ESA Config: Services Config View Advanced Tab

Document created by RSA Information Design and Development on Sep 13, 2017Last modified by RSA Information Design and Development on Apr 11, 2019
Version 9Show Document
  • View in full screen mode
 

Note: The information in this topic applies ONLY to RSA NetWitness® Platform version 11.2 and earlier. For version 11.3 and later, see Configure Advanced Settings for an ESA Correlation Service.

The Services Config view > Advanced tab of an ESA service enables you to configure advanced settings. In the Advanced view, you can configure advanced settings to improve performance, to preserve events for rules with multiple events, to buffer events in memory, and to set the number of events to be stored on the ESA.

Workflow

This workflow shows the overall process for configuring ESA. It also shows where configuring advanced settings is located in the process.

Shows the ESA Configuration Workflow and shows where you are in the process: (Optional) Configure Advanced Settings

In NetWitness Platform 11.2 and earlier, ESA has two services, the Event Stream Analysis service (ESA Correlation Rules) and the Event Stream Analytics Server service (ESA Analytics). The first four procedures shown pertain to configuring the Event Stream Analysis service:

  • Add Data Source to ESA Service
  • Configure Notifications
  • Download Live Content
  • (Optional) Configure Advanced Settings*

The last procedure is separate from the others and pertains to creating mappings for the ESA Analytics services to start automatically detecting advanced threats:

  • (Optional) Create and Deploy ESA Analytics Mappings

What do you want to do?

                                 
Role I want to ...Show me how
AdministratorAdd a Concentrator as a data source to the Event Stream Analysis Service

See "Configure ESA Correlation Rules" and "Step 1. Add a Data Source to an ESA Service" in the ESA Configuration Guide for version 11.2.

AdministratorConfigure Notifications

See "Notification Methods" in the Alerting with ESA Correlation Rules User Guide for version 11.2.

AdministratorDownload Live Content

See "Download Configurable RSA Live Rules" in the Alerting with ESA Correlation Rules User Guide for version 11.2.

AdministratorConfigure Advanced Settings *

See "Step 2. Configure Advanced Settings for an ESA Service" in the ESA Configuration Guide for version 11.2.

*You can complete these tasks here (that is in the Services Config view Advanced tab).

Related Topics

  • See "Add or Update a Host" in the Host and Services Getting Started Guide

Quick Look

To access the Advanced tab, go to ADMIN > Services > (Select an ESA service) > Actions icon > View > Config.

The following figure shows the Services Config view Advanced tab for an ESA service.

Services Config View Advanced tab for an ESA service

Alert Engine Settings

In the Alert Engine section, you specify values to preserve events for rules that choose multiple events. The following figure shows the Alert Engine section.

Alert Engine Section

The following table lists the parameters in the Alert Engine section and their descriptions.

                     
ParameterDescription
Max Constituent Events

For rules that contain multiple events, this configuration value determines how many of the associated events are preserved. For example, if a rule fires an alert with 200 associated events and this parameter is set to 100, only the first 100 are preserved by ESA, the rest are dropped. The default value is 100.

Forward Alerts On Message Bus

To forward ESA alerts for NetWitness Respond, you must select this option. The ESA alerts generated will be sent to the Message Bus and subsequently to Respond. This option is selected by default. You may want to ensure that the Respond Server service is running.

Debug Rules?

Selecting enables debugging rules.

Event Stream Engine Settings

In the Event Stream Engine section, you specify details to improve performance. The following figure shows the Event Stream Engine section.

Event Stream Engine Section

The following table lists the parameter in the Event Stream Engine section and its description.

              
ParameterDescription
Max Pattern Subexpressions

Certain rules require ESPER to maintain subexpressions in memory before deciding to fire them or not. These subexpressions consume memory and if left unchecked may cause the service to go down with memory exhaustion. This parameter is a safety measure that keeps such memory hogging rules under check. If a rule exceeds the specified number of subexpressions, its processing is delayed. The default value is 0, which means this setting is disabled. You must set a value if there are service stability issues.

You are here
Table of Contents > References > Services Config View Advanced Tab

Attachments

    Outcomes