ESA Config: Configure ESA Correlation Rules

Document created by RSA Information Design and Development on Sep 13, 2017. Last modified by RSA Information Design and Development on Apr 11, 2019. Version 9.

This topic provides high-level tasks to configure RSA NetWitness Platform Event Stream Analysis (ESA) Correlation Rules using the ESA Correlation service.

Data Source Configuration Changes

In NetWitness Platform version 11.3 and later, the ESA Correlation service enables you to specify different data sources for different sets of rules. Instead of adding data sources, such as Concentrators, to the entire ESA Correlation service, you can specify different data sources for each ESA rule deployment. An ESA rule deployment includes an ESA Correlation service with its associated data sources and a set of ESA rules. For example, you may want to use Concentrators with HTTP packet data in one deployment and Concentrators with HTTP log data in another deployment. For more detailed information, see "Deploy Rules to Run on ESA" in the Alerting with ESA Correlation Rules User Guide.

An Endpoint Risk Scoring Rules Bundle is Available

An Endpoint Risk Scoring Rules Bundle, which contains approximately 400 rules, comes with NetWitness Platform 11.3 and later. Endpoint risk scoring rules only apply to NetWitness Endpoint. You can add the Endpoint Risk Scoring Rules Bundle to an ESA rule deployment in the same way that you would add any ESA rule. However, you must specify endpoint data sources (Concentrators) in the ESA Rule Deployment.

The ESA Correlation service can process endpoint risk scoring rules, which generate alerts that are used in risk scoring calculations to identify suspicious files and hosts. To turn on risk scoring for NetWitness Endpoint, you must deploy endpoint risk scoring rules on ESA. For instructions, see Deploy Endpoint Risk Scoring Rules on ESA. To configure NetWitness Endpoint, see the NetWitness Endpoint Configuration Guide.

Upgrade Considerations for ESA Rule Deployments

Caution: After upgrading to NetWitness Platform version 11.3 or later, the ESA Correlation service data source changes require changes to migrated ESA rule deployments. Review every migrated deployment before relying on its alerts.

After the upgrade to version 11.3 or later, migrated ESA rule deployments change as follows:

  1. If an ESA rule deployment contains two services before 11.3, the deployment splits into two deployments. You can only have one ESA Correlation service in an ESA rule deployment in version 11.3 or later.
  2. If an ESA service has multiple ESA rule deployments before 11.3, they combine into one deployment in version 11.3 or later. You can still access your old deployments. For a detailed example, see ESA Rule Deployments Upgrade Example.

ESA Correlation Rules Configuration Workflow

The following diagram shows the high-level workflow for configuring ESA Correlation Rules with the ESA Correlation service.

ESA Correlation Rules Configuration Workflow for the ESA Correlation Service

ESA Rule Deployments are groups of ESA Rules processed by an ESA service to create alerts. In NetWitness Platform 11.3 and later, the ESA Correlation service processes the ESA rules and creates alerts.

Before you can configure ESA Correlation Rules, install and configure the data sources (Concentrators) to use for the ESA rules. For example, you may have a Concentrator with HTTP packet data and another with Windows Log data. Next, configure the global notification methods that content experts can use for the ESA rules. For example, they may want to send an email notification when a rule creates an alert.

The NetWitness Platform Live Content Management System (known as Live) is a source of current security content for NetWitness Platform customers. RSA Live contains an extensive library of ESA rules for detecting threats, so you do not have to write every rule yourself. Download the rules for the events that you want to detect in your network to the ESA Rule Library and adjust them as needed for your network environment.

After you prepare your data sources and download Live ESA rules, you can create one or more ESA rule deployments. An ESA rule deployment contains an ESA service, one or more data sources, and a set of ESA rules. For example, you can create an ESA rule deployment that contains an ESA Correlation service, a Concentrator with HTTP packet data, and a set of ESA rules for HTTP packet data. When you are ready to have the ESA service run the rule set, you deploy the ESA rule deployment, which places the rules on ESA.

After you deploy an ESA rule deployment, verify that you can view the ESA alerts in the Respond view (Respond > Alerts).

Prerequisites

Make sure that you:

  • Install the ESA Correlation service in your network environment.
  • Install and configure one or more Concentrators in your network environment.
  • Download or ensure that you have access to the Alerting with ESA Correlation Rules User Guide for version 11.3 or later. Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents.

Procedure

The following table shows the high level tasks required to configure ESA Correlation Rules.

  1. Prepare data sources, such as Concentrators, to use for your ESA Correlation Rules.
     Reference: Broker and Concentrator Configuration Guide.
  2. Configure notifications for the ESA Correlation service.
     Reference: "Notification Methods" in the Alerting with ESA Correlation Rules User Guide.
  3. Download Event Stream Analysis rules using Live. Configure the Live ESA Rule parameters for your environment.
     Reference: "Download Configurable RSA Live Rules" in the Alerting with ESA Correlation Rules User Guide.
  4. Create ESA rule deployments*: Choose ESA Rules and the appropriate ESA service to use in the ESA rule deployment. For NetWitness Platform 11.3 and later, you must also choose the data sources to use for these rules.
     Reference: "Deployment Steps" in the Alerting with ESA Correlation Rules User Guide.
  5. Deploy ESA rule deployments.*
     Reference: "Deployment Steps" in the Alerting with ESA Correlation Rules User Guide.
  6. View ESA alerts in the Respond view.
     Reference: NetWitness Respond User Guide.

*ESA rule deployments are groups of ESA Rules that are processed by an ESA service, such as the ESA Correlation service in NetWitness Platform version 11.3 and later.

For additional optional advanced ESA Correlation Rules configuration procedures, see Additional ESA Correlation Rules Procedures.

For more information on alerting with ESA Correlation rules best practices, creating rules, working with trial rules, adding data enrichment sources, viewing statistics for an ESA service, and troubleshooting, see the Alerting with ESA Correlation Rules User Guide.

ESA Rule Deployments Upgrade Example

After you upgrade or update to 11.3, verify your ESA rule deployments. For every ESA host, a new deployment is created in the format <ESA Host name> – ESA Correlation.

  • Verify that a new deployment was created.
  • The new deployment should contain an ESA Correlation service, data sources, and rules for all previous deployments on that ESA host.
  • The ESA Correlation service should have a status of “Deployed”.

The following example shows the changes to NetWitness Platform 10.6.6 ESA rule deployments before and after the upgrade to version 11.3. In this example, before the upgrade there are six 10.6.6 ESA rule deployments. Four deployments have both ESA primary and ESA secondary Event Stream Analysis services. One deployment has only the ESA primary service and another one has only the ESA secondary service. Each 10.6.6 ESA rule deployment before the upgrade has a set of rules as shown in the following table:

10.6.6 ESA Rule Deployment (Before Upgrade)   # of Rules   ESA Primary   ESA Secondary
Basic Rules Advanced                          16           x             x
Basic Rules BRB                               10           x             x
Enrichment Rules                              2            x             x
Notification                                  2                          x
RSA Persist                                   1            x
Threat Content                                3            x             x
Total # of Rules                                           32            33

The following figure shows the 10.6.6 ESA rule deployments before the upgrade.

10.6.6 ESA Rule Deployments before the upgrade

In this example, after the upgrade to 11.3, there are only two functional ESA rule deployments: one has the ESA primary (ESAP) ESA Correlation service and the other has the ESA secondary (ESAS) ESA Correlation service. The ESAP - ESA Correlation deployment contains 32 rules, which is the total of all of the rules in the 10.6.6 deployments that contained the ESA primary service (16 + 10 + 2 + 1 + 3). The ESAS - ESA Correlation deployment contains 33 rules, which is the total of all of the rules in the 10.6.6 deployments that contained the ESA secondary service (16 + 10 + 2 + 2 + 3). Because the RSA Persist deployment contained only the ESA primary service in 10.6.6, its rule was added only to the ESAP 11.3 deployment. Because the Notification 10.6.6 deployment contained only the ESA secondary service, its rules were added only to the 11.3 ESAS deployment.

The following table shows the 11.3 ESA rule deployments after upgrade, the number of rules in each deployment, and which deployments have the ESA primary and ESA secondary ESA Correlation services.

11.3 ESA Rule Deployment (After Upgrade)   # of Rules   ESA Primary   ESA Secondary
Basic Rules Advanced                       16
Basic Rules BRB                            10
ESAP - ESA Correlation                     32           x
ESAS - ESA Correlation                     33                         x
Enrichment Rules                           2
Notification                               2
RSA Persist                                1
Threat Content                             3
Total # of Rules                                        32            33

In this example, all of the 10.6.6 ESA rule deployments were moved to 11.3, but they have no services after the upgrade. The only functional 11.3 ESA rule deployments are ESAP and ESAS. The 10.6.6 ESA rule deployments are preserved in case you want to use them.
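The two migration rules from "Upgrade Considerations for ESA Rule Deployments" (a deployment with two services splits, and deployments that share a service merge into that service's single "<service> - ESA Correlation" deployment while the old deployments are kept without services) can be expressed as a small model and checked against the rule counts in this example. The following Python is an added illustration, not RSA code and not an interface of NetWitness Platform: the Deployment structure, the function names, and the use of the service name as the ESA host name in the generated deployment name are assumptions, and the input is constructed to match the 10.6.6 example above. The verify function performs the post-upgrade checks listed at the start of this section: one "<host> - ESA Correlation" deployment per host, exactly one service in it, and no rule lost.

```python
"""Model of the ESA rule deployment migration to 11.3 (added example, not RSA code).
Deployment names, service names and rule counts mirror the page's 10.6.6 example;
the data structures and function names are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Deployment:
    name: str
    services: list                                  # ESA services attached to the deployment
    rules: list                                     # rule identifiers
    data_sources: list = field(default_factory=list)  # Concentrators, 11.3 and later


def migrate_to_11_3(deployments):
    """Apply the two migration rules from the page:
    1. a deployment with several services is split, one new deployment per service;
    2. every deployment that shared a service is merged into that service's single
       '<service> - ESA Correlation' deployment (service name assumed to be the host name).
    The original deployments are preserved, but without services."""
    merged = {}
    for dep in deployments:
        for svc in dep.services:
            new = merged.setdefault(svc, Deployment(f"{svc} - ESA Correlation", [svc], [], []))
            new.rules.extend(dep.rules)
            for ds in dep.data_sources:
                if ds not in new.data_sources:
                    new.data_sources.append(ds)
    preserved = [Deployment(d.name, [], list(d.rules), list(d.data_sources)) for d in deployments]
    return list(merged.values()) + preserved


def verify_migration(before, after):
    """Post-upgrade checks: one '<host> - ESA Correlation' deployment per ESA host,
    exactly that host's service in it, the full migrated rule set, and never more
    than one ESA Correlation service in any deployment. Returns a list of problems."""
    hosts = {svc for d in before for svc in d.services}
    by_name = {d.name: d for d in after}
    problems = []
    for host in sorted(hosts):
        name = f"{host} - ESA Correlation"
        dep = by_name.get(name)
        if dep is None:
            problems.append(f"missing deployment {name}")
            continue
        if dep.services != [host]:
            problems.append(f"{name} must hold exactly the {host} service")
        expected = [r for d in before if host in d.services for r in d.rules]
        if sorted(dep.rules) != sorted(expected):
            problems.append(f"{name} rule set differs from the migrated 10.6.6 rules")
    for d in after:
        if len(d.services) > 1:
            problems.append(f"{d.name} has more than one ESA Correlation service")
    return problems


def rules(prefix, n):
    """Constructed rule identifiers, e.g. adv-1 .. adv-16."""
    return [f"{prefix}-{i}" for i in range(1, n + 1)]


# Constructed input mirroring the page's 10.6.6 example (ESAP = primary, ESAS = secondary).
BEFORE = [
    Deployment("Basic Rules Advanced", ["ESAP", "ESAS"], rules("adv", 16)),
    Deployment("Basic Rules BRB", ["ESAP", "ESAS"], rules("brb", 10)),
    Deployment("Enrichment Rules", ["ESAP", "ESAS"], rules("enr", 2)),
    Deployment("Notification", ["ESAS"], rules("ntf", 2)),
    Deployment("RSA Persist", ["ESAP"], rules("per", 1)),
    Deployment("Threat Content", ["ESAP", "ESAS"], rules("thr", 3)),
]


def rule_counts(deployments):
    """Rule count of each deployment that still has a service (the functional ones)."""
    return {d.name: len(d.rules) for d in deployments if d.services}


if __name__ == "__main__":
    after = migrate_to_11_3(BEFORE)
    print(rule_counts(after))   # {'ESAP - ESA Correlation': 32, 'ESAS - ESA Correlation': 33}
    print(verify_migration(BEFORE, after) or "migration checks passed")
```

Running the model reproduces the 32 and 33 rule totals in the table above and leaves the six 10.6.6 deployments in place with no services, which is what you should see in the ESA rule deployment list after a real upgrade. If you re-attach a service to one of the preserved deployments, verify_migration also flags any deployment that ends up with more than one ESA Correlation service, which 11.3 and later do not allow.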

The following figure shows the 11.3 ESA rule deployments after the upgrade. Notice that the Basic Rules Advanced deployment from 10.6.6 does not have any ESA services, but it still contains the original 16 rules.

 ESA Rule Deployments after the upgrade to 11.3

The 10.6.6 ESA rule deployments show update messages detailing the changes as shown in the following figure.

ESA Rule Deployment from 10.6.6 showing update message after update to 11.3

The following figure shows the ESA primary rule deployment after the upgrade (ESAP - ESA Correlation). Notice that the ESAP - ESA Correlation deployment has only the ESA primary ESA Correlation service.

11.3 ESAP - ESA Correlation Rule Deployment after the upgrade

In NetWitness Platform 11.3 and later, you can only have one ESA Correlation service per deployment, but an ESA Correlation service can be in more than one ESA rule deployment.
