You can easily create an Identity feed and populate it to selected Decoders and Log Decoders. After completing this procedure, you will have created an Identity feed.
In order to create an identity feed, you need to have:
- A Log Collector service with an Identity Feed Event Processor
- A Log Collector service with Windows Collection configured and enabled
Create an Identity Feed
In the Security Analytics menu, select Live > Feeds.
The Feeds grid is displayed.
The Setup Feed dialog is displayed, with Identity Feed selected by default.
Select Identity Feed and click Next.
The Configure Identity Feed panel opens with the Define Feed tab displayed.
(Conditional) You can create an on-demand or recurring feed.
- To define an on-demand Identity feed task that executes once, select Adhoc in the Feed Task Type field, type the feed Name, and browse for and open the feed.
To define a recurring Identity Feed task that executes on a recurring basis, select Recurring in the Feed Task Type field.
The Define Feed form includes the fields for a recurring feed.
Note: Security Analytics verifies the location where the file is stored, so that Security Analytics can check for the latest file automatically before each recurrence.
In the URL field, enter the URL where the feed data file is located. For example:
http://<LogCollector>:50101/event-processors/<ID Event processor name>?msg=getFile&force-content-type=application/octet-stream&expiry=600
- (Optional) If the URL has restricted access and requires authentication using your username and password, select Authenticated. Security Analytics provides your user name and password for authentication to the URL.
To define the interval for recurrence, do one of the following:
- Specify the number of minutes, hours, or days between recurrences of the feed.
- To define the date range for the execution of the feed to recur, specify the Start Date and time and the End Date and time.
- Click Verify to verify your identity feed configuration before you proceed to the Select Services form.
The Select Services form is displayed.
- To identify services on which to deploy the feed, select one or more Decoders and Log Decoders and click Next.
Click the Groups tab, select a group, and click Next.
The Review form is displayed.
Note: If a group of devices with Decoders and Log Decoders is used to create recurring or custom feeds and this group is deleted, you can edit the feed and add a new group to the feed.
Anytime before you click Finish, you can:
- Click Cancel to close the wizard without saving your feed definition.
- Click Reset to clear the data in the wizard.
- Click Next to display the next form (if not viewing the last form).
- Click Prev to display the previous form (if not viewing the first form).
- Review the feed information, and if correct, click Finish.
Upon successful creation of the feed definition file, the Create Feed wizard closes, and the feed and corresponding token file are listed in the Feed grid and progress bar tracks completion. You can expand or collapse the entry to see how many services are included, and which services were successful.