When you create a deployment, you need to select a policy, ESA service, and data sources. An ESA rule deployment consists of an ESA service, one or more data sources, and a set of ESA rules. When you deploy rules, the ESA service runs them to detect suspicious or undesirable activity in your network. Each ESA rule detects a different event, such as when a user account is created and deleted within one hour.

For more information on data sources, see Data Source

In 12.1 and later versions, you must create a policy with the ESA rule content type and associate the policy with the group having a correlation service to create a deployment.

For more information on policies, see Policies

You can create deployments in the following ways:

  • Using the ESA Deployments tab. The ESA Deployments tab provides a consolidated view of all the available deployments within CCM. You can create deployments.

  • Using a specific policy. In this method, you cannot view other deployments. You need to go to each policy and create a deployment.

Prerequisites

  • The group is assigned to a policy.

  • The Correlation server service is available in the groups assigned.

  • A minimum of one ESA rule is added to the policy.

  • ESA data source must be configured.

    For more information about groups, see Groups

To create a deployment using the ESA Deployments tab

  1. Go to Configure.png (CONFIGURE) > Policies > Content.

  1. Under Settings, click Event Stream Analysis > ESA Deployments.

The available deployments are displayed.

  1. Click + Create

ESADEP_Create_12.3.png

The Create Deployment dialog is displayed.

Createdeployment.png

  1. Select an eligible policy from the policy list.

Note: All the policies that meet the criteria mentioned above are listed in the policy drop-down. It is required to select a policy to proceed further.

If required, you can click on View ESA Rules to search for rules associated with selected policy.

121_ViewESARules_1222.png

  1. Enter a name for the deployment.

  2. Select a service from the ESA Service drop-down list.

Note: Once the deployment is saved, the selected policy, name and ESA service cannot be modified.

  1. Under Data Sources, click + to add a data source.

    The Add Data Source dialog is displayed.

    122_adddatasource_0123.png

If required, you can add a new data source by selecting + Add New Datasource tab in the dialog-box.

122_addnewdatasource_0123.png

  1. Select one or more data sources and click Done.

IMPORTANT: If the data sources are not listed, you can add the required datasource. For more information, see the topic Add an ESA Datasource.

  1. To delete the data source, select the data source and click deletedeploymenticon_19x16.png.

  1. (Optional) Select the required data source and click Set Position Tracking Information to process specific or ignore certain sessions.

    The Set Position Tracking Information dialog is displayed.

    Set_position_tracking.png

    1. In the Position Tracking Information dialog, perform the following:

      1. If you want to set the position tracking information based on date and time stamp:

        In the Go To drop-down menu, select Date and Time and enter the date and time.

      2. If you want to set the position tracking information, based on the session ID:

        In the Go To drop-down menu, select Session ID and enter the session ID in the Session ID field.

        The ESA Correlation service starts processing the events from the session ID that you entered.

    2. Click Calculate Sessions to calculate the number of sessions that will be processed to the existing position of the data source, if any.

    3. To save the edited position tracking data source, click Save.

      For more information on Position Tracking Information, see Appendix B: Position Tracking Information.

  1. (Optional) To filter out specific session data coming into ESA, under Data Source Filter, click + Create Data Source Filter.

Caution: The data source filter is for advanced users familiar with Decoder application rules. Improper filtering can cause the required data not to be forwarded to and analyzed by ESA.

The Create Data Source Filter dialog is displayed.

create_data_source_filter.png

  1. Specify the filter query in the below format as shown in the following example:

Select *where service = 443

Based on the query processed, it will filter out only HTTPS logs-related sessions and will be forwarded to the ESA.

  1. Click Add.

  1. If you want to delete the existing data sources filter, click Clear Data Source Filter, and Save to remove it permanently.

  1. To save the deployment, click Save.

  2. Select the created deployment and click Deploy.

ESADEP_deploy_12.3.png

To create a deployment from a selected policy

  1. Go to Configure.png (CONFIGURE) > Policies.
  2. In the policies panel, click Content.

    The available policies are displayed.

  3. Click a Policy.

    The selected policy view is displayed and by default Application Rule is selected.

  4. Click Event Stream Analysis Rule > Deployments.

    The available deployments for the selected policy are displayed.

  5. Click + Create Deployment.

    The Create Deployment dialog is displayed.

    createesadeployment.png

  6. Enter a name for the deployment.

    Note: The policy is preselected as the user creates the deployment from the policy details view.

  7. Select a service from the ESA Service drop-down list.

  8. Under Data Sources, click + to add a data source.

    The Add Data Source dialog is displayed.

  9. Select one or more data sources and click Done.

    IMPORTANT: If the data sources are not listed, you can add the required datasource. For more information, see the topic Add an ESA Datasource.

  10. To delete the data source, select the data source and click deletedeploymenticon_19x16.png.

  11. (Optional) the required data source and click Set Position Tracking Information to reprocess specific sessions or ignore certain sessions.

    The Set Position Tracking Information dialog is displayed.

    Set_position_tracking.png

    1. In the Position Tracking Information dialog, perform the following:

      1. If you want to set the position tracking information based on date and time stamp:

        In the Go To drop-down menu, select Date and Time and enter the date and time.

      2. If you want to set the position tracking information, based on the session ID:

        In the Go To drop-down menu, select Session ID and enter the session ID in the Session ID field.

        The ESA Correlation service starts processing the events from the session ID that you entered.

    1. Click Calculate Sessions to calculate the number of sessions that will be processed with respect to the existing position of the data source, if any.

    2. To save the edited position tracking data source, click Save.

    1. The tracking position information will be deployed to the ESA Correlation service, only when the deployment is successfully completed.

      For more information on Position Tracking Information, see Appendix B: Position Tracking Information.

  12. (Optional) To filter out certain session data coming into ESA, under Data Source Filter, click + Create Data Source Filter.

    Caution: The data source filter is for advanced users familiar with Decoder application rules. Improper filtering can cause the required data to not be forwarded to and analyzed by ESA.

    The Create Data Source Filter dialog is displayed.

    create_data_source_filter.png

    1. Specify the filter query in the below format as shown in the following example:

      Select *where service = 443

      Based on the query processed, it will filter out only HTTPS logs related sessions and will be forwarded to the ESA.

    1. Click Add.

    1. If you want to delete the existing data sources filter, click Clear Data Source Filter and click Save to remove it permanently.

  1. To save deployment, click Save.

  2. Select the created deployment and click Deploy.