ESA Config: Configure the Whois Lookup Service

Document created by RSA Information Design and Development Employee on Sep 13, 2017. Last modified by RSA Information Design and Development Employee on Jan 30, 2020.
Version 11

The RSA NetWitness Platform Automated Threat Detection functionality enables you to automatically analyze data sources by using preconfigured ESA Analytics modules. An ESA Analytics module is a pipeline composed of activity objects that enrich an event with additional information through mathematical computations. ESA Analytics services process these modules to identify advanced threats.

The Whois Lookup service configuration is required for the Suspicious Domains modules.

Note: (Important) RSA strongly recommends that you configure the Whois Lookup service for accuracy in Automated Threat Detection scoring.


  • You must have an RSA Live account to use the Whois Lookup service.
  • The ESA Analytics Server service must be available (shows a green circle) in the Admin > Services view.

If you configured a Live account in the Live Services panel (Admin > System > Live Services), the Whois Lookup Service is automatically configured for you. You only need to check the connection of the Whois Lookup service.

Note: If you do not have an RSA Live account, you can create one at the RSA Live Registration Portal:
The Live Services Management Guide provides additional information.

To configure the Whois Lookup service:

  1. Go to Admin > System.
  2. In the options panel, select Whois.
  3. In the Whois Lookup Service Configuration panel, check to see if the Whois Lookup service is connected. At the bottom of the panel, a connected service shows a green circle next to Connected.
    If it is connected, you are finished with the configuration and you can skip the remaining steps. To adjust the advanced settings, go to step 5.
    If the service is not connected, continue to step 4.
  4. In the Live Username and Live Password fields, enter your RSA Live account credentials to access the RSA Whois server.
  5. If necessary, you can adjust the advanced settings. However, RSA recommends that you use the default values. Whois Lookup Service Configuration provides additional details.
  6. To test your connection, click Test Connection.
    A successful connection shows a green circle next to Connected.
  7. Click Apply to save your changes.
