Warehouse Analytics: Step 3. Configure Warehouse Analytics Models

Note: Warehouse Analytics is not supported in Netwitness Suite 11.0 or later.

The Warehouse Analytics models are available on Live and must be imported and defined as Warehouse Analytics jobs before you generate reports.

Deploy Warehouse Models from Live

You can download a Warehouse Analytics model from the RSA Live Server and deploy it on NetWitness Suite. For more information, see Live Content View and Live Resource View.

Prerequisites

Ensure that:

• You have created a Live Account. For more information, see "Create Live Account" in the Live Services Management Guide.
• You have configured the connection and synchronization between the CMS server and NetWitness Suite. For more information, see "Set Up Live on NetWitness Suite" in the Live Services Management Guide.

Deploy Warehouse Analytics Models

1. Search a Warehouse Analytics Model.

   1. Select Configure > Live Content.

   2. In the Search Criteria panel, specify the search criteria. In the Resource Types field, select Advanced Analytics (Warehouse).

      

   3. Click Search.

      The Warehouse Analytics models are listed as shown in the Matching Resources panel.
      

2. Select the desired resource and click .

   The Deployment Wizard page is displayed.

   

3. Click Next.

   The Services page is displayed.

   

   The Services page contains the following two tabs and columns are a subset of the ones available in the Admin > Services View.

   • Services tab: List of individual services.
   • Groups tab: Groups of services.

4. Click Next.

   The Review tab is displayed.

   

   Note: Make sure that you have selected the correct resources and the services to which you want to deploy them.

5. Click Deploy to initiate the Live deployment.

   The Deploy tab is displayed with the progress bar that indicates the Live deployment status.

   If you try to deploy resources and services that are not compatible, NetWitness Suite displays to review the errors and you can click to review the errors and re-attempt the deployment.

   After the deployment completes, the following message is displayed and the bar turns green: Live deployment task finished successfully. 

   

6. Click Close.

Create Jobs and Run Scheduled Jobs

After you import Warehouse Analytics models from the RSA Live, you must create a job and schedule it.

Note: It is recommended that you always deploy Warehouse Analytics models from Live.

1. Select Monitor > Reports.

   The Manage tab is displayed.

2. Click Warehouse Analytics.

   The Warehouse Analytics view is displayed.

   

3. In the Warehouse Analytics toolbar, click .

   The Job definition tab is displayed. For more information, see Job Definition View.

   

4. To run the jobs as per the schedule, select Enable checkbox.
5. In the Name field, enter a name for the job configuration.

6. From the Model field, click Browse and select the jar file to be imported.

7. From the Warehouse field, select the data source created in the Reporting Engine configuration page. (For example, Horton Works or MapR).

8. From the On drop down list, select the type of run schedule (Past or Range):

   • To run the query based on Past days, select the specific number of days.
   • To run the query based on specific time range, specify the From and To date from the calendar.

9. In the Advanced Options field, do the following:

   • In the Model Params field, enter the Warehouse Analytics model or job parameters from the List Selection window. You can also select whitelists, for more information, see Use Whitelists in Warehouse Analytics Jobs.
   • In the HDFS Params field, enter the HDFS configuration parameters.
   • In the MapReduce Params field, enter the Hadoop or MapR configuration parameters.
   • In the SandBox JVM Params field, enter the JVM or -D system parameters for JVM executing Warehouse Analytics model.

   Note: On uploading the job, several important parameters are automatically populated. If the parameters are not specified, the job runs with the default values.

10. Click Save.

    The Warehouse Analytics runs the job as scheduled and provides the configured outputs.

Use Whitelists in Warehouse Analytics Jobs

You can use whitelists in Warehouse Analytics jobs so that non-suspicious domains can be ignored while processing. You can use whitelists only for the Suspicious Domains and Suspicious DNS Activity reports.

Ensure that:

• You have created the whitelist. For example, a list of domains that are confirmed to not be suspicious or a whitelist of domains on which no DNS activities occur. For more information on creating a list, see the Create Lists and List Groups topic in the Reporting Guide.
  
• You have downloaded the Warehouse Analytics Jobs from the Live Server. For more information, see Configure Reports for Warehouse Analytics.

To Use Whitelists, perform the following steps.

1. Select Monitor >Reports.
   The Manage tab is displayed.
2. Click Warehouse Analytics.
   
   The Warehouse Analytics view is displayed.
   
3. In the Warehouse Analytics toolbar, click .
   The Job definition tab is displayed.
4. Create jobs and schedule them if needed. For more information, see Configure Reports for Warehouse Analytics.
5. In the Model Params field under Advance Options panel, enter the parameters to include the Whitelist.
   • For Suspicious Domains model, enter the parameter name as model.suspiciousDomains.whiteList.file and select the list using . For more information, see Analysing a Suspicious Domains Report section in Analyze Warehouse Analytics Reports.
   • For Suspicious DNS Activity model, enter the parameter name as model.dns.whiteList.file and select the list using . For more information, see Analysing a Suspicious DNS Activity Report section in Analyze Warehouse Analytics Reports.  

   

6. Click Save.
   The Warehouse Analytics runs the job scheduled and provides the configured outputs. You can view the scheduled job on the Warehouse Analytics view.