These are the required configuration steps for a new Decoder or Log Decoder, and also for changing the configuration of an existing Decoder. Unless otherwise stated, Decoder refers to both packet and log Decoders. Perform the steps in the section in the sequence they are given.
Step 1: Verify System Configuration
The first step when a new service is added to Security Analytics is to verify the system configuration.
Default values for the system configuration parameters are already in effect. You can edit and fine-tune these values for optimal performance.
Step 2: Configure Capture Settings
Next, you can configure the adapter for data capture, enable autostart of data capture, select the parsers that are applied to the captured data, and tune data capture by configuring capture settings.
Step 3: Enable or Disable Parsers
See which parsers have been downloaded and deployed from Live, and manage which ones are enabled or disabled.
Step 4: Configure Decoder Rules
Rules are filters defined on specific metadata; when a match is found, a predefined action is taken. Capture rules define the data that a Decoder or Log Decoder collects. Once applied, rules affect both packet capture file import and live network capture.
By default, no rules are defined when you first install Security Analytics, and until rules are specified, packets are not filtered. In Step 4: Configure Decoder Rules, you define three types of rules: Network Layer Rules, Application Layer Rules, and Correlation Rules.
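To make the "metadata filter plus predefined action" model concrete, the following is an added illustration written for this page; it is not Security Analytics code and does not use the product's rule syntax or API. It assumes a hypothetical rule model with three actions (keep, filter, truncate), a first-match-wins evaluation order, and constructed sample packets; it shows that with no rules nothing is filtered, and that the same rule set is applied to both imported and live traffic.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Hypothetical model of a capture rule: a predicate over a packet's metadata
# plus an action. This is an illustration, not the product's rule language.
Meta = Dict[str, object]


@dataclass
class CaptureRule:
    name: str
    layer: str                      # "network" or "application" (label only)
    match: Callable[[Meta], bool]   # predicate over the extracted metadata
    action: str                     # "keep" | "filter" | "truncate"


@dataclass
class Packet:
    meta: Meta
    payload: bytes
    source: str                     # "live" or "import"


@dataclass
class Decoder:
    rules: List[CaptureRule] = field(default_factory=list)
    stored: List[Packet] = field(default_factory=list)
    counters: Dict[str, int] = field(default_factory=dict)

    def apply_rules(self, pkt: Packet) -> Optional[Packet]:
        """First matching rule decides; with no rules, every packet is kept."""
        for rule in self.rules:
            if rule.match(pkt.meta):
                self.counters[rule.name] = self.counters.get(rule.name, 0) + 1
                if rule.action == "filter":
                    return None                      # drop entirely
                if rule.action == "truncate":
                    return Packet(pkt.meta, b"", pkt.source)  # keep meta, drop payload
                return pkt                           # "keep"
        return pkt

    def ingest(self, packets: List[Packet]) -> int:
        """Same code path whether packets come from live capture or a file import."""
        for p in packets:
            out = self.apply_rules(p)
            if out is not None:
                self.stored.append(out)
        return len(self.stored)


def sample_packets(source: str) -> List[Packet]:
    # Constructed sample traffic with pre-extracted metadata (not real captures).
    return [
        Packet({"ip.src": "10.0.0.5", "ip.dst": "10.0.0.9", "tcp.dstport": 445,
                "service": "smb"}, b"\x00" * 64, source),
        Packet({"ip.src": "10.0.0.5", "ip.dst": "203.0.113.7", "tcp.dstport": 443,
                "service": "ssl"}, b"\x16\x03" * 200, source),
        Packet({"ip.src": "10.0.0.5", "ip.dst": "203.0.113.7", "tcp.dstport": 80,
                "service": "http"}, b"GET / HTTP/1.1\r\n", source),
        Packet({"ip.src": "192.0.2.1", "ip.dst": "10.0.0.5", "udp.dstport": 53,
                "service": "dns"}, b"\x12\x34", source),
    ]


def default_rules() -> List[CaptureRule]:
    # Hypothetical rules: drop internal-to-internal SMB (network layer),
    # keep only metadata for TLS (application layer).
    return [
        CaptureRule("drop-internal-smb", "network",
                    lambda m: str(m.get("ip.src", "")).startswith("10.")
                    and str(m.get("ip.dst", "")).startswith("10.")
                    and m.get("tcp.dstport") == 445,
                    "filter"),
        CaptureRule("truncate-tls", "application",
                    lambda m: m.get("service") == "ssl",
                    "truncate"),
    ]


def run(rules: List[CaptureRule], sources=("live", "import")) -> Dict[str, object]:
    """Feed the same sample traffic through both sources and summarise the result."""
    dec = Decoder(rules=list(rules))
    for src in sources:
        dec.ingest(sample_packets(src))
    return {
        "stored": len(dec.stored),
        "payload_bytes": sum(len(p.payload) for p in dec.stored),
        "hits": dict(dec.counters),
    }


if __name__ == "__main__":
    print("no rules:  ", run([]))              # everything kept, nothing filtered
    print("with rules:", run(default_rules()))  # SMB dropped, TLS payload truncated
```

Because `ingest` is the only entry point, a rule set behaves identically for a pcap import and for live capture, which is the property the text describes; the per-rule hit counters are what you would inspect to confirm a new rule is actually matching before relying on it.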
Step 5: Start and Stop Data Capture
When a Decoder starts up, it automatically begins aggregating data if Capture Autostart is enabled. When autostart is not enabled, you can start and stop data capture manually.