These are the required configuration steps for a new Decoder or Log Decoder, and also for changing the configuration of an existing Decoder. Unless otherwise stated, Decoder refers to both packet and log Decoders. Perform the steps in the section in the sequence they are given.
Step 1: Verify System Configuration
The first step which needs to be completed when a new service is added to Security Analytics is the verification of system configuration.
Certain default values for the system configuration parameters are already in effect. These values can be edited and fine tuned for optimal performance.
Step 2: Configure Capture Settings
Next, you can configure the adapter for data capture, enable autostart of data capture, select the parsers that are applied to the captured data, and tune data capture by configuring capture settings.
Step 3: Enable or Disable Parsers
See which parsers have been downloaded and deployed from Live, and manage which ones are enabled or disabled.
Step 4: Configure Decoder Rules
Capture rules can add alerts or contextual information to sessions or logs. They can also define which data is filtered out by a Decoder or Log Decoder. Rules are created for specific metadata patterns, which result in predefined actions when matches are found. For example, to keep all traffic that fits certain criteria, but discard all other traffic, you can create a rule to perform the necessary actions. When applied, rules affect both packet capture file importing, as well as live network capture.
By default, no rules are defined when you first install Security Analytics. Until rules are specified, the packets are not filtered. You can deploy the latest rules from Live. You can define three types of rules: Network Layer Rules, Application Layer Rules, and Correlation Rules.
Step 5: Start and Stop Data Capture
When a Decoder starts up, it automatically begins aggregating data if Capture Autostart is enabled. When autostart is not enabled, you can start and stop data capture manually.