Options for configuring Live Services are in the System View > Live Services Configuration panel. The Live Configuration panel allows the user to configure:
- The Live account.
- The Live Content update schedule and preferences for notification of updates.
- Participation in Security Analytics Live Feedback.
- RSA Live Connect (Beta)
To activate your Live account for Security Analytics, please contact RSA Customer Care. When you have a confirmation that your Live account has been set up, you can configure and test the CMS server connection.
When you click Accept, you automatically agree to the following:
- Participate in Live Feedback.
Use Live Connect features to receive threat intelligence data.
- Allow Security Analytics to send anonymous, technical data about your environment to RSA.
If you click on View Settings, you are redirected to the Live Services user interface to view the settings for Live Feedback and Live Connect Threat Data Sharing. If you have not configured the Live Account a masked screen is displayed.
For information on Analyst Behaviors and Data Sharing, see the Security Analytics Feedback and Data Sharing topic in the Live Services Management Guide.
About Live Feedback Participation
When you participate in Live Feedback, it collects relevant information for further improvement. For information on Live Feedback, see Live Feedback Overview.
When you install Security Analytics, you will be prompted to participate in Live Feedback. For information, see .Configure Live Services Settings
If needed, you can manually download historical usage data and share it with RSA. For information on how to download historical usage data and share it with RSA, see Upload Data to RSA for Live Feedback.
This topic contains the following procedures:
- Access the Live Services Configuration Panel
- Configure Live Account
- Configure the Live Content Synchronization Interval and Notification
- Force Immediate Synchronization
- About RSA Live Connect (Beta)
Access the Live Services Configuration Panel
To access the Live Configuration panel:
- In the Security Analytics menu, select Administration > System.
- In the left navigation panel, select Live Services.
Note: If you are not signed in with your Live Account credentials, a masked screen is displayed:
Configure Live Account
In the Live Account section, you must set up the user's Live account. The information needed to set up the user’s Live account consists of the Username, Password, and Live URL for the Content Management System. This information is provided by Customer Care.
To configure Live account:
In the Live Account section, click Sign In.
Note: The Modify button shows that the live account is configured. Click Modify, to change the user that is accessing Live Services.
In the Live Services Account dialog box, enter the Host (typically cms.netwitness.com) and type your username and password.
- (Optional) If you are using a different CMS, type the host URL for the Content Management System. The default points to the CMS at cms.netwitness.com.
- (Optional) If you are using a different CMS, type the communications port for Live to send requests to the Content Management System. The default for this field is 443, which is the communications port on the Content Management System.
- (Optional) If you do not want to use SSL, uncheck the SSL option. (SSL is enabled by default.)
- Click Test connection to test the connection to CMS.
- To save and apply the configuration, click Apply.
Configure the Live Content Synchronization Interval and Notification
You can change the interval at which Security Analytics checks for new updates to Live Content:
Use the Check for New Updates field to change the interval. Select an interval from the drop-down list. The default value for this setting is once a day.
- To configure Security Analytics Live Services to send update reports to one or more people, select Enable Notifications of Content Updates.
- In the Email Addresses field, type the email addresses as a comma-separated list, for example, firstname.lastname@example.org,email@example.com,firstname.lastname@example.org
- (Optional) To receive messages in HTML format rather than plain text, select HTML Format.
To save and apply, click Apply.
The time and date of the next scheduled Live synchronization based on the configured interval for checking is displayed.
Force Immediate Synchronization
Instead of waiting for the next scheduled resource cycle, this option forces Live to begin immediate synchronization of the subscribed resources in this instance of Security Analytics. One use for this is to see the immediate impact of a configuration change. For example, a new service has been added, or new resources have been toggled for automatic deployment. The scheduled synchronization could take place hours later if Security Analytics Live is set to synchronize a few times a day.
Caution: Synchronization can cause a parser reload if a FlexParser is deployed in the update cycle. This is acceptable once or twice a day, but a number of back-to-back parser reloads can cause packet loss at the Decoder. If this is the initial setup and you haven’t configured Live resource subscriptions, do not Synchronize Now. Wait until you have configured subscriptions.
To force immediate synchronization, click Check Now. Security Analytics checks for updates in subscribed resources.
About RSA Live Connect (Beta)
RSA Live Connect is a cloud based threat intelligence service. This service collects, analyzes, and assesses threat intelligence data such as IP addresses, domains, and files collected from various sources including the RSA Security Analytics and RSA ECAT customer community. RSA Live Connect consists of the following features:
- Threat Insights
- Analyst Behaviors
Threat Insights provides analysts the opportunity to pull threat intelligence data such as IP related information from the Live Connect service to be leveraged by the analysts during investigation.
By default, Threat Insights is enabled in Additional Live Services section. If Context Hub service is configured, Live Connect is automatically added as a data source for Context Hub. For more information, see the Configure Live Connect Data Source for Context Hub topic in the Context Hub Configuration Guide.
With Live Connect as a data source for context hub, you can use the Context Lookup option in Investigation > Navigate view or Investigation > Events view to fetch contextual information. For instructions, see the View Additional Context for a Data Point topic in the Investigation and Malware Analysis Guide.
Analyst Behaviors is a feature where analysts participate in sharing data to RSA community. This is an automated data collection service. Its goal is to share potential threat intelligence data to the RSA Live Connect cloud service for analysis. The type of data that could be shared from your network to RSA Live Connect includes various types of meta data captured by Security Analytics such as ip.src, ip.dst, ip.addr, device.ip, alias.ip, alias.host, paddr, sessionid, domain.dst, domain.src. For information on Analyst Behaviors and Data Sharing, see the Security Analytics Feedback and Data Sharing topic in the Live Services Management Guide.