You can edit a deployment to change the data source, create a data source filter, and view ESA rules that are associated with this deployment. A data source filter can improve performance by only aggregating relevant data to an ESA rule deployment. For the filter to work, application rules must be enabled on the mapped decoders to apply the meta keys required for this filter. After saving the filter, it must be deployed to take effect.

However, you cannot change the deployment name, or ESA service that are associated with the deployment.

NetWitness Platform XDR provides two methods to manage deployments.

You can edit deployments in the following ways:

  • Using the ESA Deployments tab. The ESA Deployments tab provides a consolidated view of all the available deployments within CCM. You can edit deployments.

  • Using a specific policy. In this method, you cannot view other deployments. You need to go to each policy and edit a deployment.

To edit a deployment from the ESA Deployments tab

  1. Go to Configure.png (CONFIGURE) > Policies > Content.

  1. Under Settings, click Event Stream Analysis > ESA Deployments.

The available deployments are displayed.

  1. Select a deployment and click Edit or Edit Deployment.

    1. When you select the checkbox and click Edit.


    2. When you select or click a row of the deployment, a right panel is displayed to click Edit Deployment.


      The Edit Deployment dialog is displayed.


  1. (Optional) you can click on View ESA Rules to search for rules associated with selected policy. To save current changes to the deployment and modify the policy, select click here and navigate to the Edit Content Policy page.


  2. Make the required changes in the deployment. Policy, deployment name, and ESA service are pre-populated and cannot be modified.
  3. Under Data Sources, click + to add a data source. The Add Data Source dialog is displayed.122_adddatasource_0123.png
  4. If required, you can add a new data source by selecting + Add New Datasource tab in the dialog-box.


IMPORTANT: If the data sources are not listed, you can add the required datasource. For more information, see the topic Add an ESA Datasource.

  1. Click Save.

  2. Select the deployment and click Deploy.

To edit a deployment from a selected policy

  1. Go to Configure.png (CONFIGURE) > Policies.
  2. In the policies panel, click Content.

    The available policies are displayed.

  3. Click a Policy.

    The selected policy view is displayed and by default Application Rule is selected.

  4. Click Event Stream Analysis Rule > Deployments.

    The available deployments for the selected policy are displayed.

  5. Select a deployment to edit and click Edit Deployment.

    The Edit Deployment dialog is displayed.


  6. Make the required changes in the deployment.

  7. Click Save.

  8. Select the deployment and click Deploy.

    Note: You can deploy the changes either by performing a Deploy action on selected deployment or by publishing the policy. Publishing a policy with deployment in stopped state, will not deploy the deployment.


                                                      Previous Page                                            Next Page