NW Cfg: Configure Live Services Settings

Document created by RSA Information Design and Development on Sep 14, 2017
Last modified by RSA Information Design and Development on Nov 20, 2019
Version 17
 

Options for configuring Live Services are in the System view > Live Services Configuration panel. The Live Configuration panel allows you to configure:

  • The Live account.
  • The Live Content update schedule and preferences for notification of updates.
  • Participation in Live Services Feedback.
  • Sharing Live Content Usage.
  • RSA Live Connect (Beta).

Prerequisite

To activate your Live account for NetWitness Platform, please contact RSA Customer Care. When you have a confirmation that your Live account has been set up, you can configure and test the CMS server connection.

For information on Analyst Behaviors and Data Sharing, see the "NetWitness Platform Feedback and Data Sharing" topic in the Live Services Management Guide.

About Live Feedback Participation

Once you sign up for a Live account, Live Feedback automatically collects relevant information for further improvement and anonymously sends it to RSA. The shared data is protected in accordance with the applicable license agreement. For information on Live Feedback, see Live Feedback Overview. For information, see Configure Live Services Settings.

If needed, you can manually download historical usage data and share it with RSA. For information on how to download historical usage data and share it with RSA, see Upload Data to RSA for Live Feedback.

This topic contains the following procedures:

Access the Live Services Configuration Panel

  1. Go to ADMIN > System.
  2. In the options panel, select Live Services.

Note: If you are not signed in with your Live Account credentials, a masked screen is displayed.

Configure Live Account

In the Live Account section, you must set up the user's Live account. The information needed to set up the user’s Live account consists of the Username, Password, and Live URL for the Content Management System. This information is provided by Customer Care.

To configure a Live account:

  1. In the Live Account section, click Sign In.

    Note: The Modify button shows that the Live account is configured. Click Modify to change the user that is accessing Live Services.

  2. In the Live Services Account dialog box, enter the Host (typically cms.netwitness.com) and type your username and password.

  3. (Optional) If you are using a different CMS, type the host URL for the Content Management System. The default points to the CMS at cms.netwitness.com.
  4. (Optional) If you are using a different CMS, type the communications port for Live to send requests to the Content Management System. The default for this field is 443, which is the communications port on the Content Management System.
  5. (Optional) If you do not want to use SSL, uncheck the SSL option. (SSL is enabled by default.)
  6. Click Test connection to test the connection to CMS.
  7. To save and apply the configuration, click Apply.
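A check that can be run from the NetWitness server before entering credentials in the dialog above. This is an added example, not RSA code: it confirms that the CMS host presents a certificate that validates against the system trust store and reports the negotiated protocol and the days left before the certificate expires. The function names and the 30-day warning threshold are assumptions.

```python
import socket
import ssl
import time

CMS_HOST = "cms.netwitness.com"  # default host named in the procedure
CMS_PORT = 443                   # default port named in the procedure


def days_until_expiry(cert, now=None):
    """Days left before the certificate's notAfter date (negative if expired)."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)


def check_cms_tls(host=CMS_HOST, port=CMS_PORT, timeout=10.0, warn_days=30):
    """Open a verified TLS session to the CMS and summarize what was negotiated.

    create_default_context() validates the chain against the system trust
    store and checks the hostname, so a failure here means the endpoint
    should not be trusted with the Live account password.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                left = days_until_expiry(tls.getpeercert())
                return {
                    "ok": True,
                    "protocol": tls.version(),
                    "cipher": tls.cipher()[0],
                    "days_left": left,
                    "expiring_soon": left < warn_days,  # assumed threshold
                }
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "error": "certificate rejected: " + exc.verify_message}
    except (ssl.SSLError, OSError) as exc:
        return {"ok": False, "error": "connection failed: %s" % exc}


if __name__ == "__main__":
    print(check_cms_tls())
```

If a different CMS host or port was entered in steps 3 and 4, pass the same values to check_cms_tls().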

Configure the Live Content Synchronization Interval and Notification

You can change the interval at which NetWitness Platform checks for new updates to Live Content:

  1. Use the Check for New Updates field to change the interval. Select an interval from the drop-down list. The default value for this setting is once a day.

  2. To configure Live Services to send update reports to one or more people, in the Email Addresses field, type the email addresses as a comma-separated list, for example, john@company.com,ted@company.com,brian@company.com
  3. (Optional) To receive messages in HTML format rather than plain text, select HTML Format.
  4. To save and apply, click Apply.

    The time and date of the next scheduled Live synchronization based on the configured interval for checking is displayed.

Force Immediate Synchronization

Instead of waiting for the next scheduled resource cycle, this option forces Live to begin immediate synchronization of the subscribed resources in this instance of NetWitness Platform. One use for this is to see the immediate impact of a configuration change. For example, a new service has been added, or new resources have been toggled for automatic deployment. The scheduled synchronization could take place hours later if Live Services is set to synchronize a few times a day.

Caution: Synchronization can cause a parser reload if a FlexParser is deployed in the update cycle. This is acceptable once or twice a day, but a number of back-to-back parser reloads can cause packet loss at the Decoder. If this is the initial setup and you haven’t configured Live resource subscriptions, do not Synchronize Now. Wait until you have configured subscriptions.

To force immediate synchronization, click Check Now. NetWitness Platform checks for updates in subscribed resources.

Using RSA Live Connect

RSA Live Connect is a cloud-based threat intelligence service. This service collects, analyzes, and assesses threat intelligence data such as IP addresses, domains, and files collected from various sources, including the RSA NetWitness Platform and RSA NetWitness Endpoint customer community. RSA Live Connect consists of the following features:

  • Threat Insights
  • Analyst Behaviors
  • File Reputation

Threat Insights

Threat Insights lets analysts pull threat intelligence data, such as IP-related information, from the Live Connect service for use during an investigation.

By default, Threat Insights is enabled in the Additional Live Services section. If the Context Hub service is configured, Live Connect is automatically added as a data source for Context Hub. For more information, see the "Configure Live Connect Data Source for Context Hub" topic in the Context Hub Configuration Guide.

With Live Connect as a data source for Context Hub, you can use the Context Lookup option in the INVESTIGATE > Navigate view or the INVESTIGATE > Events view to fetch contextual information. For instructions, see the "View Additional Context for a Data Point" topic in the Investigation and Malware Analysis Guide.

Analyst Behaviors

Analyst Behaviors is a feature in which analysts participate in sharing data with the RSA community. This is an automated data collection service. Its goal is to share potential threat intelligence data with the RSA Live Connect cloud service for analysis. The type of data that could be shared from your network to RSA Live Connect includes various types of metadata captured by NetWitness Platform, such as ip.src, ip.dst, ip.addr, device.ip, alias.ip, alias.host, paddr, sessionid, domain.dst, domain.src. For information on Analyst Behaviors and Data Sharing, see the "NetWitness Platform Feedback and Data Sharing" topic in the Live Services Management Guide.
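For a data-sharing review, the following added example (not RSA code) scans a sample of session meta and lists the distinct internal addresses and host names that appear under the meta keys named above. It only inspects values; it does not model how the service selects, transmits or anonymizes data. The internal name suffixes, the RFC 1918 ranges used to define "internal", and the sample sessions are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Meta keys the page lists as examples of data Analyst Behaviors could share.
SHAREABLE_KEYS = {
    "ip.src", "ip.dst", "ip.addr", "device.ip", "alias.ip",
    "alias.host", "paddr", "sessionid", "domain.dst", "domain.src",
}
HOST_KEYS = {"alias.host", "domain.dst", "domain.src"}

# Assumptions: what counts as "internal" in this environment.
INTERNAL_SUFFIXES = (".corp.example", ".local")
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(key, value):
    """True when a value identifies an internal host or address."""
    if key in HOST_KEYS:
        return value.lower().rstrip(".").endswith(INTERNAL_SUFFIXES)
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False  # not an address, for example a sessionid
    return any(ip in net for net in INTERNAL_NETS)


def review_sessions(sessions):
    """Group distinct internal values by shareable meta key."""
    found = defaultdict(set)
    for meta in sessions:
        for key, value in meta.items():
            if key in SHAREABLE_KEYS and is_internal(key, str(value)):
                found[key].add(str(value))
    return {key: sorted(values) for key, values in found.items()}


# Constructed sample session meta, not taken from a real deployment.
SAMPLE = [
    {"sessionid": 101, "ip.src": "10.1.4.22", "ip.dst": "203.0.113.9",
     "alias.host": "files.corp.example", "service": 443},
    {"sessionid": 102, "ip.src": "192.168.7.5", "ip.dst": "198.51.100.20",
     "domain.dst": "updates.example.org", "user.dst": "jdoe"},
]

if __name__ == "__main__":
    for key, values in review_sessions(SAMPLE).items():
        print(key, values)
```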

File Reputation

File Reputation lets analysts view the reputation status of files.

By default, File Reputation is enabled in the Additional Live Services section. If the Context Hub service is configured, Live Connect is automatically added as a data source for Context Hub. For more information, see the "Configure Live Connect Data Source for Context Hub" topic in the Context Hub Configuration Guide.
