Options for configuring Live Services are in the System view > Live Services Configuration panel. The Live Configuration panel allows you to configure:
- The Live account.
- The Live Content update schedule and preferences for notification of updates.
- Participation in Live Services Feedback.
- Sharing Live Content Usage
- RSA Live Connect (Beta)
To activate your Live account for NetWitness Platform, please contact RSA Customer Care. When you have a confirmation that your Live account has been set up, you can configure and test the CMS server connection.
The Live Services user interface displays the settings for Live Feedback, Share UEBA Insights, and RSA Live Connect (Beta) options like Threat Insights and Analyst Behaviors.
For information on Analyst Behaviors and Data Sharing, see "NetWitness Platform Feedback and Data Sharing" topic in the Live Services Management Guide.
About Live Feedback Participation
When you participate in Live Feedback, it collects relevant information for further improvement. For information on Live Feedback, see Live Feedback Overview.
When you install NetWitness Platform, you will be prompted to participate in Live Feedback. For information, see Configure Live Services Settings
If needed, you can manually download historical usage data and share it with RSA. For information on how to download historical usage data and share it with RSA, see Upload Data to RSA for Live Feedback.
This topic contains the following procedures:
- Access the Live Services Configuration Panel
- Configure Live Account
- Configure the Live Content Synchronization Interval and Notification
- Force Immediate Synchronization
- Using RSA Live Connect
If you are not signed in with your Live Account credentials, a masked screen is displayed.
After you sign in with the Live Credentials, the screen is displayed without a mask.
In the Live Account section, you must set up the user's Live account. The information needed to set up the user’s Live account consists of the Username, Password, and Live URL for the Content Management System. This information is provided by Customer Care.
To configure a Live account:
In the Live Account section, click Sign In.
In the Live Services Account dialog box, enter the Host (typically cms.netwitness.com) and type your username and password.
- (Optional) If you are using a different CMS, type the host URL for the Content Management System. The default points to the CMS at cms.netwitness.com.
- (Optional) If you are using a different CMS, type the communications port for Live to send requests to the Content Management System. The default for this field is 443, which is the communications port on the Content Management System.
- (Optional) If you do not want to use SSL, uncheck the SSL option. (SSL is enabled by default.)
- Click Test connection to test the connection to CMS.
- To save and apply the configuration, click Apply.
You can change the interval at which NetWitness Platform checks for new updates to Live Content:
- To configure Live Services to send update reports to one or more people, in the Email Addresses field, type the email addresses as a comma-separated list, for example, email@example.com,firstname.lastname@example.org,email@example.com
- (Optional) To receive messages in HTML format rather than plain text, select HTML Format.
To save and apply, click Apply.
The time and date of the next scheduled Live synchronization based on the configured interval for checking is displayed.
Instead of waiting for the next scheduled resource cycle, this option forces Live to begin immediate synchronization of the subscribed resources in this instance of NetWitness Platform. One use for this is to see the immediate impact of a configuration change. For example, a new service has been added, or new resources have been toggled for automatic deployment. The scheduled synchronization could take place hours later if Live Services is set to synchronize a few times a day.
To force immediate synchronization, click Check Now. NetWitness Platform checks for updates in subscribed resources.
Using UEBS Insights
Using the User and Entity Behavior Analytics (UEBA) service the usage metrics is shared which is leveraged for deep analysis to improve and optimize the use of UEBA. The metrics collected are number of alerts created (ADE & output), number of indicators created (ADE & output), number of events processed (input). Customers who wish not to share data, can uncheck this option.
RSA Live Connect is a cloud based threat intelligence service. This service collects, analyzes, and assesses threat intelligence data such as IP addresses, domains, and files collected from various sources including the RSA NetWitness® Platform and RSA NetWitness® Endpoint customer community. RSA Live Connect consists of the following features:
- Threat Insights
- Analyst Behaviors
Threat Insights provides analysts the opportunity to pull threat intelligence data such as IP related information from the Live Connect service to be leveraged by the analysts during investigation.
By default, Threat Insights is enabled in Additional Live Services section. If Context Hub service is configured, Live Connect is automatically added as a data source for Context Hub. For more information, see "Configure Live Connect Data Source for Context Hub" topic in the Context Hub Configuration Guide.
With Live Connect as a data source for context hub, you can use the Context Lookup option in INVESTIGATE > Navigate view or INVESTIGATE > Events view to fetch contextual information. For instructions, see "View Additional Context for a Data Point" topic in the Investigation and Malware Analysis Guide.
Analyst Behaviors is a feature where analysts participate in sharing data to RSA community. This is an automated data collection service. Its goal is to share potential threat intelligence data to the RSA Live Connect cloud service for analysis. The type of data that could be shared from your network to RSA Live Connect includes various types of meta data captured by NetWitness Platform such as ip.src, ip.dst, ip.addr, device.ip, alias.ip, alias.host, paddr, sessionid, domain.dst, domain.src. For information on Analyst Behaviors and Data Sharing, see "NetWitness Platform Feedback and Data Sharing" topic in the Live Services Management Guide.