ESA Config: Configure ESA Correlation Rules

Document created by RSA Information Design and Development on Sep 13, 2017Last modified by RSA Information Design and Development on Mar 27, 2018
Version 7Show Document
  • View in full screen mode

This topic provides high-level tasks to configure RSA NetWitness Suite Event Stream Analysis (ESA) Correlation Rules using the Event Stream Analysis service.


Make sure that you:

  • Install the Event Stream Analysis service in your network environment.
  • Install and configure one or more Concentrators in your network environment.


Note: You can configure ESA using an SSL port (50030) only. There is no option to configure a Non-SSL port.

To configure Event Stream Analysis:

  1. Add a Concentrator as data source to the Event Stream Analysis service. 
Refer to Step 1. Add a Data Source to an ESA Service
  1. Configure notifications for the Event Stream Analysis service.
Refer to "Notification Methods" in the Alerting with ESA Correlation Rules User Guide.
  1. Download Event Stream Analysis content using Live.
Refer to "Live Search View" in the Live Resource Managment Guide.
  1. (Optional) Advanced configuration for Event Stream Analysis service.
Refer to Step 2. Configure Advanced Settings for an ESA Service.


The Event Stream Analysis service is configured and you can now add ESA Rules for event processing and alerting. For information on adding ESA Rules, see "Add Rules to the Rule Library" in the Alerting with ESA Correlation Rules User Guide.

You are here
Table of Contents > Configure ESA Correlation Rules