Configure ESA Correlation Rules

This topic provides high-level tasks to configure NetWitness Event Stream Analysis (ESA) Correlation Rules using the ESA Correlation service.

IMPORTANT: Mixed mode is not supported for ESA hosts in NetWitness Platform version 11.5 and later. The NetWitness server, ESA primary host, and ESA secondary host must all be on the same NetWitness Platform version.

Data Source Configuration Changes

In NetWitness version 11.3 and later, the ESA Correlation service enables you to specify different data sources for different sets of rules. Instead of adding data sources, such as Concentrators, to the entire ESA Correlation service, you can specify different data sources for each ESA rule deployment. An ESA rule deployment includes an ESA Correlation service with its associated data sources and a set of ESA rules. For example, you may want to use Concentrators with HTTP packet data in one deployment and Concentrators with HTTP log data in another deployment. For more detailed information, see "Manage ESA Datasources" in Live Services Management Guide.

In NetWitness Platform 11.5 and later, you can add an optional data source filter to the data sources in your ESA rule deployments to improve performance. This allows your data sources to be filtered further so that only the data relevant to the deployment is forwarded to ESA. The filter is comprised of application rules, which are applied to the Decoders mapped to your selected data sources.

Caution: The data source filter is intended for advanced users familiar with Decoder application rules. Improper filtering can cause the required data to not be forwarded to and analyzed by ESA.

Using a data source filter can be performance intensive for data aggregation. A filter slows the event aggregation rate, but when you are filtering out a large amount of traffic, it can have performance benefits on the ESA Correlation server. However, if you use a complex filter and do not filter out a large amount of traffic, the event aggregation rate may be lower than expected.

IMPORTANT: If an application rule linked to a data source filter is modified on a Decoder, the filter must be removed, added again, and redeployed. The changes take effect on ESA after the deployment is redeployed.

For more information, see the "Create a Deployment" topic in the Live Services Management Guide.

Endpoint Risk Scoring Rules Bundle

An Endpoint Risk Scoring Rules Bundle, which contains approximately 400 rules, comes with NetWitness 11.3 and later. Endpoint risk scoring rules only apply to NetWitness Endpoint. You can add the Endpoint Risk Scoring Rules Bundle to an ESA rule deployment in the same way that you would add any ESA rule. However, you must specify endpoint data sources (Concentrators) in the ESA Rule Deployment.

The ESA Correlation service can process endpoint risk scoring rules, which generate alerts that are used in risk scoring calculations to identify suspicious files and hosts. To turn on risk scoring for NetWitness Endpoint, you must deploy endpoint risk scoring rules on ESA. For instructions, see Deploy Endpoint Risk Scoring Rules on ESA. To configure NetWitness Endpoint, see the NetWitness Endpoint Configuration Guide. Go to the NetWitness All Versions Documents page and find NetWitness Platform guides to troubleshoot issues.

Note: You must keep ESA rules that use windows (enrichments, named windows) and Endpoint Risk Scoring Rules Bundle rules in separate deployments, because the window contents of the window rules are removed when the Endpoint Risk Scoring Rules Bundle is added to the same deployment. This issue does not occur when the Endpoint Risk Scoring Rules Bundle is added to a deployment that contains only non-window Event Stream Analysis rules.

ESA Correlation Rules Configuration Workflow

The following diagram shows the high-level workflow for configuring ESA Correlation Rules with the ESA Correlation service.

(Diagram: ESA Correlation Rules configuration workflow)

ESA Rule Deployments are groups of ESA Rules processed by an ESA service to create alerts. In NetWitness 11.3 and later, the ESA Correlation service processes the ESA rules and creates alerts.

Before you can configure ESA Correlation Rules, install and configure the data sources (Concentrators) to use for the ESA rules. For example, you may have a Concentrator with HTTP packet data and another with Windows Log data. Next, configure the global notification methods that content experts can use for the ESA rules. For example, they may want to send an email notification when a rule creates an alert.

The NetWitness Live Content Management System (known as Live) is a valuable source of the latest internet security resources for NetWitness customers. RSA Live contains an extensive library of ESA rules to detect threats that you can use to save time. Download the rules for the events that you want to detect in your network to the ESA Rule Library and adjust them as needed for your network environment.

After you prepare your data sources and download Live ESA rules, you can create one or more ESA rule deployments. An ESA rule deployment contains an ESA service, one or more data sources, and a set of ESA rules. For example, you can create an ESA rule deployment that contains an ESA Correlation service, a Concentrator with HTTP packet data, and a set of ESA rules for HTTP packet data. When you are ready to have the ESA service run the rule set, you deploy the ESA rule deployment, which places the rules on ESA.

After you deploy an ESA rule deployment, verify that you can view the ESA alerts in the Respond view (Respond > Alerts).

Prerequisites

Make sure that you:

Procedure

The following table shows the high level tasks required to configure ESA Correlation Rules.

Task / Reference
  1. Prepare data sources, such as Concentrators, to use for your ESA Correlation Rules.
     Refer to the Broker and Concentrator Configuration Guide.
  2. Configure notifications for the ESA Correlation service.
     Refer to Notification Methods.
  3. Work with Event Stream Analysis rules using Live. Configure the Live ESA Rule parameters for your environment.
     Refer to Working with RSA ESA Live Rules.
  4. Create ESA rule deployments*: choose the ESA Rules and the appropriate ESA service to use in the ESA rule deployment.
     Refer to the Create a Deployment topic in the Live Services Management Guide.
  5. Deploy ESA rule deployments.*
     Refer to the Create a Deployment topic in the Live Services Management Guide.
  6. View ESA alerts in the Respond view.
     Refer to the NetWitness Respond User Guide.

*ESA rule deployments are groups of ESA Rules that are processed by an ESA service, such as the ESA Correlation service in NetWitness version 11.3 and later.

For additional optional advanced ESA Correlation Rules configuration procedures, see Additional ESA Correlation Rules Procedures.

For more information on alerting with ESA Correlation rules best practices, creating rules, working with trial rules, adding data enrichment sources, viewing statistics for an ESA service, and troubleshooting, see the Alerting with ESA Correlation Rules User Guide.

ESA Correlation Health and Wellness Monitoring

In NetWitness version 11.5 and later, New Health and Wellness provides improved and intuitive dashboards, monitors, and visualizations. The ESA Correlation Overview dashboard provides health statistics and trends on ESA rule deployments.

(Screenshot: ESA Correlation Overview dashboard in New Health and Wellness)

For more information, see "Monitor New Health and Wellness" and "Appendix A: New Health and Wellness Dashboards / ESA Correlation Overview Dashboard" in the System Maintenance Guide.

Upgrade Considerations for ESA Hosts

Mixed mode is not supported for ESA hosts in NetWitness Platform version 11.5 and later.

IMPORTANT: The NetWitness server (Admin server), ESA primary host, and ESA secondary host must all be on the same NetWitness Platform version.

Trial Rule Status Changes

In NetWitness Platform 11.4 and later, ESA trial rules no longer change status after an upgrade or deployment. For example, if you change the status of a trial rule to disabled (Configure > ESA Rules > Services tab) and redeploy the ESA rule deployment (Configure > ESA Rules > Rules tab), the trial rule remains disabled. Previously, ESA trial rules could change status after an upgrade or when they were redeployed.

Upgrade Considerations for ESA Rule Deployments for version 12.1 and later

Before upgrading to version 12.1, NetWitness recommends that all ESA deployments be in an error-free state and that you remove any unused ESA deployments, because ESA deployments are migrated to policies and groups after the upgrade to version 12.1.

Note: Make sure that you plan the upgrade process so that the correlation servers are upgraded immediately after the Admin Server is done. The deployments will not be accessible until the corresponding correlation servers are upgraded. This does not affect event and alert processing by the correlation servers.

IMPORTANT: If you need to import any ESA Rules and Enrichments, NetWitness recommends importing those missing rules and enrichments before the upgrade.

The pre-upgrade and post-upgrade states of deployments are represented in the following table.

SlNo  Pre-upgrade Deployment State   Post-upgrade Deployment State
                                     Creates Policy   Creates Group   Policy Published
1     Healthy deployment             Yes              Yes             Yes
2     Deployment with errors         Yes              Yes             Yes
3     Deployment with only rules     Yes              No              No
4     Deployment with no rules       No               No              No

After upgrading to version 12.1, all ESA deployments are migrated to the CONFIGURE > Policies page. Each deployment is converted into a policy and a group, and can be managed only after the correlation server has been upgraded to version 12.1. Verify that all the ESA deployments are in a healthy state. For more information, see the View a Deployment topic in the Live Services Management Guide.

Note: Analysts must have appropriate permissions to view the ESA rules under the CONFIGURE > ESA Rules and CONFIGURE > Policies pages. For more information, see the Source-server section in the "Role Permissions" topic in the System Security and User Management Guide.

(Optional) Using the Merge Policy button, you can merge a policy that has ESA content with a policy that has no ESA content. For more information, see the "Merge Policy with ESA Content" topic in the Live Services Management Guide.

To support Endpoint and UEBA content as well as changes to ESA rules from Live, a data change from single-value (string) to multi-value (string array) is required for several meta keys within the ESA Correlation service. Some single-value meta keys are also required. See Update Your ESA Rules for the Required Multi-Value and Single-Value Meta Keys.