000029467 - How to configure Incident Management in RSA Security Analytics

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support on Sep 9, 2019.

Article Content

Article Number: 000029467
Applies To:
  • RSA Product Set: Security Analytics
  • RSA Product/Service Type: Security Analytics UI, Security Analytics Server, Event Stream Analysis (ESA), Incident Management
  • RSA Version/Condition: 10.4.x, 10.5.x, 10.6.x
  • Platform: CentOS
  • O/S Version: EL6
Issue
By default in the Security Analytics UI, if you go to Incidents -> Configure, you will not see any records.
This is because the Incident Management (IM) service has not yet been pointed at its database.

Also, while the IM Service resides on the Security Analytics Server, the IM Database resides on the ESA Server.
Therefore, the Incident Management module requires an ESA appliance to properly function.
Resolution
To configure IM, follow the steps below.
  1. Make sure MongoDB is listening on TCP port 27017 on the ESA server by issuing the command below. The output should contain a line for port 27017 in the LISTEN state. If that line shows the port bound to 127.0.0.1 only, the SA Server will not be able to connect even though the port is listening.

    netstat -an | grep 27017

  2. From the SA Server, confirm that you can ping the ESA server by the IP address or FQDN you will enter in step 4. Note that a successful ping shows the host is reachable but does not prove that TCP port 27017 is open between the two appliances; a firewall dropping that port will still cause the steps below to fail.
  3. In the Security Analytics UI, navigate to Administration -> Services -> {IM} -> View -> Explore -> Service -> Configuration -> Database.
  4. Enter the following data:
    1. Host: ESA Server IP Address or Hostname/FQDN
    2. DatabaseName: im
    3. Port: 27017
    4. Username: im
    5. Password: im
        NOTE: By default, a MongoDB user named im with the password im is created on the ESA Server with access to the database named im. These are publicly documented default credentials: restrict access to TCP port 27017 on the ESA to the Security Analytics Server, and change the default password in line with your organisation's credential policy once IM is working.
  5. From the SA Server restart the Incident Management service with the commands below.

    service rsa-im stop
    service rsa-im start

  6. Wait 5 minutes and then check the Incidents -> Configure page again in the Security Analytics UI.
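
The script below is an added example, not part of the RSA article, that turns steps 1, 2, 4 and 5 above into repeatable pre-flight checks so a misconfiguration is caught before rsa-im is restarted. It parses netstat output (a constructed sample is embedded so the parsing can be exercised offline), checks that 27017 is bound to a reachable address rather than 127.0.0.1, opens a TCP connection from the SA Server instead of relying on ping, and optionally verifies the im/im credentials with the mongo shell. The ESA hostname esa.example.local is a placeholder, and the presence of bash, awk, timeout and the mongo shell on the appliance are assumptions not stated in the article.

```bash
#!/bin/bash
# Added example (not from the RSA article): pre-flight checks for the Incident
# Management (IM) database connection, following the article's steps.
# Assumptions not in the article: the ESA hostname below is a placeholder;
# bash, awk, timeout and (optionally) the mongo shell are installed.

ESA_HOST="${ESA_HOST:-esa.example.local}"   # placeholder, replace with your ESA host
IM_PORT="${IM_PORT:-27017}"
IM_DB=im
IM_USER=im
IM_PASS="${IM_PASS:-im}"                    # the article's default; change it after setup

# Constructed sample of `netstat -tln` output from an ESA server, so the parsing
# functions can be exercised without a live appliance.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:27017               0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:28017             0.0.0.0:*                   LISTEN'

# mongo_listening NETSTAT_OUTPUT PORT -> 0 if a TCP socket is LISTENing on PORT.
# Matching ":PORT" at the end of the local address avoids false positives from
# port 28017 or from an ESTABLISHED client connection that merely mentions 27017.
mongo_listening() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 ~ /^tcp/ && $4 ~ (":" port "$") && $NF == "LISTEN" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# listening_addr NETSTAT_OUTPUT PORT -> prints the address PORT is bound to.
# A socket bound to 127.0.0.1 passes step 1 but is unreachable from the SA Server.
listening_addr() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 ~ /^tcp/ && $NF == "LISTEN" && $4 ~ (":" port "$") {
            print substr($4, 1, length($4) - length(port) - 1); exit
        }'
}

# tcp_reachable HOST PORT -> 0 if a TCP connection opens within 5 seconds.
# Stronger than step 2's ping: it also catches a firewall dropping 27017.
tcp_reachable() {
    timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# mongo_auth_ok -> 0 if the step 4 credentials authenticate against the im
# database, 1 if they do not, 2 if no mongo shell is available to check.
mongo_auth_ok() {
    command -v mongo >/dev/null 2>&1 || { echo "mongo shell not installed, skipping"; return 2; }
    mongo --quiet --host "$ESA_HOST" --port "$IM_PORT" \
          -u "$IM_USER" -p "$IM_PASS" --authenticationDatabase "$IM_DB" \
          "$IM_DB" --eval 'db.stats().ok' 2>/dev/null | grep -qx 1
}

# Run on the ESA server: step 1, plus the bind-address check.
esa_check() {
    local out addr
    out=$(netstat -tln)
    if ! mongo_listening "$out" "$IM_PORT"; then
        echo "FAIL: nothing listening on TCP $IM_PORT; check the MongoDB service on this ESA"
        return 1
    fi
    addr=$(listening_addr "$out" "$IM_PORT")
    case "$addr" in
        127.0.0.1|::1) echo "FAIL: $IM_PORT is bound to $addr only; the SA Server cannot reach it"; return 1 ;;
        *)             echo "OK: MongoDB listening on $addr:$IM_PORT" ;;
    esac
}

# Run on the SA Server: steps 2 and 4 (connectivity and credentials), then step 5.
sa_check_and_restart() {
    local rc
    getent hosts "$ESA_HOST" >/dev/null || { echo "FAIL: cannot resolve $ESA_HOST"; return 1; }
    tcp_reachable "$ESA_HOST" "$IM_PORT" || { echo "FAIL: TCP $IM_PORT on $ESA_HOST unreachable (firewall or bind address)"; return 1; }
    mongo_auth_ok; rc=$?
    [ "$rc" -eq 1 ] && { echo "FAIL: authentication as $IM_USER against database $IM_DB failed"; return 1; }
    echo "OK: $ESA_HOST:$IM_PORT reachable; restarting rsa-im"
    service rsa-im stop
    service rsa-im start
}

# No action unless a mode is given, so the file is safe to source for its functions.
case "${1:-}" in
    --esa) esa_check ;;
    --sa)  sa_check_and_restart ;;
    *)     : ;;
esac
```

Run it with `--esa` on the ESA appliance and with `--sa` on the Security Analytics Server; the SA side refuses to restart rsa-im if the ESA does not resolve, the port is not reachable, or the credentials are rejected, which is exactly the situation in which a blind restart leaves Incidents -> Configure empty again after the five-minute wait.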

If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.