Additional ESA Rule Deployment Procedures

In addition to deploying an ESA service and rules, you may want to perform other steps on your ESA rule deployment, such as replacing an ESA service, changing a data source, editing or deleting a rule from the deployment, renaming or deleting the deployment, or showing updates to an ESA rule deployment.

Note: You cannot edit or duplicate an Endpoint Risk Scoring Rules Bundle.

In NetWitness version 11.3 and later, you can add or remove a data source from a deployment. In NetWitness 11.3.0.2 and later, you can edit a data source in an ESA rule deployment. This enables you to change the data source password, SSL, port, and compression settings.

Each of the following procedures starts in the Rules tab (Configure > ESA Rules > Rules tab).

Anytime you make changes to an ESA rule deployment, you must redeploy it for the changes to take effect. To redeploy the deployment, click the Deploy Now button for that deployment.

Replace an ESA Service in an ESA Rule Deployment

An ESA rule deployment can have only one ESA service, but you can replace it at any time with another ESA service. You can use the same ESA service in multiple deployments.

Remove an ESA Service from an ESA Rule Deployment

  1. Go to Configure > ESA Rules > Rules tab.
    The Rules tab is displayed.
  2. In the options panel, under Deployments, select a deployment.
  3. In the ESA Services section, select a service and click the Delete icon in the toolbar.
    A confirmation dialog is displayed.
  4. Click Yes.
    The service is removed from the deployment.
  5. After you finish making changes to the deployment, click Deploy Now to redeploy it. The changes take effect on ESA after the deployment is redeployed.

Add an ESA Service to an ESA Rule Deployment

  1. To add an ESA Service to an ESA rule deployment, see Step 2. Add an ESA Service. For the ESA Correlation service in NetWitness Respond 11.3 and later, you must add at least one data source to the service. See Step 3. Add Data Sources.
  2. After you finish making changes to the ESA rule deployment, click Deploy Now to redeploy it. The changes take effect on ESA after the ESA rule deployment is redeployed.

Edit a Data Source in an ESA Rule Deployment

Note: This procedure applies to NetWitness Platform 11.3.0.2 and later versions.

You can change the configuration of a data source in an ESA rule deployment: the data source password, SSL, port, and compression settings. When the password changes on a data source, you must update it in the ESA rule deployment as well so that ESA can continue to communicate with the data source.

Note: If you make any ESA service, data source, or ESA rule changes to an ESA rule deployment, you need to redeploy the deployment. For example, if you change the configuration of a data source in an ESA rule deployment, you must redeploy all the ESA rule deployments that contain that data source.

  1. Go to Configure > ESA Rules > Rules tab.
    The Rules tab is displayed.
  2. In the Rules tab options panel, under Deployments, select a deployment.
  3. In the Data Sources section, select a data source and click the Edit icon in the toolbar.
  4. In the Edit Service dialog, type the Administrator username and password for the data source. If the password changed on the data source, enter the new password here.

  5. To enable the SSL or Compression options, select the corresponding checkboxes.
  6. (Optional) In NetWitness 11.3 and later, you can adjust the Compression Level for Concentrators on ESA. To enable compression, select the Compression checkbox. You can set the Compression Level for a Concentrator from 0-9:
    • Compression Level = 0 (If compression is enabled, it allows Core Services to control the amount of compression.)
    • Compression Level = 1 (It uses the lowest amount of compression and has the highest performance.)
    • Compression Level = 9 (It uses the highest amount of compression and has the worst performance.)

    A setting somewhere between 1 and 9 is usually best, which is what you get when you select compression level 0 and let Core Services choose the amount of compression. For more detailed information, see the Core Database Tuning Guide.

    Note: When you set the compression level for a Concentrator on ESA, it sets the same compression level for that Concentrator for ESA Correlation Rules.

  7. Click Test Connection to make sure that the data source can communicate with the ESA service.

  8. Click OK.
  9. After you finish making changes to the deployment, click Deploy Now to redeploy the ESA rule deployment. The changes take effect on ESA after the deployment is redeployed. You can view the update information in the Updates to the Deployments dialog. See Show Updates to an ESA Rule Deployment.

Add or Remove a Data Source

Note: This option is available in NetWitness version 11.3 and later.

Remove a Data Source from an ESA Rule Deployment

  1. Go to Configure > ESA Rules > Rules tab.
    The Rules tab is displayed.
  2. In the Rules tab options panel, under Deployments, select a deployment.
  3. In the Data Sources section, select the data source and click the Delete icon in the toolbar.
    The data source is removed from the deployment.
  4. After you finish making changes to the deployment, click Deploy Now to redeploy it. The changes take effect on ESA after the deployment is redeployed.

Add a Data Source to an ESA Rule Deployment

  1. To add a data source, see Step 3. Add Data Sources.
  2. After you finish making changes to the deployment, click Deploy Now to redeploy it. The changes take effect on ESA after the deployment is redeployed.

(Optional) Add or Remove a Data Source Filter

To improve performance, you can add an optional data source filter to your ESA rule deployment so that only the data relevant to the deployment is forwarded to ESA. The filter consists of application rules, which are applied to the Decoders mapped to your selected data sources.

You cannot edit a data source filter. To modify a data source filter, you must remove the filter, add a new filter, and then redeploy the ESA rule deployment.

Note: This option is available in NetWitness version 11.5 and later.

Caution: The data source filter is intended for advanced users familiar with Decoder application rules. Improper filtering can cause the required data to not be forwarded to and analyzed by ESA.

Using a data source filter can be performance intensive for data aggregation. A filter slows the event aggregation rate, but when you are filtering a large amount of traffic, it can have performance benefits on ESA Correlation server. However, if you use a complex filter and do not filter a large amount of traffic, the event aggregation rate may be lower than expected.

IMPORTANT: If an application rule linked to a data source filter is modified on a Decoder, the filter must be removed, added again, and redeployed. The changes take effect on ESA after the deployment is redeployed.

Remove a Data Source Filter from an ESA Rule Deployment

If you plan to replace your data source filter with an adjusted filter, you may want to copy the filter query in the data source filter before you remove it and compare it with the new query.

  1. Go to Configure > ESA Rules > Rules tab.
    The Rules tab is displayed.
  2. In the Rules tab options panel, under Deployments, select a deployment.
  3. In the Data Source Filter (Optional) section, select the filter and click the Delete icon in the toolbar.
    The filter is removed from the deployment.
  4. After you finish making changes to the deployment, click Deploy Now to redeploy it. The changes take effect on ESA after the deployment is redeployed.

Add a Data Source Filter to an ESA Rule Deployment

  1. To add a simple data source filter, see (Optional) Add a Data Source Filter. If necessary, you can use the advanced filter instead of the simple filter to add a data source query directly. The individual application rule queries must be separated by an "or" condition. For more information on creating and writing Decoder rules, see "Configure Application Rules" in the Decoder and Log Decoder Configuration Guide.
  2. After you finish making changes to the deployment, click Deploy Now to redeploy it. The changes take effect on ESA after the deployment is redeployed.

Adjust Maximum Sessions for the ESA Data Source Filter

Note: This option is available in NetWitness version 11.5 and later.

When you filter out a large portion of the traffic, you may see an "Invalid header size" error for communication with Core services in the ESA Correlation log file. (You can log in to the ESA host with SSH and view /var/log/netwitness/correlation-server/correlation-server.log.) Lower the max-sessions parameter until the error no longer appears in the log. The more traffic you filter out, the lower you should set the max-sessions parameter.

  1. In the Explore view node list for an ESA Correlation service, select correlation > stream.
  2. In max-sessions, lower the value until you no longer see the error in the ESA Correlation log file. The default value is 10000.
  3. Restart the ESA Correlation service. Go to Admin > Services, select the ESA Correlation service, and then select Actions > Restart.
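The check in the procedure above is "look in the log until the error stops". The following script is an added example, not part of the NetWitness documentation: it counts "Invalid header size" lines in a correlation-server log, optionally only those logged after the restart timestamp, so you can confirm whether a lower max-sessions value actually made the error go away. The log line layout in the sample is constructed for this example and may not match the real file.

```shell
#!/bin/sh
# Added example (not NetWitness code). Counts "Invalid header size" errors in an
# ESA Correlation log, optionally only lines stamped at or after a given time.
# Usage on a real host (path from the procedure above):
#   count_invalid_header_errors /var/log/netwitness/correlation-server/correlation-server.log 2024-05-01T12:30:00

# count_invalid_header_errors FILE [SINCE]
# SINCE is an ISO 8601 timestamp (YYYY-MM-DDTHH:MM:SS); the log line is assumed
# to start with such a timestamp, so a plain string comparison orders correctly.
count_invalid_header_errors() {
    file="$1"
    since="${2:-}"
    awk -v since="$since" '
        /Invalid header size/ && (since == "" || $1 >= since) { n++ }
        END { print n + 0 }
    ' "$file"
}

# Constructed sample log: two errors before a restart at 12:30:00, none after.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
2024-05-01T12:01:10 ERROR [aggregator] Invalid header size while reading from concentrator-1
2024-05-01T12:05:42 ERROR [aggregator] Invalid header size while reading from concentrator-1
2024-05-01T12:30:00 INFO  [main] correlation-server started, max-sessions=5000
2024-05-01T12:45:03 INFO  [aggregator] session batch received from concentrator-1
EOF

echo "errors in total      : $(count_invalid_header_errors "$SAMPLE")"
echo "errors since restart : $(count_invalid_header_errors "$SAMPLE" 2024-05-01T12:30:00)"
rm -f "$SAMPLE"
```

If the "since restart" count stays at zero for a while after lowering max-sessions, the value is low enough for the amount of traffic the filter removes.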

Edit or Delete a Rule in a Deployment

In an ESA rule deployment, you can edit and delete rules to customize the deployment.

Edit a Rule

  1. Go to Configure > ESA Rules > Rules tab.
    The Rules tab is displayed.
  2. In the Rules tab options panel, under Deployments, select a deployment.
  3. In the ESA Rules panel, double-click a rule to open it in a new tab.
  4. Modify the rule, then click Save.
    The rule is saved.
  5. Click Deploy Now to redeploy the deployment.
    The changes take effect on ESA after the deployment is redeployed.

Delete a Rule

  1. Go to Configure > ESA Rules > Rules tab.
    The Rules tab is displayed.
  2. In the options panel, under Deployments, select a deployment.
  3. In the ESA Rules panel, select a rule and click the Delete icon in the toolbar.
    A confirmation dialog is displayed.
  4. Click Yes.
    The rule is deleted.
  5. Click Deploy Now to redeploy the deployment.
    The changes take effect on ESA after the deployment is redeployed.

Stop Deployment

  1. Go to Configure > ESA Rules > Rules tab.
    The Rules tab is displayed.
  2. In the options panel, under Deployments, select a deployment.
  3. In the ESA Rules panel, select a rule and click the Delete icon in the toolbar.
    A confirmation dialog is displayed.
  4. Click Yes.
    The rule is stopped.
  5. Click Stop Deployment to stop the deployment.

Edit the ESA Rule Deployment Name or Delete a Deployment

To access the deployments:

  1. Go to Configure > ESA Rules.

    The Configure view is displayed with the Rules tab open.

  2. In the options panel, under Deployments, select a deployment.

    The Deployment view is displayed.

Edit the ESA Rule Deployment Name

  1. In the options panel, under Deployments, select a deployment.

    The Deployment view is displayed.

  2. Select the deployment drop-down menu > Edit.

    The deployment name is made available for editing.

  3. Enter the new deployment name.
  4. Click Deploy Now to redeploy the deployment.
    The changes take effect on ESA after the ESA rule deployment is redeployed. In NetWitness 11.3 and later, the deployment names that you choose appear on the deployment tabs in the Configure > ESA Rules > Services tab.

Delete an ESA Rule Deployment

  1. In the options panel, under Deployments, select a deployment.

    The Deployment view is displayed.

  2. Select the deployment drop-down menu > Delete.

    A confirmation dialog is displayed.

  3. Click Yes.

    The deployment is deleted.

Show Updates to an ESA Rule Deployment

You can view changes to an ESA rule deployment, such as adding or removing rules. When there is a change to a deployment, the update icon appears next to the name of the deployment in the Rules tab options panel.

  1. Go to Configure > ESA Rules.
    The Rules tab is displayed.
  2. In the options panel, under Deployments, click Show Updates on the far right.
    The Updates to the Deployments dialog opens and shows the changes to the deployment.
  3. Click Close.

Fast Deployment and Full Deployment of ESA Rules

Only changes to ESA rules are eligible for a fast deployment: you can perform a fast deployment only if ESA rules have been added, modified, or deleted and nothing else has changed. If anything else has changed as well, such as a data source being added, the Fast Deployment option is not displayed because the deployment is not eligible. Fast Deployment quickly loads the latest rule, which runs entirely on the Esper engine, so the engine does not need to be redeployed; a full re-deploy, by contrast, deletes all the related settings of the selected deployment and recreates the deployment from scratch.

The Full Re-Deploy can be used if:

  • The previously deployed rules failed, and the analyst wants to redeploy the same rules again.

  • There are other changes made to the ESA Services, the Data Sources along with the ESA Rules.

  • The analyst wants to tear down the entire engine and recreate it.

To perform Fast Deployment:

  1. Go to Configure > ESA Rules.
    The Rules tab is displayed.

  2. Under ESA Rules, click the Add icon to deploy a new rule.

  3. Select a rule you want to deploy from the list and click Save.

  4. Click Deploy Now.
    A confirmation message is displayed.
  5. Click Fast Deploy to begin the deployment of the new ESA Rule.

Note: The Fast Deploy button is displayed only if an ESA rule has been added, deleted, or updated, not if you have made updates to the ESA Services or Data Sources.