Context Hub: Configure Live Connect Data Source

Document created by RSA Information Design and Development on Jun 26, 2017
Version 1

This topic describes the procedure to configure the Live Connect data source for Context Hub.

RSA Live Connect is a cloud-based threat intelligence service. This service collects, analyzes, and assesses threat intelligence data such as IP addresses, domains, and files collected from various sources, including the RSA Security Analytics and RSA ECAT customer community.

RSA Live Connect is a part of Live Services and can be configured from the System View > Live Services Configuration panel. For more information about configuring Live Services, see the Configure Live Services Settings topic in the System Configuration Guide.

RSA Live Connect Threat Insights lets analysts pull threat intelligence data, such as IP-related information, from the Live Connect service for use during the investigation process. By default, Threat Insights is enabled in Additional Live Services. If the Context Hub service is configured, Live Connect is automatically added as a data source for Context Hub.

Procedures

Add Live Connect Data Source

Prerequisites

Ensure that:

  • Context Hub is enabled and the service is available in the Administration > Services view of Security Analytics.
  • An RSA Live Account is available.

Note: To create a Live Account, see the Step 1. Create Live Account topic in the Live Services Management Guide.

By default, Threat Insights is enabled in the Additional Live Services section. Before setting up the Live Connect data source, make sure that you have signed in to your Live Account with your Live Account credentials and that Context Hub is enabled. Live Connect is automatically added as a data source for Context Hub.

For information about configuring Live Account and Live Services, see the Configure Live Services Settings topic in the System Configuration Guide.

For information about configuring Context Hub service, see the Step 1. Add the Context Hub Service topic in the Context Hub Configuration Guide.

Enable/Disable Live Connect Data Source

To enable/disable Live Connect data source for Context Hub:

  1. In the Security Analytics menu, select Administration > System.
  2. In the left navigation pane, select Live Services.
  3. In the Additional Live Services section, enable Threat Insights.
  4. Click Apply.
    Live Connect data source is enabled for Context Hub service.
  5. To verify, go to the Data Sources tab and view the available sources.
    The Live Connect source must appear in the list of available sources, and the Enabled field must show a solid green circle.
  6. To disable the Live Connect data source, disable Threat Insights in the Additional Live Services panel and click Apply.
    Live Connect data source is disabled for Context Hub service.

Note: If Threat Insights is disabled, the Context Lookup panel for Live Connect (in the Investigation Navigate view and Events view) displays a message to configure the Live Connect data source. To view contextual data for Live Connect, you must enable Threat Insights.

Edit Live Connect Data Source Settings

To edit the Live Connect data source for Context Hub:

  1. In the Security Analytics menu, select Administration > Services.
    The Services view is displayed.
  2. In the Services panel, select the Context Hub service, and select the actions icon (ic-actns.png) > View > Config.
    The Services Config view is displayed.
  3. In the Data Sources tab, select the Live Connect data source and click
    The Edit Data Source dialog is displayed.
  4. Edit the required fields:

    | Field | Description |
    |---|---|
    | Max. Concurrent Queries | You can configure the maximum number of concurrent queries defined by the Context Hub service to be run against the configured data sources. The default value is 25. |

  5. To edit the Live Connection and Proxy settings, do the following:

    • To edit the Live Connection settings, see the Live Services Configuration Panel topic in the System Configuration Guide.

    • To edit the proxy settings, see the HTTP Proxy Settings Panel topic in the System Configuration Guide.

  6. Click Test Connection to test the connection between Context Hub and the data source.

  7. Click Save to save the settings.

Configure Responses for Live Connect Data Source

To view/edit responses for Live Connect data source:

  1. In the Data Sources tab, select the Live Connect source and click the icon (ic-actns2.png).
    The Configure Live Connect Responses dialog is displayed.
  2. Configure the following fields:

    | Field | Description |
    |---|---|
    | Enable | This option is enabled by default (checked) and cannot be modified. |
    | Use Cache | Select the checkbox to enable response caching. When enabled, Context Hub stores the lookup results in cache. Subsequent requests for the same meta value are served from cache for the configured time (Cache Expiration). This option is enabled by default (checked). |
    | Cache Expiration | The time (in minutes) that the lookup results are stored in cache after Context Lookup is performed. The default value is 30 minutes. |

  3. Click Save to save the settings for Live Connect data source.

Next steps 

After completing the configuration, you can use the Context Lookup option in Investigate > Navigate view or Investigation > Events view to fetch contextual information. For instructions, see the View Additional Context for a Data Point topic in the Investigation and Malware Analysis Guide.
