Position Tracking Information

The ESA Correlation service continuously streams data from data sources such as Decoders (Log and Network) and Concentrators. ESA retrieves events from the data sources and applies rules to generate alerts that detect malicious activity. By default, when you deploy a data source, ESA starts processing from the latest available session. Position Tracking Information enables you to visualize the progress of the sessions that ESA has processed, and provides the session IDs and the date and time at which the events were processed.

Set Position Tracking Information enables you to:

  • Visualize the number of sessions that a particular ESA data source has already analyzed, review the number of sessions ESA would process after you edit the position tracking, and plan your work.

  • Set the tracking position information based on:

    • Session ID

    • Date and Time (Collection Time)

  • Set position tracking for multiple data sources before you deploy them.

  • Calculate the number of sessions that the ESA Correlation Service will process, reprocess, or skip for a particular data source, relative to the current position of that data source.

Note: The Position Tracking feature with the Date and Time option works based on the profile time settings in the NetWitness Platform XDR UI. The time in the profile's time zone is converted to UTC and sent to the core, which retrieves the session ID corresponding to that time stamp.
Example: If the UI profile follows IST, the UI converts the time to UTC and sends it to the core. The session ID is fetched for that UTC time stamp and set as the position tracking at deployment.

Use Case Scenario

This section provides information about how you can use position tracking information in a real-world scenario.

Case 1: If you have deployed a data source with a total of 400 sessions that ESA has already processed, and if you want to start processing the events from the beginning, perform the following steps to reprocess the sessions.

Edit the Position Tracking Information

  1. Select the deployment and click Edit Deployment.

  2. Select the datasource and click Set Position Tracking Information.

    The Set Position Tracking Information dialog is displayed.

  3. In the Go To drop-down menu, select Session ID and enter 1 in the Session ID text field.

    You can also set the position tracking information based on date and time, in which case the sessions are calculated using the date and time.

  4. Click Calculate Sessions.

  5. Click Save twice.

  6. Select the Deployment and click Deploy.

    All the 400 sessions will be reprocessed.

    The following image shows the use case scenario.

    [Image: netwitness_position_tracking_1_588x477.png]

Case 2: If you have deployed a data source with a total of 700 sessions available, the current position of the data source is at 100, and you set the session ID to 250, then 150 sessions will be skipped. You can also set the sessions based on the date and time.

The following image shows the use case scenario.

[Image: netwitness_position_tracking_2_539x439.png]

Case 3: If you have deployed a data source that has a total of 1921237 sessions available, and you set the session ID higher than the number of sessions available for the data source, then no remaining sessions will be processed. You can also set the sessions based on date and time.

The following image shows the use case scenario.

[Image: netwitness_position_tracking_3_768x627.png]
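The session arithmetic behind the three cases above, and the profile-time-to-UTC conversion from the note, as an added Python model; this is not NetWitness code. It assumes session IDs run from 1 to the total available, that the current position is the last session ESA has processed, and that IST means a fixed UTC+05:30 offset.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone, tzinfo

# Assumption: IST as a fixed UTC+05:30 offset (the page's example profile zone).
IST = timezone(timedelta(hours=5, minutes=30))


@dataclass
class SessionPlan:
    action: str      # "reprocess", "skip", or "none"
    count: int       # sessions affected by the move, per the page's arithmetic
    remaining: int   # sessions ESA will process after the move


def plan_position_change(total_available: int, current_position: int,
                         target_session_id: int) -> SessionPlan:
    """Model the three use cases: move back (reprocess), move forward (skip),
    or move past the end of the data source (nothing left to process).

    Assumption (not from the product): session IDs run 1..total_available and
    current_position is the last session ID ESA has processed.
    """
    if target_session_id < 1:
        raise ValueError("session IDs start at 1")
    if target_session_id > total_available:
        # Case 3: target beyond what the data source holds -> no remaining sessions
        return SessionPlan("none", 0, 0)
    remaining = total_available - target_session_id + 1
    if target_session_id <= current_position:
        # Case 1: moving backwards re-reads current_position - target + 1 sessions
        return SessionPlan("reprocess", current_position - target_session_id + 1, remaining)
    # Case 2: moving forwards skips target - current_position sessions
    return SessionPlan("skip", target_session_id - current_position, remaining)


def collection_time_to_utc(local_time: str, profile_tz: tzinfo) -> str:
    """Convert a UI profile-time timestamp to the UTC string sent to the core.

    The 'YYYY-MM-DD HH:MM:SS' format is an assumption for this example.
    """
    naive = datetime.strptime(local_time, "%Y-%m-%d %H:%M:%S")
    aware = naive.replace(tzinfo=profile_tz)
    return aware.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    print(plan_position_change(400, 400, 1))                 # Case 1: reprocess 400
    print(plan_position_change(700, 100, 250))               # Case 2: skip 150
    print(plan_position_change(1921237, 1921237, 2000000))   # Case 3: none
    print(collection_time_to_utc("2024-03-01 09:30:00", IST))  # 2024-03-01 04:00:00
```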

Note: Editing the tracking information is optional. If you add a new data source to an existing ESA deployment, and you do not edit the tracking information, ESA follows the default behavior to process events.