ESA Config: Configure ESA Correlation Rules

Document created by RSA Information Design and Development on Sep 13, 2017. Last modified on Sep 8, 2020. Version 12.

This topic provides high-level tasks to configure RSA NetWitness Platform Event Stream Analysis (ESA) Correlation Rules using the ESA Correlation service.

IMPORTANT: Mixed mode is not supported for ESA hosts in NetWitness Platform version 11.5 and later. The NetWitness server, ESA primary host, and ESA secondary host must all be on the same NetWitness Platform version.

Data Source Configuration Changes

In NetWitness Platform version 11.3 and later, the ESA Correlation service enables you to specify different data sources for different sets of rules. Instead of adding data sources, such as Concentrators, to the entire ESA Correlation service, you can specify different data sources for each ESA rule deployment. An ESA rule deployment includes an ESA Correlation service with its associated data sources and a set of ESA rules. For example, you may want to use Concentrators with HTTP packet data in one deployment and Concentrators with HTTP log data in another deployment. For more detailed information, see Deploy Rules to Run on ESA.

In NetWitness Platform 11.5 and later, you can add an optional data source filter to the data sources in your ESA rule deployments to improve performance. This allows your data sources to be filtered further so that only the data relevant to the deployment is forwarded to ESA. The filter is comprised of application rules, which are applied to the Decoders mapped to your selected data sources.

Caution: The data source filter is intended for advanced users familiar with Decoder application rules. Improper filtering can cause the required data to not be forwarded to and analyzed by ESA.

Using a data source filter is performance intensive for data aggregation: applying the filter slows the event aggregation rate on the data source. When the filter discards a large share of the traffic, the smaller volume reaching ESA still gives a net performance benefit on the ESA Correlation server. However, if you use a complex filter that does not actually discard much traffic, you pay the filtering cost without the benefit, and the event aggregation rate may be lower than expected.

IMPORTANT: If an application rule linked to a data source filter is modified on a Decoder, the filter must be removed, added again, and redeployed. The changes take effect on ESA after the deployment is redeployed.

For more information, see “(Optional) Add a Data Source Filter” in ESA Rule Deployment Steps.

Endpoint Risk Scoring Rules Bundle

An Endpoint Risk Scoring Rules Bundle, which contains approximately 400 rules, comes with NetWitness Platform 11.3 and later. Endpoint risk scoring rules only apply to NetWitness Endpoint. You can add the Endpoint Risk Scoring Rules Bundle to an ESA rule deployment in the same way that you would add any ESA rule. However, you must specify endpoint data sources (Concentrators) in the ESA Rule Deployment.

The ESA Correlation service can process endpoint risk scoring rules, which generate alerts that are used in risk scoring calculations to identify suspicious files and hosts. To turn on risk scoring for NetWitness Endpoint, you must deploy endpoint risk scoring rules on ESA. For instructions, see Deploy Endpoint Risk Scoring Rules on ESA. To configure NetWitness Endpoint, see the NetWitness Endpoint Configuration Guide. Go to the Master Table of Contents to find all RSA NetWitness Platform 11.x documents.

ESA Correlation Rules Configuration Workflow

The following diagram shows the high-level workflow for configuring ESA Correlation Rules with the ESA Correlation service.

ESA Correlation Rules Configuration Workflow for the ESA Correlation Service

ESA Rule Deployments are groups of ESA Rules processed by an ESA service to create alerts. In NetWitness Platform 11.3 and later, the ESA Correlation service processes the ESA rules and creates alerts.

Before you can configure ESA Correlation Rules, install and configure the data sources (Concentrators) to use for the ESA rules. For example, you may have a Concentrator with HTTP packet data and another with Windows Log data. Next, configure the global notification methods that content experts can use for the ESA rules. For example, they may want to send an email notification when a rule creates an alert.

The NetWitness Platform Live Content Management System (known as Live) is a valuable source of the latest internet security resources for NetWitness Platform customers. RSA Live contains an extensive library of ESA rules to detect threats that you can use to save time. Download the rules for the events that you want to detect in your network to the ESA Rule Library and adjust them as needed for your network environment.

After you prepare your data sources and download Live ESA rules, you can create one or more ESA rule deployments. An ESA rule deployment contains an ESA service, one or more data sources, and a set of ESA rules. For example, you can create an ESA rule deployment that contains an ESA Correlation service, a Concentrator with HTTP packet data, and a set of ESA rules for HTTP packet data. When you are ready to have the ESA service run the rule set, you deploy the ESA rule deployment, which places the rules on ESA.

After you deploy an ESA rule deployment, verify that you can view the ESA alerts in the Respond view (Respond > Alerts).

Prerequisites

Make sure that you:

  • Install the ESA Correlation service in your network environment.
  • Install and configure one or more Concentrators in your network environment.
  • Download or ensure that you have access to the Alerting with Correlation Rules User Guide for version 11.3 or later. Go to the Master Table of Contents to find all RSA NetWitness Platform 11.x documents.

Procedure

The following table shows the high level tasks required to configure ESA Correlation Rules.

Tasks and References

  1. Prepare data sources, such as Concentrators, to use for your ESA Correlation Rules.
     Reference: Broker and Concentrator Configuration Guide.
  2. Configure notifications for the ESA Correlation service.
     Reference: Notification Methods.
  3. Download Event Stream Analysis rules using Live. Configure the Live ESA Rule parameters for your environment.
     Reference: Download Configurable RSA Live Rules.
  4. Create ESA rule deployments*: Choose ESA Rules and the appropriate ESA service to use in the ESA rule deployment. For NetWitness Platform 11.3 and later, you must also choose the data sources to use for these rules.
     Reference: ESA Rule Deployment Steps.
  5. Deploy ESA rule deployments.*
     Reference: ESA Rule Deployment Steps.
  6. View ESA alerts in the Respond view.
     Reference: NetWitness Respond User Guide.

*ESA rule deployments are groups of ESA Rules that are processed by an ESA service, such as the ESA Correlation service in NetWitness Platform version 11.3 and later.

For additional optional advanced ESA Correlation Rules configuration procedures, see Additional ESA Correlation Rules Procedures.

For more information on alerting with ESA Correlation rules best practices, creating rules, working with trial rules, adding data enrichment sources, viewing statistics for an ESA service, and troubleshooting, see the Alerting with ESA Correlation Rules User Guide.

ESA Correlation Health and Wellness Monitoring

In NetWitness Platform version 11.5 and later, New Health and Wellness provides improved and intuitive dashboards, monitors, and visualizations. The ESA Correlation Overview dashboard provides health statistics and trends on ESA rule deployments.

New Health and Wellness - ESA Correlation Overview dashboard

For more information, see "Monitor New Health and Wellness" and "Appendix A: New Health and Wellness Dashboards / ESA Correlation Overview Dashboard" in the System Maintenance Guide.

Upgrade Considerations for ESA Hosts

Mixed mode is not supported for ESA hosts in NetWitness Platform version 11.5 and later.

IMPORTANT: The NetWitness server (Admin server), ESA primary host, and ESA secondary host must all be on the same NetWitness Platform version.

Trial Rule Status Changes

In NetWitness Platform 11.4 and later, ESA trial rules no longer change status after an upgrade or deployment. For example, if you change the status of a trial rule to disabled (Configure > ESA Rules > Services tab) and redeploy the ESA rule deployment (Configure > ESA Rules > Rules tab), the trial rule remains disabled. Previously, ESA trial rules could change status after an upgrade or when they were redeployed.

Upgrade Considerations for ESA Rule Deployments (from 11.2.x and Earlier only)

Caution: After upgrading to NetWitness Platform version 11.3 or later, due to the ESA Correlation service data source changes, there are necessary data changes to migrated ESA rule deployments.

After the upgrade to version 11.3 or later, migrated ESA rule deployments change as follows:

  1. If an ESA rule deployment contains two services before 11.3, the deployment splits into two deployments. You can only have one ESA Correlation service in an ESA rule deployment in version 11.3 or later.
  2. If an ESA service has multiple ESA rule deployments before 11.3, they combine into one deployment in version 11.3 or later. You can still access your old deployments. For a detailed example, see ESA Rule Deployments Upgrade Example (from 11.2.x and Earlier only).

To support Endpoint and UEBA content as well as changes to ESA rules from Live, a data change from single-value (string) to multi-value (string array) is required for several meta keys within the ESA Correlation service. Some single-value meta keys are also required. See Update Your ESA Rules for the Required Multi-Value and Single-Value Meta Keys.

Upgrade Considerations for ESA Rule Deployments (from 11.3.x)

Caution: Before upgrading from NetWitness Platform 11.3.x to 11.4 or later, it is important to delete ESA rule deployments that do not contain an ESA Correlation service. The remaining ESA rule deployments should have been deployed at least once with the ESA Correlation service.

ESA Rule Deployments Upgrade Example (from 11.2.x and Earlier only)

Note: This example applies only to upgrades from NetWitness Platform version 11.2.x and earlier to 11.3.x or 11.4.x.

This example compares NetWitness Platform 10.6.6 ESA rule deployments before and after an upgrade to version 11.3 or later. In this example, before the upgrade there are six 10.6.6 ESA rule deployments. Four deployments have both the ESA primary and ESA secondary Event Stream Analysis services. One deployment has only the ESA primary service and another has only the ESA secondary service. Each 10.6.6 ESA rule deployment before the upgrade has a set of rules as shown in the following table:

10.6.6 ESA Rule Deployment (Before Upgrade)   # of Rules   ESA Primary   ESA Secondary
Basic Rules Advanced                          16           x             x
Basic Rules BRB                               10           x             x
Enrichment Rules                               2           x             x
Notification                                   2                         x
RSA Persist                                    1           x
Threat Content                                 3           x             x
Total # of Rules                                           32            33

The following figure shows the 10.6.6 ESA rule deployments before the upgrade.

10.6.6 ESA Rule Deployments before the upgrade

In this example, after the upgrade to 11.3, there are only two functional ESA rule deployments; one has the ESA primary (ESAP) ESA Correlation service and the other has the ESA secondary (ESAS) ESA Correlation service. The ESAP - ESA Correlation deployment contains 32 rules, which is the total of all of the rules in the 10.6.6 deployments that contained the ESA primary service (16 + 10 + 2 + 1 + 3). The ESAS - ESA Correlation deployment contains 33 rules, which is the total of all of the rules in the 10.6.6 deployments that contained the ESA secondary service (16 + 10 + 2 + 2 + 3). Since the RSA Persist 10.6.6 deployment contained only the ESA primary service, its rule was added to the ESAP 11.3 deployment. Since the Notification 10.6.6 deployment contained only the ESA secondary service, its rules were added to the ESAS 11.3 deployment.

The following table shows the 11.3 ESA rule deployments after upgrade, the number of rules in each deployment, and which deployments have the ESA primary and ESA secondary ESA Correlation services.

11.3 ESA Rule Deployment (After Upgrade)   # of Rules   ESA Primary   ESA Secondary
Basic Rules Advanced                       16
Basic Rules BRB                            10
ESAP - ESA Correlation                     32           x
ESAS - ESA Correlation                     33                         x
Enrichment Rules                            2
Notification                                2
RSA Persist                                 1
Threat Content                              3
Total # of Rules                                         32            33

In this example, all of the 10.6.6 ESA rule deployments were moved to 11.3, but they have no services after the upgrade. The only functional 11.3 ESA rule deployments are ESAP and ESAS. The 10.6.6 ESA rule deployments are preserved in case you want to use them.
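The migration behaviour described above (a deployment with two ESA services is split per service, deployments that share a service are merged into one, and the old deployments survive with no service attached) can be modelled so you can predict the post-upgrade state of your own deployment inventory before upgrading. The following Python script is an added illustration, not RSA's migration code. The deployment names, services and rule counts are the 10.6.6 example from this page; the individual rule names are constructed placeholders, and the merge simply concatenates rules (the page gives totals as plain sums and does not say how a rule present in two deployments on the same service is treated). The last function lists the deployments that end up with no ESA Correlation service, which are the ones the caution about upgrading from 11.3.x says to delete.

```python
"""Model of the NetWitness 11.3 ESA rule deployment migration.

Added example, not part of the NetWitness product. Encodes the two rules
stated in the documentation:
  1. A deployment that contained two ESA services is split so that each
     ESA Correlation service gets its own deployment.
  2. All deployments that contained the same ESA service are merged into
     one deployment for that service.
Old deployments are preserved, but detached from every service.
"""
from collections import OrderedDict


def sample_legacy_deployments():
    """Constructed input: the 10.6.6 deployments from the documentation.

    Services: "ESAP" = ESA primary, "ESAS" = ESA secondary.
    Rule names are placeholders; only the counts come from the page.
    """
    spec = [
        # (deployment name, number of rules, ESA services it used)
        ("Basic Rules Advanced", 16, {"ESAP", "ESAS"}),
        ("Basic Rules BRB",      10, {"ESAP", "ESAS"}),
        ("Enrichment Rules",      2, {"ESAP", "ESAS"}),
        ("Notification",          2, {"ESAS"}),
        ("RSA Persist",           1, {"ESAP"}),
        ("Threat Content",        3, {"ESAP", "ESAS"}),
    ]
    return [
        {
            "name": name,
            "services": set(services),
            "rules": [f"{name} rule {i + 1}" for i in range(count)],
        }
        for name, count, services in spec
    ]


def migrate(deployments):
    """Return (old_deployments, new_deployments) after the 11.3 migration.

    new_deployments holds one deployment per ESA service, named
    '<service> - ESA Correlation', containing every rule from every old
    deployment that used that service (rules are concatenated; the page
    does not describe de-duplication, so none is modelled here).
    """
    merged = OrderedDict()
    for dep in deployments:
        for svc in sorted(dep["services"]):
            target = merged.setdefault(
                svc,
                {"name": f"{svc} - ESA Correlation",
                 "services": {svc},
                 "rules": []},
            )
            target["rules"].extend(dep["rules"])
    # Old deployments are kept with their rules but lose all services.
    old = [
        {"name": d["name"], "services": set(), "rules": list(d["rules"])}
        for d in deployments
    ]
    return old, list(merged.values())


def rule_counts(deployments):
    """Map deployment name -> number of rules."""
    return {d["name"]: len(d["rules"]) for d in deployments}


def deployments_without_service(deployments):
    """Names of deployments that have no ESA Correlation service.

    These are the deployments the 11.3.x -> 11.4 caution says to delete
    before upgrading.
    """
    return [d["name"] for d in deployments if not d["services"]]


if __name__ == "__main__":
    old, new = migrate(sample_legacy_deployments())
    for dep in new + old:
        print(f"{dep['name']:28} rules={len(dep['rules']):3} "
              f"services={sorted(dep['services'])}")
    print("Delete before upgrading to 11.4:",
          deployments_without_service(old + new))
```

Running the script reproduces the page's totals (32 rules on the ESAP deployment, 33 on the ESAS deployment) and lists the six detached 10.6.6 deployments. To use it against a real environment, replace sample_legacy_deployments() with your own inventory of deployment names, services and rules.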

Caution: Before upgrading from NetWitness Platform 11.3.x to 11.4, it is important to delete ESA rule deployments that do not contain an ESA Correlation service. The remaining ESA rule deployments should have been deployed at least once with the ESA Correlation service.

The following figure shows the 11.3 ESA rule deployments after the upgrade. Notice that the Basic Rules Advanced deployment from 10.6.6 does not have any ESA services, but it still contains the original 16 rules.

11.3 ESA Rule Deployments after the upgrade

The 10.6.6 ESA rule deployments show update messages detailing the changes as shown in the following figure.

ESA Rule Deployment from 10.6.6 showing update message after update to 11.3

The following figure shows the ESA primary rule deployment after the upgrade (ESAP - ESA Correlation). Notice that the ESAP - ESA Correlation deployment has only the ESA primary ESA Correlation service.

11.3 ESAP - ESA Correlation Rule Deployment after the upgrade

In NetWitness Platform 11.3 and later, you can only have one ESA Correlation service per deployment, but an ESA Correlation service can be in more than one ESA rule deployment.
