Investigate-server Configuration

Document created by RSA Information Design and Development on Jan 31, 2020
Version 1

AliasesProperties

                             
| Name | Default value | Type | Description |
| --- | --- | --- | --- |
| rsa.investigate.aliases.cache-duration | 24 | seconds | Time it takes for the cache that stores aliases to expire |
| rsa.investigate.aliases.retrieval-timeout | 30 | seconds | Timeout to wait for the aliases SDK response |

ColumnGroupProperties

                       
| Name | Default value | Type | Description |
| --- | --- | --- | --- |
| rsa.investigate.column.group.number-of-visible-columns | 15 | integer | |

EventAnalysisProperties

                                   
| Name | Default value | Type | Description |
| --- | --- | --- | --- |
| rsa.investigate.eventanalysis.legacy-events-enabled | false | boolean | Flag that determines whether the legacy events tab and related links are enabled |
| rsa.investigate.eventanalysis.limit | | integer | The default event limit |
| rsa.investigate.eventanalysis.role-event-limit | | map | The per-role event limit |

IncidentProperties

                       
| Name | Default value | Type | Description |
| --- | --- | --- | --- |
| rsa.investigate.incident.max-events-per-alert | 60 | long | Maximum number of events that should be added to a single alert when creating incidents from events |

KeyrefsProperties

                             
| Name | Default value | Type | Description |
| --- | --- | --- | --- |
| rsa.investigate.keyrefs.cache-duration | 2 | seconds | Time it takes for the cache that stores aliases to expire |
| rsa.investigate.keyrefs.retrieval-timeout | 30 | seconds | Timeout to wait for the aliases SDK response |

MetaKeyCacheProperties

                       
| Name | Default value | Type | Description |
| --- | --- | --- | --- |
| rsa.investigate.metakey.cache.cache-duration | 7 | seconds | Number of seconds a metakey should live in the cache. Default: 1 WEEK |

ReconstructionProperties

                                                                                   
| Name | Default value | Type | Description |
| --- | --- | --- | --- |
| rsa.investigate.reconstruction.clear-cache-older-than | 24 | seconds | Cache files that are older than this time interval are cleared |
| rsa.investigate.reconstruction.content-type-file-extractor-max-size | 4 | bytes | From the NetWitness Core documentation: The maximum number of bytes to return; zero means no limit. This parameter controls the maximum bytes that a large network session should return and is mainly meant to prevent an extraordinarily large network session from consuming a large number of resources during the transfer. Be careful setting this parameter to zero. |
| rsa.investigate.reconstruction.email-attachment-hash-provider | | reconstructionproperties$emailattachmenthashprovider | The calculated hash type for any email attachments |
| rsa.investigate.reconstruction.email-full-render | true | boolean | Flag to enable/disable full rendering of email messages. When set to true, email bodies are fully reconstructed, which benefits emails with HTML body content. Styling is preserved as best as possible (external styles and references must be removed) and inline content (images), if included in the session, is displayed. Placeholders are shown for content that is not available or cannot be rendered, and any inline script should be made inactive but displayed to the user for informational purposes. If set to false, standard rendering is used, which renders the email body as best as possible and returns it as text in the bodyContent field of the com.rsa.asoc.nw.investigate.server.recon.domain.bean.Email object. This setting depends on the Reconstruction Object Cache being enabled (see ReconstructionProperties#objectCacheEnabled); it is ignored otherwise. |
| rsa.investigate.reconstruction.image-placeholder-url | | uri | URL used in email reconstruction for web email when original images cannot be loaded |
| rsa.investigate.reconstruction.object-cache-enabled | true | boolean | Flag to enable/disable the reconstruction object cache. In addition to caching the content (protobuf files) downloaded from core devices, the investigate service attempts to cache any objects and files that are created while reconstructing sessions. For this release (11.4, the first release with the object cache) this only pertains to email reconstruction. |
| rsa.investigate.reconstruction.reactive-message-size | 32 | bytes | Used in reactive streaming to configure the maximum buffer size for holding reconstructed data. |
| rsa.investigate.reconstruction.reactive-text-streaming | true | boolean | Flag to turn on reactive streaming for text reconstruction. Reactive streaming prevents web socket overload by sending as many reconstructed text blocks as fit into a known buffer size and then stopping until the caller tells the service to proceed. |
| rsa.investigate.reconstruction.support-script-urls | | uri[] | If HTML is generated in reconstruction, it is served to the UI via an IFRAME (so as not to interfere with the functionality/styling of the main application). This setting stores an array of strings (URLs) to JavaScript files that will be injected into the HTML. The JavaScript is injected via <script /> elements at the time of HTML file creation and is therefore saved to the object-cache. Any update to this array requires clearing the object-cache and/or a service restart. |
| rsa.investigate.reconstruction.sync-core-timeout | 10 | seconds | Maximum time to wait for operations that cache core content to complete, to prevent deadlocks. Internal setting. Not recommended for customer use. |
| rsa.investigate.reconstruction.wire-size-provider | | reconstructionproperties$wiresizeprovider | The method used to determine object size when transmitting objects via websocket |
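
The flow control described for reactive-text-streaming and reactive-message-size, sketched as an added example (not code from the Investigate service): text blocks are packed into batches that fit the buffer, and nothing more is read or sent until the consumer asks for the next batch. The function names, the constructed sample blocks, and the choice to send an oversized block on its own are assumptions.

```python
from typing import Iterable, Iterator, List


def stream_batches(blocks: Iterable[str], max_bytes: int) -> Iterator[List[str]]:
    """Yield batches of text blocks whose UTF-8 size fits in max_bytes.

    The generator only advances when the consumer calls next(), which
    stands in for the caller telling the service to proceed.
    """
    if max_bytes <= 0:
        raise ValueError("max_bytes must be positive")
    batch: List[str] = []
    used = 0
    for block in blocks:
        size = len(block.encode("utf-8"))  # wire size, not character count
        if batch and used + size > max_bytes:
            yield batch                    # buffer would overflow: flush first
            batch, used = [], 0
        batch.append(block)
        used += size
        # Assumption: a block at or above the buffer size is sent alone
        # rather than split or dropped.
        if used >= max_bytes:
            yield batch
            batch, used = [], 0
    if batch:
        yield batch


# Constructed sample blocks (not captured data).
SAMPLE_BLOCKS = ["GET / HTTP/1.1", "Host: example.test", "x" * 40, "ok", "é" * 10]


def demo(max_bytes: int = 32) -> List[List[str]]:
    """Batch the constructed sample with the page's default buffer size."""
    return list(stream_batches(SAMPLE_BLOCKS, max_bytes))


if __name__ == "__main__":
    for number, batch in enumerate(demo(), start=1):
        print(number, sum(len(b.encode("utf-8")) for b in batch), batch)
```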

ResponseProperties

                       
| Name | Default value | Type | Description |
| --- | --- | --- | --- |
| rsa.investigate.response.events-batch-size | 5000 | long | Amount of data to send per message. If the client sends a request with a stream batch size that is smaller than this, the client batch size is used instead. |

EventsStreamProperties

                             
| Name | Default value | Type | Description |
| --- | --- | --- | --- |
| rsa.investigate.stream.events.factor-of-multiple-meta-values-with-same-key | 5 | integer | Like rsa.investigate.stream.events.safe-num-of-column-selected, this property is used to calculate a safety threshold if one is not specified. It is a factor that allows for multiple meta values existing in the same key and should be something reasonably high. |
| rsa.investigate.stream.events.safe-num-of-column-selected | 50 | integer | Used to calculate a safety value for "threshold" in the query, to avoid the query going unbounded if threshold is not specified. The value of threshold is calculated by the formula: threshold = (num of sessions desired) * (num of column selected) * (factor of multiple meta values with same key). If (num of column selected) can't be inferred from the "select" field, this default value is used. |
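
The threshold formula above, worked through with the two defaults from this table, as an added example (not code from the Investigate service). The function names and the treatment of the "select" field as a comma-separated list of meta keys, with "*" or an empty value counted as not inferable, are assumptions.

```python
from typing import Optional

# Defaults listed in the EventsStreamProperties table.
SAFE_NUM_OF_COLUMN_SELECTED = 50
FACTOR_OF_MULTIPLE_META_VALUES_WITH_SAME_KEY = 5


def columns_from_select(select: Optional[str]) -> Optional[int]:
    """Count the columns named in a select field, or None if not inferable.

    Assumption: select is a comma-separated list of meta keys, and a
    missing, empty or "*" value gives no usable column count.
    """
    if select is None:
        return None
    keys = [key.strip() for key in select.split(",") if key.strip()]
    if not keys or "*" in keys:
        return None
    return len(keys)


def safety_threshold(
    sessions: int,
    select: Optional[str] = None,
    threshold: Optional[int] = None,
    default_columns: int = SAFE_NUM_OF_COLUMN_SELECTED,
    factor: int = FACTOR_OF_MULTIPLE_META_VALUES_WITH_SAME_KEY,
) -> int:
    """Return the caller's threshold, or the computed safety value.

    threshold = sessions * columns * factor, so a query submitted without
    a threshold is still bounded.
    """
    if threshold is not None:
        return threshold
    if sessions <= 0:
        raise ValueError("sessions must be positive")
    columns = columns_from_select(select)
    if columns is None:
        columns = default_columns  # fall back to safe-num-of-column-selected
    return sessions * columns * factor


if __name__ == "__main__":
    print(safety_threshold(100))                            # no select field
    print(safety_threshold(100, "ip.src, ip.dst, service")) # three columns
```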
