The RSA NetWitness Platform Automated Threat Detection functionality enables you to automatically analyze data sources by using preconfigured ESA Analytics modules. An ESA Analytics module is a pipeline composed of activity objects that enrich an event with additional information through mathematical computations. ESA Analytics services process these modules to identify advanced threats.
The Whois Lookup service configuration is required for the Suspicious Domains modules.
- You must have an RSA Live account to use the Whois Lookup service.
- The ESA Analytics Server service must be available (shows a green circle) in the Admin > Services view.
If you configured a Live account in the Live Services panel (Admin > System > Live Services), the Whois Lookup Service is automatically configured for you. You only need to check the connection of the Whois Lookup service.
To configure the Whois Lookup service:
1. Go to Admin > System.
2. In the options panel, select Whois.
3. In the Whois Lookup Service Configuration panel, check to see if the Whois Lookup service is connected. At the bottom of the panel, a connected service shows a green circle next to Connected.
   If it is connected, you are finished with the configuration and you can skip the remaining steps. To adjust the advanced settings, go to step 5.
   If the service is not connected, continue to step 4.
4. In the Live Username and Live Password fields, enter your RSA Live account credentials to access the RSA Whois server.
5. If necessary, you can adjust the advanced settings. However, RSA recommends that you use the default values. Whois Lookup Service Configuration provides additional details.
6. To test your connection, click Test Connection.
   A successful connection shows a green circle next to Connected.
7. Click Apply to save your changes.