Deploy Rules to Run on ESA

This section explains how an ESA Rule Deployment works and how to set up a deployment to run a group of ESA rules. Administrator, SOC Manager, or Data Privacy Officer role permissions are required for all procedures in this section.

To create an ESA rule deployment, perform the steps described in Managing ESA Rules, Data Sources and Deployments.

How an ESA Rule Deployment Works

An ESA rule deployment consists of an ESA service, one or more data sources, and a set of ESA rules. When you deploy rules, the ESA service runs them to detect suspicious or undesirable activity in your network. Each ESA rule detects a different event, such as when a user account is created and deleted within one hour.

The ESA service performs the following functions:

  1. Gathers data in your network
  2. Runs ESA rules against the data
  3. Applies rule criteria to data
  4. Generates an alert for the captured event

The following graphic shows this workflow:

In addition, you may want to perform other steps on your deployment, such as replacing an ESA service, changing a data source, editing or deleting a rule from the deployment, renaming or deleting the deployment, or showing updates to the deployment. For descriptions of these procedures, see Managing ESA Rules, Data Sources and Deployments.
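The example event named above (a user account created and then deleted within one hour), written as a pattern rule in Esper EPL, the query language that NetWitness ESA advanced rules use. This is an added example, not a rule from the page or the product; the meta keys ec_subject, ec_activity, user_dst and time, and the values 'User', 'Create' and 'Delete', are assumed for illustration.

```epl
// Added example (not from the page). Meta key names and values are assumed.
// Step 2/3 of the workflow: the rule is evaluated against the Event stream,
// and the pattern below is the rule criteria. Step 4: @RSAAlert tells the ESA
// service to raise an alert for every completed match.
@RSAAlert
SELECT a.user_dst AS account,
       a.time     AS created_at,
       b.time     AS deleted_at
FROM PATTERN [
    every a = Event(ec_subject = 'User' AND ec_activity = 'Create')
    ->    b = Event(ec_subject = 'User' AND ec_activity = 'Delete'
                    AND user_dst = a.user_dst)
    WHERE timer:within(1 hour)
]
```

Each creation event opens a candidate match that is discarded silently if no deletion of the same account arrives within the hour, so only the create-then-delete sequence produces an alert.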

Managing ESA Rules, Data Sources and Deployments

From version 12.1 onward, ESA deployments are managed by policies and groups on the (Configure) > Policies page.

If you want to create any new ESA rules, add new data sources or perform any new ESA deployments, see the following sections in the Live Services Management guide:

  • To view, add, edit, or delete data sources, see section "Manage ESA Datasources".

  • To add, edit or delete an ESA rule, see the following topics, "Create an ESA Rule", "Edit, Duplicate or Delete a Rule", and "Delete an ESA Rule".

  • To view, create, edit, remove, deploy or stop a deployment, see section "Manage Deployments".