This topic introduces the features of the System view > Investigation Configuration panel, which provides the user interface for Administrators to configure the system-wide settings that Security Analytics Investigation uses when analyzing data and reconstructing an event.
The Investigation Configuration settings allow an administrator to manage application performance for Investigation. As analysts analyze and reconstruct sessions that they are investigating, performance can be affected by operations that involve loading, searching, visualizing, and reconstructing large amounts of data.
To access the Investigation Configuration panel:
- In the Security Analytics menu, select Administration > System.
- In the options panel, select Investigation.
The following figure shows the Events tab.
Procedures associated with this panel are provided in Standard Procedures.
The following figure shows the Context Lookup tab.
Procedures associated with this panel are provided in "Manage Meta Type and Meta Key Mapping" in the Investigation and Malware Analysis Guide.
The Investigation Configuration panel has three tabs: Navigate, Events, and Context Lookup.
Though most fields in the tabs have a selection list with specific increments through the range of possible values, you can also enter a value within the allowed range manually. An invalid entry is signaled by the field being highlighted in red. When valid values are selected, clicking Apply in a given section puts the changes into effect immediately.
Navigate Tab
The Navigate tab has two sections: Render Threads Setting and Parallel Coordinates Settings.
Render Threads Setting
The Render Threads Setting is a selectable value between 1 and 20 that defines how many (Values) loads the Navigate view runs concurrently. The default value is 1.
Parallel Coordinates Settings
The Parallel Coordinates Settings apply to the Parallel Coordinates visualization in the Navigate view. There is a limit on the amount of data that can be rendered as a parallel coordinates chart; in Security Analytics 10.5 the administrator configures these limits here.
The following table describes the Parallel Coordinates Settings.
Events Tab
The Events tab provides configurable settings that affect the investigation of events. This tab has four sections: Event Search Settings, Reconstruction Settings, Web View Reconstruction Settings, and Reconstruction Cache Settings.
Event Search Settings
The Event Search Settings help to limit the number of events scanned when searching in the Events view.
The following table describes the Event Search Settings.
Reconstruction Settings
As analysts reconstruct sessions that they are investigating, some events can be very large and contain many thousands of source packets. Reconstructing these sessions, especially in a multi-user environment, can degrade application performance. The Reconstruction Settings allow an administrator to limit the number of packets and the size of a single event that will be reconstructed.
The following table describes the Reconstruction Settings features.
Web View Reconstruction Settings
When Security Analytics reconstructs a web view that spans multiple events, it can improve the reconstruction of the target event by scanning and reconstructing related events that contain the same supporting files, such as images and cascading style sheet (CSS) files. The Web View Reconstruction Settings allow an administrator to control that scan:
- The only related events scanned are HTTP service type events that have the same source address as the target event and a time stamp within a specified time range before or after the target event.
- The maximum number of related events to scan is configurable.
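The selection rule above (HTTP service type, same source address, time stamp inside a window around the target, capped at a maximum count) is easier to reason about when written out. The following is an added example, not code from Security Analytics; the Event record, the field names, and the choice to keep the events closest in time to the target when the cap is hit are all assumptions made here for illustration, and the sample events are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    """Minimal stand-in for an indexed session (assumed shape, not the product's model)."""
    event_id: int
    service: str        # service type name, e.g. "HTTP" or "DNS"
    src_ip: str         # source address of the session
    timestamp: datetime
    resource: str       # requested file, for illustration only


def select_related_events(target, events, window_seconds, max_events):
    """Return events eligible for a web view reconstruction scan.

    Criteria taken from the settings description:
      * HTTP service type only
      * same source address as the target
      * time stamp within window_seconds before or after the target
      * at most max_events results
    Tie-break (assumption): prefer events closest in time to the target,
    then lower event_id, so the result is deterministic.
    """
    window = timedelta(seconds=window_seconds)
    candidates = []
    for ev in events:
        if ev.event_id == target.event_id:
            continue                      # never scan the target itself
        if ev.service != "HTTP":
            continue                      # non-HTTP sessions cannot carry page assets
        if ev.src_ip != target.src_ip:
            continue                      # a different client did not fetch this page
        distance = abs(ev.timestamp - target.timestamp)
        if distance > window:
            continue                      # outside the configured time range
        candidates.append((distance, ev))
    candidates.sort(key=lambda pair: (pair[0], pair[1].event_id))
    return [ev for _, ev in candidates[:max_events]]


# Constructed sample data: one page load plus surrounding sessions.
T0 = datetime(2016, 3, 1, 12, 0, 0)
TARGET = Event(100, "HTTP", "10.1.1.5", T0, "index.html")
SAMPLE_EVENTS = [
    TARGET,
    Event(101, "HTTP", "10.1.1.5", T0 + timedelta(seconds=2), "style.css"),    # related
    Event(102, "HTTP", "10.1.1.5", T0 + timedelta(seconds=5), "logo.png"),     # related
    Event(103, "HTTP", "10.1.1.5", T0 - timedelta(seconds=3), "banner.jpg"),   # related, before target
    Event(104, "HTTP", "10.1.1.5", T0 + timedelta(seconds=600), "late.png"),   # outside a 300 s window
    Event(105, "HTTP", "10.2.2.9", T0 + timedelta(seconds=1), "style.css"),    # different source address
    Event(106, "DNS", "10.1.1.5", T0 + timedelta(seconds=1), "example.com"),   # not HTTP
]


def related_ids(window_seconds, max_events):
    """Event IDs the scan would touch for TARGET with the given settings."""
    return [ev.event_id for ev in
            select_related_events(TARGET, SAMPLE_EVENTS, window_seconds, max_events)]


if __name__ == "__main__":
    print(related_ids(300, 10))   # all three related events, nearest first
    print(related_ids(300, 2))    # the cap drops the farthest one
```

Lowering the window or the maximum count trims the scan (and the work the server does per reconstruction) at the cost of possibly missing an asset fetched a few seconds earlier or later; the two calls at the bottom show that trade-off on the constructed data.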
Clicking on the Advanced Settings option displays all configurable settings in this section.
The following table describes the Web View Reconstruction Settings.
Reconstruction Cache Settings
In some cases the reconstruction cache can present incorrect content; for this reason Security Analytics removes reconstructions that are older than a day from the cache. The cache is cleaned every day at midnight. Between the daily cache cleanings, certain actions may result in a stale cache entry being used for a reconstruction; if the need arises, administrators can manually clear the cache for one or more services that are connected to the current Security Analytics server.
The following table describes the Reconstruction Cache Settings features.
Context Lookup Tab
The Context Lookup tab enables the administrator to configure the Investigation meta key and meta type mapping. The administrator can add meta keys found in Investigation to, or remove them from, the list of meta types supported by the Context Hub service. Procedures associated with this panel are provided in the "Manage Meta Type and Meta Key Mapping" topic in the Host and Service Configuration Guide.
The following table describes the features of the Context Lookup tab.