Warehouse Analytics: Live Search View

Document created by RSA Information Design and Development on Sep 11, 2017•Last modified by RSA Information Design and Development on Apr 2, 2018

Version 6Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Live Content View

Note: Warehouse Analytics is not supported in Netwitness Suite 11.0 or later.

You must import the Warehouse Analytics models from the RSA Live and define and schedule jobs for generating reports. In the Live Content view you can browse the configured Live CMS for resources. Once matching resources are found, you can view details, subscribe to resources, and deploy resources to services and service groups.

Workflow

This workflow is overview of the entire procedure to access Warehouse data and generating reports for analyzing and investigating indicators of compromise (IOC).

What do you want to do?

Role	I want to ...	Show me how
Administrator	Access Warehouse Data	Configure Reporting Engine to Access Warehouse Data
Administrator	Configure Reports for Warehouse Data	Deploy Warehouse Models from Live* in Configure Reports for Warehouse Analytics
Administrator	Manage a Warehouse Analytics Job	Manage Reports for Warehouse Analytics
Threat Analyst	View and analyze a Report	Analyze Warehouse Analytics Reports
Threat Analyst	Investigate a Report	Investigation from Warehouse Analytics Reports

*You can complete these tasks here (that is in the Live Content view).

Quick Look

This is an example of the Live Content view.

The Live Search view has a panel for specifying search criteria and a panel that displays matching resources. The Search Criteria panel is collapsible to provide more width for viewing the Matching Resources panel.

Search Criteria Panel

This is an example of the Search Criteria panel.

The following table provides descriptions of the Search Criteria panel features.

Feature	Description
Keyword(s)	Enter a keyword or keywords to browse for resources that have the keyword in the resource name or the resource description. You can use wildcards when you enter a keyword.
Resource Types	Select resources types from the drop-down list to filter resources by type of resource. Possible values are: Advanced Analytics (Warehouse) RSA Application Rule RSA CEP Module RSA Content RSA Correlation Rule RSA Event Stream Analysis Rule RSA Feed RSA FlexParser RSA Investigator Custom Action RSA Log Collector RSA Log Device RSA Lua Parser RSA Malware Rules RSA Meta Key RSA NetWitness Suite List RSA NetWitness Suite Report RSA NetWitness Suite Rule RSA Source Document
Medium	Select one or more mediums from the drop-down list to search for content based on the meta data source. Available values for medium are as follows: log: applied to content that uses meta derived from log data packet: applied to content that uses meta derived from network packets log and packet: applied to content that correlates meta derived across log and packet data
Tags	Select meta tags from the drop-down list to browse based on how the meta is tagged. For example, to browse resources for a Log Decoder, select the netwitness for logs tag. Alternatively, you can click a tag in the Matching Resources panel to insert that tag in this field.
Required Meta Keys	Enter a specific meta key; for example, threat.source. Alternatively, you can click a meta key in the Matching Resources panel to insert that tag in this field.
Generated Meta Values	Enter a generated meta value; for example, netwitness. Alternatively, you can click a generated meta key in the Matching Resources panel to insert that tag in this field.
Research Created Date	Specify a date range during which resources were created. For example, to browse resources that were created between January 1 and January 4, you select January 1 as the start date and January 4 as the end date. You must enter dates in mm/dd/yyyy format or you click and pick dates from a calendar.
Research Modified Date	Specify a date range during which resources were modified. For example, to browse resources that were modified between January 1 and January 4, you select January 1 as the start date and January 4 as the end date. You must enter dates in mm/dd/yyyy format or you click and pick dates from a calendar.
Search	Sends the search request to the Live server. More specific search criteria return matching resources more quickly.
Cancel	Cancels the search in progress.

Matching Resources Panel

The Matching Resources panel presents search results based on the selections made in the Search Criteria panel. Results are initially displayed in a grid, but you can switch between two Show Results options: Detailed or Grid.

Detailed Results

In the detailed results, you can click a tag, meta key, or resource meta value to auto fill the Search Criteria panel and pivot the search results.

The following table describes the elements in the detailed results.

Feature	Description
Resource Type Icon	Graphic representation of the resource type. For example .
Name	Identify and labels the resource, for example, Group Management.
Type	Describes type of the resource, for example, Rule.
Updated	Displays the date the resource was last updated, for example, 2015-09-15 4:27 PM.
Version	Displys the version of the resource, for example, 0.1.
Size	Displays the size of the resource, for example, 153 B.
Subscribed	Displays subscription status: yes: This NetWitness Suite instance is subscribed to this content resource. no: This NetWitness Suite instance has not subscribed to this content resource.
Description	Displays the resource, for example, Compliance Rule-Group Management.
Tags	Displays tags that apply to the resource. Clicking a tag narrows the search to resources with that tag. For example, .
Meta Keys	Displays the meta keys that apply to the resource. Clicking a meta key narrows the search to resources with that meta key. For example, .
Resource Meta Values	Displays the meta values generated by the resource. Clicking a meta value narrows the search to resources that generated the meta value. For example, .

Grid Results

In the grid view, you can select one or more resources and use additional options in the toolbar to view the details of a single resource, subscribe to resources, and deploy resources.

The following table describes the elements in the grid results.

Feature	Description
Grid
Subscribed	Displays subscription status: yes: This NetWitness Suite instance is subscribed to this content resource. no: This NetWitness Suite instance has not subscribed to this content resource.
Name	Identify and labels the resource, for example, Group Management.
Created	Displays the date the resource was created, for example, 2015-08-12 3:11 PM.
Updated	Displays the date the resource was last updated, for example, 2015-09-15 4:27 PM.
Type	Displays the type of the resource, for example, Rule.
Description	Displays the resource, for example, Compliance Rule-Group Management.
Toolbar
	Offers two ways to view search results: Detailed and Grid.
	Applies to a single selected resource. Clicking Details opens the selected resource in the Live Resource view.
	Applies to one or more selected resources.
	Applies to one or more selected resources. Clicking Subscribe opens a dialog that asks for confirmation that you want to receive notification when the selected resources are updated.
	Offers two packaging functions for the selected resources: Create: creates a resourceBundle.zip file that contains the selected resources and opens a dialog in which you can either: open the file, or save the file for subsequent deployment. Deploy: opens the Deployment Wizard, in which you can choose a resourceBundle.zip file and deploy it.