NW Cfg: Configure Live Services Settings

Document created by RSA Information Design and Development on Sep 14, 2017Last modified by RSA Information Design and Development on Mar 27, 2018
Version 12Show Document
  • View in full screen mode

Options for configuring Live Services are in the System view > Live Services Configuration panel. The Live Configuration panel allows you to configure:

  • The Live account.
  • The Live Content update schedule and preferences for notification of updates.
  • Participation in Live Services Feedback.
  • Sharing Live Content Usage
  • RSA Live Connect (Beta)


To activate your Live account for NetWitness Suite, please contact RSA Customer Care. When you have a confirmation that your Live account has been set up, you can configure and test the CMS server connection.

When you log on to NetWitness Suite for the first time, you are prompted with New Features Enabled dialog.

When you click Accept, you automatically agree to the following:

  • Participate in Live Feedback.
  • Use Live Connect features to receive threat intelligence data.

  • Allow NetWitness Suite to send anonymous, technical data about your environment to RSA.

If you click View Settings, you are redirected to the Live Services user interface to view the settings for Live Feedback and Live Connect Threat Data Sharing. If you have not configured the Live Account a masked screen is displayed.

For information on Analyst Behaviors and Data Sharing, see "NetWitness Suite Feedback and Data Sharing" topic in the Live Services Management Guide.

About Live Feedback Participation

When you participate in Live Feedback, it collects relevant information for further improvement. For information on Live Feedback, see Live Feedback Overview.

When you install NetWitness Suite, you will be prompted to participate in Live Feedback. For information, see Configure Live Services Settings

If needed, you can manually download historical usage data and share it with RSA. For information on how to download historical usage data and share it with RSA, see Upload Data to RSA for Live Feedback.

This topic contains the following procedures:

Access the Live Services Configuration Panel

  1. Go to ADMIN > System.
  2. In the options panel, select Live Services.

Note: If you are not signed in with your Live Account credentials, a masked screen is displayed.

Configure Live Account

In the Live Account section, you must set up the user's Live account. The information needed to set up the user’s Live account consists of the Username, Password, and Live URL for the Content Management System. This information is provided by Customer Care.

To configure a Live account:

  1. In the Live Account section, click Sign In.

    Note: The Modify button shows that the live account is configured. Click Modify to change the user that is accessing Live Services.

  2. In the Live Services Account dialog box, enter the Host (typically cms.netwitness.com) and type your username and password.

  3. (Optional) If you are using a different CMS, type the host URL for the Content Management System. The default points to the CMS at cms.netwitness.com.
  4. (Optional) If you are using a different CMS, type the communications port for Live to send requests to the Content Management System. The default for this field is 443, which is the communications port on the Content Management System.
  5. (Optional) If you do not want to use SSL, uncheck the SSL option. (SSL is enabled by default.)
  6. Click Test connection to test the connection to CMS.
  7. To save and apply the configuration, click Apply.

Configure the Live Content Synchronization Interval and Notification

You can change the interval at which NetWitness Suite checks for new updates to Live Content:

  1. Use the Check for New Updates field to change the interval. Select an interval from the drop-down list. The default value for this setting is once a day.

  2. To configure Live Services to send update reports to one or more people, in the Email Addresses field, type the email addresses as a comma-separated list, for example, john@company.com,ted@company.com,brian@company.com
  3. (Optional) To receive messages in HTML format rather than plain text, select HTML Format.
  4. To save and apply, click Apply.

    The time and date of the next scheduled Live synchronization based on the configured interval for checking is displayed.

Force Immediate Synchronization

Instead of waiting for the next scheduled resource cycle, this option forces Live to begin immediate synchronization of the subscribed resources in this instance of NetWitness Suite. One use for this is to see the immediate impact of a configuration change. For example, a new service has been added, or new resources have been toggled for automatic deployment. The scheduled synchronization could take place hours later if Live Services is set to synchronize a few times a day.

Caution: Synchronization can cause a parser reload if a FlexParser is deployed in the update cycle. This is acceptable once or twice a day, but a number of back-to-back parser reloads can cause packet loss at the Decoder. If this is the initial setup and you haven’t configured Live resource subscriptions, do not Synchronize Now. Wait until you have configured subscriptions.

To force immediate synchronization, click Check Now. NetWitness Suite checks for updates in subscribed resources.

Using RSA Live Connect

RSA Live Connect is a cloud based threat intelligence service. This service collects, analyzes, and assesses threat intelligence data such as IP addresses, domains, and files collected from various sources including the RSA NetWitness® Suite and RSA NetWitness® Endpoint customer community. RSA Live Connect consists of the following features:

  • Threat Insights
  • Analyst Behaviors

Threat Insights

Threat Insights provides analysts the opportunity to pull threat intelligence data such as IP related information from the Live Connect service to be leveraged by the analysts during investigation.

By default, Threat Insights is enabled in Additional Live Services section. If Context Hub service is configured, Live Connect is automatically added as a data source for Context Hub. For more information, see "Configure Live Connect Data Source for Context Hub" topic in the Context Hub Configuration Guide.

With Live Connect as a data source for context hub, you can use the Context Lookup option in INVESTIGATE > Navigate view or INVESTIGATE > Events view to fetch contextual information. For instructions, see "View Additional Context for a Data Point" topic in the Investigation and Malware Analysis Guide.

Analyst Behaviors

Analyst Behaviors is a feature where analysts participate in sharing data to RSA community. This is an automated data collection service. Its goal is to share potential threat intelligence data to the RSA Live Connect cloud service for analysis. The type of data that could be shared from your network to RSA Live Connect includes various types of meta data captured by NetWitness Suite such as ip.src, ip.dst, ip.addr, device.ip, alias.ip, alias.host, paddr, sessionid, domain.dst, domain.src. For information on Analyst Behaviors and Data Sharing, see "NetWitness Suite Feedback and Data Sharing" topic in the Live Services Management Guide.

You are here
Table of Contents > Standard Procedures > Configure Live Services Settings