The Live Feedback Activity Log enables you to download the usage data required for Live Feedback. After you download the Live Feedback data, you can then upload it to share with RSA.
in the Additional Live Services section.
Additional Live Services
Live Feedback is intended to help improve RSA NetWitness Platform.
Once you set up and configure a Live account, usage data is automatically shared with RSA and is protected in accordance with the applicable license agreement. All such data shall be anonymized and shall not have any Personally Identifiable Information.
Before data is sent to RSA, all Personally Identifiable Information is removed, so only anonymous usage data is transferred to RSA.
For more information, see the "Live Feedback Overview" topic in the System Configuration Guide.
RSA Live Connect
RSA Live Connect is a cloud-based threat intelligence service. This service collects, analyzes, and assesses threat intelligence data such as IP addresses, domains, and files collected from various sources, including the RSA NetWitness Platform and RSA NetWitness Endpoint customer community.
RSA Live Connect consists of the following features:
- Threat Insights
- Analyst Behaviors
Threat Insights lets analysts pull threat intelligence data, such as IP-related information, from the Live Connect service for use during an investigation.
By default, Threat Insights is enabled in the Additional Live Services section. If the Context Hub service is configured, Live Connect is automatically added as a data source for Context Hub. For more information, see the "Configure Live Connect Data Source for Context Hub" topic in the Context Hub Configuration Guide.
With Live Connect as a data source for Context Hub, you can use the Context Lookup option in the Investigate > Navigate view or Investigate > Events view to fetch contextual information. For more information, see the "Look Up Additional Context in the Navigate and Events Views" topic in the Investigate User Guide.
Analyst Behaviors is a feature where analysts participate in sharing data with the RSA community. This is an automated data collection service. Its goal is to share potential threat intelligence data with the RSA Live Connect cloud service for analysis. The type of data that could be shared from your network to RSA Live Connect includes various types of metadata captured by NetWitness Platform, such as ip.src, ip.dst, ip.addr, device.ip, alias.ip, alias.host, paddr, sessionid, domain.dst, and domain.src.
Live Connect Threat Data Sharing has been developed as a community-based threat intelligence sharing platform.
It has the following characteristics and goals:
- Crowd-sourced: the RSA community contributes to the entire collection of intelligence
- Centrally collect and analyze data from the RSA community
- Reduce the intelligence cycle time from days to minutes
Some details to consider:
- We are leveraging analyst investigation activity
- We are harvesting metadata such as IP addresses and domain names
- We are doing deep data analysis: Trending, correlation, anomaly detection
- Remember, this feature is currently in Beta
File Reputation service provides instant access to the latest signatures via the RSA Live feed so data is more relevant, with fewer false positives. With this service, users always have reliable data about the reputation of files in their NetWitness Endpoint system. In addition to the whitelisting service, it provides blacklisting information as well.
Participation in RSA Live Connect
On install or upgrade to NetWitness Platform 11.x, a confirmation screen is displayed. You are presented with a New Features Enabled dialog box, where you can enable or disable Threat Insights and Analyst Behaviors.
Authentication for the program is done in the NetWitness Platform UI, where you configure the Live account in the Live services section.
Data is collected as follows:
- Data Attribution: Anonymous
- Data Source: Subset of meta keys and meta values of a NetWitness Platform analyst's page views from the NetWitness Platform Core Query logs.
Query Log Harvesting Process:
- Timing: Batch mode every 24 hours (4 AM – 6 AM UTC)
- Log Collection: NetWitness Platform server collects NetWitness Platform core device log entries for the previous 24 hours
- Log Entries: Only SDK-Value and SDK-Query API calls that contain a where clause are collected
- Log Attribute Parsing: Each entry must have one of the following meta key indicators present: ip.src, ip.dst, ip.addr, device.ip, alias.ip, alias.host, paddr, sessionid, domain.dst, or domain.src. If so, meta keys and meta values from the entry will be collected.
The log report is sent in JSON format, over SSL. It contains:
- Live CMS username (sha256)
- NetWitness Platform license server ID (sha256)
- List of SA endpoint IDs (sha256)
- Harvested meta values (MD5 and SHA256 hashed)
This section lists entries from a log, and then the corresponding section of extrapolated data.
Section from a log file:
User admin (session 204298, 10.4.50.60:57454) has issued values (channel 205237) (thread 2332): fieldName=filter id1=1 id2=23138902 threshold=100000 size=20 flags=sessions,sort-total,order-descending,ignore-cache where="(alias.host = 'mail.google.com') && (ip.src = 220.127.116.11) && time=\"2015-12-07 18:08:00\"-\"2015-12-07 21:07:59\""
Data extrapolation with hashing:
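The following Python script is an added illustration of the harvesting and hashing steps described above; it is not RSA's code. It assumes that "has issued values"/"has issued query" lines are the SDK-Value/SDK-Query calls, and the JSON field names in the report are this example's own choice. The sample log lines are constructed from the entry shown above.

```python
import hashlib
import json
import re

# Constructed sample lines modelled on the log entry shown above (not real captures).
SAMPLE_LOG = [
    "User admin (session 204298, 10.4.50.60:57454) has issued values (channel 205237) (thread 2332): "
    "fieldName=filter id1=1 id2=23138902 threshold=100000 size=20 flags=sessions,sort-total "
    "where=\"(alias.host = 'mail.google.com') && (ip.src = 220.127.116.11) && "
    "time=\\\"2015-12-07 18:08:00\\\"-\\\"2015-12-07 21:07:59\\\"\"",
    # No where clause: not harvested.
    "User admin (session 204298, 10.4.50.60:57454) has issued values (channel 205238): fieldName=action size=20",
    # Where clause present but none of the indicator meta keys: not harvested.
    "User analyst (session 204300, 10.4.50.61:57460) has issued values (channel 205240): where=\"(action = 'get')\"",
]

INDICATOR_KEYS = {"ip.src", "ip.dst", "ip.addr", "device.ip", "alias.ip", "alias.host",
                  "paddr", "sessionid", "domain.dst", "domain.src"}
WHERE_RE = re.compile(r'where="((?:[^"\\]|\\.)*)"')                          # where clause, honouring \" escapes
TERM_RE = re.compile(r"([a-z][\w.]*)\s*=\s*(?:'([^']*)'|([^\s()'\"\\&|]+))")  # key = 'quoted' | bare

def harvest_entry(entry):
    """Return {meta_key: [values]} for an eligible values/query call, else None."""
    if not re.search(r"has issued (values|query)", entry):  # taken as SDK-Value/SDK-Query (assumption)
        return None
    m = WHERE_RE.search(entry)
    if m is None:
        return None
    found = {}
    for key, quoted, bare in TERM_RE.findall(m.group(1)):  # the time range has neither form, so it is skipped
        found.setdefault(key, []).append(quoted or bare)
    return found if not INDICATOR_KEYS.isdisjoint(found) else None

def hash_value(value):
    data = value.encode("utf-8")
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}

def build_report(log_lines, cms_username, license_server_id, endpoint_ids):
    """Report dict ready for json.dumps; identities as SHA-256, meta values as MD5 and SHA-256."""
    sha = lambda s: hashlib.sha256(s.encode("utf-8")).hexdigest()
    meta = [{"key": k, **hash_value(v)}
            for line in log_lines for k, vs in (harvest_entry(line) or {}).items() for v in vs]
    return {"cms_user": sha(cms_username), "license_server_id": sha(license_server_id),
            "endpoint_ids": [sha(e) for e in endpoint_ids], "meta": meta}

if __name__ == "__main__":
    print(json.dumps(build_report(SAMPLE_LOG, "live-user", "license-0001", ["sa-ep-1"]), indent=2))
```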