To activate your Live account for Security Analytics, please contact RSA Customer Care. When you have confirmation that your Live account has been set up on the RSA Content Management System (CMS), you can configure and test the CMS server connection as described in Configure Live Settings.
The Live Configuration panel provides the user interface to configure:
- The Live account and access to the Content Management System server.
- The Live subscription update schedule and preferences for notification of updates.
- Participation in Live Intelligence Sharing.
To access this view:
- In the Security Analytics menu, select Administration > System.
- In the options panel, select Live.
The Live Configuration panel has three sections: Live Account, Intelligence Sharing, and Subscription Settings.
Live Account Section
In the Live Account section, you must set up the user's Live account. The information needed to set up the user’s Live account consists of the Username, Password, and Live URL for the RSA Content Management System. This information is provided by Customer Care.
The Live Account section also has fields that you can use to configure Live access to the Internet through a proxy server. When configured to use a proxy server, Live issues requests to the RSA Content Management System using the proxy settings.
The following table describes the Live Account section features.
The Live account user name as provided by RSA Customer Care.
The Live account user password as provided by RSA Customer Care.
The Live URL for the Content Management System. The default value points to the RSA CMS at cms.netwitness.com.
The communications port for Live to send requests to the Content Management System. The default value for this field is 443, which is the communications port on the Content Management System.
Specifies that Live can communicate via SSL when the Decoder or Log Decoder requires it.
Activates and deactivates the Proxy specification fields.
The hostname of the proxy server for Live to use when sending requests to the Content Management System.
The communications port on the proxy server for Live to send requests to the Content Management System.
The username for Live to use when sending requests to the CMS via the proxy server.
The password for Live to use when sending requests to the CMS via the proxy server.
Tests the ability of Live to connect to the CMS as configured.
Saves and implements the proxy settings.
Intelligence Sharing Section
To implement Live Intelligence Sharing, this instance of Security Analytics queries a specific group of devices on a daily basis, packages the results and sends them to the RSA Live server. You can choose to participate and select a device group in the Intelligence Sharing section.
The following table describes the Intelligence Sharing section features.
Participate in Live Intelligence Sharing: When selected, denotes agreement to participate in Live Intelligence Sharing.
Group of Devices to Query: An input field with drop-down selection list of available device groups.
Saves and implements the settings.
Subscription Settings Section
The following table describes the Subscription Settings features.
Check for new updates: This setting dictates how often Security Analytics checks for new updates to Live Subscriptions and synchronizes subscribed resources and tags:
The default value for this setting is once a day.
Next Live synchronization is scheduled for: Displays the time and date of the next scheduled Live synchronization based on the configured interval for checking.
Email addresses specified here receive messages containing a list of subscribed resources that have been updated in the last 24 hours.
Specifies the format of email messages. Checked = HTML, not checked = text.
Instead of waiting for the next scheduled resource cycle, this option forces Live to begin immediate synchronization of the subscribed resources in this instance of Security Analytics.
Caution: Use this feature with caution because synchronization can cause a parser reload if a Lua Parser or FlexParser is deployed in the update cycle. This is acceptable once or twice a day, but a number of back-to-back parser reloads can cause packet loss at the Decoder. If this is the initial setup and you haven’t configured Live resource subscriptions, do not Synchronize Now. Wait until you have configured subscriptions.
Applies the changed configuration to the subscription synchronization behavior. The changes become effective immediately. The "Next Live synchronization is scheduled for" field is updated if the time changed.