SA Cfg: Configure Investigation Settings

Document created by RSA Information Design and Development Employee on Mar 22, 2017. Last modified by RSA Information Design and Development Employee on Sep 26, 2017.

This topic provides instructions for administrators configuring the settings that apply to all investigations on a Security Analytics instance. The settings for configuring and tuning the behavior of Security Analytics Investigation are in the System view > Investigation panel. They apply to all investigations and reconstructions on the current Security Analytics instance.

Configure Navigate, Events, and Context Lookup Settings

  1. In the Security Analytics menu, select Administration > System.
  2. In the options panel, select Investigation.
    The Investigation Configuration panel is displayed.
  3. In the Navigate tab, in the Render Threads Settings field, select the maximum number of meta key values that are loaded concurrently for a single user in the Navigate view. Click Apply.
  4. In the Navigate tab, in the Parallel Coordinates Settings section, set the maximum number of meta values scanned and the maximum number of meta value results that can be included in a parallel coordinates visualization. For better performance, the recommended settings are a Meta Values Scan Limit of 100,000 and a Meta Values Result Limit between 1,000 and 10,000. Click Apply.
  5. In the Events tab, in the Event Search Settings section, set the maximum number of events scanned and the maximum number of event results displayed when an analyst conducts an event search in the Events view. Click Apply.
  6. In the Events tab, in the Reconstruction Settings section, set the limits on the amount of data processed in the reconstruction of a single event. The default values are a maximum of 100 packets and 2097152 bytes (2 MB). If analysts see slow performance when reconstructing sessions in Investigation, the reconstruction settings may need adjustment. Click Apply.

Caution: Setting a higher value affects the performance of the Security Analytics server by increasing the time and memory taken to create a reconstruction of an event. Setting the value to zero disables any limit and may lead to a Security Analytics server crash.

  7. (Optional) In the Events tab, in the Web View Reconstruction Settings section, enable the use of supporting files in a web view reconstruction, and configure the additional settings that calibrate web view reconstructions. These include the time range (in seconds) to scan for related events, the maximum number of related events to scan, and overrides to the Reconstruction Settings for use with web view reconstructions. Click Apply.
  8. In the Context Lookup tab, manage the mapping of Context Hub meta types to meta keys in Investigation. You can add meta keys to, or remove them from, the list of meta types that Context Hub supports in Investigation. Procedures associated with this tab are provided in "Manage Meta Type and Meta Key Mapping" in the Investigation and Malware Analysis Guide.

Clear Reconstruction Cache for Services

Under Reconstruction Cache Settings, administrators can clear the cache for one or more services. For example, the administrator can clear the cache for a single Broker, for a Broker and a Decoder, or for all connected services. The following are examples of situations in which stale cache is used in a reconstruction.

  • A downstream service has its sessions invalidated or its data reset. For example, if Investigation is browsing a Broker and a downstream Concentrator or Decoder is reset and repopulated, the meta and session data held by the investigating service (the Broker) no longer match the content on the downstream service. The reconstruction in Investigation then shows cached content that does not match the real content. Even if the Decoder is offline, cached content is still displayed in the Broker reconstruction; clearing the cache on the Broker causes Security Analytics to contact the Decoder, which returns an error because the Decoder is offline.
  • The service ID of a downstream service changes. This can happen when exporting, importing, deleting, and adding services, because Security Analytics can reuse service IDs. In this case, clearing the cache on the Broker causes Security Analytics to request fresh data from the services.

To clear the reconstruction cache, do one of the following:

  • To clear the cache for one or more services, select the services and click Clear Cache for the Selected Services.
  • To clear the cache for all listed services, click Clear Cache for All Services.

The reconstruction cache for the selected services is cleared, and Security Analytics sends a new request for data to the services.
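The following is an added, constructed model (not RSA Security Analytics code, and not its API) of the two behaviours described above: the per-event reconstruction limits, including the zero-means-unlimited setting the caution warns about, and a Broker-side reconstruction cache that keeps serving old content after a downstream data reset or a reused service ID until it is cleared. The `Downstream`, `Broker`, `reconstruct` and `demo` names, the service IDs and the sample packets are all assumptions made for this example.

```python
"""Constructed model (not RSA Security Analytics code) of reconstruction
limits and of a Broker reconstruction cache that goes stale after a
downstream data reset or a reused service ID. Names and data are assumed."""
from dataclasses import dataclass, field


@dataclass
class Downstream:
    """A Decoder or Concentrator as the Broker sees it: packets per session."""
    name: str
    online: bool = True
    sessions: dict = field(default_factory=dict)  # session_id -> list[bytes]

    def reset(self, new_sessions):
        """Simulate a data reset that repopulates the service with new content."""
        self.sessions = dict(new_sessions)


@dataclass
class ReconstructionSettings:
    max_packets: int = 100      # page default
    max_bytes: int = 2097152    # page default (2 MiB); 0 disables the limit


def reconstruct(packets, settings):
    """Assemble one session's payload under the limits; returns (payload, truncated).
    With both limits at 0 nothing bounds memory use, the condition the caution warns about."""
    out = bytearray()
    for index, pkt in enumerate(packets):
        if settings.max_packets and index >= settings.max_packets:
            return bytes(out), True
        if settings.max_bytes and len(out) + len(pkt) > settings.max_bytes:
            return bytes(out), True
        out += pkt
    return bytes(out), False


class Broker:
    """Investigating service with a cache keyed by (service_id, session_id)."""

    def __init__(self, settings):
        self.settings = settings
        self.services = {}  # service_id -> Downstream
        self.cache = {}     # (service_id, session_id) -> (payload, truncated)

    def add_service(self, service_id, service):
        self.services[service_id] = service

    def remove_service(self, service_id):
        del self.services[service_id]

    def reconstruct_session(self, service_id, session_id):
        key = (service_id, session_id)
        if key in self.cache:
            return self.cache[key]  # served from cache; downstream is never contacted
        service = self.services[service_id]
        if not service.online:
            raise ConnectionError(f"{service.name} is offline")
        result = reconstruct(service.sessions[session_id], self.settings)
        self.cache[key] = result
        return result

    def clear_cache(self, service_ids=None):
        """Clear the cache for the given service IDs, or for all services."""
        if service_ids is None:
            self.cache.clear()
        else:
            drop = set(service_ids)
            self.cache = {k: v for k, v in self.cache.items() if k[0] not in drop}


def demo():
    """Walk through the stale-cache cases; returns what an analyst would see at each step."""
    seen = {}
    packets = [b"GET /", b" HTTP", b"/1.1\r\n", b"Host: x"]  # constructed sample session
    tight = ReconstructionSettings(max_packets=3, max_bytes=10)
    seen["limited"] = reconstruct(packets, tight)                          # cut at 10 bytes
    seen["unlimited"] = reconstruct(packets, ReconstructionSettings(0, 0))  # nothing bounds it

    decoder = Downstream("decoder1", sessions={7: packets})
    broker = Broker(tight)
    broker.add_service("svc-1", decoder)
    seen["first"] = broker.reconstruct_session("svc-1", 7)          # fetched, then cached
    decoder.reset({7: [b"POST /"]})                                  # downstream data reset
    seen["after_reset"] = broker.reconstruct_session("svc-1", 7)    # stale: old payload
    decoder.online = False
    seen["offline_cached"] = broker.reconstruct_session("svc-1", 7)  # still shown from cache
    broker.clear_cache(["svc-1"])
    try:
        broker.reconstruct_session("svc-1", 7)
        seen["offline_cleared"] = "no error"
    except ConnectionError as exc:
        seen["offline_cleared"] = str(exc)                            # outage now visible
    decoder.online = True
    seen["refetched"] = broker.reconstruct_session("svc-1", 7)      # matches real content

    # Service ID reuse: a different service is registered under the same ID.
    broker.remove_service("svc-1")
    broker.add_service("svc-1", Downstream("decoder2", sessions={7: [b"other"]}))
    seen["reused_id_stale"] = broker.reconstruct_session("svc-1", 7)  # decoder1's data
    broker.clear_cache()
    seen["reused_id_fresh"] = broker.reconstruct_session("svc-1", 7)  # decoder2's data
    return seen
```

Running `demo()` shows the order of events an administrator should expect: a reset or a reused ID silently yields the previous content until the cache is cleared, and an offline Decoder only surfaces as an error after the clear, which is the behaviour the bullet list above describes.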