SA Cfg: Configure Live Settings

Document created by RSA Information Design and Development on Jul 29, 2016. Last modified by RSA Information Design and Development on Dec 2, 2016. Version 2.

To activate your Live account for Security Analytics, please contact RSA Customer Care. When you have confirmation that your Live account has been set up on the Live Content Management System (CMS), you can configure and test the CMS server connection.

In addition, using Security Analytics Live Intelligence Sharing, you can choose to share data from a specific device group with the RSA Live server. The information includes IP and hostname data that match delivered content such as feeds and alert rules. The shared intelligence is analyzed and compiled into a new Live feed available only to those who have agreed to participate. As a result, intelligence is improved and corroborated with other RSA customers around the world. The End User License Agreement (EULA) for Security Analytics governs the telemetry that is retrieved.

The Live Configuration panel provides the user interface to configure:

  • The Live account and access to the Content Management System server.
  • The Live subscription update schedule and preferences for notification of updates.
  • Participation in Security Analytics Live Intelligence Sharing.

Display the Live Configuration Panel

To display the Live Configuration panel:

  1. In the Security Analytics menu, select Administration > System.
  2. In the options panel, select Live.

Configure Live Access to the CMS

In the Live Account section, you must set up the user's Live account. The information needed to set up the user’s Live account consists of the Username, Password, and Live URL for the Content Management System. This information is provided by Customer Care.

To configure Live access to the CMS:

  1. In the Live Account section, type your username and password.

  2. (Optional) If you are using a different CMS, type the host URL for the Content Management System. The default value points to the CMS at cms.netwitness.com.
  3. (Optional) If you are using a different CMS, type the communications port for Live to send requests to the Content Management System. The default value for this field is 443, which is the communications port on the Content Management System.
  4. (Optional) Click the SSL checkbox.
  5. Click Test connection.
    Security Analytics displays the results of the test. If the message Test connection successful is displayed, your account can authenticate with the Content Management System.
  6. To save and apply the configuration, click Apply.
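
When Test connection does not succeed, it helps to know whether the failure is in name resolution, the network path, or TLS before suspecting the credentials. The following is an added example, not RSA code and not part of Security Analytics: it probes the CMS host and port named above in stages, using only the Python standard library. The function name `check_live_endpoint` and the shape of the result are assumptions made for this illustration.

```python
import socket
import ssl

# Default host and port are the values stated on this page.
LIVE_HOST = "cms.netwitness.com"
LIVE_PORT = 443


def check_live_endpoint(host=LIVE_HOST, port=LIVE_PORT, timeout=5.0, context=None):
    """Probe the CMS endpoint in stages and report the first stage that fails.

    Returns a dict with 'stage' (dns, tcp, tls or ok), 'ok' and 'detail'.
    Hypothetical helper written for this example.
    """
    # Stage 1: name resolution, as this server's resolver sees it.
    try:
        addrs = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return {"stage": "dns", "ok": False, "detail": str(exc)}

    # Stage 2: plain TCP connect; a failure here points at routing or a firewall.
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return {"stage": "tcp", "ok": False, "detail": str(exc)}

    # Stage 3: TLS handshake with certificate chain and hostname verification on.
    ctx = context or ssl.create_default_context()
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            detail = {
                "resolved": sorted({a[4][0] for a in addrs}),
                "protocol": tls.version(),
                "issuer": dict(rdn[0] for rdn in cert.get("issuer", ())),
                "not_after": cert.get("notAfter"),
            }
    except (ssl.SSLError, OSError) as exc:
        sock.close()
        return {"stage": "tls", "ok": False, "detail": str(exc)}
    return {"stage": "ok", "ok": True, "detail": detail}


if __name__ == "__main__":
    print(check_live_endpoint())
```

A result of `tls` with a certificate verification error usually means an intercepting proxy sits between the server and the CMS; the issuer reported on a successful run shows who signed the certificate that was actually presented.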

Configure Live Intelligence Sharing

To implement Live Intelligence Sharing, this instance of Security Analytics queries a specific group of devices on a daily basis, packages the results and sends them to the RSA Live server. You can choose to participate and select a device group in the Intelligence Sharing section.

To configure Security Analytics to schedule daily sharing of specific data with Live:

  1. Click the Participate in Live Intelligence Sharing checkbox.
  2. Click in the Group of Devices to Query input field, and select a device group from the drop-down list.
  3. To save and apply the configuration, click Apply.
    An automatic process is scheduled to run in the background once a day to gather the data from the selected device group and post the data to a Live URL with your Live credentials.

Configure the Subscription Synchronization Interval and Notification

You can change the interval at which Security Analytics checks for new updates to Live Subscriptions:

  1. Click Check for Updates and select an interval from the drop-down list. The default value for this setting is once a day.
  2. To configure Security Analytics Live to send a daily resource update report at 11:30PM to one or more people, in the Email Addresses field, type the email addresses as a comma-separated list, for example, john@company.com,ted@company.com,brian@company.com
  3. (Optional) To receive messages in HTML format rather than plain text, click the HTML checkbox.
  4. To save and apply, click Apply.
    The time and date of the next scheduled Live synchronization based on the configured interval for checking is displayed.

Force Immediate Synchronization

Instead of waiting for the next scheduled resource cycle, this option forces Live to begin immediate synchronization of the subscribed resources in this instance of Security Analytics. One use for this is to see the immediate impact of a configuration change. For example, a new service has been added, or new resources have been toggled for automatic deployment. The scheduled synchronization could take place hours later if Security Analytics Live is set to synchronize a few times a day.

Caution: Synchronization can cause a parser reload if a FlexParser is deployed in the update cycle. This is acceptable once or twice a day, but a number of back-to-back parser reloads can cause packet loss at the Decoder. If this is the initial setup and you haven’t configured Live resource subscriptions, do not click Synchronize Now. Wait until you have configured subscriptions.

To force immediate synchronization, click Synchronize Now.
Security Analytics checks for updates in subscribed resources.
