Context Hub: Configure Live Connect as a Data Source

Document created by RSA Information Design and Development on Sep 15, 2017Last modified by RSA Information Design and Development on Oct 4, 2017
Version 6Show Document
  • View in full screen mode
  

This topic describes the procedure to configure Live Connect data source for Context Hub. 

RSA Live Connect is a cloud based threat intelligence service. This service collects, analyzes, and assesses threat intelligence data such as IP addresses, domains, and files collected from various sources including the RSA NetWitness® Suite and RSA NetWitness® Endpoint customer community.

RSA Live Connect is a part of Live Services and can be configured from the System View > Live Services Configuration panel. For more information about configuring Live Services, see the Configure Live Services Settings topic in the System Configuration Guide.

RSA Live Connect Threat Insights provides analysts the opportunity to pull threat intelligence data such as IP related information from the Live Connect service to be leveraged by analysts during the investigation process. By default, Threat Insights is enabled in Additional Live Services. If Context Hub service is configured, Live Connect is automatically added as a data source for Context Hub.

Prerequisites

Ensure that:

  • Context Hub is enabled and the service is available in Admin > Services view of NetWitness Suite.
  • RSA Live Account is available.

Note: To create a Live Account, see the Step 1. Create Live Account topic in the Live Services Management Guide.

By default, Threat Insights is enabled in Additional Live Services section. Before setting up Live Connect data source, make sure that you have signed in to your Live account with your Live Account Credentials and Context Hub is enabled. Live Connect is automatically added as a data source for context hub.

For information about configuring Live Account and Live Services, see the Configure Live Services Settings topic in the System Configuration Guide.

For information about configuring Context Hub service, see the Step 1. Add the Context Hub Service topic in the Context Hub Configuration Guide.

Enable or Disable Live Connect Data Source

To enable or disable Live Connect data source for Context Hub:

  1. Go to  ADMIN > System.
  2. In the left navigation pane, select Live Services.
  3. In the Additional Live Services section, enable Threat Insights.


  4. Click Apply.
    Live Connect data source is enabled for Context Hub service.
  5. To verify, go to the Data Sources tab and view the available sources.
    Live Connect source must be added to the list of available sources and the Enabled field must be a solid green circle ().
    Live Connect data source added
  6. To disable Live Connect data source, disable Threat Insights in Additional Live Services panel and click Apply.

    Live Connect data source is disabled for Context Hub service.

    Note: If Threat Insights is disabled, the Context Lookup panel for Live Connect (in the Investigation Navigate view and Events view) displays a message to configure the Live Connect data source. To view contextual data for Live Connect, you must enable Threat Insights.

Edit Live Connect Data Source Settings

To edit live connect data source for Context Hub:

  1. In the main menu, select Admin > Services.
    The Services view is displayed.
  2. In the Services panel, select the Context Hub service, and  > View > Config.
    The Services Config view is displayed.
  3. In the Data Sources tab, select the live connect data source and click .

    The Edit Data Source dialog is displayed.


  4. Edit the required fields:
  5.                
    FieldDescription
    Max. Concurrent QueriesYou can configure the maximum number of concurrent queries defined by the Context Hub service to be run against the configured data sources. The default value is 25.
  6. To edit the Live Connection and Proxy settings, do the following:

    • To edit the Live Connection settings, see the Live Services Configuration Panel topic in the System Configuration Guide.

    • To edit the proxy settings, see the HTTP Proxy Settings Panel topic in the System Configuration Guide.

  7. Click Test Connection to test the connection between Context Hub and the data source.

  8. Click Save to save the settings.

Next steps 

After completing the configuration, you can view the contextual data in the Context Summary Panel of the Respond view or Investigate view. For more information, see the RSA Netwitness Respond User Guide and the RSA NetWitness Investigation and Malware Analysis Guide.

You are here
Table of Contents > Configure Data Sources for Context Hub > Configure Live Connect Data Source

Attachments

    Outcomes