Deployment Panel

ESA rule deployments map rules from your rule library to the appropriate ESA Services and data sources. The Deployment panel ( netwitness_configureicon_24x21.png (Configure) > ESA Rules > Rules tab) enables you to create and configure ESA rule deployments that specify:

  • ESA Services
  • Data Sources (This is available in NetWitness version 11.3 and later.)
  • ESA Rules

When you are ready to start aggregating data and generating alerts from an ESA rule deployment, you deploy the ESA rule deployment to activate it.

Note: An ESA rule deployment can have only one ESA service. You can, however, use the same ESA service in multiple deployments.
In NetWitness Platform version 11.2 and earlier, the ESA service is the Event Stream Analysis service. In version 11.3 and later, it is the ESA Correlation service.

What do you want to do?

Role            I want to ...                  Show me how
Content Expert  Add an ESA rule deployment.    ESA Rule Deployment Steps
Content Expert  Manage deployments.            Additional ESA Rule Deployment Procedures

Quick Look

The following figure shows the Deployment panel.

Rules Tab Deployment Panel diagram

1 Shows the options panel. Click the deployment in the options panel to view the deployment in the Deployment panel on the right.
2 Shows the Deployment panel.
3 Shows the ESA rule deployment name.
4 The ESA Services section shows the ESA Correlation service that processes the ESA rules and creates alerts.
5 The Data Sources section shows the data sources, such as Concentrators, that provide the data for the deployment.
6 The deployment options enable you to view the changes to the deployment (Show Updates) and deploy the ESA rule deployment on ESA (Deploy Now). The netwitness_configureicon_24x21.png (Configure) > ESA Rules > Services tab shows the status of the deployment after it is deployed.
7 The ESA Rules section shows the rules that are used to trigger alerts in the deployment.
8 The Data Source Filter (Optional) section enables you to add a filter query to forward only the data relevant to this deployment to ESA. The data source filter is for advanced users familiar with Decoder application rules.

ESA Services Section

In the ESA Services section, you can manage each ESA service in the deployment.

The following table describes the actions you can perform in the ESA Services section.

Task Description
netwitness_ic-add_16x16.png Adds an ESA service to the deployment.
netwitness_ic-delete_21x25.png Removes the selected ESA service from the deployment.

The following table describes the columns in the ESA Services section.

Title Description
Status Indicates if the deployment status is Added, Deployed, Updated, or Failed.
Name Name of the ESA service.
Address IP address of the host where the ESA service is installed.
Version Version of the ESA service.
Last Deployment Date The date and time when the ESA service was last deployed.

Data Sources Section

Note: This option is available in NetWitness Platform version 11.3 and later.

In the Data Sources section, you can select one or more data sources, such as Concentrators, to use for your selected ESA Service.

The following table describes the actions you can perform in the Data Sources section.

Task Description
netwitness_ic-add_16x16.png Adds a data source for the selected ESA service to the deployment.
netwitness_ic-delete_21x25.png Removes a data source for the selected ESA service from the deployment.
netwitness_ic-edit.png (This option is available in NetWitness Platform version 11.3.0.2 and later.) Enables you to change the configuration of a data source in an ESA rule deployment. You can change the data source password, SSL, port, and compression settings. When a data source password changes, the password must be updated in this data source configuration as well, so that ESA can continue to communicate with the data source.

Note: If you make any ESA service, data source, or ESA rule changes to an ESA rule deployment, you need to redeploy the deployment. For example, if you change the configuration of a data source in an ESA rule deployment, you must redeploy all the ESA rule deployments that contain that data source.
When you set the compression level for a Concentrator on ESA, it sets the same compression level for that Concentrator for ESA Correlation Rules.

The following table describes the columns in the Data Sources section.

Title Description
(Status) Shows the status of the data source. A solid colored green circle indicates a running service and a white circle indicates a stopped service.
Name Shows the name of the data sources used by the selected ESA service. You can specify the data sources separately for each ESA rule deployment.
Type Shows the type of the data sources. Data sources can be Concentrators or Decoders. It is important that you choose data sources that have the appropriate data for the rules in the deployment. For example, if you have NetWitness Endpoint and you want to deploy the Endpoint Risk Scoring Rules Bundle, you must choose endpoint data sources.

Note: You can add a Log Decoder as a data source for ESA, but it is better to add a Concentrator to take advantage of undivided aggregation as the Decoder may have other processes aggregating from it.

Position Tracking Information

The ESA Correlation service continuously streams data from data sources such as Decoders (Log and Network) and Concentrators. ESA retrieves events from the data sources and applies rules that generate alerts to detect malicious activity. By default, when you deploy a data source, ESA starts processing from the latest available session. Position Tracking Information enables you to visualize the progress of the sessions that ESA has processed, and shows the session IDs and the date and time at which the events were processed.

Edit Position Tracking Information enables you to:

  • Visualize the number of sessions that a particular ESA data source has already analyzed, review the number of sessions ESA would process after you edit the position tracking, and plan your work.

  • Edit the tracking position information based on:
    • Date and Time (Collection Time)
    • Session ID

  • Edit position tracking for multiple data sources before you deploy them.
  • Calculate the number of sessions that the ESA Correlation service is scheduled to process for a particular data source, that is, how many sessions will be processed, reprocessed, or skipped relative to the current position of the data source.

Note: The Edit Position tracking feature with the Date and Time option works based on the profile time settings in the NetWitness UI. This time-zone based time from the UI is converted to UTC, and is sent to the core, to retrieve the corresponding session ID for that time stamp.
Example: If the UI follows IST, the UI converts it to UTC and sends it to the core. The session ID is fetched for the specific UTC time stamp, and set to position tracking at deployment.

Editing Position Tracking Information

The following figure shows the Edit Position Tracking window.

netwitness_positiontracking-1.png

To edit position tracking information:


1. Select the specific data source from the Data Source menu.

2. Click netwitness_ic-edit.png .
The Edit Service window is displayed.

3. Select the Trusted Authentication check-box, or enter your administrative credentials (username and password).

4. In the Position Tracking Information menu, click the Edit Tracking check-box to select it.
a. If you want to edit the position tracking information based on date and time stamp:
In the Go To text field, select Date and Time and enter the date and time.
The ESA Correlation service starts processing the events from the date and time that you entered.

b. If you want to edit the position tracking information, based on the session ID:
In the Go To text field, select Session ID and enter the session ID.
The ESA Correlation service starts processing the events from the session ID that you entered.

5. Click Calculate Sessions to calculate the number of sessions that will be processed with respect to the existing position of the data source, if any.

6. Click OK.

7. Click Deploy Now.
The tracking position information is deployed to the ESA Correlation service only when the deployment completes successfully.

Note: After you deploy, in the Data Sources menu, click on netwitness_ic-edit.png, to view the edit tracking information. The default time-out associated with this information is 1 minute.

Use Case Scenario

This section provides information about how you can use position tracking information in a real world scenario.

Suppose you have deployed a data source from which ESA has already processed a total of 72 sessions, and you want to process the events again from the beginning, or go back to an earlier time or session ID.

1. Click Edit Tracking.

2. Enter 1 in the Session ID text box.

3. Click Calculate Sessions.
All the 72 sessions will be reprocessed.

The following image shows the use case scenario.

netwitness_positiontracking-2.png

4. Enter a future Session ID.
The No sessions remaining to be processed message is displayed.

netwitness_positiontracking-3.png

Note: Editing the tracking information is optional. If you add a new data source to an existing ESA deployment, and you do not edit the tracking information, ESA follows the default behavior to process events.
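The following Python snippet is an added illustration of the position tracking behaviour described above (the UI-to-UTC conversion in the note, the session ID lookup for a time stamp, and the Calculate Sessions result in the use case). It is not NetWitness code: the session index, the one-minute spacing, the IST offset, and the function names are constructed assumptions for the example.

```python
from bisect import bisect_left
from datetime import datetime, timedelta, timezone

# Constructed session index: 72 sessions (IDs 1..72) collected one minute apart,
# standing in for what the core service holds. Not NetWitness data.
BASE_UTC = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
SESSIONS = [(sid, BASE_UTC + timedelta(minutes=sid)) for sid in range(1, 73)]

# Profile time zone of the UI user. The note uses IST as its example; a fixed
# +05:30 offset is assumed here so the example needs no tz database.
PROFILE_TZ = timezone(timedelta(hours=5, minutes=30), "IST")


def ui_time_to_utc(local_str, profile_tz=PROFILE_TZ):
    """Interpret a 'Go To' date/time as entered in the UI profile time zone and
    convert it to UTC, which is what is sent to the core."""
    naive = datetime.strptime(local_str, "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=profile_tz).astimezone(timezone.utc)


def session_for_time(ts_utc, sessions=SESSIONS):
    """Session ID of the first session collected at or after ts_utc, or None
    when no session is that recent."""
    times = [t for _, t in sessions]
    i = bisect_left(times, ts_utc)
    return sessions[i][0] if i < len(sessions) else None


def calculate_sessions(current_position, go_to_session, latest_session):
    """Model of Calculate Sessions.
    current_position: last session ID ESA has processed (0 if none yet).
    go_to_session:    the 'Go To' session ID entered in Edit Tracking.
    latest_session:   newest session ID the data source currently holds."""
    if go_to_session > latest_session:
        return {"remaining": 0, "reprocessed": 0, "skipped": 0,
                "message": "No sessions remaining to be processed"}
    remaining = latest_session - go_to_session + 1
    reprocessed = max(0, current_position - go_to_session + 1)  # seen before, seen again
    skipped = max(0, go_to_session - current_position - 1)      # never processed, jumped over
    return {"remaining": remaining, "reprocessed": reprocessed, "skipped": skipped,
            "message": f"{remaining} session(s) will be processed"}


if __name__ == "__main__":
    utc = ui_time_to_utc("2024-01-15 15:00:00")   # 15:00 IST is 09:30 UTC
    print(utc.isoformat(), "-> session", session_for_time(utc))
    print(calculate_sessions(72, 1, 72))          # use case: all 72 sessions reprocessed
    print(calculate_sessions(72, 100, 72))        # future session ID: nothing remaining
```

The `skipped` count is the case to watch when moving the position forward: sessions between the current position and the new session ID are never analysed by the rules in the deployment, so an alert that would have fired on them is lost.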

Importing Position Tracking Information

You can migrate the settings of position tracking for one or more data sources at the same time from an existing deployment, using the import function.

To import position tracking information from an existing deployment:

1. Go to Configure > ESA Rules > Deployment tab.

2. Create a new deployment. See ESA Rule Deployment Steps

3. Add ESA Services. See Step 2. Add an ESA Service

The Data Sources panel will be enabled.

4. Add Data Sources. See Step 3. Add Data Sources

5. In the Data Sources tab, click netwitness_ic-add_16x16.png to add a configured data source.
The Available Configured Data Sources window appears.

6. Select the data sources and click Save. The Data Sources window displays the data sources that are already in use by other deployments.

The following figure shows the Import functionality.

netwitness_import_position_1.png

7. Select the Import check-box.

8. In the Deployment dropdown box, select the existing deployment from which you want to import the position tracking attributes. The dropdown menu lists all of the deployments that share data sources with this one. Review the list of data sources in the Data Sources menu, and click OK.

9. Add an ESA Rule. See Step 4. Add and Deploy Rules

10. In the Data Sources tab, click Deploy Now.
The deployment retrieves the position tracking information from the selected pre-existing deployment, and applies it to the new deployment.

Note: Ensure that you do not delete the deployment from where you imported the position tracking information, before you perform Deploy Now on the newly created or edited deployment. The import position tracking information function is disabled by default. Sharing data sources between multiple deployments can lead to performance issues.

Deployment Options

There are two deployment options below the Data Sources section. These options apply to the entire ESA rule deployment.

The following table describes these deployment options.

Task Description
Show Updates Enables you to view a history of updates to the deployment.
Deploy Now Activates the ESA rule deployment. The selected ESA service starts aggregating data and generating alerts using the specified ESA rules in the deployment. You need to add ESA Rules to the deployment before deploying the ESA rule deployment.

ESA Rules Section

In the ESA Rules section, you manage rules in the deployment. This section lists all rules that are currently in the deployment.

The following table describes the actions you can perform in the ESA Rules section.

Task Description
netwitness_ic-add_16x16.png Opens the Deploy ESA Rules dialog, where you can select a rule.
netwitness_ic-delete_21x25.png Removes the selected ESA rules from the deployment.
netwitness_ic-filt_36x24.png Filters the list of rules.
netwitness_search.png Enables you to search for a rule.

The following table describes the columns in the ESA Rules section.

Title Description
Status Indicates the rule status:
  • Deployed - the rule is deployed.
  • Updated - the rule has been updated since the last deployment.
  • Added - the rule has been added since the last deployment.
  • Disabled - the rule is disabled due to an error in the rule or an error during the deployment of the rule.

In NetWitness Platform version 11.3.0.2 and later, if a disabled rule has an error message, it shows netwitness_depupdicon.png in the Status field. Hover over the rule to view the error message tooltip.
netwitness_rule-error-message_480x112.png
Rule Name Describes the purpose of the ESA rule.
Trial Rule Indicates whether the rule is deployed in trial mode, which lets you check that the rule runs efficiently.
Severity Shows the threat level of alert triggered by the rule.
Type Shows the type of the ESA rule. For more information, see ESA Rule Types.
Email, SNMP, Syslog, Script Indicates which notification types are used for alerts generated by the rules. (ESA SNMP notifications are not supported in NetWitness version 11.3 and later.)
Last Modified Shows the date and time when the ESA rule was last modified.

Data Source Filter (Optional) Section

Note: This option is available in NetWitness version 11.5 and later.

The data source filter is optional. If you have a medium to large NetWitness Platform deployment with high throughput, you can add a filter query to forward only the data relevant to this deployment to ESA. This filters out types of traffic that do not add value to the analysis performed by the ESA rule deployment.

Caution: The data source filter is intended for advanced users familiar with Decoder application rules. Improper filtering can cause the required data to not be forwarded to and analyzed by ESA.

Using a data source filter is performance intensive for data aggregation. A filter slows the event aggregation rate, but when it removes a large amount of traffic it can benefit the performance of the ESA Correlation server. If you use a complex filter that does not remove much traffic, however, the event aggregation rate may be lower than expected.

IMPORTANT: If an application rule linked to a data source filter is modified on a Decoder, the filter must be removed, added again, and redeployed. The changes take effect on ESA after the deployment is redeployed.

netwitness_addfilter4.png

The following table describes the columns in the Data Source Filter (Optional) section.

Title Description
netwitness_ic-checkbox4.png Enables you to select and remove a data source filter.
Status Indicates the data source filter status:
  • Added - the filter is added to the deployment, but it is not yet deployed.
  • Deployed - the filter is actively streaming only the relevant data as defined in the filter query.
Filter Query Shows the query that contains the application rules. Each application rule query is separated by an "or" condition. You can use either the simple or advanced option to create the data source filter. You can only have one data source filter per deployment for your selected data sources.
Last Modified Shows the date that the filter was added to the ESA rule deployment.

Create Data Source Filter Dialog - Simple

When you create the data source filter, you select application rules to be included in the filter query. The application rules that you select must be enabled on the Decoders that feed the data sources in this deployment. ESA Correlation uses the filtered event data to process the ESA rules.

Caution: The data source filter is for advanced users familiar with Decoder application rules. Improper filtering can cause the required data to not be forwarded to and analyzed by ESA.

netwitness_addevaggrfilter.png

The following table describes the columns in the Create Data Source Filter dialog.

Title Description
netwitness_search.png Enables you to search for a rule. For example, you can type "account" to search for application rules that contain that word.
Application Rule Name Shows the names of the application rules on the Decoders mapped to the data sources in this deployment.
Alert Field Shows the meta key used in the alert.
Present On Shows the number of Decoders mapped to the data sources in this deployment that have the listed application rule. If the rule is not present on all of the Decoders, you can hover over the netwitness_ic-info_14x14.png icon to view the names of the Decoders that contain the rule.
Absent On Shows the number of Decoders mapped to the data sources in this deployment that do not have the listed application rule. If a rule is not present on all of the Decoders, you can hover over the netwitness_ic-info_14x14.png icon to view the names of the Decoders that do not contain the rule.

For more information, see "Configure Application Rules" in the Decoder and Log Decoder Configuration Guide.

Create Data Source Filter - Advanced

If necessary, you can use the advanced filter instead of the simple filter to add your data source filter query directly. The individual application rule queries must be separated by an "or" condition. For more information on creating and writing Decoder rules, see "Configure Application Rules" in the Decoder and Log Decoder Configuration Guide.

Caution: The data source filter is for advanced users familiar with Decoder application rules. Improper filtering can cause the required data to not be forwarded to and analyzed by ESA.

netwitness_advfilter7.png
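The following Python snippet is an added illustration of the checks behind the Create Data Source Filter dialog (simple and advanced): the Present On / Absent On counts per application rule, the "or"-joined filter query, and a drift check for the IMPORTANT note about rules that were modified on a Decoder after the filter was deployed. It is not NetWitness code; the Decoder names, application rule names, and rule query strings are constructed for the example, and the query text is treated as opaque.

```python
# Constructed inventory: Decoder name -> {application rule name: rule query}.
# Not real NetWitness data; rule queries are opaque strings for this example.
DECODERS = {
    "decoder-01":    {"HTTP Traffic": "service = 80",
                      "Account Lockout": "event.desc = 'lockout'"},
    "decoder-02":    {"HTTP Traffic": "service = 80"},
    "logdecoder-01": {"Account Lockout": "event.desc = 'lockout'",
                      "Failed Logins": "ec.outcome = 'Failure'"},
}


def rule_presence(rule_name, decoders=DECODERS):
    """Present On / Absent On for one application rule, as the dialog columns show them."""
    present = sorted(name for name, rules in decoders.items() if rule_name in rules)
    absent = sorted(name for name in decoders if name not in present)
    return present, absent


def build_filter_query(rule_names, decoders=DECODERS):
    """Join the selected rules' queries with 'or' (one filter per deployment) and
    collect warnings for rules that are not enabled on every Decoder: matching
    events from a Decoder that lacks the rule are not forwarded to ESA."""
    clauses, warnings = [], []
    for name in rule_names:
        present, absent = rule_presence(name, decoders)
        if not present:
            raise ValueError(f"application rule {name!r} is not enabled on any Decoder")
        queries = {decoders[d][name] for d in present}
        if len(queries) > 1:
            warnings.append(f"{name}: query text differs across Decoders {present}")
        clauses.append(sorted(queries)[0])
        if absent:
            warnings.append(f"{name}: absent on {', '.join(absent)}")
    return " or ".join(clauses), warnings


def filter_needs_redeploy(deployed_query, rule_names, decoders=DECODERS):
    """True when the rules' current query text no longer matches the deployed
    filter, i.e. a rule was modified on a Decoder and the filter must be
    removed, added again, and redeployed."""
    current, _ = build_filter_query(rule_names, decoders)
    return current != deployed_query


if __name__ == "__main__":
    selected = ["HTTP Traffic", "Account Lockout"]
    query, warns = build_filter_query(selected)
    print("Filter Query:", query)
    for w in warns:
        print("WARNING:", w)
    print("needs redeploy:", filter_needs_redeploy(query, selected))
```

Run the warnings past the Caution above before deploying: a rule absent on some Decoders does not make the filter invalid, but it silently narrows the data those Decoders forward to the deployment.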