This topic describes the procedure to configure Live Connect data source for Context Hub.
RSA Live Connect is a cloud based threat intelligence service. This service collects, analyzes, and assesses threat intelligence data such as IP addresses, domains, and files collected from various sources including the RSA NetWitness Platform and RSA NetWitness Endpoint customer community.
RSA Live Connect is a part of Live Services and can be configured from the System View > Live Services Configuration panel. For more information about configuring Live Services, see the Configure Live Services Settings topic in the System Configuration Guide.
RSA Live Connect Threat Insights provides analysts the opportunity to pull threat intelligence data such as IP related information from the Live Connect service to be leveraged by analysts during the investigation process. By default, Threat Insights is enabled in Additional Live Services. If Context Hub service is configured, Live Connect is automatically added as a data source for Context Hub.
- Context Hub is enabled and the service is available in (Admin) > Services view of NetWitness Platform.
- RSA Live Account is available.
By default, Threat Insights is enabled in Additional Live Services section. Before setting up Live Connect data source, make sure that you have signed in to your Live account with your Live Account Credentials and Context Hub is enabled. Live Connect is automatically added as a data source for context hub.
For information about configuring Live Account and Live Services, see the Configure Live Services Settings topic in the System Configuration Guide.
For information about configuring Context Hub service, see the Step 1. Add the Context Hub Service topic in the Context Hub Configuration Guide.
Enable or Disable Live Connect Data Source
To enable or disable Live Connect data source for Context Hub:
- Go to (Admin) > Services.
- In the left navigation pane, select Live Services.
In the Additional Live Services section, enable Threat Insights.
- Click Apply.
Live Connect data source is enabled for Context Hub service.
- To verify, go to the Data Sources tab and view the available sources.
Live Connect source must be added to the list of available sources and the Enabled field must be a solid green circle ().
To disable Live Connect data source, disable Threat Insights in Additional Live Services panel and click Apply.
Live Connect data source is disabled for Context Hub service.
Edit Live Connect Data Source Settings
To edit live connect data source for Context Hub:
- Select (Admin) > Services.
The Services view is displayed.
- In the Services panel, select the Context Hub service, and > View > Config.
The Services Config view is displayed.
The Edit Data Source dialog is displayed.
- Edit the required fields:
To edit the Live Connection and Proxy settings, do the following:
To edit the Live Connection settings, see the Live Services Configuration Panel topic in the System Configuration Guide.
To edit the proxy settings, see the HTTP Proxy Settings Panel topic in the System Configuration Guide.
Click Test Connection to test the connection between Context Hub and the data source.
Click Save to save the settings.
|Max. Concurrent Queries||You can configure the maximum number of concurrent queries defined by the Context Hub service to be run against the configured data sources. The default value is 25.|
After completing the configuration, you can view the contextual data in the Context Summary Panel of the Respond view or Investigate view. For more information, see the RSA NetWitness Respond User Guide and the RSA NetWitness Investigate User Guide.