NW Cfg: Live Feedback Overview

Document created by RSA Information Design and Development on Sep 14, 2017. Last modified by RSA Information Design and Development on Oct 13, 2017.
Version 8


This topic provides an introduction to Live Feedback. Live Feedback collects relevant information such as the licensing usage data for Packet Decoder, Log Decoder and Malware Analysis, the Threat Detection Enabled or Disabled status, the number of enabled ESA rules, and version number details of all the services of NetWitness Suite. For more information about the licensing usage data for Packet Decoder, Log Decoder and Malware Analysis, see the Metered Licenses Tab topic in the Licensing Guide. The information is collected to improve future releases of NetWitness Suite. You will automatically be signed on to Live Feedback and you cannot disable this option.

In addition, information on Live Content usage can also be shared with RSA. Live Content usage metrics for resource types from CONFIGURE > LIVE CONTENT > Search Criteria, such as the total count of RSA Application Rule, RSA Correlation Rule, etc., can be shared with RSA. The information collected is used to improve the use of Live Content. For more information about sharing live content configuration, see Live Services Configuration Panel.

About Live Feedback Participation

When you participate in Live Feedback, it collects relevant information for further improvement. For information on Live Feedback, see Live Feedback Overview.

When you install NetWitness Suite, you will be prompted to participate in Live Feedback. For information, see Configure Live Services Settings.

If needed, you can manually download historical usage data and share it with RSA. For information on how to download historical usage data and share it with RSA, see Upload Data to RSA for Live Feedback.

Note: Live Feedback is activated only if you have configured your Live account.

The Live Feedback data is in JSON format, as described below. When you sign up with your Live Account credentials, a single encrypted JSON file is automatically uploaded to the RSA servers every day.

JSON File

The JSON file consists of usage data information for a component or a set of components. In the case of a set of components with the same license id, the usage data for all the components is aggregated and represented as a component called Entitlement. However, even if there is a single component such as a log decoder or decoder, an Entitlement component will be generated and will display the usage data for a single component. This aggregation applies to log decoders, decoders or malware analysis components.

Note: The version of Entitlement is always null as it is the aggregate for a license data.

For example, if there are three Decoders with the same license id "xxx" with the following usage data:
Decoder1 = 150 MB
Decoder2 = 250 MB
Decoder3 = 100 MB
The aggregated usage data of 500 MB is displayed.

This JSON file is described in the following sections:

  • Components
  • Metrics
  • Other Product Details
  • Sample

Components

This section contains the details of each service in your NetWitness Suite deployment. Each service is represented as a Component. For each component, the following details are displayed.

                       
Component - Description
Version - Version number of the component in the NetWitness Suite deployment. For example, 11.0.0.0.x.x.x.x.
ID - This is the unique Component ID that represents the host and is used to link to the metrics generated.
Properties:
  • Name - This is the name of the property for that component. For example, malware analysis, ESA, log decoder, etc.
  • Value - This is the unique value to identify the component.

Metrics

This section contains the metrics of the components (hosts), namely log decoder, decoder and malware analysis. The license usage data for each host is shared. For Live Content usage metrics, resource types from Live > Search, such as the total count of RSA Application Rule, RSA Correlation Rule, etc., are shared.

                           
Component - Description
StartTimeUTC - This is the time from when the metrics are collected (in EPOCH format).
Stats:
  • Value - This is the value generated for the specific component ID for each component.
  • Name - This is the name of the statistics for which the metrics are collected. For example, Capture Total Bytes.
EndTimeUTC - This is the time when the metrics collection is complete (in EPOCH format).
Component ID - This is the ID of the component for which the value is recorded.

Other Product Details

  • Product Type - This is the name of the product. In this example, the Product Type is NetWitness Suite.
  • Version - This is the version of the JSON file which tracks the changes made to the file format.
  • Product Instance - This is the License Server ID.
  • Checksum - This is the information which is used for integrity checks.

The following table describes details of the JSON file with examples.

                                                                                                                       
Metrics: Description
Content: Displays the content that contains all the Components, Metrics, Product Type and Product Instance data except Checksum.
Components

The details of all the services in NetWitness Suite are represented as a Component. The details of the component, such as the version number of the component, the name, and the value, are displayed as shown below:

Version: Displays the version of NetWitness Suite service. For example, 11.0.0.0.

ID: Displays a unique ID which is generated for the NetWitness Suite service and is used to link to the metrics for that particular component. In this example, the ID for Malware Analysis is 5 and the metrics are displayed for ComponentId 5 in bytes, as shown below:

Properties: Displays the properties for the component such as name and value as shown in the above figure.

Value: Displays the value of the property, which is an internal UUID for a component, as shown in the above figure. This is generated by NetWitness Suite. For example, for malware analysis the value is displayed as "55f7a0b30e502231c42d063f".

Name: "InstanceId": Displays the name of the property as shown in the above figure.

"Name": "malwareanalysis": Displays the name of the component, which is a service name such as LogDecoder, Decoder, or MalwareAnalysis.

Metrics

Displays the list of the metrics with the usage data for components, namely log decoder, decoder and malware analysis.

In this example, the metrics are displayed for ComponentId 5 in bytes, as shown below.

StartTimeUTC: Displays the time when the metrics are collected, in the EPOCH format.
Stats: Displays the usage value and usage type statistics of the component.
Value: Displays the value of the statistics. For example, "Value": "1582940012678" as shown in the above figure.
Name: Displays the name of the statistics. For example, Capture Total Bytes or Total File bytes.
EndTimeUTC: Displays the time when the metrics collection is complete, in the EPOCH format.

ComponentId: Displays the component id for which the metric values are collected. This is the same as the "ID" in the Components section.

Content: Displays the content that contains all the Components, Metrics, Product Type and Product Instance data except Checksum.

Components

The details of all the services in NetWitness Suite are represented as a Component. The details of the component, such as the version number of the component, the name, and the value, are displayed as shown below:

Version: Displays the version of NetWitness Suite service. For example, 11.0.0.0.

ID: Displays a unique ID which is generated for the NetWitness Suite service and is used to link to the metrics for that particular component. In this example, the ID for Reporting Engine is 6 and the metrics are displayed for ComponentId 6 in Total Count, as shown below:

Properties: Displays the properties for the component such as name and value as shown in the above figure.

Value: Displays the value of the property, which is an internal UUID for a component, as shown in the above figure. This is generated by NetWitness Suite. For example, for Reporting Engine the value is displayed as "57444ddde4b0dd618093064d".

Name: "InstanceId": Displays the name of the property as shown in the above figure.

"Name": "reportingengine": Displays the name of the component, which is a service name such as LogDecoder, Decoder, or ReportingEngine.

Name: Displays the list of the metrics with the usage data for components namely log decoder, decoder and reportingengine.

In this example, the metrics are displayed for ComponentId 6 in bytes, as shown below.

StartTimeUTC: Displays the time when the metrics are collected, in the EPOCH format.

Stats: Displays the usage value and usage type statistics of the component.
Value: Displays the value of the statistics. For example, Number of RE Report is 10, Number of RE Alert is 2, Number of RE chart is 1, etc., as shown in the above figure.
Name: Displays the name of the statistics. For example, Number of RE Report, Number of RE Alert, Number of RE chart, Number of RE Rule, Number of Enabled RE Alert, Number of Enabled RE Chart.
EndTimeUTC: Displays the time when the metrics collection is complete, in the EPOCH format.

ComponentId: Displays the component id for which the metric values are collected. This is the same as the "ID" in the Components section.

ProductType: Displays the product type that generates the file. For example, "ProductType": "NetWitness Suite"

ProductInstance: Displays the License server Id and is unique per NetWitness Suite. For example, "ProductInstance": "00-0C-29-6C-66-E3"

Checksum: Displays the Checksum for the "Content" section in the file. Used by RSA for integrity check. For example, "Checksum": "883DACF97E4BCD9F590A1461A4DD0A312B5883A6CF82E0518E77AAB6A6DDB654"
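
For anyone reviewing what Live Feedback shares, the following added example (not RSA's code and not the page's sample file) joins each Metrics entry to its Component by ID and lists inconsistencies. The JSON nesting, the "Extra" key and every value are assumptions constructed from the field names described above.

```python
import json

# Field names come from this page; the nesting is an assumption and every value
# is constructed sample data, including the deliberately inconsistent entries.
SAMPLE = json.loads("""{
 "Checksum": "PLACEHOLDER",
 "Content": {
  "ProductType": "NetWitness Suite",
  "ProductInstance": "00-00-00-00-00-00",
  "Extra": "constructed field the page does not describe",
  "Components": [
   {"ID": 1, "Name": "Entitlement", "Version": null, "Properties": []},
   {"ID": 5, "Name": "malwareanalysis", "Version": "11.0.0.0",
    "Properties": [{"Name": "InstanceId", "Value": "constructed-id-5"}]}],
  "Metrics": [
   {"ComponentId": 5, "StartTimeUTC": 1507800000, "EndTimeUTC": 1507886400,
    "Stats": [{"Name": "Total File bytes", "Value": "1048576"}]},
   {"ComponentId": 9, "StartTimeUTC": 1507800000, "EndTimeUTC": 1507886400,
    "Stats": [{"Name": "Capture Total Bytes", "Value": "2048"}]}]}}""")

# Content keys this page names; anything else deserves a look before upload.
EXPECTED_CONTENT_KEYS = {"Components", "Metrics", "ProductType", "ProductInstance"}

def audit(doc):
    """Join Metrics to Components by ID; return (usage rows, problems found)."""
    content = doc.get("Content", {})
    problems = [f"unexpected Content key: {key}"
                for key in sorted(set(content) - EXPECTED_CONTENT_KEYS)]
    by_id = {comp["ID"]: comp for comp in content.get("Components", [])}
    for comp in by_id.values():
        # The page notes that the version of an Entitlement is always null.
        if comp.get("Name") == "Entitlement" and comp.get("Version") is not None:
            problems.append(f"Entitlement {comp['ID']} carries a version")
    rows = []
    for metric in content.get("Metrics", []):
        comp = by_id.get(metric["ComponentId"])
        if comp is None:
            problems.append(f"metric for unknown ComponentId {metric['ComponentId']}")
            continue
        if metric["StartTimeUTC"] > metric["EndTimeUTC"]:
            problems.append(f"reversed window for ComponentId {metric['ComponentId']}")
        for stat in metric.get("Stats", []):
            # Stat values are quoted digits in the page's examples, so convert.
            rows.append((comp["Name"], stat["Name"], int(stat["Value"])))
    return rows, problems

if __name__ == "__main__":
    rows, problems = audit(SAMPLE)
    print(rows, problems, sep="\n")
```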

Sample

Here is a sample JSON file.

 
