Module Settings (11.1.x to 11.4.x)

Note: The information in this topic applies ONLY to NetWitness versions 11.1.x to 11.4.x.
ESA Analytics is not supported in NetWitness 11.5 and later versions.

After you create or deploy a module mapping in the ESA Analytics Mappings panel (Admin > System > ESA Analytics), you have the option to change some module configurations for that mapping.

What do you want to do?

Role: Administrator
I want to: Change the warm-up period for an undeployed module mapping.
Show me how: "Change the Warm-up Period and Lag Time" in the ESA Configuration Guide for NetWitness Platform 11.4

Role: Administrator
I want to: Change the warm-up period for a module mapping during the warm-up period.
Show me how: "Change the Warm-up Period and Lag Time" in the ESA Configuration Guide for NetWitness Platform 11.4

Role: Administrator
I want to: Change the warm-up period for a module mapping after the warm-up period is complete.
Show me how: "Change the Warm-up Period and Lag Time" in the ESA Configuration Guide for NetWitness Platform 11.4

Go to the NetWitness All Versions Documents page and find NetWitness Platform guides to troubleshoot issues.

Quick Look

To access the module settings, in the ESA Analytics Mappings panel, select the mapping that you want to change and, in the Actions column, select the Actions icon > Edit Module. The Module Settings dialog has a Configurations section and a Warm-Up State section.

(Figure: Module Settings dialog)

Configurations

The Configurations section enables you to change the Warm-Up Period and Lag Time configurations.

The following table describes the settings available for an ESA Analytics module mapping. Each field name is followed by its description.

Module

Shows the name of the mapped module.

Service

Shows the ESA Analytics service that processes the data for the mapping.

Sources

Shows the mapped data sources and the URLs used to communicate with ESA.

Warm-Up Period (Hours)

Specifies a warm-up duration in hours. A warm-up period is required to allow Automated Threat Detection to "learn" your traffic. The warm-up period should run when typical traffic is running. During this time, alerting for your module mapping is suppressed. The Warm-up Period primes the module with historical data and guarantees that the specified number of hours of data collection completes before sending alerts.

NetWitness provides preconfigured ESA Analytics modules. Each module type has a default warm-up period defined, which you can adjust to your environment, if necessary. After this warm-up period, alerts can be viewed.

You can update the Warm-Up Period of a deployed module mapping depending on whether or not the warm-up period is complete:

  • During the warm-up period - You can add hours to the warm-up period or subtract any remaining warm-up time.

  • The warm-up period is complete - You can add hours to the warm-up period. Set the new value to the current warm-up period plus the hours elapsed between the First Event Time and the current (system) time plus the additional hours you want.
    For example, a warm-up period of 10 hours is complete and the First Event Time shows 12:00:00. The current (system) time is 16:00:00 (4 hours later) and you want to add 5 more hours to the warm-up time. To do this, you need to add 9 hours (4+5=9) to the warm-up period of 10, so you would set the new warm-up period to 19 hours.
    You cannot decrease the warm-up period if it is complete, unless you delete the mapping and create a new one.

The Warm-up Period value is specific to a particular mapping and it applies to all Concentrators within that mapping after you deploy it. If a Concentrator is shared between two modules with different warm-up times, the Concentrator uses separate Warm-up Period values for each module mapping.

Lag Time (Minutes)

Specifies a constant time delay in minutes, which is added to avoid losing events being processed by the data sources during periods of heavy activity. For example, Concentrator performance varies depending on factors such as incoming load, ongoing queries, and indexing. Due to these factors, a Concentrator may not aggregate events in real-time, which leads to the delay.

The Lag parameter gives the Concentrator a chance to finish aggregating all of the data. When you specify a Lag time, the first time the module deploys, data aggregation starts at Current (System) Time - Lag Time - Warm-Up Time. For example, if the current time is 2:00 PM, Lag time is 30 minutes, and Warm-up time is 4 hours, when the module deploys for the first time, data collection starts at 9:30 AM (2:00 PM - .5 hour - 4 hours).

After the warm-up period completes, data aggregation continues at Current (System) Time - Lag Time. This is useful when a Concentrator is slow to aggregate data. The Lag time guarantees that the module does not process data that arrives at the Concentrator within the Lag time window, so there is adequate delay for all events generated in the enterprise to reach the Concentrator before the module processes them.

For example, if Lag time is 30 minutes and the current time is 2:00 PM, the module pulls records from the Concentrator up to 1:30 PM. The Lag time window, 30 minutes in this example, remains constant as time advances: when the current time advances to 2:01 PM, the module pulls the next minute of data, ending at 1:31 PM, and so on.

Important: The Lag time defines the buffer between the current time and the time when the module ingests the data.

The Lag time value is specific to a particular mapping and it applies to all Concentrators within that mapping after you deploy it. If a Concentrator is shared between two modules with different Lag times, the Concentrator uses separate Lag values for each module mapping.

Caution: NetWitness recommends that Administrators adjust the Lag parameter dynamically based on the performance of each of the individual Concentrators to avoid missing any events during aggregation.

To determine the correct Lag Time, add together the following to get an environmental lag time:

1. Log or Packet Latency - The time between an event occurring and the Log Decoder receiving the log (or the Packet Decoder receiving the packet). For example, if the Log Decoder receives logs in batches every 20 minutes, set the Lag time to at least 20 minutes, preferably 25 minutes, so that you do not miss events.

2. Aggregation Latency - The time it takes for the data to get from the Log Decoder or Packet Decoder to the Concentrator.

3. Other Buffer - Add in any additional time delay specific to your environment.
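The timing rules on this page (where aggregation starts on first deployment, where the ingestion cursor sits afterwards, how the environmental Lag time is summed from its three components, and how to extend a warm-up period that has already completed) are modelled below as an added example. This is not NetWitness code and does not call any NetWitness API; it reproduces the arithmetic the page describes so that you can plug in your own values before editing the mapping. The timestamps, the sample events and the assumption that the module pulls the minute stamped T at wall-clock time T + Lag are constructed for illustration. The last function shows the failure mode the Caution above warns about: an event whose delay between occurring and reaching the Concentrator exceeds the configured Lag time has already been passed by the module's cursor and is not processed.

```python
from datetime import datetime, timedelta

# Constructed reference values (assumption: timezone-naive system clock of the
# ESA Analytics host). NOW reproduces the page's 2:00 PM example.
NOW = datetime(2024, 1, 1, 14, 0)
FIRST_EVENT_TIME = datetime(2024, 1, 1, 12, 0)   # page's warm-up extension example
CHECK_TIME = datetime(2024, 1, 1, 16, 0)         # "current (system) time" in that example


def first_deploy_start(now: datetime, lag_minutes: int, warmup_hours: float) -> datetime:
    """Time from which data aggregation starts the first time a mapping deploys:
    Current (System) Time - Lag Time - Warm-Up Time."""
    return now - timedelta(minutes=lag_minutes) - timedelta(hours=warmup_hours)


def ingestion_cursor(now: datetime, lag_minutes: int) -> datetime:
    """Latest event timestamp the module ingests once warm-up is complete:
    Current (System) Time - Lag Time. The window stays constant as time advances."""
    return now - timedelta(minutes=lag_minutes)


def recommended_lag_minutes(log_or_packet_latency: int, aggregation_latency: int,
                            other_buffer: int = 0) -> int:
    """Environmental Lag time: the sum of the three components listed above."""
    return log_or_packet_latency + aggregation_latency + other_buffer


def extended_warmup_hours(current_warmup_hours: float, first_event_time: datetime,
                          now: datetime, extra_hours: float) -> float:
    """Value to enter for a mapping whose warm-up is already complete: current
    warm-up + hours elapsed since First Event Time + additional hours wanted."""
    elapsed_hours = (now - first_event_time).total_seconds() / 3600
    return current_warmup_hours + elapsed_hours + extra_hours


def events_at_risk(events, lag_minutes: int):
    """Given (event_time, concentrator_arrival_time) pairs, return the events
    whose arrival delay exceeds the configured Lag time. Assumption: the module
    pulls the minute stamped event_time at wall-clock event_time + Lag, so an
    event landing on the Concentrator later than that is already behind the cursor."""
    lag = timedelta(minutes=lag_minutes)
    return [(e, a) for e, a in events if a - e > lag]


# Constructed sample: when each event occurred and when it reached the Concentrator.
SAMPLE_EVENTS = [
    (datetime(2024, 1, 1, 13, 0), datetime(2024, 1, 1, 13, 2)),    # 2 min delay
    (datetime(2024, 1, 1, 13, 5), datetime(2024, 1, 1, 13, 23)),   # 18 min delay
    (datetime(2024, 1, 1, 13, 10), datetime(2024, 1, 1, 13, 45)),  # 35 min delay
]

if __name__ == "__main__":
    print("first deploy aggregates from:", first_deploy_start(NOW, 30, 4))      # 2024-01-01 09:30:00
    print("steady-state cursor:         ", ingestion_cursor(NOW, 30))           # 2024-01-01 13:30:00
    print("environmental lag (minutes): ", recommended_lag_minutes(25, 3, 2))   # 30
    print("extended warm-up (hours):    ",
          extended_warmup_hours(10, FIRST_EVENT_TIME, CHECK_TIME, 5))           # 19.0
    print("at risk with 30 min lag:", events_at_risk(SAMPLE_EVENTS, 30))        # one event (35 min delay)
    print("at risk with 40 min lag:", events_at_risk(SAMPLE_EVENTS, 40))        # []
```

To use this against a real environment, replace SAMPLE_EVENTS with (event time, Concentrator arrival time) pairs observed over a busy period; if events_at_risk returns anything for your current Lag time, raise the Lag time above the largest observed delay and redeploy, which is the per-Concentrator tuning the Caution recommends.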

Warm-Up State

The Warm-Up State section provides information about the warm-up state, which you can use to determine the appropriate adjustments to the warm-up period. Each field name is followed by its description.

Warmup Started At

The time when the first event was processed by the ESA Analytics module from the data source.

First Event Time

The time that the first event occurred. The warm-up time is based on this time.

Latest Event Time

The time that the latest event occurred.

Remaining Warm-Up Time

The number of hours remaining in the warm-up period.

Is Completed?

Indicates whether the warm-up period is complete. If it is true, the warm-up period is complete. If it is false, the module is still warming up and you can view the number of hours remaining in the Remaining Warm-Up Time field.