ESA Config: Whois Lookup Service Configuration

Document created by RSA Information Design and Development on Sep 13, 2017. Last modified by RSA Information Design and Development on Oct 4, 2017.
Version 5

In the Whois Lookup Configuration panel (ADMIN > System > Whois), you configure the connection to the Whois Lookup service used by the preconfigured ESA Analytics modules in RSA Automated Threat Detection. The Whois service supplies accurate registration data about the domains your hosts connect to. Because this data feeds the module scoring, configure the Whois service settings to ensure effective scoring.

You must have an RSA Live account to use this service.

If you configured a Live account in the Live Services panel (ADMIN > System > Live Services), the Whois Lookup Service is automatically configured for you. You just need to check the connection of the Whois Lookup service.

Note: If you do not have an RSA Live account, you can create one at the RSA Live Registration Portal:
https://cms.netwitness.com/registration/
The Live Services Management Guide provides additional information.

What do you want to do?

Role          | I want to ...                                     | Show me how
Administrator | Configure the Whois Lookup service.               | Configure the Whois Lookup Service
Administrator | Check the connection of the Whois Lookup service. | Configure the Whois Lookup Service

Whois Lookup Service Configuration

To access the Whois Lookup Service Configuration, go to ADMIN > System and in the options panel, select Whois.

The ESA Analytics Server service must be available (shows a green circle) in the ADMIN > Services view. If you do not have an ESA Analytics Server service available, you will see the following panel.

Whois Lookup Service panel with no ESA Analytics service available

If you have an ESA Analytics Server service available, you will see the following panel.

Whois Lookup Service Configuration panel

The following table describes the Whois Lookup Service configuration settings. Each entry lists the parameter, its description, and its default value.

Live Username

Required only if you did not already configure the Whois Lookup service. Enter the authentication credential for the RSA Whois Server. This is the same as your RSA Live User ID. If you have not configured an RSA Live account, you will need to do so.

The default value is "whois".

Live Password

Required only if you did not already configure the Whois Lookup service. Enter the authentication credential for the RSA Whois Server. This is the same as your RSA Live password. If you have not configured an RSA Live account, you will need to do so.

The default value is null.

Allowed Requests

(Optional) Enter how many queries you want to allow before the Whois service starts throttling. This parameter works with Allowed Requests Interval (in seconds), which sets the window over which the queries are counted. For example, if you set Allowed Requests to 100 and Allowed Requests Interval to 60, you are allowed 100 requests in any 60-second interval.

The default value is 100.

Allowed Requests Interval

(Optional) If you set the Allowed Requests parameter, you also need to configure this setting to determine the interval. This value should be tuned for your environment.

The default setting is 60 seconds.

Queue Max Size

(Optional) Specify the maximum size of the queue of domains whose information will be requested from the RSA Whois Service.

The default is 100,000.

Cache Max Size

(Optional) Specify the maximum number of cached Whois entries. Once this limit is reached, the least recently used entry will be removed to accommodate a new entry.

The default is 50,000.

Refresh Interval Days

(Optional) Specify the number of days for the refresh interval. If requested Whois information is found in the cache, and the cache entry has been there for more than the specified number of days, the entry is removed from the cache and the domain returned to the queue to be looked up. (The cache entry is returned for the request that identified it as stale.)

The default setting is 30 days.

Wait For HTTP Request

(Optional) Requires that the ESA wait for the Whois service to respond before it can complete running the module. This ensures that the Whois data is always included in the results, but it can negatively impact performance as the ESA pauses up to 30 seconds to wait for the Whois service response.

If you do not configure this setting, and the response time is slow, the ESA completes running the analysis for a given event without the Whois data, and calculates the score without the data.

The default setting is true.

Query URL

(Optional) Enter the URL to obtain Whois data from the RSA Whois service. The trailing slash ('/') is required. Otherwise, requests will fail.

The default value is: https://cms.netwitness.com/whois/v2/query/

Authentication URL

(Optional) Enter the URL to obtain authentication tokens from the RSA Whois service.

The default value is: https://cms.netwitness.com/authlive/authenticate/WHOIS
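The following Python class is an added example, not RSA's code, that models how the queue, cache, refresh-interval and throttle settings described above interact: a bounded lookup queue, an LRU cache bounded by Cache Max Size, stale entries that are returned once and requeued after Refresh Interval Days, and a sliding window of Allowed Requests per Allowed Requests Interval. The class name, the drop-when-the-queue-is-full behaviour and the injectable clock are assumptions; the default values are the page's.

```python
import time
from collections import OrderedDict, deque

class WhoisLookupModel:
    # Models how the documented settings interact; defaults mirror the page, clock is injectable.
    def __init__(self, allowed_requests=100, allowed_requests_interval=60,
                 queue_max_size=100_000, cache_max_size=50_000,
                 refresh_interval_days=30, clock=time.time):
        self.allowed_requests, self.interval = allowed_requests, allowed_requests_interval
        self.queue_max, self.cache_max = queue_max_size, cache_max_size
        self.refresh_secs, self.clock = refresh_interval_days * 86400, clock
        self.queue = deque()        # domains waiting to be sent to the Whois service
        self.cache = OrderedDict()  # domain -> (record, cached_at); least recently used first
        self.sent_at = deque()      # send timestamps inside the throttle window

    def lookup(self, domain):
        # Hit: return the record and mark it most recently used. Miss: queue the domain.
        # Stale (older than Refresh Interval Days): evict and requeue, but still return
        # the old record to the request that found it stale, as the page describes.
        entry = self.cache.get(domain)
        if entry is None:
            self.enqueue(domain)
            return None
        record, cached_at = entry
        if self.clock() - cached_at > self.refresh_secs:
            del self.cache[domain]
            self.enqueue(domain)
            return record
        self.cache.move_to_end(domain)
        return record

    def enqueue(self, domain):
        # Queue Max Size bounds pending lookups. The page does not say what happens
        # when the queue is full; this model (an assumption) drops the domain.
        if len(self.queue) >= self.queue_max:
            return False
        self.queue.append(domain)
        return True

    def can_send(self):
        # Sliding window: at most Allowed Requests sends in any Allowed Requests Interval
        # seconds, matching the page's 100-requests-per-60-seconds example.
        now = self.clock()
        while self.sent_at and now - self.sent_at[0] >= self.interval:
            self.sent_at.popleft()
        return len(self.sent_at) < self.allowed_requests

    def store(self, domain, record):
        # Record the send and cache the result, evicting the LRU entry at Cache Max Size.
        self.sent_at.append(self.clock())
        if len(self.cache) >= self.cache_max:
            self.cache.popitem(last=False)
        self.cache[domain] = (record, self.clock())
```

Driving the model with a fake clock shows why Wait For HTTP Request matters: a throttled or queued domain yields no record for the current event, so the module scores without Whois data unless it waits.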
