In the ESA Analytics Mappings panel (Admin > System > ESA Analytics), you define how the RSA Automated Threat Detection functionality should automatically detect advanced threats. You can analyze the data that resides on one or more Concentrators by selecting a preconfigured ESA Analytics module.
To better utilize your network resources and reduce unnecessary data flow, you can map multiple data sources, such as Concentrators, to available ESA Analytics services in order to process data more efficiently and take advantage of additional capacity.
This workflow shows the process for creating and enabling an ESA Analytics mapping to start automatically detecting advanced threats.
Before you create an ESA Analytics mapping, ensure that the ESA hosts and services that you want to use for your mappings are online and available. All of the services need to be in sync with a consistent time source. Also ensure that the Concentrators are collecting the required data. When you create an ESA Analytics mapping, you select an ESA Analytics module to map, such as Suspicious Domains. Then you select the data sources, such as Concentrators, to use for that module along with an ESA Analytics service to process the data. When you are ready to start aggregating data, you deploy the mapping. Analysts can view detected threats for that module in the Respond view.
*You can complete these tasks here (that is in the ESA Analytics Mappings panel).
- Configure ESA Analytics
- Update a Mapping
- Undeploy a Mapping
- Delete a Mapping
- Change the Warm-up Period and Lag Time
- Module Settings
The following example illustrates an ESA Analytics mapping. The configuration defines the data sources for the selected module and the ESA Analytics service that will process the events from those data sources.
|1||Displays the ESA Analytics Mappings panel.|
|2||Shows the status of the ESA Analytics mapping.|
|3||The name of the module that is mapped.|
|4||Data sources, such as Concentrators, assigned to the mapping.|
|5||ESA Analytics service that processes the data for the mapping.|
|6||Warm-up period configuration (in hours) on the data sources for the mapping.|
|7||Lag configuration (in minutes) on the data sources for the mapping.|
|8||Actions for changing module settings, deploying module mappings, and undeploying module mappings.|
The following table describes the toolbar actions.
ESA Analytics Mappings
The following table describes the listed ESA Analytics mappings.