CBA: Analytic Stream Settings

Document created by RSA Information Design and Development on Mar 15, 2018Last modified by RSA Information Design and Development on Mar 26, 2018
Version 2Show Document
  • View in full screen mode
 

After you create or deploy an Analytic Stream mapping in the Cloud Gateway Analytic Stream Mappings panel (ADMIN > System > Cloud Gateway), you have the option to change some Analytic Stream configurations for that mapping.

What do you want to do?

                       
Role I want to ...Show me how
Administrator

Change the Lag Time for a Cloud Gateway Analytic Stream mapping.

Change the Lag Time

Administrator

Undeploy and redeploy an Analytic Stream mapping.

Change the Lag Time

Related Topics

Analytic Stream Settings

To access the Analytic Stream settings, in the Cloud Gateway Analytic Stream Mappings panel, select the mapping that you want to change and in the Actions column, select Actions icon > Edit stream.

Analytic Stream Settings dialog

Configuration

The Configuration section enables you to view the Analytic Stream configuration and change the Lag Time setting.

The following table describes the settings available for a Cloud Gateway Analytic Stream mapping.

                           

Field

Description

Analytic StreamShows the name of the mapped Analytic Stream.
ServiceShows the Cloud Gateway service that processes the data for the mapping.
SourcesShows the mapped data sources and the URLs used to communicate with the Cloud gateway.

Lag Time

(Minutes)

Specifies a constant time delay in minutes, which is added to avoid losing events being processed by the data sources during periods of heavy activity. For example, Concentrator performance varies depending on factors such as incoming load, ongoing queries, and indexing. Due to these factors, a Concentrator may not aggregate events in real-time, which leads to the delay.

The Lag Time parameter gives the Concentrator a chance to finish aggregating all of the data.
Data aggregates at Current (System) Time - Lag Time. Setting Lag Time is useful when a Concentrator is slow in aggregating data. The Lag Time guarantees that Cloud Behavioral Analytics (CBA) does not process data that arrives to the Concentrator within the Lag Time window so there is adequate delay to ensure all events that get generated in the enterprise can be processed by CBA.

For example, if Lag Time is 30 minutes, and the current time is 2:00 PM, the Concentrator starts pulling records at 1:30 PM. The Lag Time window, 30 minutes in this example, remains constant as time advances. When the current time advances to 2:01 PM, the Concentrator pulls the next minute of data at 1:31 PM, and so on.

Important: The Lag Time defines the buffer between the current time and the time when the Analytic Stream ingests the data.

The Lag Time value is specific to a particular mapping and it applies to all Concentrators within that mapping after you deploy it. If a Concentrator is shared between two Analytic Streams with different Lag Times, the Concentrator uses separate Lag Time values for each Analytic Stream mapping.

Caution: RSA recommends that Administrators adjust the Lag Time parameter dynamically based on the performance of each of the individual Concentrators to avoid missing any events during aggregation.

To determine the correct Lag Time, add together the following to get an environmental Lag Time:

1. Log or Packet Latency - This is the time it takes for the Log Decoder to receive the logs or the (Packet) Decoder to receive packets. For example, the Log Decoder may get logs every 20 minutes. In this case, you would want to set Lag Time to at least 20 minutes, preferably 25 minutes, so that you do not miss events.

2. Aggregation Latency - This is the time it takes to get the data from the Log Decoder to the Concentrator.

3. Other Buffer - Add in any additional time delay specific to your environment.

You are here
Table of Contents > Cloud Gateway References > Analytic Stream Settings

Attachments

    Outcomes