Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

AnsweredAssumed Answered

ESA Delay in alerting

Question asked by Anas Bdeir on Sep 13, 2017
Latest reply on Sep 13, 2017 by Sravan Koneti

Like • Show 0 Likes0
Comment • 3

some rules alerting events past 2 days and others for more 20 days. appreciate your advice

No one else has this question

Outcomes

3 Replies

Sravan Koneti Sep 13, 2017 5:31 AM
Mark Correct
Correct Answer
Hi Anas,

Please check if ESA aggregation falling behind using 000032858 - How to check if Event Stream Analysis (ESA) is falling behind concentrators in RSA NetWitness Platform

If Sessions behind is high, try 000029735 - How to aggregate ESA events from the current time in the RSA NetWitness Platform (Version 11.2 and below) to real-time alerts.
Like • Show 0 Likes0
Actions
Anas Bdeir Sep 13, 2017 7:17 AM
Mark Correct
Correct Answer
thanks, Sravan Koneti

solved for now, how to prevent from occurring again.
Like • Show 0 Likes0
Actions
- Sravan Koneti @ Anas Bdeir on Sep 14, 2017 12:06 AM
  Mark Correct
  Correct Answer
  Hi Anas,
  
  Glad to hear that problem solved now.
  
  Generally, the rules which holds huge memory with more time window would cause ESA slowness or crash. Please try to use best practices to fine-tune rules. RSA Security Analytics Alerting using ESA Guide for Version 10.6.4
  
  000033036 - Helpful information for developing ESA rules in RSA Security Analytics
  Like • Show 0 Likes0
  Actions