ESA Config: ESA Analytics Mappings

Document created by RSA Information Design and Development on Sep 13, 2017Last modified by RSA Information Design and Development on Oct 4, 2017
Version 5Show Document
  • View in full screen mode
 

In the ESA Analytics Mappings panel (ADMIN > System > ESA Analytics), you define how the RSA Automated Threat Detection functionality should automatically detect advanced threats. You can analyze the data that resides on one or more Concentrators by selecting a preconfigured ESA Analytics module.

To better utilize your network resources and reduce unnecessary data flow, you can map multiple data sources, such as Concentrators, to available ESA Analytics services in order to process data more efficiently and take advantage of additional capacity.

Workflow

This workflow shows the process for creating and enabling an ESA Analytics mapping to start automatically detecting advanced threats.

Before you create an ESA Analytics mapping, ensure that the ESA hosts and services that you want to use for your mappings are online and available. All of the services need to be in sync with a consistent time source. Also ensure that the Concentrators are collecting the required data. When you create an ESA Analytics mapping, you select an ESA Analytics module to map, such as Suspicious Domains. Then you select the data sources, such as Concentrators, to use for that module along with an ESA Analytics service to process the data. When you are ready to start aggregating data, you deploy the mapping. Analysts can view detected threats for that module in the Respond view.

What do you want to do?

                                      
Role I want to ...Show me how
Administrator

Verify that the ESA hosts and services are online and available.

ADMIN > HOSTS and ADMIN > SERVICES
See Hosts and Services Getting Started Guide.

Administrator

Ensure that the Concentrators are collecting the required data.

See Broker and Concentrator Configuration Guide

AdministratorCreate ESA Analytics mappings*

Mapping ESA Data Sources to Analytics Modules

AdministratorDeploy ESA Analytics mappings*Mapping ESA Data Sources to Analytics Modules
Administrator,
Analyst
View detected threats

See NetWitness Respond User Guide.

*You can complete these tasks here (that is in the ESA Analytics Mappings panel).

Related Topics

Quick Look

The following example illustrates an ESA Analytics mapping. The configuration defines the data sources for the selected module and the ESA Analytics service that will process the events from those data sources.

ESA Analytics Mappings diagram

                                     
1Displays the ESA Analytics Mappings panel.
2Shows the status of the ESA Analytics mapping.
3The name of the module that is mapped.
4Data sources, such as Concentrators, assigned to the mapping.
5ESA Analytics service that processes the data for the mapping.
6Warm-up period configuration (in hours) on the data sources for the mapping.
7Lag configuration (in minutes) on the data sources for the mapping.
8Actions for changing module settings, deploying module mappings, and undeploying module mappings.

Toolbar

The following table describes the toolbar actions.

                        
Icon / ButtonDescription

Add.png

Opens the Create Mappings dialog where you can create an ESA Analytics mapping. Create a separate mapping for each module.
After creating and reviewing the mappings, you deploy them.

Delete.png

Deletes an ESA Analytics Mapping.

  • You can delete a mapping with a status of Undeployed at any time. Since a mapping in the Undeployed state is not deployed and is not running, it does not affect data aggregation.

  • Deleting a deployed mapping clears the configuration on the ESA server, reverts the deployment for that mapping, and stops pulling data from the data source for that module. You should undeploy a mapping with a status of Deployed before deleting it.

Deploy Now

After you create your mappings, you need to deploy them in order to start aggregating data for the modules. You can select one or more mappings with a status of Undeployed to deploy.

Note: If you want to make changes to a deployed mapping, such as adding or removing Concentrators or changing the service, you must undeploy and delete the existing mapping and then create and deploy a new mapping for that module.

ESA Analytics Mappings

The following table describes the listed ESA Analytics mappings.

                                           
TitleDescription
Select icon To select an individual mapping, select the checkbox next to the mapping.

Status

Shows the status of the mapping. There are two statuses:

Undeployed - An undeployed mapping maps an ESA Analytics module to sources and an ESA Analytics service. It does not start aggregating data for the module until you deploy the mapping.

Deployed - A deployed mapping is deployed and running. In a deployed mapping, the selected ESA Analytics service uses query-based aggregation to collect the appropriate filtered events for the selected module from the Concentrators.

Module

Indicates the selected ESA Analytics module. An ESA Analytics module is a pipeline composed of activity objects that enrich an event with additional information through mathematical computations. The module resides within the ESA Analytics service.

Sources

Sources are the data sources, such as Concentrators, from which ESA will aggregate the data for the specified module.

Service

Indicates the ESA Analytics service that will process the data for the specified module. The selected service needs to be in sync with a consistent time source.

Warm-Up Period (Hours)

Specifies a warm-up duration (in hours). A warm-up period is required to allow Automated Threat Detection to "learn" your traffic. The warm-up period should run when typical traffic is running. During this time, alerting for your module mapping is suppressed. The Warm-up Period primes the module with historical data and guarantees that the specified number of hours of data collection completes before sending alerts.

RSA provides preconfigured ESA Analytics modules. Each module type has a default warm-up period defined, which you can adjust to your environment, if necessary. After this warm-up period, alerts can be viewed.

For more information about Warm-up Period and Lag time, see Module Settings.

Lag Time (Minutes)

Specifies a constant time delay in minutes, which is added to avoid losing events being processed by the data sources during periods of heavy activity. For example, Concentrator performance varies depending on factors such as incoming load, ongoing queries, and indexing. Due to these factors, a Concentrator may not aggregate events in real-time, which leads to the delay.

The Lag parameter gives the Concentrator a chance to finish aggregating all of the data.

After the warm-up period completes, data aggregation continues at Current (System) Time - Lag Time. This is useful when a Concentrator is slow in aggregating data. The Lag time guarantees that the module does not process data that arrives to the Concentrator within the Lag time window so there is adequate delay to ensure all events that get generated in the enterprise can be processed by the module.

For example, if Lag time is 30 minutes, and the current time is 2:00 PM, the Concentrator starts pulling records at 1:30 PM. The Lag time window, 30 minutes in this example, remains constant as time advances. When the current time advances to 2:01 PM, the Concentrator pulls the next minute of data at 1:31 PM, and so on.

Important: The Lag time defines the buffer between the current time and the time when the module ingests the data.

Caution: RSA recommends that Administrators adjust the Lag parameter dynamically based on the performance of each of the individual Concentrators to avoid missing any events during aggregation.

For more information about Warm-up Period and Lag time, see Module Settings.

Actions icon

Enables you to select additional actions for the selected module mapping:

  • Edit Module - Enables you to configure the warm-up period and lag time for the selected module mapping.

  • Deploy - Deploys the selected module mapping. The specified ESA Analytics service starts pulling data from the data sources for that module.

  • Undeploy - Undeploys the selected module mapping. The specified ESA Analytics service stops pulling data from the data sources for that module.

Caution: Undeploying a mapping with a status of Deployed will affect data aggregation for that module.

Next Topic:Module Settings
You are here
Table of Contents > References > ESA Analytics Mappings

Attachments

    Outcomes