This topic introduces the features of the System View > Live Services Configuration panel for setting up your Live account and the CMS server connection.
Live Account consists of two sections, namely RSA Live Status and Download Live Feedback Activity Log. You must Sign In by entering your Live Account credentials to access the Live Services. To activate your Live account for Security Analytics, please contact RSA Customer Care. When you have confirmation that your Live account has been set up, you can configure the CMS server connection as described in Configure Live Services Settings.
The Live Services panel provides the user interface for :
- The Live account
- The Live Content update schedule and preferences for notification of updates
- Participation in Live Feedback
- RSA Live Connect (Beta)
New Features Enabled Dialog
When you log onto Security Analytics for the first time, you will be prompted with New Features Enabled dialog.
Clicking Accept indicates that you agree to the following:
Clicking View Settings redirects you to the Live Services UI to view the settings. If you have not configured the Live Account, a masked screen is displayed.
For information on Live Feedback, see Live Feedback Overview.
For information on Analyst Behaviors and Data Sharing, see the Security Analytics Feedback and Data Sharing topic in the Live Services Management Guide.
For information on Live Connect Threat Insights, see Configure Live Services Settings.
Live Services View
You access this view in the Security Analytics menu, Administration > System > Live Services.
Note: If you are not signed in with your Live Account credentials, a masked screen is displayed.
The Live Configuration panel has three sections: Live Account, Live Content, and Additional Live Services.
Live Account Section
In the Live Account section, you must enter the Live credentials. The information needed to set up the user’s Live account consists of the Username, Password, and Live URL for the RSA Content Management System. This information is provided by Customer Care.
The following table describes the Live Account section features.
The Live URL for the Content Management System. The default value points to the RSA CMS at cms.netwitness.com.
The communications port for Live to send requests to the Content Management System. The default value for this field is 443, which is the communications port on the Content Management System.
Allows the user to communicate via SSL.
The Live account user name as provided by RSA Customer Care.
The Live account user password as provided by RSA Customer Care.
|Test connection|| |
Tests if the connection is successful or not.
Saves and applies the configuration.
The Live Account section, provides an option to download and share the Live Feedback historical data by clicking Live Feedback Activity Log.
For more information about how to download historical data, see Upload Data to RSA for Live Feedback.
Live Content Section
You can configure the Live Content Synchronization interval and notification at which Security Analytics checks for new updates to Live Content:
Use the Check for New Updates field to change the interval. Select an interval from the drop-down list. The default value for this setting is once a day.
The following table describes the Live Content features.
|Check for new updates|| |
This setting dictates how often Security Analytics checks for new updates to Live Subscriptions and synchronizes subscribed resources and tags:
The default value for this setting is once a day.
|Next Check||Displays the time and date of the next scheduled Live synchronization based on the configured interval for checking.|
|Email Addresses|| |
Email addresses specified here receive messages containing a list of subscribed resources that have been updated in the last 24 hours.
|HTML format|| |
Specifies the format of email messages.
|Check Now|| |
Instead of waiting for the next scheduled resource cycle, this option forces Live to begin immediate synchronization of the subscribed resources in this instance of Security Analytics.
Caution: Use this feature with caution because synchronization can cause a parser reload if a Lua Parser or Flex Parser is deployed in the update cycle. This is acceptable once or twice a day, but a number of back-to-back parser reloads can cause packet loss at the Decoder. If this is the initial setup and you haven’t configured Live resource subscriptions, do not Synchronize Now. Wait until you have configured subscriptions.
|Apply||Applies the changed configuration to the subscription synchronization behavior. The changes become effective immediately. The Next Live synchronization is scheduled for field is updated if the time changed.|
Force Immediate Synchronization
To force immediate synchronization, click Check Now. Security Analytics checks for updates in subscribed resources.
Instead of waiting for the next scheduled resource cycle, this option forces Live to begin immediate synchronization of the subscribed resources in this instance of Security Analytics. One use for this is to see the immediate impact of a configuration change. For example, a new service has been added, or new resources have been toggled for automatic deployment. The scheduled synchronization could take place hours later if Security Analytics Live is set to synchronize a few times a day.
Caution: Synchronization can cause a parser reload if a Flex Parser is deployed in the update cycle. This is acceptable once or twice a day, but a number of back-to-back parser reloads can cause packet loss at the Decoder. If this is the initial setup and you haven’t configured Live resource subscriptions, do not Synchronize Now. Wait until you have configured subscriptions.
Note: Click on Learn more to know more about the data RSA is collecting. For more information, see Live Feedback Overview.
The following tables describes the Additional Live Services features.
|Learn more (For Live Feedback)|| |
Lists the types of data RSA is collecting:
|Learn more (For RSA Live Connect)||Provides more information about Live Connect service and configuring Live Services.|
Enable (Threat Insights)
Enables Threat Insights feature where Live Connect is added as a data source for Context Hub service and the analyst can pull threat intel data during investigation. Ensure that context hub is already configured before enabling this feature.
This option is enabled by default (checked)
|Enable (Analyst Behaviors)||Enables Security Analytics to send anonymous, technical data about your environment to RSA. This option is enabled by default (checked)|
Applies the configured changes. The changes become effective immediately.
Note: This option is applicable only for Threat Insights and Analyst Behaviors.
About Live Feedback Participation
When you participate in Live Feedback, it collects relevant information for further improvement. For information on Live Feedback, see Live Feedback Overview.
When you install Security Analytics, you will be prompted to participate in Live Feedback. For information, see .Configure Live Services Settings
If needed, you can manually download historical usage data and share it with RSA. For information on how to download historical usage data and share it with RSA, see Upload Data to RSA for Live Feedback.