained the ESA secondary service (16 + 10 + 2 + 2 + 3). Since the RSA Persist deployment contained only the ESA primary service in 10.6.6, its rule was added to the ESAP 11.3 deployment. Since the Notification 10.6.6 deployment contained only the ESA secondary service, its rules were added to the 11.3 ESAS deployment.
The following table shows the 11.3 ESA rule deployments after upgrade, the number of rules in each deployment, and which deployments have the ESA primary and ESA secondary ESA Correlation services.
In this example, all of the 10.6.6 ESA rule deployments were moved to 11.3, but they have no services after the upgrade. The only functional 11.3 ESA rule deployments are ESAP and ESAS. The 10.6.6 ESA rule deployments are preserved in case you want to use them.
The following figure shows the 11.3 ESA rule deployments after the upgrade. Notice that the Basic Rules Advanced deployment from 10.6.6 does not have any ESA services, but it still contains the original 16 rules.
The 10.6.6 ESA rule deployments show update messages detailing the changes as shown in the following figure.
The following figure shows the ESA primary rule deployment after the upgrade (ESAP - ESA Correlation). Notice that the ESAP - ESA Correlation deployment has only the ESA primary ESA Correlation service.
In NetWitness Platform 11.3 and later, you can only have one ESA Correlation service per deployment, but an ESA Correlation service can be in more than one ESA rule deployment.
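The regrouping described in the upgrade example above (one "<host> - ESA Correlation" deployment per ESA service, holding every rule from each old deployment that used that service, with the old deployments preserved but stripped of their services) can be modelled ahead of time so that the post-upgrade verification step has concrete numbers to check against. The following Python script is an added example written for this page; it is not RSA code and does not talk to NetWitness. It assumes the pre-upgrade deployment inventory is entered by hand as shown, that rules in different deployments are distinct (as the page's totals imply), and it uses the page's deployment names "Basic Rules Advanced", "RSA Persist" and "Notification" together with three placeholder names for the remaining deployments.

```python
"""Model of how the 11.3 upgrade regroups ESA rule deployments, so an
administrator can compute the per-host rule counts to expect and compare
them with what the Rules tab shows afterwards (added example, not RSA code)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Deployment:
    name: str
    services: Tuple[str, ...]   # ESA services attached, e.g. ("ESAP", "ESAS")
    rules: Tuple[str, ...]      # rule identifiers (constructed names below)


def migrate(deployments: List[Deployment]) -> List[Deployment]:
    """Return the post-upgrade deployment list.

    One "<service> - ESA Correlation" deployment is created per ESA service
    and receives every rule from each pre-upgrade deployment that used that
    service (rules are concatenated in input order; assumes the old
    deployments hold distinct rules). Old deployments are kept with their
    rules but with no services attached, matching the page's description.
    """
    per_service: Dict[str, List[str]] = {}
    for dep in deployments:
        for svc in dep.services:
            per_service.setdefault(svc, []).extend(dep.rules)
    migrated = [Deployment(f"{svc} - ESA Correlation", (svc,), tuple(rules))
                for svc, rules in per_service.items()]
    preserved = [Deployment(dep.name, (), dep.rules) for dep in deployments]
    return migrated + preserved


def functional(deployments: List[Deployment]) -> List[Deployment]:
    """Only deployments that still have an ESA service can run rules."""
    return [d for d in deployments if d.services]


def expected_rule_counts(deployments: List[Deployment]) -> Dict[str, int]:
    """Map each ESA service to the rule count its new deployment should hold."""
    return {d.services[0]: len(d.rules) for d in functional(migrate(deployments))}


def verify(deployments: List[Deployment], observed: Dict[str, int]) -> List[str]:
    """Compare expected per-service rule counts with counts read from the UI.
    Returns a list of discrepancies; an empty list means the upgrade matched."""
    problems: List[str] = []
    expected = expected_rule_counts(deployments)
    for svc, count in expected.items():
        seen = observed.get(svc)
        if seen is None:
            problems.append(f"no '{svc} - ESA Correlation' deployment found")
        elif seen != count:
            problems.append(f"{svc}: expected {count} rules, found {seen}")
    for svc in observed:
        if svc not in expected:
            problems.append(f"unexpected deployment for service {svc}")
    return problems


def _rules(prefix: str, n: int) -> Tuple[str, ...]:
    # Constructed rule identifiers; real names come from the ESA Rule Library.
    return tuple(f"{prefix}-{i:02d}" for i in range(1, n + 1))


# Constructed pre-upgrade inventory matching the upgrade example on this page:
# four deployments with both services, one ESAP-only, one ESAS-only.
# "Example Deployment 2/3/4" are placeholder names.
PRE_UPGRADE = [
    Deployment("Basic Rules Advanced", ("ESAP", "ESAS"), _rules("BRA", 16)),
    Deployment("Example Deployment 2", ("ESAP", "ESAS"), _rules("D2", 10)),
    Deployment("Example Deployment 3", ("ESAP", "ESAS"), _rules("D3", 2)),
    Deployment("Example Deployment 4", ("ESAP", "ESAS"), _rules("D4", 3)),
    Deployment("RSA Persist", ("ESAP",), _rules("PERSIST", 1)),
    Deployment("Notification", ("ESAS",), _rules("NOTIFY", 2)),
]


if __name__ == "__main__":
    for dep in migrate(PRE_UPGRADE):
        state = "functional" if dep.services else "preserved, no services"
        print(f"{dep.name}: {len(dep.rules)} rules ({state})")
    # Counts as read from the Rules tab after the upgrade (constructed here).
    print("discrepancies:", verify(PRE_UPGRADE, {"ESAP": 32, "ESAS": 33}))
```

Running the script lists the two functional deployments (32 and 33 rules) alongside the six preserved ones, and `verify` reports nothing for the page's totals; feeding it a different observed count, or omitting a host, produces a line per discrepancy that points at which ESA host to inspect.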