Configure File Reputation Server as a Data Source

File Reputation Server provides analysts the opportunity to view reputation status of files. By default, File Reputation is enabled in Additional Live Services section.

If Context Hub service is configured, File Reputation Server is automatically added as data source for Context Hub.

Prerequisites

Ensure that:

  • Context Hub is enabled and the service is available in netwitness_adminicon_25x22.png (Admin) > Services view of NetWitness Platform.
  • RSA Live Account is available.

Note: To create a Live Account, see the Step 1. Create Live Account topic in the Live Services Management Guide.

By default, File Reputation is enabled in Additional Live Services section. Before setting up File Reputation data source, make sure that you have signed in to your Live account with your Live Account Credentials and Context Hub is enabled. File Reputation is automatically added as a data source for context hub.

For information about configuring Live Account and Live Services, see the Configure Live Services Settings topic in the System Configuration Guide.

For information about configuring Context Hub service, see the Step 1. Add the Context Hub Service topic in the Context Hub Configuration Guide.

Enable or Disable File Reputation Data Source

To enable or disable File Reputation data source for Context Hub:

  1. Go to netwitness_adminicon_25x22.png (Admin) > System.
  2. In the left navigation pane, select Live Services.
  3. In the Additional Live Services section, enable File Reputation.

    netwitness_liveservices1.png
    netwitness_liveservices2.png

  4. Click Apply.
    File Reputation Server data source is enabled for Context Hub service.
  5. To verify, go to the Data Sources tab and view the available sources.
    File Reputation source must be added to the list of available sources and the Enabled field must be a solid green circle (netwitness_greencir.png).
    netwitness_1061-ds-tab_1.png
  6. To disable File Reputation data source, disable File Reputation in Additional Live Services panel and click Apply.

    File Reputation data source is disabled for Context Hub service.

Edit File Reputation Server Data Source Settings

To edit File Reputation Server data source for Context Hub:

  1. Select netwitness_adminicon_25x22.png (Admin) > Services.
    The Services view is displayed.
  2. In the Services panel, select the Context Hub service, and netwitness_ic-actns.png > View > Config.
    The Services Config view is displayed.
  3. In the Data Sources tab, select the File Reputation Server source and click netwitness_edit.png.

    The Edit Data Source dialog is displayed.
    netwitness_fileedidatsou_670x738.png

  4. Edit the required fields:
  5. Field Description

    Context Highlighting

    This highlights the meta values (in the Investigate > Navigate, Events, Event details and Nodal graph) for which the contextual information is available for this data source in the Context Hub. By default, this option is enabled.

    Note: You can disable the context highlighting globally in the Context Hub explorer view. After you disable this option, the entity values for all the data sources configured will not be highlighted if there are any contextual information.

    Max. Concurrent Queries You can configure the maximum number of concurrent queries defined by the Context Hub service to be run against the configured data sources. The default value is 25.
  6. To edit the Proxy settings, see the HTTP Proxy Settings Panel topic in the System Configuration Guide.

  7. Click Test Connection to test the connection between Context Hub and the data source.

  8. Click Save to save the settings.