Skip navigation
All Places > Products > RSA NetWitness Platform > Blog > 2016 > April > 08

Security Analytics 10.6 has new feature that will allow you to significantly reduce your storage footprint for long term log retention on the Archiver.  Selective Log Retention allows you to create 'buckets' for your logs and specify differing retention periods for those buckets.  This will allow you to create a bucket, or collection, for your compliance logs to keep, for example, for years.  You could create a bucket for your security relevant logs to keep for six months.  You could create a bucket for copious, low value logs to keep for weeks.


Previously, if you needed to keep compliance logs for years you had to keep all logs for years, whether you needed them or not.  By aging out less valuable logs in shorter time frames if frees up space for your important logs allowing you to significantly extend the retention period for those logs without adding storage.  You still have the options for Hot, Warm, and Cold storage with individually configurable settings per collection.




The easiest way to set up Selective Log Retention is configure rules to separate out your compliance regulation logs, such as with Event Source Groups or Device IP (device.ip), and set the appropriate, required retention period.  Next, find the bulk of the low value logs by either Event Source Type (device.type) or Message ID ( and give those the lowest acceptable retention period.  Lastly, configure the retention period on the default collection, which will contain all of the remaining logs.  Further configuration refinement can optimize storage even more.


Let us know what you think and how it works for you!


More information can be found on RSA Security Analytics Documentation under Security Analytics 10.6 > Data Privacy Management > References > Data Retention Tab - Archiver or Security Analytics 10.6 > Host and Services Configuration Guides > Archiver Configuration Guide > Configure Archiver > Step 3. Configure Archiver Storage and Log Retention > Configure Log Storage Collections.

Security Analytics 10.6 has a new beta feature that will allow SA to monitor your event sources collection and alarm or notify you when an event source falls below or exceeds a rate that is normal for that event source.  The goal is to take away the need to manually determine which event sources have similar rates, group those event sources, and create monitoring policies to match, significantly reducing the burden on system administrators.  It is enabled by default to alarm but not send notifications.


It takes about 5 days to build the baseline and will then start generating alarms whenever a device deviates from that baseline.  In the case in the screenshot below, this cisco router normally generates 333 events during 6:00 PM to 7:00 PM but we haven't received any events, which is 2.657 standard deviations below the normal.  The alarm shows up on the Administration -> Event Sources -> Alarms page.



You can enable email, syslog, or SNMP notifications once you determine the alarms aren't giving you false positives.  You can also tweak the Low and High standard deviations settings in order to tune it better to your environment.  Raising the standard deviations will make it less likely for an alarm to be generated.



Let us know what you think and how it works for you!


More information can be found on RSA Security Analytics Documentation under Security Analytics 10.6 > Event Source Management > Procedures > Configure Automatic Alerting

What if you could find hosts in your network that are actively communicating with previously unknown malicious domains? Using the new behavior analytics module introduced in Security Analytics (SA) 10.6 you can. This new threat detection module is actually the first of many behavior analytics modules RSA will be delivering within SA. This new capability powerfully leverages the industry leading network, log and endpoint data collection SA is known for. Our goal is to dramatically expand the value SA delivers by automating common hunting activities and detecting threats that would be very difficult and time consuming to find manually.


With this release RSA has developed a brand new threat detection analytics solution hosted within the Event Stream Analysis (ESA) component. This new capability consumes network meta data and identifies behaviors indicative of command and control communications. This new detection service delivers prioritized alerts for analysts to investigate so they may find infected hosts much more quickly.


Customers that have SA network packet capture and the ESA component deployed can upgrade to 10.6 and follow a short list of steps to enable this new detection module. Once enabled, the module will automatically “warm up” for 24 hrs then start generating prioritized alerts. These alerts are enriched with context including domain registration information and details of the behaviors that were determined to be suspect. As analysts triage and investigate alerts the solution uses their feedback to further train the detection module, improving future accuracy.


We encourage you to upgrade to SA 10.6 and start utilizing this new capability to help defend your organization. If you are interested in seeing a short video of this feature in action click here.


Documentation on this capability may be found here.

Filter Blog

By date: By tag: