
Respond Config: Configure Analyst UI for Respond Server Alert Normalization

Document created by RSA Information Design and Development Employee on Jan 30, 2020. Last modified by RSA Information Design and Development Employee on Sep 2, 2020.
Version 3

This procedure is optional. Administrators can use it to change Respond Server alert normalization on the Analyst UI.

Note: This option is available in NetWitness Platform version 11.4 and later.

The Analyst UI (Analyst User Interface) enhances the performance of investigations for analysts who work in locations geographically separated from the NetWitness Server host. Respond Server alert normalization is disabled by default on the Analyst UI, but with enough bandwidth you can configure the Respond Server on the Analyst UI to normalize alerts for potential performance gains.

Consider Respond Server alert normalization at the Analyst UI very carefully. If the Analyst UI is deployed in an environment that is geographically separated from the NetWitness Server (NW Server) and ESA services, normalizing alerts at the Analyst UI can, depending on available bandwidth, generate large volumes of traffic and potentially impact other services on the network. Any gains from normalizing alerts at the Analyst UI can come with a performance decrease on the NW Server and ESA services.

You can configure whether to normalize alerts for any Respond Server (NW Server or Analyst UI) by enabling or disabling alert normalization.

  • Normalization is enabled by default for the Respond Server running on the NW Server host.
  • Normalization is disabled by default for the Respond Server running on the Analyst UI.

To change the alert normalization settings for the Respond Server running on the Analyst UI:

  1. Log in to NetWitness Platform on the NW Server host as administrator.

  2. Go to (Admin) > Services, select the Respond Server service running on the Analyst UI, and then select Actions icon > View > Explore.
  3. In the Explore view node list, select respond/normalization.
    [Figure: Respond Server Explore view showing respond/normalization parameters on Analyst UI]
    1. To turn on alert normalization for ESA and other alert generating sources, in the indicator-normalization-enabled field, enter true. To turn it off, enter false.
    2. To turn on alert normalization coming from event correlation for risk scoring alerts, in the transient-indicator-normalization-enabled field, enter true. To turn it off, enter false.
  4. Restart the Respond Server service on the Analyst UI for the new settings to take effect. To do this, go to (Admin) > Services, select the Respond Server service on the Analyst UI, and then select Actions icon > Restart.
