CBA: Cloud Gateway Analytic Stream Mappings

Document created by RSA Information Design and Development on Mar 15, 2018. Last modified by RSA Information Design and Development on Mar 26, 2018.

In the Cloud Gateway Analytic Stream Mappings panel (ADMIN > System > Cloud Gateway), you define the resources that RSA NetWitness Suite Cloud Behavioral Analytics (CBA) uses to automatically detect advanced threats.

You can configure the RSA Cloud Gateway to automatically upload Analytic Streams from one or more Concentrators to Cloud Behavioral Analytics (CBA). An Analytic Stream is a pipeline of selected traffic activity used for analytics processing. For example, Analytic Streams can include HTTP, FTP, SMB, or DNS traffic. By creating and deploying Analytic Stream mappings between Concentrator sources and Cloud Gateway services, data streams are automatically forwarded to the Cloud for analytics processing.

Workflow

This workflow shows the process for creating and enabling a Cloud Gateway Analytic Stream mapping to start automatically detecting advanced threats.

Cloud Gateway Analytics Stream Mappings workflow

Before you create a Cloud Gateway Analytic Stream mapping, ensure that the NetWitness Suite hosts and services that you want to use for your mappings are online and available. All of the services need to be in sync with a consistent time source. Ensure that the Concentrators are collecting the required data. Cloud Gateway services must be provisioned to enable Cloud Behavioral Analytics.

When you create a mapping, you select an Analytic Stream to map, such as HTTP. Then you select the data sources, such as Concentrators, to use for that Analytic Stream along with a Cloud Gateway service to process the data. When you are ready to start aggregating data, you deploy the mapping. (Future) Analysts can view detected threats for that Analytic Stream in the NetWitness Suite user interface (UI).

What do you want to do?

Role | I want to ... | Show me how

Administrator | Verify that the NetWitness Suite hosts and services are online and available. | ADMIN > Hosts and ADMIN > Services. See Hosts and Services Getting Started Guide.

Administrator | Ensure that the Concentrators are collecting the required data. | See Broker and Concentrator Configuration Guide.

Administrator | Provision the Cloud Gateway. | Provision a Cloud Gateway

Administrator | Create Cloud Gateway Analytic Stream mappings* | Mapping Cloud Gateway Analytic Streams

Administrator | Deploy Cloud Gateway Analytic Stream mappings* | Mapping Cloud Gateway Analytic Streams

Administrator, Analyst | View detected threats. | See NetWitness Respond User Guide and NetWitness Investigate User Guide.

*You can complete these tasks here (that is, in the Cloud Gateway Analytic Stream Mappings panel).

Related Topics

Quick Look

The following example illustrates a Cloud Gateway Analytic Stream mapping. The configuration defines the data sources for the selected Analytic Stream and the Cloud Gateway service that will process the events from those data sources.

Cloud Gateway Analytic Stream Mappings diagram

1. Displays the Cloud Gateway Analytic Stream Mappings panel.
2. Shows the status of the mapping.
3. The name of the Analytic Stream that is mapped.
4. Data sources, such as Concentrators, assigned to the mapping.
5. Cloud Gateway service that processes the data for the mapping.
6. Lag Time configuration (in minutes) on the data sources for the mapping.
7. Actions for changing Analytic Stream settings, deploying mappings, and undeploying mappings.

Toolbar

The following table describes the toolbar actions.

Icon / Button | Description

Add icon | Opens the Create Mappings dialog, where you can create a mapping. Create a separate mapping for each Analytic Stream. After creating and reviewing the mappings, you deploy them.

Delete icon | Deletes a mapping.

  • You can delete a mapping with a status of Undeployed at any time. Since a mapping in the Undeployed state is not deployed and is not running, it does not affect data aggregation.

  • Deleting a deployed mapping clears the configuration on the host server, reverts the deployment for that mapping, and stops pulling data from the data source for that Analytic Stream. You should undeploy a mapping with a status of Deployed before deleting it.

Deploy Now | After you create your mappings, you need to deploy them in order to start aggregating data for the Analytic Streams. You can select one or more mappings with a status of Undeployed to deploy.

Note: If you want to make changes to a deployed mapping, such as adding or removing Concentrators or changing the service, you must undeploy and delete the existing mapping and then create and deploy a new mapping for that Analytic Stream.

Cloud Gateway Analytic Stream Mappings

The following table describes the listed Cloud Gateway Analytic Stream mappings.

Icon / Field | Description

Select icon | To select an individual mapping, select the checkbox next to the mapping.

Status | Shows the status of the mapping. There are two statuses:

  • Undeployed - An undeployed mapping maps an Analytic Stream to sources and a Cloud Gateway service. It does not start aggregating data for the Analytic Stream until you deploy the mapping.

  • Deployed - A deployed mapping is deployed and running. In a deployed mapping, the selected Cloud Gateway service uses query-based aggregation to collect the appropriate filtered traffic for the selected Analytic Stream from the Concentrators.

Analytic Stream | Indicates the selected Analytic Stream. An Analytic Stream is a pipeline of selected traffic activity used for analytics processing. For example, Analytic Streams can include HTTP, FTP, SMB, or DNS traffic. By creating and deploying Analytic Stream mappings between Concentrator sources and Cloud Gateway services, data streams are automatically forwarded to the Cloud for analytics processing.

Sources | The data sources, such as Concentrators, from which the Cloud Gateway aggregates the data for the specified Analytic Stream.

Service | Indicates the Cloud Gateway service that will process the data for the specified Analytic Stream. The selected service needs to be in sync with a consistent time source.

Lag Time (Minutes) | Specifies a constant time delay in minutes, which is added to avoid losing events that the data sources are still processing during periods of heavy activity. For example, Concentrator performance varies depending on factors such as incoming load, ongoing queries, and indexing. Because of these factors, a Concentrator may not aggregate events in real time, which leads to the delay.

The Lag Time parameter gives the Concentrator a chance to finish aggregating all of the data.

Data aggregates at Current (System) Time - Lag Time. Setting Lag Time is useful when a Concentrator is slow in aggregating data. The Lag Time guarantees that Cloud Behavioral Analytics (CBA) does not process data that arrives at the Concentrator within the Lag Time window, so there is adequate delay to ensure that all events generated in the enterprise can be processed by CBA.

For example, if Lag Time is 30 minutes and the current time is 2:00 PM, the Concentrator starts pulling records at 1:30 PM. The Lag Time window, 30 minutes in this example, remains constant as time advances. When the current time advances to 2:01 PM, the Concentrator pulls the next minute of data at 1:31 PM, and so on.

Important: The Lag Time defines the buffer between the current time and the time when the Analytic Stream ingests the data.

Caution: RSA recommends that Administrators adjust the Lag Time parameter dynamically based on the performance of each individual Concentrator to avoid missing any events during aggregation.

Actions icon | Enables you to select additional actions for the selected Analytic Stream mapping:

  • Edit stream - Enables you to configure the Lag Time for the selected mapping.

  • Deploy - Deploys the selected mapping. The specified Cloud Gateway service starts pulling data from the data sources for that Analytic Stream.

  • Undeploy - Undeploys the selected mapping. The specified Cloud Gateway service stops pulling data from the data sources for that Analytic Stream.

Caution: Undeploying a mapping with a status of Deployed will affect data aggregation for that Analytic Stream.
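The following is an added example, written for this page and not RSA's own code, that models the Lag Time behaviour described above: each minute the Cloud Gateway service pulls the minute of data starting at Current (System) Time - Lag Time, and an event that the Concentrator has not yet indexed at the moment of that pull is lost. The example assumes one pull per minute with no retry of an already-pulled minute, and all events and timestamps in it are constructed. It shows why a Lag Time shorter than the Concentrator's indexing backlog drops events, and it derives the smallest Lag Time that would have captured every event in the sample, which is one way to act on the caution to tune Lag Time to each Concentrator's real performance.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    """One event as a Concentrator sees it (constructed sample data)."""
    event_time: datetime   # when the event occurred in the enterprise
    indexed_at: datetime   # when the Concentrator finished aggregating it


def ts(hour, minute, second=0):
    """Constructed timestamps, all on one sample day."""
    return datetime(2018, 3, 15, hour, minute, second)


# Constructed sample: two events indexed within a second, and one that the
# Concentrator indexes about 21 minutes late, as happens under heavy load.
SAMPLE_EVENTS = [
    Event(ts(13, 30, 10), ts(13, 30, 11)),
    Event(ts(13, 30, 40), ts(13, 52, 0)),
    Event(ts(13, 31, 5), ts(13, 31, 6)),
]


def pull_window(now, lag_minutes):
    """The minute of data pulled at `now`: Current (System) Time - Lag Time.

    With a Lag Time of 30 and a current time of 2:00 PM this is the minute
    starting at 1:30 PM; at 2:01 PM it is the minute starting at 1:31 PM.
    The window slides forward while its distance from the current time
    stays constant.
    """
    start = now - timedelta(minutes=lag_minutes)
    return start, start + timedelta(minutes=1)


def poll(events, now, lag_minutes):
    """Events the Cloud Gateway service can see when it pulls at `now`.

    An event is only visible once the Concentrator has indexed it. A pull
    that runs before indexing finishes misses the event, and this model
    assumes nothing pulls that minute again.
    """
    start, end = pull_window(now, lag_minutes)
    return [e for e in events
            if start <= e.event_time < end and e.indexed_at <= now]


def simulate(events, first_pull, pulls, lag_minutes):
    """Pull once per minute for `pulls` minutes; return (collected, missed).

    `missed` holds every event whose minute was pulled but that was not yet
    indexed at the moment of its pull.
    """
    collected = []
    for i in range(pulls):
        collected.extend(poll(events, first_pull + timedelta(minutes=i), lag_minutes))
    covered_start, _ = pull_window(first_pull, lag_minutes)
    _, covered_end = pull_window(first_pull + timedelta(minutes=pulls - 1), lag_minutes)
    missed = [e for e in events
              if covered_start <= e.event_time < covered_end and e not in collected]
    return collected, missed


def minimum_lag_minutes(events):
    """Smallest whole-minute Lag Time that would have captured every event.

    The minute starting at S is pulled at S + Lag Time, so an event in that
    minute is captured only if indexed_at <= S + Lag Time. Measuring that
    gap on observed data is one way to size the Lag Time to a
    Concentrator's actual indexing delay.
    """
    worst = timedelta(0)
    for e in events:
        minute_start = e.event_time.replace(second=0, microsecond=0)
        worst = max(worst, e.indexed_at - minute_start)
    return math.ceil(worst.total_seconds() / 60)


def demo():
    """Number of missed sample events with a Lag Time of 5 versus 30 minutes."""
    # Lag 5: the 1:30 PM minute is pulled at 1:35 PM, before the late event
    # is indexed at 1:52 PM, so that event is lost.
    _, missed_short = simulate(SAMPLE_EVENTS, ts(13, 35), 2, 5)
    # Lag 30: the same minute is pulled at 2:00 PM, after indexing caught up.
    _, missed_long = simulate(SAMPLE_EVENTS, ts(14, 0), 2, 30)
    return len(missed_short), len(missed_long)


if __name__ == "__main__":
    print("missed events with Lag Time 5 / 30:", demo())
    print("minimum Lag Time that captures every sample event:",
          minimum_lag_minutes(SAMPLE_EVENTS))
```

With the constructed sample, a Lag Time of 5 minutes loses the late-indexed event while 30 minutes captures everything, and the minimum Lag Time derived from the observed indexing gap is 22 minutes. Feeding real event-time versus index-time pairs from a Concentrator into minimum_lag_minutes gives a data-driven starting point for the per-Concentrator tuning the caution above calls for.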
