Workbench: Manage Collections

Document created by RSA Information Design and Development on Jul 31, 2016
Version 1
 

This topic explains how an Administrator can create and manage collections on a workbench service.

An Administrator can create, delete, and manage workbench collections. Administrators can also view workbench statistics and logs.

Mount Archiver Directories

The following steps illustrate how to restore data that is in offline storage or cold-tier storage for reporting and investigation purposes. In the following example, data is restored for the time range beginning on 2015-April-01 through 2015-April-10.

Perform the following steps to restore data for reporting and investigation purposes:

  1. In the Security Analytics menu, select Administration > Services.
  2. Select Archiver from the Services grid.
  3. Navigate to the Explorer view of the Archiver appliance by selecting the settings icon > View > Explore.
    The Explorer view for the Archiver is displayed.
  4. Right-click the Database node in the left-hand tree and select Database properties to open them in the right-hand panel.
  5. Run the manifest command for the selected time range 2015-April-01 to 2015-April-10.
    Your search returns all files that need to be restored for your selected query.

Create a Collection

The Collections tab enables Administrators to restore and save data that is restored from a backup or from an existing set of data. 

Note: The Administrator can point the source path to the location of the database files and the restore command copies them to the workbench. The Administrator needs to mount those directories to the Archiver (where the Workbench is installed) before a restoration collection can be created.

To create a collection using data restored from the backed up data or existing subset of data:

  1. In the Security Analytics menu, select Administration > Services > Workbench.
  2. From the Services grid, select the settings icon > View > Config.
    The General tab is displayed.
  3. Click the Collections tab.
    The Collections grid is displayed.
  4. Click the Add icon in the toolbar.
    The Restoration Collection dialog is displayed.

  5. Provide the following information:
    • Name: Name of the workbench collection that you want to restore.
    • Source: Location where the Archiver database files have been moved from cold storage.

    Note: Target is the location where the collection is created.

    Click Save to restore the collection.

    Note: If the source path provided to create the restoration collection does not exist, the following error message is displayed:
    "The source path does not exist '/xxx/xxx/'."

    If there is insufficient storage to restore your collection, the following error is displayed:
    "Error during disk space checking. Insufficient disk space in location '/xxx/xxx'."

     The Schedule Job dialog is displayed with the following message:
    "Restoring data into a new collection. Check the jobs page for progress."

  6. Click the Jobs icon in the top right area of the Security Analytics menu to expand the list of restoration collection jobs with their current status.

Note: Restoring a collection that is larger than 550 GB may take several hours to process.
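
Because a large restore can run for hours before it fails, it can help to check the two error conditions above (missing source path, insufficient disk space) from a shell on the host first. The script below is an added example, not part of the product or its documentation; the function name and return codes are hypothetical, and it assumes the restore needs at least as much free space in the target as the source files occupy.

```shell
#!/bin/sh
# Pre-flight check before creating a restoration collection (added example).
# Assumption: the restore copies every file under SOURCE to TARGET, so TARGET
# needs at least as much free space as SOURCE occupies. The product's own
# disk-space check may use different rules.

# preflight_restore SOURCE TARGET
# Returns 0 if the restore looks feasible, 1 if SOURCE is missing,
# 2 if TARGET is missing, 3 if TARGET has too little free space.
preflight_restore() {
    src=$1
    tgt=$2

    if [ ! -d "$src" ]; then
        echo "source path does not exist: $src" >&2
        return 1
    fi
    if [ ! -d "$tgt" ]; then
        echo "target path does not exist: $tgt" >&2
        return 2
    fi

    # Size of the source tree in KiB.
    need_kb=$(du -sk "$src" | awk '{print $1}')
    # Free space on the filesystem holding the target, in KiB (POSIX format).
    free_kb=$(df -Pk "$tgt" | awk 'NR==2 {print $4}')

    if [ "$need_kb" -gt "$free_kb" ]; then
        echo "insufficient disk space in $tgt: need ${need_kb} KiB, have ${free_kb} KiB" >&2
        return 3
    fi
    echo "ok: need ${need_kb} KiB, ${free_kb} KiB free in $tgt"
    return 0
}

# Run the check when called with two arguments:
#   sh preflight.sh <source-dir> <target-dir>
if [ "$#" -eq 2 ]; then
    preflight_restore "$1" "$2"
fi
```
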

Delete a Collection

The Collections tab enables Administrators to delete collections from the workbench service.

Perform the following steps to delete a collection:

  1. In the Security Analytics menu, select Administration > Services > Workbench.
  2. From the Services grid, click the settings icon > View > Config.
    The General tab is displayed.
  3. Select the Collections tab.
    The Collections grid is displayed.
  4. In the Collections grid, select the workbench service that you want to delete.
  5. Click the delete icon in the toolbar.
    A warning dialog requests confirmation.
  6. If you want to delete the collection, click Yes.
    The collection is removed from the workbench service.

Example Showing How to Restore a Collection for Reporting and Investigation

The following steps illustrate how to restore data that is in offline storage or cold-tier storage for reporting and investigation purposes. In the following example, data is restored for the time range beginning on 2015-April-01 through 2015-April-10.

To restore data for reporting and investigation purposes:

  1. In the Security Analytics menu, select Administration > Services.
  2. Select Archiver from the Services grid.
  3. Navigate to the Explorer view of the Archiver appliance by selecting the settings icon > View > Explore.
    The Explorer view for the Archiver is displayed.
  4. Right-click the Database node in the left-hand tree and select Database properties to open them in the right-hand panel.
  5. Run the manifest command for the selected time range 2015-April-01 to 2015-April-10.
    Your search returns all files that need to be restored for your selected query.

Example Search:

time1="2015-04-01 00:00:00" time2="2015-04-10 00:00:00" timeFormat=simple

  6. In the Security Analytics menu, select Administration > Services.
  7. Select Workbench from the Services grid.
  8. Select the settings icon > View > Config.
  9. Select the Collections tab.
  10. Create a restoration collection with the source path pointing to the files listed in the manifest command output.
  11. Save the collection.
    After successfully creating a collection, you can use this collection for reporting and investigation purposes.

Investigate a Collection

To perform an investigation on a workbench collection:

  1. In the Security Analytics menu, select Investigation > Navigate.
    The Investigate dialog is displayed.
  2. Click the Collections tab in the Investigate dialog.
  3. Select a workbench service in the left panel.
  4. Select the collection you want to investigate in the right panel.
  5. Click Navigate.

The Navigate panel is displayed. The panel displays data pertaining to the workbench collection that you selected. Select from any of the drop-down menus to drill down for further investigation of the workbench collection.

View Workbench Collection Statistics

Perform the following steps to view workbench statistics:

  1. In the Security Analytics menu, select Administration > Services > Workbench.
    The Workbench view is displayed.
  2. Select a workbench service, and click the settings icon > View > Stats.
    The Stats view is displayed.

  3. Within the Stats view, you can collapse or expand charts, or drag a section up or down to change the sequence. For example, you can expand the Chart Stats Tray to see available charts, or drag the Gauge section to the top so that it is above the Workbench Stats section.

Note: For more information about workbench statistics, see the Host and Services Configuration Guide.

View Workbench Logs

Perform the following steps to view logs on a workbench service:

  1. In the Security Analytics menu, select Administration > Services > Workbench.
  2. From the Services grid, select the settings icon > View > Logs.
    The Logs grid is displayed.

Note: For information about viewing and configuring audit logs, see the System Configuration Guide.
