2017-09-04 12:30 PM
Hello,
Currently I am trying to configure rule-based incident generation (e.g. create an incident if there are more than X events from source Y during time period Z) on RSA Security Analytics AIO 10.6.2.1. As far as I understand, the ESA component is fundamental for such a function.
Is it possible to install the ESA component on an AIO appliance server? Eventually, is there any workaround to achieve the mentioned goal without ESA?
Best Regards,
Ondrej Zuffa
2017-09-05 12:13 AM
Hi Ondrej,
You need ESA to have Incident Management, as the IM database stays on ESA.
2017-09-05 08:36 AM
ESA will continue to be a requirement for NetWitness, as there will be more functions added to it in the V11.x code.
Currently the ESA engine, C2 detection, Incident Management, and Context Hub all require the ESA service, with more coming in V11.
ESA can be provided either as an appliance or a VM image depending on your environment, and there may be benefits to leveraging the consumption model rather than the appliance model for licensing if you are a low line-rate shop (AIO would indicate that). Talk to your local RSA SE about options.
2017-09-06 04:46 AM
Hi Eric,
Thank you for the clarification.
Best Regards,
Ondrej Zuffa