ESA Analytics Mappings (11.1.x to 11.4.x)ESA Analytics Mappings (11.1.x to 11.4.x)
Note: The information in this topic applies ONLY to NetWitness versions 11.1.x to 11.4.x.
ESA Analytics is not supported in NetWitness 11.5 and later versions.
In the ESA Analytics Mappings panel (Admin > System > ESA Analytics), you define how the RSA Automated Threat Detection functionality should automatically detect advanced threats. You can analyze the data that resides on one or more Concentrators by selecting a preconfigured ESA Analytics module.
To better utilize your network resources and reduce unnecessary data flow, you can map multiple data sources, such as Concentrators, to available ESA Analytics services in order to process data more efficiently and take advantage of additional capacity.
Workflow
This workflow shows the process for creating and enabling an ESA Analytics mapping to start automatically detecting advanced threats.
Before you create an ESA Analytics mapping, ensure that the ESA hosts and services that you want to use for your mappings are online and available. All of the services need to be in sync with a consistent time source. Also ensure that the Concentrators are collecting the required data. When you create an ESA Analytics mapping, you select an ESA Analytics module to map, such as Suspicious Domains. Then you select the data sources, such as Concentrators, to use for that module along with an ESA Analytics service to process the data. When you are ready to start aggregating data, you deploy the mapping. Analysts can view detected threats for that module in the Respond view.
What do you want to do?
Role | I want to ... | Show me how |
---|---|---|
Administrator |
Verify that the ESA hosts and services are online and available. |
Admin > Hosts and Admin > Services |
Administrator |
Ensure that the Concentrators are collecting the required data. |
See Broker and Concentrator Configuration Guide |
Administrator | Create ESA Analytics mappings.* |
See "Mapping ESA Data Sources to Analytics Modules" in the ESA Configuation Guide for NetWitness Platform 11.4. |
Administrator | Deploy ESA Analytics mappings.* |
See "Mapping ESA Data Sources to Analytics Modules" in the ESA Configuation Guide for NetWitness Platform 11.4. |
Administrator, Analyst |
View detected threats. |
See NetWitness Respond User Guide. |
*You can complete these tasks here (that is in the ESA Analytics Mappings panel).
Go to the NetWitness All Versions Documents page and find NetWitness Platform guides to troubleshoot issues.
Related Topics
- "Configure ESA Analytics" in the ESA Configuation Guide for NetWitness Platform 11.4
- "Update a Mapping" in the ESA Configuation Guide for NetWitness Platform 11.4
- "Undeploy a Mapping" in the ESA Configuation Guide for NetWitness Platform 11.4
- "Delete a Mapping" in the ESA Configuation Guide for NetWitness Platform 11.4
- "Change the Warm-up Period and Lag Time" in the ESA Configuation Guide for NetWitness Platform 11.4
- Module Settings (11.1.x to 11.4.x)
Quick Look
The following example illustrates an ESA Analytics mapping. The configuration defines the data sources for the selected module and the ESA Analytics service that will process the events from those data sources.
1 | Displays the ESA Analytics Mappings panel. |
2 | Shows the status of the ESA Analytics mapping. |
3 | The name of the module that is mapped. |
4 | Data sources, such as Concentrators, assigned to the mapping. |
5 | ESA Analytics service that processes the data for the mapping. |
6 | Warm-up period configuration (in hours) on the data sources for the mapping. |
7 | Lag configuration (in minutes) on the data sources for the mapping. |
8 | Actions for changing module settings, deploying module mappings, and undeploying module mappings. |
Toolbar Toolbar
The following table describes the toolbar actions.
Icon / Button | Description |
---|---|
|
Opens the Create Mappings dialog where you can create an ESA Analytics mapping. Create a separate mapping for each module. |
|
Deletes an ESA Analytics Mapping.
|
Deploy Now |
After you create your mappings, you need to deploy them in order to start aggregating data for the modules. You can select one or more mappings with a status of Undeployed to deploy. |
Note: If you want to make changes to a deployed mapping, such as adding or removing Concentrators or changing the service, you must undeploy and delete the existing mapping and then create and deploy a new mapping for that module.
ESA Analytics MappingsESA Analytics Mappings
The following table describes the listed ESA Analytics mappings.
Title | Description |
---|---|
To select an individual mapping, select the checkbox next to the mapping. | |
Status |
Shows the status of the mapping. There are two statuses: Undeployed - An undeployed mapping maps an ESA Analytics module to sources and an ESA Analytics service. It does not start aggregating data for the module until you deploy the mapping. Deployed - A deployed mapping is deployed and running. In a deployed mapping, the selected ESA Analytics service uses query-based aggregation to collect the appropriate filtered events for the selected module from the Concentrators. |
Module |
Indicates the selected ESA Analytics module. An ESA Analytics module is a pipeline composed of activity objects that enrich an event with additional information through mathematical computations. The module resides within the ESA Analytics service. |
Sources |
Sources are the data sources, such as Concentrators, from which ESA will aggregate the data for the specified module. |
Service |
Indicates the ESA Analytics service that will process the data for the specified module. The selected service needs to be in sync with a consistent time source. |
Warm-Up Period (Hours) |
Specifies a warm-up duration (in hours). A warm-up period is required to allow Automated Threat Detection to "learn" your traffic. The warm-up period should run when typical traffic is running. During this time, alerting for your module mapping is suppressed. The Warm-up Period primes the module with historical data and guarantees that the specified number of hours of data collection completes before sending alerts. NetWitness provides preconfigured ESA Analytics modules. Each module type has a default warm-up period defined, which you can adjust to your environment, if necessary. After this warm-up period, alerts can be viewed. For more information about Warm-up Period and Lag time, see Module Settings (11.1.x to 11.4.x). |
Lag Time (Minutes) |
Specifies a constant time delay in minutes, which is added to avoid losing events being processed by the data sources during periods of heavy activity. For example, Concentrator performance varies depending on factors such as incoming load, ongoing queries, and indexing. Due to these factors, a Concentrator may not aggregate events in real-time, which leads to the delay. The Lag parameter gives the Concentrator a chance to finish aggregating all of the data. After the warm-up period completes, data aggregation continues at Current (System) Time - Lag Time. This is useful when a Concentrator is slow in aggregating data. The Lag time guarantees that the module does not process data that arrives to the Concentrator within the Lag time window so there is adequate delay to ensure all events that get generated in the enterprise can be processed by the module. For example, if Lag time is 30 minutes, and the current time is 2:00 PM, the Concentrator starts pulling records at 1:30 PM. The Lag time window, 30 minutes in this example, remains constant as time advances. When the current time advances to 2:01 PM, the Concentrator pulls the next minute of data at 1:31 PM, and so on. Important: The Lag time defines the buffer between the current time and the time when the module ingests the data. Caution: NetWitness recommends that Administrators adjust the Lag parameter dynamically based on the performance of each of the individual Concentrators to avoid missing any events during aggregation. For more information about Warm-up Period and Lag time, see Module Settings (11.1.x to 11.4.x). |
Enables you to select additional actions for the selected module mapping:
Caution: Undeploying a mapping with a status of Deployed will affect data aggregation for that module. |