This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

RSA NetWitness® Platform Discussions

Discussions about the RSA NetWitness Platform.
RSAAdmin
Beginner
Beginner
‎2015-12-08 03:51 PM

Correlation

Jump to solution

Has anyone done correlation within SA?

 

I was under the impression that correlation can be done in SA within the Concentrator?

 

But, I was also told you need the ESA to do some correlation as well?

0 Likes
Reply
1 Solution

Accepted Solutions
ChristopherAhea
Employee
Employee
‎2015-12-09 09:10 AM

Jump to solution

Basic correlation rules can be created in the concentrator, but they are very basic.  The better way to do it would be using ESA.

View solution in original post

0 Likes
Reply
4 Replies
ChristopherAhea
Employee
Employee
‎2015-12-09 09:10 AM

Jump to solution

Basic correlation rules can be created in the concentrator, but they are very basic.  The better way to do it would be using ESA.

View solution in original post

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to ChristopherAhea
‎2015-12-10 12:14 PM

Jump to solution

Hi, thanks for the reply

 

What would you consider "basic" in terms of correlations with the concentrator?

 

And, what would be considered more advanced with ESA?

 

Do you have any examples?

 

Thanks.

0 Likes
Reply
SeanKoniarz
Beginner
Beginner
In response to RSAAdmin
‎2015-12-17 10:13 AM

Jump to solution

Basic is, this IP with this event hit 10 times. 

 

Advanced is, This IP connected with a TCP ACK, then we saw this event on the server, followed by an admin user being created. 

0 Likes
Reply
JonathanSaxon
Employee
Employee
‎2015-12-17 10:31 AM

Jump to solution

I just worked with a customer on creating a very basic correlation rule on a Concentrator.

 

The customer created a correlation rule that looked for large file transfers (<50MB) over a 5 minute window on the downstream Decoder.

 

In the test lab, I created a similar rule that set the threshold to 1000KB (1MB) so it would trigger more often for testing purposes.

 

The rule looks like:

 

pastedImage_2.png

 

When you investigate against that Concentrator you will see:

 

pastedImage_4.png

 

RSA published several correlation rules in Live content and you can download and modify these rules if they don't do exactly what you want.

 

pastedImage_5.png

You can find additional information on correlation rules at https://sadocs.emc.com/0_en-us/089_105InfCtr/120_AppSerCon/DeLdCon/10_ReqProc/30_ConfDecRul/ConfCorr... 

 

Hope this helps.

Reply
© 2021 RSA Security LLC or its affiliates.
All rights reserved.