
RSA Security Analytics

User Documentation

Copyright 2010 - 2014 RSA, the Security Division of EMC. All rights reserved.
Trademarks
RSA, the RSA Logo and EMC are either registered trademarks or trademarks of EMC Corporation in the United States and/or other countries. All other
trademarks used herein are the property of their respective owners. For a list of EMC trademarks, go to www.emc.com/legal/emc-corporation-trademarks.htm.
License Agreement
This software and the associated documentation are proprietary and confidential to EMC, are furnished under license, and may be used and copied only in
accordance with the terms of such license and with the inclusion of the copyright notice below. This software and the documentation, and any copies thereof,
may not be provided or otherwise made available to any other person.
No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any unauthorized use or reproduction of
this software and the documentation may be subject to civil and/or criminal liability. This software is subject to change without notice and should not be
construed as a commitment by EMC.
Third-Party Licenses
This product may include software developed by parties other than RSA. The text of the license agreements applicable to third-party software in this product
may be viewed in the thirdpartylicenses.pdf file.
Note on Encryption Technologies
This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption technologies, and current use, import,
and export regulations should be followed when using, importing or exporting this product.
Distribution
Use, copying, and distribution of any EMC software described in this publication requires an applicable software license. EMC believes the information in this
publication is accurate as of its publication date. The information is subject to change without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY
KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY
OR FITNESS FOR A PARTICULAR PURPOSE.

10.4 User Guide

27

About This Guide

28

User Interface Guide

32

Elements in the Browser Window

33

Elements in a Dashboard

38

Elements in a View

43

Context Menus

48

Grids

50

Jobs Tray Features

55

Notifications Tray

58

Configure Security Analytics Dashboards

61

Change Layout of a Dashboard

62

Create a Custom Dashboard

64

Export a Dashboard

67

Import a Dashboard

69

Remove a Custom Dashboard

71

Restore the Default Dashboard

72

Select a Dashboard

73

Add a Dashlet

74

Delete a Dashlet

78

Edit Dashlet Properties

80

Maximize a Dashlet

84

Move a Dashlet

86

Security Analytics Dashlets

88

Admin News Dashlet

91

Admin Service List Dashlet

92

Admin Service Monitor Dashlet

94

Dashboard RSA First Watch Dashlet

97

Dashboard Shortcuts Dashlet

99

Dashboard What's New Dashlet

101

Investigation Jobs Dashlet

103

Investigation Top Values Dashlet

105

Live Featured Resources Dashlet

108

Live New Resources Dashlet

110

Live Subscriptions Dashlet

112

Live Updated Resources Dashlet

114

Malware Malware with High Confidence IOCs and High Scores Dashlet

116

Malware Scan Jobs List Dashlet

120

Malware Top Listing of Highly Suspicious Malware Dashlet

122

Malware Top Listing of Possible Zero Day Malware Dashlet

126

Reporting RE Top Alerts Dashlet

130

Reports Realtime Chart Dashlet

134

Reports Recent Run Report Dashlet

138

Reports RE Alert Variance Dashlet

140

Reports RE Recent Alerts Dashlet

143

Site Planning Guide

145

Site Requirements and Safety

146

Deployment Overview

148

Network Architecture and Ports

149

Virtual Appliance Setup Guide


Virtual Appliance Overview

Install Security Analytics Virtual Appliance in Virtual Environment

153

154

Step 1: Deploy the Virtual Appliance

Step 2: Configure the Network

Step 3: Configure Datastore Space for the Appliance

Step 4: Configure Appliance-Specific Parameters

Appliance and Service Configuration Guides


Appliance and Service Getting Started Guide

The Basics

Required Procedures

Step 1: Add or Update an Appliance

Step 2: Add a Service to an Appliance

Step 3: Establish a Trusted Connection

Step 4: Manage Access to a Service

Additional Appliance Procedures

Change the Name and Hostname of an Appliance

Create and Manage Appliance Groups

Remove an Appliance

Search for Appliances

Add and Delete a Filesystem Monitor

Reboot Appliance

Set Appliance Built-In Clock

Set Network Configuration

Set Network Time Source

Set SNMP

Set Syslog Forwarding

Show Network Port Status

Show Serial Number

Shut Down Appliance

Stop and Start an Appliance Service

References

Appliance and Service Configuration Settings

Appliance Service Configuration

Concentrator Service Configuration

Decoder Service Configuration

Log Decoder Service Configuration

Appliances View

Appliances Panel Toolbar

Appliance Updates Menu

Groups Panel Toolbar

Services View

Add Service Dialog

Groups Panel Toolbar

Services Panel Toolbar

Services Config View


Files Tab

Services Explore View

Properties Dialog

Services Logs View

Services Security View

Roles Tab

Users Tab

Services Stats View

Chart Stats Tray

Gauges

Timeline Charts

Services System View

Appliance Task List Dialog

Decoder Services System View

System View

System Logging Panel

Historical Tab

Realtime Tab

Settings Tab

URL Integration Panel

Archiver Configuration Guide

Archiver Overview

Configure Archiver

Step 1: Add the Archiver Service

Step 2: Add Log Decoder as Data Source to Archiver

Step 3: Configure Storage

Step 4: Add Archiver as Data Source to Reporting Engine

Step 5: Configure Archiver Monitoring

Additional Procedures

Configure Archiver to Use Secondary Long-Term Data Storage

Data Backup and Restore

Step 1: Add Workbench Service

Step 2: Create Collection

Step 3: Add Workbench Service as Data Source to Reporting Engine

Step 4: Add Workbench Service as a Data Source to Broker

Increase Overall Data Retention in Archiver

Group Aggregation

Set Up Group Aggregation

Retrieve Hash Information

Schedule Data Rollover

Reference Information

Group Aggregation Parameters

Services Config View - Archiver

Broker and Concentrator Configuration Guide

Broker and Concentrator Overview

Broker and Concentrator Configuration

Step 1: Verify Service System Configuration

Step 2: Configure the Aggregation Process

Step 3: Configure Aggregate Services

Step 4: Start and Stop Aggregation

References

Services Configuration View - Broker General Tab

Services System View - Broker

Decoder and Log Decoder Configuration Guide

Decoder and Log Decoder Basics

Decoder Configuration Checklist

Required Procedures

Step 1: Verify System Configuration

Step 2: Configure Capture Settings

Configure System-Level (BPF) Packet Filtering


Step 3: Configure Decoder Rules

Configure Application Rules

Configure Correlation Rules

Configure Network Rules

Step 4: Start and Stop Data Capture


Additional Procedures

Configure Feeds and Parsers

Create and Deploy Custom Feed Using Wizard

Create a Custom Feed

Create an Identity Feed

Edit a Custom Feed


Use Custom Parsers

Configure Syslog Forwarding to Destination

Map IP Address to Device Type

Upload Log File to a Log Decoder

Upload Packet Capture File

Verify Decoder System Information

References

Services Config View Feeds Tab - Decoder

Upload Feeds Dialog

Services Config View Files Tab - Decoder

Feed Definitions File

Flex Parser

Arithmetic Functions

Common Parser Operations

General Functions

Logging Functions

Nodes

Payload Functions

Regex

String Functions

Geo IP Parser

Lua Parsers

Search Parser

search.ini Search String Syntax


Wireless LAN Configuration

Services Config View General Tab - Decoder

Services Config View Parsers Tab - Decoders

Services Config View Rules Tabs - Decoders

App Rules Tab

Correlation Rules Tab

Network Rules Tab

Services System View - Log Decoder


Event Stream Analysis (ESA) Configuration Guide

Event Stream Analysis (ESA) Overview

Configure Event Stream Analysis (ESA)

Step 1: Add Event Stream Analysis Service

Step 2: Add a Data Source to an ESA Appliance

Step 3: Configure Advanced Settings for an ESA Appliance

Additional Procedures

Start, Stop, or Restart ESA Service

Verify ESA Component Versions and Status

References

ESA Advanced View

Incident Management Configuration Guide

Incident Management Overview

Configure Incident Management

Step 1: Add Incident Management Service

Step 2: Configure a Database for the Incident Management Service

Step 3: Configure Alert Sources to Display Alerts in Incident Management

IPDB Extractor Service Configuration Guide

IPDB and the IPDB Extractor Service Overview

Configure the IPDB Extractor Service

Step 1: Mount the IPDB

Step 2: Associate a Reporting Engine with an IPDB

Step 3: (Optional) Map Multiple Storage Locations

Step 4: Reset nwipdbadptr postgreSQL User Password

Step 5: Specify IPDB Password

Step 6: Configure IPDB Extractor Data Sources in Reporting Engine

Step 7: Create IPDB Datasource Event Source List for Reports

Step 8: Deploy Live Content to IPDB Extractor

Step 9: (Optional) Configure Multi-Site Deployment

References

Services Config View - IPDB Extractor Configuration

Malware Analysis Configuration Guide

How Malware Analysis Works

Roles and Permissions for Analysts

Scoring Modules

Basic Setup

Step 1: Configure Malware Analysis Operating Environment

Step 2: Add Malware Analysis Appliance and Service

Step 3: Configure General Malware Analysis Settings

Step 4: Configure Indicators of Compromise

Step 5: Configure Installed Antivirus Vendors

(Optional) Configure Auditing on Malware Analysis Appliance

(Optional) Configure Hash Filter

(Optional) Configure Malware Analysis Proxy Settings

(Optional) Register for a ThreatGrid API Key

Additional Procedures

Create Custom Alert in CEF Format

Enable Custom YARA Content

Malware Analysis References

Auditing Tab

AV Tab

General Tab

Hash Tab

Indicators of Compromise Tab

IOC Summary Tab

Proxy Tab

Sample Syslog Auditing File

ThreatGrid Tab

Reporting Engine Configuration Guide

Reporting Engine Overview

Configure Reporting Engine

Step 1: Add a Reporting Engine

Step 2: Configure Reporting Engine Settings

Step 3: Configure Reporting Engine Data Sources

Add Warehouse as a Data Source to Reporting Engine


Enable LDAP Authentication

(Optional) Add Archiver as Data Source to Reporting Engine

(Optional) Add Collection as Data Source to Reporting Engine

(Optional) Add Workbench as Data Source to Reporting Engine

(Optional) Integrate ECAT Information Into Reports

Step 4: Configure Output Actions

Step 5: Configure Task Scheduler for a Reporting Engine

Additional Procedures

Add Additional Space for Large Reports

Configure Workbench

Add Workbench Service


References

Reporting Engine Audit Configuration

Reporting Engine General Tab

Reporting Engine Log File Parameters

Reporting Engine Manage Logos Tab

Reporting Engine Output Actions

Reporting Engine Sources Tab

Security Analytics Core Database Tuning Guide

Security Analytics Core Database Introduction

Basic Database Configuration

Tiered Database Storage

Manifests

Advanced Database Configuration

Database Configuration Nodes

Index Configuration Nodes

SDK Configuration Nodes

Per-User Configuration Nodes

Scheduler

Rollover

Queries

Index Customization

Optimization Techniques

Appendix: Statistics

RSA Analytics Warehouse (MapR-based) Configuration Guide

RSA Analytics Warehouse Overview

Configure RSA Analytics Warehouse (MapR-based)

Step 1: Generate and Update the Default UUID in Appliances

Step 2: Update the Configuration Template File

Step 3: Upgrade the Warehouse Cluster

Step 4: Install the Warehouse License File

Step 5: Generate the Virtual IP Address for Primary Warehouse Appliance

Step 6: Configure Warehouse Connector to Write to Warehouse

Verify the Network File System (NFS) Services Status

Install the Network File System Packages

Mount the Warehouse on the Warehouse Connector

Step 7: Configure other Security Analytics Services for the Warehouse


Additional Procedures

Access MapR Control System UI for Cluster Administration

Enable MapR Metrics on RSA Analytics Warehouse Cluster

Enable EPEL Internet Repository

Edit and Remove Virtual IP Addresses using the Command Line

Add and Remove a Virtual IP Address using the MapR Control System

Warehouse Connector Configuration Guide

Warehouse Connector Overview

Install Warehouse Connector Service on a Log Decoder or Decoder

Configure Warehouse Connector

Step 1: Add a Warehouse Connector Service

Step 2: Create Lockbox

Change the Lockbox Password

Refresh the Lockbox

Step 3: Configure the Data Source

Step 4: Configure the Destination Using NFS

Step 5: Configure the Destination Using SFTP

Configure SSH Keys


Step 6: Configure the Destination Using WebHDFS

Configure SSH Keys

Step 7: Configure Streams

Create a Stream

Edit a Stream

Finalize the Stream

Start the Stream

Additional Procedures

Configure Warehouse Connector Monitoring

Specify Meta Filters

Update the Port Number and SSL Settings of the Source

References

Services Config View - Warehouse Connector

Services System View - Warehouse Connector

Log Collection Guides


Log Collection Getting Started Guide

The Basics

Procedures

Step 1: Add Local and Remote Collectors

Step 2: Download Latest Content from LIVE

Step 3: Set Up a Lockbox

Step 4: Configure Collection Protocols and Event Sources

Step 5: Start Protocols and Enable Automatic Start

Step 6: Verify That Log Collection Is Working

Reference - Configuration Parameters Interface

Log Collector Configuration Parameters Interface

Log Collection Service System View Interface

Troubleshoot Log Collection


Log Collection Deployment Guide

The Basics

Procedures

Access Local Collectors and Remote Collectors

Configure Local and Remote Collectors

Pull Events from Remote Collector

Push Events to Local Collectors

Configure Failover Local Collector

Configure Failover Remote Collector

Configure Load Balancing

Configure Replication

Configure Chain of Remote Collectors

Throttle Remote Collector to Local Collector Bandwidth

Reference - Remote/Local Collectors Configuration Parameters Interface

Troubleshoot Log Collection Deployment

Log Collection Configuration Guide

The Basics

Procedures

Step 1: Download Latest Content from LIVE (Needs Work)

Step 2: Configure Settings

Configure Lockbox Security Settings

Configure Certificates

Step 3: Configure Event Sources in Security Analytics

Add Certificates and Passwords

Import, Export, and Edit Event Sources in Bulk

Step 4: Configure the Event Sources to Send Events to Security Analytics

Step 5: Start and Stop Configured Protocols

Step 6: Verify That Log Collection Is Working

Reference - Configuration Parameters Interface

Log Collection General Tab

Log Collection Event Destinations Tab

Log Collection Parameters

Log Collection Event Sources Tab

Log Collection Settings Tab

Lockbox Configuration Parameters

Certificates Configuration Parameters

Troubleshoot Log Collection Configuration


Check Point Collection Configuration Guide

The Basics

Procedures

Step 1: Configure Check Point Event Sources to Send Events to Security Analytics

Step 2: Configure Check Point Event Sources in Security Analytics

Step 3: Start Configured Check Point Collection Protocol

Step 4: Verify That Check Point Collection Is Working

References - Check Point Collection Configuration Parameters

Troubleshoot Check Point Collection

File Collection Protocol Configuration Guide

The Basics

Procedures

Step 1: Configure File Event Sources in Security Analytics

Configure SFTP Shell Script File Transfer

Install and Update SFTP Agent

(Optional) Create Custom Content Typespec for File Collection

Step 2: Configure File Event Sources to Send Events to Security Analytics

Step 3: Start Configured File Collection Protocol

Step 4: Verify That File Collection Is Working

References - File Collection Configuration Parameters

Troubleshoot File Collection

Netflow Collection Configuration Guide

The Basics

Procedures

Step 1: Configure Netflow Event Sources in Security Analytics

Step 2: Configure Netflow Event Sources to Send Events to Security Analytics

Step 3: Start Configured Netflow Collection Protocol

Step 4: Verify That Netflow Collection Is Working

References - Netflow Collection Configuration Parameters

Troubleshoot Netflow Collection

ODBC Collection Configuration Guide

The Basics

Procedures

Step 1: Configure ODBC Event Sources in Security Analytics

Configure Data Source Names (DSNs)

Create Custom Content Typespec for ODBC Collection

Step 2: Configure ODBC Event Sources to Send Events to Security Analytics

Step 3: Start Configured ODBC Collection Protocol

Step 4: Verify That ODBC Collection Is Working

References - ODBC Collection Configuration Parameters

ODBC Event Source Configuration Parameters

ODBC DSNs Event Source Configuration Parameters

Troubleshoot ODBC Collection


SDEE Collection Configuration Guide

The Basics

Procedures

Step 1: Configure SDEE Event Sources in Security Analytics

Step 2: Configure SDEE Event Sources to Send Events to Security Analytics

Task 3: Start Configured SDEE Collection Protocol

Task 4: Verify That SDEE Collection Is Working

Reference - SDEE Event Source Configuration Parameters

Troubleshoot SDEE Collection

SNMP Collection Configuration Guide

The Basics

Procedures

Step 1: Configure SNMP Event Sources in Security Analytics


Configure SNMP v3 Users

Step 2: Configure SNMP Event Sources to Send Events to Security Analytics

Step 3: Start Configured SNMP Collection Protocol

Step 4: Verify That SNMP Collection Is Working

References - SNMP Collection Configuration Parameters

SNMP Event Source Configuration Parameters

SNMP v3 User Manager Configuration Parameters

Troubleshoot SNMP Collection

VMware Collection Configuration Guide

The Basics

Procedures

Step 1: Configure VMware Event Sources in Security Analytics

Step 2: Configure VMware Event Sources to Send Events to Security Analytics

Step 3: Start Configured VMware Collection Protocol

Step 4: Verify That VMware Collection Is Working

References - VMware Event Source Configuration Parameters

Troubleshoot VMware Collection

Windows Collection Configuration Guide

The Basics

Procedures

Step 1: Configure Windows Event Sources in Security Analytics


Configure Kerberos Realm

Step 2: Configure Windows Event Sources to Send Events to Security Analytics

Step 3: Start Configured Windows Collection Protocol

Step 4: Verify That Windows Collection Is Working

References - Windows Collection Configuration Parameters

Windows Event Source Configuration Parameters

Windows Kerberos Configuration Parameters

Troubleshoot Windows Collection


Legacy Windows and NetApp Collection Configuration Guide

The Basics

Procedures

Step 1: Configure Legacy Windows and NetApp Event Sources in Security Analytics

Configure Remote Registry Access

Step 2: Configure Legacy Windows and NetApp Event Sources to Send Events to Security Analytics

Step 3: Start Configured Windows Legacy Collection Protocol

Step 4: Verify That Windows Legacy Collection Is Working

References - Legacy Windows and NetApp Collection Configuration Parameters

Troubleshoot Legacy Windows and NetApp Collection

Security Analytics Licensing Guide

How Entitlements Work

Setting Up Licensing

Step 1: Register the Security Analytics Server

Step 2: Synchronize Security Analytics Server

Step 3: Activate and Deactivate Device Entitlements

(Optional) Configure LLS Expiration Notifications

Additional Procedures

Reclaim Device Licenses

Synchronize Local Licensing Server Offline

Upload a Trial License

View and Manage License Pool on LLS

View Devices with Allocated Licenses

References

Licensing Panel

Allocations Tab

Entitlements Tab

Offline Tab

Settings Tab

Troubleshoot Licensing

System Preferences

System Preferences Overview

Required Procedures

Access System Settings

Configure Investigation Settings

Configure Audit Log

Configure Email Server and Notification Account

Configure Live Settings

Configure Log File Settings

Additional Procedures

Add Custom Context Menu Actions

Configure Proxy for Security Analytics

References

Advanced Configuration Panel

Auditing Configuration Panel

Email Configuration Panel

Live Configuration Panel

Plugins Panel

System Maintenance Guide


Back up and Restore Data for Appliances and Services

Core Appliances Backup and Recovery

ESA Backup and Recovery

Log Collector Backup and Recovery

Malware Analytics Backup and Recovery

Reporting Engine Backup and Recovery

Security Analytics Server Backup and Recovery

Warehouse Connector Backup and Recovery

Monitor Health and Wellness of Security Analytics

Monitor Appliances and Services

Filter Appliances and Services in the Monitoring View

View Appliance Details

View Service Details

Monitor Event Sources

Configure Event Source Monitoring

Filter Event Sources

View Historical Graphs of Events Collected for an Event Source


Monitor System Statistics

Filter System Statistics

View Historical Graphs of System Statistics

Monitor Service Statistics

Add Statistics to a Gauge or Chart

Edit Properties of Statistics Gauges

Edit Properties of Timeline Charts

Monitor Health and Wellness Using SNMP Alerts

View and Modify Queries Using URL Integration

View System and Service Logs

Access Reporting Engine Log File

Search and Export Historical Logs

Health And Wellness Reference Information

Appliance Details View

Archiver Monitoring Tab

Event Source Monitoring View

Event Source Monitoring Settings

Historical Graph View for Events collected from an event source

Historical Graph View for System Stats

Monitoring View

Service Details View

System Stats Browser View

Warehouse Connector Monitoring Settings

Reference

Protocols

Service Statistics

Appliance Statistics

Broker Statistics

Concentrator Statistics

Decoder and Log Decoder Statistics

User Jobs, Notifications, and Preferences Management


Customize User Application Settings

Edit Application Settings

Edit Investigation Preferences

Edit User Password

Manage Jobs and Notifications

Manage User Jobs

Manage User Notifications

References

Profile View Jobs Panel

Profile View Notifications Panel

Profile View Preferences Panel


Investigation Tab

Live Resource Management

Live Content in Security Analytics

Required Procedures

Step 1: Set Up Live on Security Analytics

Step 2: Search for Live Resources

Step 3: Manage Live Resources

Additional Procedures

Add Subscribed Resources for Deployment to Services

Create a Resource Package

Delete a Subscription

Deploy Resources in Live

Deploy Resource to Services

Deploy Resources Manually

Deploy Resources from a Resource Package

Deploy Live Resources Using Deployment Wizard

Display Resource Details in Live Resource View

Download a Resource

Locate and Remove a Deployed Resource from Services

Manage Custom Feeds

Create a Custom Feed

Create an Identity Feed

Edit a Feed

Remove a Feed

Remove Subscribed Resources from the Deployments Subscriptions Grid

Show Results as a Grid or in Detail

Subscribe to Live Resources

Subscribe and Unsubscribe to a Resource

View Detail of a Subscribed Resource in the Resource View

View Subscribed Resources Selected to Deploy on Services

References

Deployment Wizard

Live Configure View

Deployments Tab

Subscriptions Tab

Live Feeds View

Live Resource View

Live Search View

Resource Package Deployment Wizard

Investigation and Malware Analysis

How Analysts Investigate Data

Malware Analysis Functions

Malware Scoring Modules

Configure Investigation Views and Preferences

Configure Malware Summary of Events View

Configure Navigate View and Events View

Conduct an Investigation

Begin an Investigation

Filter Information in Navigate View

Manage and Apply Default Meta Keys in an Investigation

Manage User-Defined Meta Groups

Set Quantification Method and Sort Sequence of Meta Key Results

Set the Time Range for an Investigation

Query Data in Navigate View

Create a Custom Query

Drill into Data in the Navigate View Time Chart

Drill into Data in the Values Panel

View and Modify Queries Using URL Integration

Act on a Drill Point in the Navigate View

Export a Drill Point

Launch an External Lookup of a Meta Key

Launch a Malware Analysis Scan from the Navigate View

Open the Events List

Print the Current Drill Point

Visualize the Current Drill Point in Informer

Examine Events

Export Events and Extract Files

Filter and Search Results in the Events View

Manage Column Groups in the Events View

Reconstruct an Event

Conduct Malware Analysis

Begin a Malware Analysis Investigation

Examine Scan Files and Events in List Form

Filter Dashlet Data in the Summary of Events View

Implement Custom YARA Content

Upload Files for Malware Scanning

Upload Files From a Watched Folder

View Detailed Malware Analysis of an Event

Investigation Reference Materials

Events View

Malware Analysis View

Navigate View

Navigate View and Events View Settings Dialog

Select a Malware Analysis Service Dialog


Alerting

Alerts Overview

Configure ESA Alert Notifications

Configure Notification Servers

Notification Servers Overview

Configure the Email Settings as Notification Server

Configure Script as a Notification Server

Configure the SNMP Settings as Notification Server

Configure the Syslog Settings as Notification Server

Configure Notifications

Notifications Overview

Configure Email as a Notification

Configure Script as a Notification

Configure SNMP as a Notification

Configure Syslog as a Notification

Configure Templates for Alert Notification


Templates Overview

Template Definition

Configure a Template

Additional Procedures

Delete a Template

Duplicate a Template

Edit a Template

Export a Template

Import a Template

Configure Enrichment Sources

Configure Database as Enrichment Source

Configure In-Memory Tables as Enrichment Source

Configure Warehouse Analytics as Enrichment Source

Define ESA Rules

ESA Rule Types

Define a Basic Rule

Define an Advanced ESA Rule

Additional Procedures

Delete ESA Rule

Duplicate ESA Rule

Edit ESA Rule

Export ESA Rules

Import ESA Rules

Configure Synchronization

Migrate the Data from previous ESA version

Alerts Reference Information

Alerts Summary View

Event Processing Language (EPL)

ESA Annotations

New Advanced Rule Tab

New Basic Rule Tab

Rules Tab

All Rules View

Left Panel

Synchronizations View

Services Tab

Settings Tab

Incident Management

Incident Management Process


The Basics

Review Alerts

Filter Alerts

Create an Incident Manually

Add alerts to an existing incident

Incident Management Process Flow

View Incident Queue

View Incident Details

Edit Incidents

Investigate an Incident

Add a Journal Entry

Create a Remediation Task

Send a Remediation task as a Helpdesk Ticket

Send a remediation task to RSA Archer

Close an Incident

Automate the Incident Management Process

Configure Notification Settings

Create an Aggregation Rule

System Integration

Configure Integration Setting to Manage Incidents in Security Analytics

Configure Integration Setting to Manage Incidents in RSA Archer Security Operations

Incident Reference Information

Alerts View

Configure View

Aggregation Rules Tab

New Rule Tab

Notifications Tab

Incident Queue

Remediation View

Remediation Task Details View

Reporting

Reporting Overview

Rules

Rule Overview

Rule Syntax

IPDB Rule Syntax

NWDB Rule Syntax

Rule Types

Supported IPDB Extractor Service Deployments on Virtual Environments

Define Rule Groups and Rules

Add a Rule Group

Define a Rule

Define a Rule Using IPDB Data Source

Define a Rule Using NetWitness Data Source

Define a Rule Using Warehouse Data Source

Test a Rule

Tune IPDB Rules

Additional Rule Definition Procedures

Delete a Rule

Delete a Rule Group

Duplicate a Rule

Edit a Rule

Export a Rule

Export a Rule Group

Import Rules and Rule Groups

View Dependents of a Rule

Manage Access for a Rule or Rule Group

Set Access Control for a Rule

Set Access Control for a Rule Group

Create a Chart Using a Rule

Create a Report Using a Rule

Create an Alert Using a Rule

Rule References

Build Rule View

IPDB Event Source Specification

Rule View

Warehouse Database Rule Definition Modes

Reports

WarehouseDB Simple Rules

WarehouseDB Advanced Rules

Report Overview

Define Report Groups and Reports

Basic Procedures

Add a Report

Add a Report Group

Use Meta Aliases for Reporting Engine

Additional Procedures

Delete a Report

Delete a Report Group

Duplicate a Report

Edit a Report

Export a Report

Export a Report Group

Import Reports and Report Groups

Refresh a Group or Report List

View a List of All Reports

View a Report

References

Build Report View

Report View

View All Reports Panel

View a Report Panel

Schedule Reports

Basic Procedures

Enable or Disable a Scheduled Report

Generate a List from the Scheduled Report

Schedule a Report

Start or Stop a Scheduled Report

View an Execution History of a Scheduled Report

View Scheduled Reports

Additional Procedures

Delete a Scheduled Report

Edit a Scheduled Report

References

Execution History Panel

Generate a List Panel

Scheduled Reports View

Schedule Report Panel

Task Scheduler for Warehouse Reporting

Manage Access for a Report or Report Group

Set Access Control for a Report

Set Access Control for a Report Group

Investigate a Report

Manage a Report Logo

Select a Logo

Select a Logo Panel

Use Variables for Parameterized Reporting


Charts

Chart Overview

Define Chart Groups and Charts

Basic Procedures

Add a Chart

Add a Chart Group

Additional Procedures

Delete a Chart

Delete a Chart Group

Disable a Chart

Drag and Drop a Chart to a Group

Duplicate a Chart

Edit a Chart

Enable a Chart

Export a Chart

Export a Chart Group

Import Charts and Chart Groups

Refresh a Group or Chart List

Search an Existing Chart

View All Charts List

View a Chart

References

Build Chart View

Chart View

Test a Chart View

View a Chart Panel

Manage Access for a Chart or Chart Group

Set Access Control for a Chart

Set Access Control for a Chart Group

Test a Chart

Investigate a Chart

Alerts

Alert Overview

Define Alerts

Basic Procedures

Add an Alert

Additional Procedures

Delete an Alert

Disable an Alert

Edit an Alert

Enable an Alert

Export an Alert

Import an Alert

Refresh an Alerts List

References

Alert View

Create or Modify Alert View

Import an Alert Dialog

View Alerts Panel

Define Alert Templates


Basic Procedures

Add a Template

Additional Procedures

Delete a Template

Edit a Template

View All Templates

References

Create or Modify Template View

Template View

Manage Access for an Alert


Set Access Control for an Alert

Configure Security Analytics to Generate an Alert

Disable a Scheduled Alert

View an Alert List

View Alerts Schedule

View Alerts Schedule View

Investigate an Alert

Configure Reporting Engine to Send Syslog Messages over TCP/TLS for Alerts

Lists

List Overview

Define List Groups and Lists

Add a List

Add a List Group

Additional List Definition Procedures

Delete a List

Delete a List Group

Duplicate a List

Edit a List

Export a List


Export a List Group

Import Lists and List Groups

Manage Access for a List or List Group

Set Access Control for a List

Set Access Control for List Groups

List References

Build List View

List View

Search Reporting Details

Manage Access for Reporting Module

Add a Role and Assign Permissions for Reporting Module


Warehouse Analytics


Warehouse Analytics Overview

Configure Warehouse Analytics

Manage Access to Warehouse Analytics Module

Add a Role and Assign Permissions for Warehouse Analytics

Set Access Control for a Warehouse Analytics Job

Configure Warehouse Analytics Models


Download Warehouse Analytics Model from Live Server
Download a Warehouse Analytics Model


Define a Warehouse Analytics Job

Use a Whitelist in a Warehouse Analytics Job

Additional Procedures

Delete a Warehouse Analytics Job

Edit a Warehouse Analytics Job

Enable or Disable a Scheduled Job

Refresh a Jobs List

View All Jobs List

View a Scheduled Job

References

Job Definition View

Live Resource View

Live Search View

View All Jobs Panel

View a Scheduled Job Panel

Warehouse Analytics View

Analyze a Warehouse Analytics Report

Analyze a Suspicious Domains Report

Analyze a Suspicious DNS Activity Report

Analyze a Host Profile Report

Investigate from a Warehouse Analytics Report


RSA Archer Integration


RSA ECAT Integration

Configure ECAT to Receive RSA Live Feeds

Configure ECAT Alerts via Message Bus

Configure ECAT Alerts via Syslog into a Log Decoder

Configure Contextual Data from ECAT via Recurring Feed



Overview
This guide provides information that administrators, analysts, and operators need to know about Security Analytics 10.4.
RSA Security Analytics is a security solution that leverages the proven technology of RSA NetWitness to provide converged network security monitoring and centralized security information and event management (SIEM). Unlike perimeter or signature-based security solutions, RSA Security Analytics helps analysts discover "interesting" or "anomalous" behavior without depending on foreknowledge of the attacker's specific tools or techniques.
The visual platform unifies security analytics, such as detection, investigation, reporting, content, and administration, into a single browser-based interface. The architecture is designed to bring together other security technologies, such as combining network traffic and log event data, to support the most effective and efficient security operations center analysts.
This RSA Security Analytics User Guide provides information needed to understand and use the features of RSA Security Analytics.

PLEASE NOTE: This guide provides initial 10.4 release documentation.


Note: Although the majority of these documents are final, late breaking changes are still coming in. The Technical
Publications team will continue to roll out updates, additions, and polish over the next few weeks. During this
period, please check here for the latest updates. We appreciate feedback from readers and strive to provide the
information that you need.

2010 - 2014 RSA, The Security Division of EMC.


About This Guide


Overview
This topic provides information to help administrators, analysts, and operators quickly locate topics in the 10.4 User
Guide that are relevant to the task at hand.

Context
This 10.4 User Guide is organized into logical collections of information to guide administrators and operators
in performing tasks, such as configuration, maintenance, and integrations with other RSA products such as ECAT. Other
guides provide information for analysts to learn about Security Analytics tools for reporting, alerting,
investigation, analysis, and incident management. The tables below identify the documents for each audience and
objective.

View and Print Guides


There are numerous individual guides for configuration and use of Security Analytics components and functions.
Readers can view topics online or print a logical subset of the 10.4 User Guide (approximately 50 topics) as a PDF for
use offline. Readers can also create a customized PDF with only the selected topics in a specified order.
Larger guides are packaged as containers, which provide high-level or getting started information, and then targeted
guides for specific cases. The Appliance and Service Configuration Guides and the Log Collection
Guides are examples.

Each guide organizes information in the following sections as they apply to the topic:
An introductory section to introduce and explain the component, feature, function, or process.
A section of basic or required procedures, presented in the sequence that you perform the actions.
A section of additional procedures that are not usually part of the required or basic sequence, but may be
needed at other times, presented in alphabetical order.
A reference section describes the user interface features and provides detailed information about each
feature, and may also provide detailed information about file formats, protocols, and other technical
information. Reference topics are in alphabetical order.


Search the Site


An improved search function lets readers search for a term; a selection list of the available guides (10.1, 10.2, 10.3, and 10.4) is then presented. The enhanced search can lead more quickly to the exact topic that answers a question.

For All Readers


These guides provide general and introductory material that is useful for all readers who want to understand Security Analytics and become more adept at navigating and working in the user interface.
Guide Title: Description
Security Analytics System Overview: A basic system description that identifies components and functions. (available soon)
User Interface Guide: A complete description of the user interface.

For Administrators and Operators


These guides provide instructions for administrators who are configuring appliances and services.
Guide Title: Description
Site Planning Guide: Basic information about environmental requirements, general deployment sequence, and detailed information about port usage.
Virtual Appliance Setup Guide: How to install and configure a virtual appliance.
Appliance and Service Configuration Guides: The Getting Started Guide introduces the concept of appliances and services in Security Analytics with procedures and references that apply to all types of appliances and services. A service-specific configuration guide for each service: Archiver, Broker and Concentrator, Decoder and Log Decoder, Event Stream Analysis, Incident Management, IPDB Extractor, Malware Analysis, Reporting Engine, RSA Analytics Warehouse (MapR-based), and Warehouse Connector. A guide to tuning the core database is intended for advanced users.
Log Collection Guides: The Getting Started Guide introduces the basic tasks to start collecting events. Individual guides cover deployment and configuration for different protocols.
Security Analytics Licensing Guide: Procedures for setup and management of licensing.

These guides provide instructions for administrators who are maintaining Security Analytics, and the appliances
and services in the network.
Guide Title: Description
System Security and User Management Guide: Information about setting up security and controlling user access. (available soon)
System Preferences: How to customize system settings, such as email notifications, the audit log, logging settings, the Live connection, adding custom context menu actions, and configuring a proxy for Security Analytics.
System Maintenance Guide: Maintenance tasks such as monitoring and backup procedures, and reference materials such as listings of service statistics.

These topics provide information that administrators can use to integrate other RSA products with Security
Analytics:
Title: Description
RSA Archer Integration: Setup for integrating RSA Archer with Security Analytics.
RSA ECAT Integration: Setup for integrating RSA ECAT with Security Analytics.

For Analysts
These topics provide information that analysts need:
Title: Description
User Jobs, Notifications, and Preferences Management: Tells individual users who do not have administrative access how to set their password, choose the application language and the default component, enable notifications, and change other settings that apply to their own sessions.
Live Resource Management: Tells analysts how to access, search, and deploy RSA Live resources, such as feeds and parsers.
Investigation and Malware Analysis: Tells analysts how to configure views and behavior in Security Analytics Investigation and how to conduct an investigation of sessions and search for malware.
Alerting: Tells analysts how to create and manage alerts in Security Analytics.
Reporting: Tells analysts how to use the reporting function in Security Analytics.
Warehouse Analytics: Tells analysts how to use the Advanced Analytics function introduced in Security Analytics 10.4. (available soon)
Incident Management: Tells analysts how to use the Incident Management function introduced in Security Analytics 10.4.


User Interface Guide


Overview
Provides an introduction to common concepts and features that Security Analytics users need to understand.

Introduction
In this section, look for information to get started with the RSA Security Analytics user interface. This includes an
introduction to the user interface, as well as the Jobs Tray and Notifications Tray.
Security Analytics presents information in a web browser using dashboards and views. There is one dashboard for all
modules (Security Analytics Dashboard). Each module has its own view that provides specific functions for the module.
In addition, the Profile View presents options for user preferences.
By default, Security Analytics opens to the Security Analytics Dashboard when you log in. In the Profile view, you can
set default application settings according to your preference for language, browser time zone, default component in the
initial view, enable notifications and context menus (see User Preference Configuration Guide).


Elements in the Browser Window


Overview
This topic introduces common Security Analytics elements that are present in every browser window.

Introduction
RSA Security Analytics is a web-based application that you launch in a browser window. Compatible browsers include:
Google Chrome, Mozilla Firefox, and Internet Explorer 9.x.

Screen Captures
An example of the Security Analytics Dashboard illustrates the common elements.


How to Access
To display this view, do one of the following:
Log on to Security Analytics at https://<SA-IP>, where <SA-IP> is the Security Analytics server IP address.
In the Security Analytics menu, select Security Analytics Dashboard.

Features
Every browser window that is accessing Security Analytics includes these elements:
The Security Analytics menu.
The Security Analytics toolbar.
The footer.

Security Analytics toolbar


At the top of all Security Analytics dashboards is the Security Analytics toolbar. Different modules have different content
based on available views. Here are two examples of the Security Analytics toolbar.

These are the features of the Security Analytics toolbar.


Feature: Description
Security Analytics menu: Contains options to access modules, Help, Profile, and Sign Out. Some modules have a submenu of views.
Module View buttons: Displays a view. The button for the currently displayed view is highlighted.
Dashboard button: In Security Analytics 10.0, displays the Unified Dashboard. In earlier versions of Security Analytics, this button is next to the Security Analytics menu on the left, and displays a module-specific dashboard for all modules except Unified.
Jobs button: Displays the Jobs tray, which displays information on jobs for a user.
Notifications button: Displays the Notifications tray, which displays notifications for a user.

Security Analytics Menu


The Security Analytics menu is on the left side of the Security Analytics toolbar.

These are the options in the Security Analytics menu.


Security Analytics Menu Option: Description
Dashboard: Displays the Security Analytics Dashboard.
Investigation: Displays the Investigation module with the Navigate view open. The submenu has options to display the Navigate view, the Events view, and the Malware Analysis view.
Incidents: Displays the Incident Management module.
Alerts: Displays the Alerts module with the View view open. The submenu has options to directly access the views: Summary and Manage.
Reports: Displays the Reports module with the View view open. The submenu has options to directly access the views: View and Manage.
Administration: Displays the Administration module with the Appliances view open. The submenu has options to directly access the Administration views: Appliances, Services, Health & Wellness, or System.
Live: Displays the Live module with the Manage view open. The submenu has options to directly access the Live views: Search, Resources, Manage, and Feeds.
Profile: Displays the Profile to configure user preferences, and view notifications and jobs.
Help: Displays the online help for Security Analytics.
Sign Out: Signs out of Security Analytics.

Footer
The page footer is at the bottom of the browser window.

The footer has two pieces of information:


The user name of the logged in user.
The current Security Analytics version.

Send Us Feedback
The Send Us Feedback tab opens a new email message addressed to our feedback center. We appreciate your
comments and suggestions, and consider them an integral part of our new features and improvements process in
Security Analytics.


Elements in a Dashboard
Overview
This topic explains the structure of Security Analytics dashboards and how to use their features.

Introduction
A dashboard is a group of dashlets that give you the ability to see in one space key snapshots of the various modules
that you consider important. The Security Analytics Unified module has a dashboard. You can compose dashboards to
glean high-level information and metrics that portray the overall picture of a Security Analytics deployment, displaying
only the information that is most relevant to day-to-day operations.

The Default Dashboard


The default dashboard for the Unified module is configured to display specific dashlets in specific positions. The default
dashboard serves as an example of dashboard composition and a starting point for customization.
You can customize the information on the default dashboard by editing dashlets, adding dashlets, moving dashlets, maximizing
dashlets, and deleting dashlets.
After modifying the default dashboard, you can restore the default dashboard to its original layout.
The default dashboard cannot be deleted.

Custom Dashboards
You can create custom dashboards to serve a particular purpose; for example, to represent a specific geographical or
functional area of the network. Each custom dashboard is appended to the Dashboard Selection List.
Once custom dashboards are created, you can:
Switch between dashboards by selecting an option from the Dashboard Selection List.
Delete any custom dashboard.
Import or export a dashboard.

Composing Dashboards provides detailed information on working with dashboards and dashlets.

Screen Captures
An example of the default Security Analytics Dashboard illustrates the common elements in all dashboards.


How to Access
When you log into Security Analytics, the Security Analytics Default dashboard is displayed.

Features
Each dashboard has:
The Actions drop-down
The dashboard title and the Dashboards Selection List
Zero or more dashlets

Dashboard Actions

Next to the current dashboard title is the Dashboard Actions drop-down menu. The Dashboard Actions drop-down
allows various operations on dashboards and dashlets.


Option: Description
Add Dashlet: Displays the Add a Dashlet dialog, where you add a dashlet to the current dashboard.
Change Dashboard Layout: Displays the Change Layout dialog, where you change the layout of the dashboard to one of five options.
Create New Dashboard: Displays the Add a Dashboard dialog, where you define a custom dashboard.
Remove Dashboard: Deletes a custom dashboard. The default dashboard cannot be deleted.
Rename Dashboard: Displays the Rename Dashboard dialog, where you change the dashboard title.
Restore Default Dashboard: Restores the default dashboard to its original appearance, with the default dashlets in their original positions.
Export Dashboard: Creates a .cfg file containing the structure of the current dashboard.
Import Dashboard: Adds a dashboard based on the previously exported .cfg file.

Dashboard Title
The dashboard title reflects the current module; for example, Default dashboard.

Dashboard Selection List


You can access custom dashboards on the Dashboard selection list. When you select a custom dashboard, its title is
displayed below the Security Analytics toolbar.


Dashlets
Security Analytics uses dashlets to display focused subsets of system information, devices, jobs, resources,
subscriptions, rules, and other information.
Security Analytics modules can display only those dashlets presented in the Add a Dashlet dialog. The Unified
dashboard, as the name suggests, offers all Security Analytics dashlets. In an earlier version of Security Analytics,
dashboards were also used to display dashlets in the Administration, Investigation, and Live modules; these dashlets
are now available in the Unified dashboard.
Controls for a dashlet are in the title bar. All dashlets use a common set of controls, and only those that apply to the
particular dashlet appear in the title bar.
Name: Description
Collapse vertically: Collapses the dashlet vertically so that only the title is visible.
Expand vertically: Expands the dashlet to its original size.
Page forward: In dashlets with more than one page, moves to the next page.
Page back: In dashlets with more than one page, moves to the previous page.
Last Page: In dashlets with more than one page, moves to the last page.
First Page: In dashlets with more than one page, moves to the first page.
Reload: Reloads the dashlet.
Settings: Displays configurable settings for the dashlet.
Maximize: In some dashlets with content that does not fit horizontally within the width of the dashlet, maximizes a chart or a dashlet to full screen.
Delete: Deletes the dashlet from the dashboard.


Elements in a View
Overview
This topic explains the structure of Security Analytics views and how to use their features.

Introduction
Some Security Analytics modules (Administration, Investigation, Live, Alerts, and Reports) have views that provide
specific functions for the module.
In addition, the Profile view, accessible directly from the Security Analytics menu, presents options for user preferences.

Screen Captures
This example of the Administration Appliances view illustrates some of the features of a view.


How to Access
To display a view, select a module from the Security Analytics menu (for example, Security Analytics, Administration, Investigation, or Live). As you roll your cursor over the module, you can select a view from the options menu.
From within the module, you can select an alternate view from the Security Analytics toolbar. For example, Administration has four views: Appliances, Services, Health & Wellness, and System.

Features
Each view has different features. Any combination of these features is possible in a view:
Breadcrumbs
Toolbars
Sections
Panels
Grids
Context Menus

The parts of a view are labeled in the illustration below:



Parts of a View
Key and Feature: Description
breadcrumbs: Display the options selected to reach this view. Click on a crumb to go back to the view or menu.
toolbar: A toolbar may apply to the entire view, to a section, or to a panel.
3,4 sections (top to bottom): Within a panel, some dashboards have sections that organize information from top to bottom; for example, the Device Info view has two sections in the Devices panel, the Device section at the top and the Sessions section at the bottom. Sometimes you may need to scroll down to view a section near the bottom of the panel.
5,6 panels (left to right): Within a view, most dashboards have panels that organize information from left to right; for example, the Device Stats view has two panels, the main panel on the left and the Chart Stats Tray panel on the right. The Chart Stats Tray is not the main focus, so it is collapsible to allow more space in the main panel.


Context Menus
Overview
This topic explains how context menus are used in Security Analytics. Security Analytics has a large set of context
menus that you access by right-clicking an object.

Introduction
Context menus offer options that pertain specifically to the current context. In certain views, hovering over an item and
right-clicking the mouse displays the options that can apply to that item. Throughout the Security Analytics
documentation, context menus are discussed in the pertinent modules and views.

Screen Captures
A good example of a context menu is shown in the Navigation view. When you right-click a count for a value (the green
number in the parentheses), the menu offers two options: to open the drill in a new tab or view the geo-map locations in
a new tab.


When you right-click on the value (blue text), a different context menu is displayed. In this context, there are options to
scan for malware, look up the value in Investigation and to display the same drill in a new tab, apply the reverse of this
drill (!EQUALS) in the same tab, or apply the reverse of this drill in a new tab.


Grids
Overview
This topic explains how Security Analytics uses grids to display some information.

Introduction
Much of the information displayed in the Security Analytics dashboards and dashlets is best displayed in rows and
columns. This is called a grid, and all grids can be customized in several ways. You can:
Change the width of columns.
Select which columns to display.
Sort each column in ascending or descending order.

Screen Captures
This is an example of a grid (the Live Search View's Matching Resources grid).


Procedures
Change the Width of a Column
1. Hover in the title bar on the right edge of the title.


2. When the cursor changes to the column resize cursor (one short vertical line with arrows pointing right and left), click and drag
the line to make the column wider or narrower. This is an example of resizing the Name column in progress.

3. When the width is correct, release the mouse button.

Select Which Columns to Display


1. Hover in the title bar on the right edge of the title.


2. When the cursor changes to the selection list icon, click to see the list.

3. At the bottom of the list, select Columns.


A list of available columns is displayed with a check mark for each column currently included in the grid.
4. Select a column name to check or uncheck it.
When you uncheck a column name, that column is removed from the grid. When you check a column name, that column is
added to the grid. This is an example of the Matching Resources grid after several columns are deselected.

Sort the Contents of a Column


1. Hover in the title bar on the right edge of the title.
2. When the cursor changes to the selection list icon, click to see the menu.
The menu displays a list of available sort options.


3. Select from the sort options; for example, Sort Ascending or Sort Descending.
The grid is sorted based on your selection.


Jobs Tray Features


Overview
This topic provides an overview of the Security Analytics jobs system for monitoring jobs.

Introduction
While you are working in Security Analytics, you can open a quick view of your jobs from the Security Analytics toolbar. You can look anytime, but when a job status has changed, the Jobs icon is flagged with the number of running jobs. Once all jobs are completed, that number disappears.


You can also see the jobs in these two views.
In the Profile View, you see the same jobs in a full panel. These are only your jobs.
In the System View, users with administrative privileges can view and manage all jobs for all users in a single jobs panel.

The structure of the jobs panel is the same in all views, and related procedures are provided in Manage Jobs.

Screen Capture


How to Display
To display the Jobs tray, in the Security Analytics toolbar, click the Jobs icon.

Features
The Jobs Tray lists all jobs that you own, recurring and non-recurring, using a subset of the columns available in the
Jobs panel. Otherwise the Jobs Tray and the Profile View > Jobs panel are the same. In the Administration System
view, the Jobs panel lists information about all Security Analytics jobs for all users.
Feature: Description
Resume: The Resume option applies only to recurring jobs that have been paused. When you resume a paused job, the next execution of the job executes as scheduled.
Pause: The Pause option applies only to recurring jobs. When you pause a recurring job that is running, it has no effect on that execution. The next execution (assuming the job is still paused) is skipped.
Cancel: Cancels a recurring or non-recurring job. You can cancel a job while it is running. If you cancel a recurring job, it cancels that execution of the job. The next time the job is scheduled to run, it executes normally.
Delete: Deletes a recurring or non-recurring job from the Jobs panel. When you delete a job, the job is instantly deleted from the Jobs panel. No confirmation dialog is offered. If you delete a recurring job, all future executions are removed as well.

This table describes the Jobs tray and Jobs panel features.
Feature: Description
Selection box: Click in this box to select one or more jobs.
Progress: Shows the percentage complete for a job.
Job Name: The name of the job; for example, Extract Files or Upgrade Device.
Recurring: Indicates whether the job is recurring or non-recurring. Yes = recurring, No = non-recurring.
Component: The component in which the job originated; for example, Investigation or Administration.
Owner: The owner of the job is not included in the default Jobs Tray, because only the current user's jobs are displayed here. The column is available to add.
Status: The status of the job. Common status values are Paused, Running, Canceled, Failed, and Completed; other status values are possible.
Message: Additional information about the job; for example, Extracting files or No sessions found.
Action: Views the job in the Investigation Malware Analysis view, or downloads job files for the job to the default Downloads directory on the local system. Only successfully completed jobs have the View link in the Action column. Only jobs that create a file have the Download link in the Action column.
View Your Jobs: Displays jobs in the Profile View > Jobs panel.
Scheduled: Indicates the date and time at which the job was scheduled to begin.


Notifications Tray
Overview
This topic provides an overview of the Security Analytics system for sending notifications.

Introduction
While you are working in Security Analytics, you can view recent system notifications without leaving the module in
which you are working. You can open a quick view of notifications from the Security Analytics toolbar. You can look
anytime, but when a new notification is received, the Notifications icon is flagged.
Examples of notifications include:
An appliance upgrade completed.
A parser push to decoders completed.
A newer software version is available.

You can see all notifications in a grid format in the Profile View. Procedures for viewing notifications are provided in View
and Delete Notifications.

Screen Capture
This is an example of the Notifications tray.


How to Access
To display the Notifications tray, in the Security Analytics toolbar, click the Notifications icon.

Features
The Notifications tray displays system notifications that have not been viewed previously, in a page format. This table
describes the features of the Notifications tray.
Feature: Description
Title: The title of the notification; for example, File Extraction Complete.
Message: The entire message. In this example, The file extraction is complete and ready for download.
View >>: Some messages include a link that displays a view where you can take action. For example, if there is a file to download, clicking this link opens a new tab showing the view where you can download the file.
Close button: The close button deletes a single notification record in the Notifications Tray, and in the Profile View Notifications Grid.
Created: The number of days since the notification was created.
View All button: Displays the Profile View Notifications Grid.


Configure Security Analytics Dashboards


Overview
This topic provides an overview of the various ways in which you can change the composition of a dashboard.

Introduction
Operations that pertain to dashboards include:
Creating and removing dashboards.
Restoring the default dashboard.
Changing a dashboard layout.
Switching between dashboards.
Adding, deleting, moving, editing, and maximizing dashlets in a dashboard.
Importing and exporting dashboards.


Change Layout of a Dashboard


Overview
This topic explains how to change the dashboard layout.

Introduction
To customize the views in Security Analytics, you can change the layout of the Security Analytics dashboard or a
custom dashboard. The Change a Layout dialog provides a way to change the dashboard layout.

Screen Capture

How to Display
To access this dialog, click Change Dashboard Layout in the Dashboard Actions drop-down menu.

Features
The following table describes the features of the Change Dashboard Layout dialog.

Layout
    Select the type of layout. There are 5 available layouts:
    3 columns of even width
    2 columns of even width
    2 columns, the first column taking two-thirds of the space
    2 columns, the first column taking one-third of the space
    1 column spanning the entire view
Cancel
    If you decide that you do not want to change the dashboard layout, click Cancel.
Change
    To change the dashboard layout, click Change.

Change a Dashboard Layout


1. Navigate to any dashboard.
2. In the Dashboard Actions drop-down menu, click Change Dashboard Layout.
The Change Layout dialog box opens.
3. Choose an appropriate layout for the dashboard and click Change.
The dashboard layout is changed to the selected layout.

Create a Custom Dashboard


Overview
This topic explains how to create a custom dashboard for a Security Analytics module.

Introduction
To tailor Security Analytics to better serve your site and methods, you can create custom dashboards. Some reasons for
creating custom dashboards are:
Consolidate related functionality on a single dashboard.
Create a Unified dashboard with a collection of dashlets for all modules.
Create a dashboard to consolidate dashlets for different network locations.
Create an overview of a given module's capabilities.
Consolidate dashlets that apply to a specific scenario.

Screen Capture

How to Display
You access this dialog from the Security Analytics Dashboard by selecting the Create a Dashboard option from the
Dashboard Actions menu.

Features
The following table describes the fields of the Create a Dashboard dialog.

Dashboard Title
    Type the title for the new dashboard in this field. You can type letters, numbers, special characters, and spaces
    for the name. The permitted length of the name is up to 255 characters.
Layout
    Select the layout for the new dashboard from the following options:
    3 columns of equal width
    2 columns of equal width
    2 columns, the first using two-thirds of the space
    2 columns, the first using one-third of the space
    1 column, spanning the entire width of the panel
Cancel
    If you decide that you do not want to create this dashboard, click Cancel.
Create
    To create the new dashboard, click Create.

Procedures
To create a dashboard:
1. Specify the name for the new dashboard.
2. Select a Layout option for the new dashboard.
3. Click Create.
The dashboard is created and added to the Dashboard selection list.

Now that you have created a dashboard, you can:
Add dashlets to the dashboard.
Export the dashboard.
Remove the dashboard.

Export a Dashboard
Overview
This topic describes how to export a Dashboard.

Introduction
Customizing dashboards to changing circumstances and conditions can result in a large number of dashboards that are
not needed on a daily basis. Rather than re-create a particular custom dashboard from scratch each time you need it,
you can export the dashboards that are not currently in use so that they are available to you at some future point.
The exported file is saved initially to your local Downloads folder.
Exported dashboards are designed to work within the same Security Analytics instance. It is also possible to share your
custom dashboards with other users in your organization, provided that they have equivalent permissions.
To export a dashboard, the dashboard must be open so that you can access the Export Dashboard option in the Dashboard
Actions drop-down menu.
Note: When you export the Reporter Realtime Charts dashboard, you must also export the charts used in the
Report Realtime Chart dashlets as they are not exported by default. When you import the dashboard, you must
manually import the dependent charts used in the Reporter Realtime Chart dashlets.

Export a Dashboard
To export a dashboard:
1. Navigate to the dashboard that you want to export. All existing dashboards appear in the drop-down Dashboard Selection List
in the currently displayed dashboard.

2. Select Export Dashboard in the Dashboard Actions drop-down menu.

3. Your browser may display a warning at the bottom of the screen that downloaded files can harm your computer. If this is the
dashboard you want to export, click Keep.

Import a Dashboard
Overview
This topic describes how to import a dashboard.

Introduction
The ability to customize dashboards to changing circumstances and conditions could result in a large number of
dashboards that are not needed on a daily basis. When you are ready to use a previously exported dashboard, it is a
simple matter to import the dashboard into Security Analytics.
Note: You must import the Reporter Realtime Charts dashboard and its related charts into the same instance of
the Security Analytics server and Reporting Engine from where it was exported. You must ensure that the data
sources configured for the Reporting Engine are the same as on the Security Analytics instance from which it was
exported. If you import the dashboard and related charts into another instance of Security Analytics server, you
must ensure the data source name is updated in the charts.
Note: When you import the dashboard from a previous version to 10.3, you must do the following after you
complete the upgrade:
- Enable the chart again by editing and saving them. Refer to Edit a Chart.
- Remove the Reporter Realtime Chart dashlets that you added prior to the 10.3 version and add them again on
the dashboard.

Screen Captures

Import a Dashboard
To import a dashboard:
1. Access the Import Dashboard dialog in the Dashboard Actions drop-down menu.
2. Browse to the dashboard file in the Import Dashboard dialog.

3. Click Import Dashboard. The dashboard is then displayed in Security Analytics.

Remove a Custom Dashboard


Overview
This topic explains how to remove a custom dashboard in a Security Analytics module.

Introduction
If you find that the Dashboard Selection List in Security Analytics includes custom dashboards that are no longer
needed, you can remove the unused dashboards. The dashboard to be removed must be displayed. The default
dashboard cannot be removed.
Note: If you want the dashboard to be available at some future time, see Export a Dashboard.

Remove a Dashboard
1. In the Dashboard Selection List, select the unused dashboard; for example, Region 3.
The dashboard is displayed.
2. In the Dashboard Actions menu, select Remove this Dashboard.
The Remove Dashboard dialog is displayed.

3. To confirm deletion of the dashboard, click Yes.


The dashboard is removed from the Dashboard Selection List.

Restore the Default Dashboard


Overview
This topic explains how to restore the default dashboard for a Security Analytics module to its original layout.

Introduction
After customizing the default Security Analytics dashboard, you can revert to the original layout of dashlets using the
Restore Default Dashboard option in the Dashboard Actions drop-down. To accomplish this, the dashboard of a
module must be displayed.

Restore the Default Dashboard


To restore the default dashboard in a Security Analytics module:
1. Navigate to the Security Analytics dashboard, which has been customized.
2. In the Dashboard Actions drop-down, click Restore Default Dashboard.
The original layout of the default dashboard is restored.

Select a Dashboard
Overview
This topic explains how to view and select a dashboard on Security Analytics.

Introduction
Custom dashboards appear in the drop-down Dashboard Selection List in the currently displayed dashboard. You
can select any dashboard in the selection list to view.

Switch Between Dashboards


To switch between dashboards in a Security Analytics module:
1. Click on the Dashboard Selection list.
The Dashboard Selection list drops down.

2. Select the dashboard that you want to view.


The dashboard is displayed.

Add a Dashlet
Overview
This topic explains how to add a dashlet to a dashboard.

Introduction
To customize the views in Security Analytics, you can add dashlets to the Security Analytics dashboard or a custom
dashboard. The Security Analytics dashboard, as the name suggests, offers all Security Analytics dashlets. The Add a
Dashlet dialog provides a way to define the name and configurable parameters for a new dashlet.

Screen Capture

How to Display
To access this dialog, click Add a Dashlet in the Dashboard Actions drop-down menu.

Features
The following table describes the features of the Add a Dashlet dialog.

Type
    Select the type of dashlet. Each dashboard has a different list of dashlet types. The Security Analytics Dashboard
    includes all available dashlets in the list of dashlet types. After a Type is selected, any configurable fields are
    displayed. All dashlets have a configurable title. Some have additional parameters.
Title
    Type the title for the new dashlet in this field. You can type letters, numbers, special characters, and spaces
    for the name.
Cancel
    If you decide that you do not want to add this dashlet to the dashboard, click Cancel.
Add
    To add the new dashlet, click Add.

Add a Dashlet to a Dashboard


1. Navigate to any dashboard.
2. In the Dashboard Actions drop-down menu, click Add a Dashlet.
When first opened, the dialog has a Type selection list.

3. Click on the Type selection list to display available types of dashlets, and select the type of dashlet to add; for example, Admin
Service Monitor Dashlet.
Additional configurable fields become available in the Add a Dashlet dialog. For an Admin Service Monitor Dashlet, you
define the dashlet title and the type of service to monitor.

4. Type a title for the dashlet. In the example, Service Monitor Dashlet is also the title.
5. If there are additional configurable fields for the dashlet, set appropriate values. For example, this is the selection list for types of
services to monitor. You can select only one service type.

6. When there are no configurable fields left empty, click Add.


The dashlet is added to the dashboard.

Delete a Dashlet
Overview
This topic explains how to delete a dashlet from a dashboard.

Introduction
To improve the readability and usefulness of the contents of a dashboard, you can remove unrelated, unnecessary, or
distracting dashlets from any dashboard.

Delete a Dashlet from the Dashboard


To delete a dashlet in any dashboard:
1. Click the delete control icon in the dashlet title bar:
The Remove Dashlet dialog asks for confirmation that you want to delete the dashlet.

2. To delete the dashlet, click Yes. If you decide not to delete it, click No.
If you clicked Yes, the dashlet is removed from the dashboard.

Edit Dashlet Properties


Overview
This topic explains how to edit configurable properties of a dashlet.

Introduction
Some dashlets are read-only and properties are not configurable. Other dashlets are configurable to allow users to
customize some aspect of the data displayed in that dashlet. A dashlet with editable properties has a settings icon
that displays the property sheet for editing.
A dashlet with no editable properties does not display the settings icon in the title bar.
Many dashlets have an editable title. An example of a dashlet with additional configurable properties is the Admin
Device Monitor Dashlet where you can edit the following properties:
Dashlet display title.
Type of devices to monitor; for example, show only Decoders, or show Decoders and Concentrators.

Other dashlets have parameters that you define to specify the kind and amount of information you want to see in the
dashlet. The custom Investigation Dashboard has three dashlets. Each of the three displays the settings icon.

Display and Modify the Options for a Dashlet


1. In an Action Events dashlet title bar, click the settings icon.
The Options dialog is displayed.

2. Change the Result Limit from 20 to 40.


You could also have changed any of the displayed properties (Title, Device, Collection Time Period, Meta Type) or added an
additional query.
3. Click Apply.
The changes are applied.

Maximize a Dashlet
Overview
This topic explains how to maximize a chart or an alert dashlet to full screen.

Introduction
When you maximize a dashlet, it opens on the entire area of the main Security Analytics dashboard, with the same
dashlet title.
For example, the Recent Alerts dashlet shown in the figure below can be viewed on the entire area of the Security Analytics
dashboard.

Maximize a Dashlet
To maximize a chart or an alert dashlet:
1. Click the maximize control icon in the dashlet title bar:
The dashlet is displayed on full screen.
2. (Optional) To return from the full-screen view to the dashboard, select Dashboard in the Security Analytics menu.

Move a Dashlet
Overview
This topic explains how to move a dashlet to a different position in a Security Analytics module dashboard.

Introduction
Dashlets can be easily arranged to display according to your preference by dragging and dropping into a different order
on the dashboard.

Drag a Dashlet to a New Position


To move a dashlet:
1. Click and hold in the header of the dashlet that you want to move.
The directional cursor appears over the dashlet.
2. Continue to hold the left mouse button and drag the dashlet toward the new location.
3. Release the mouse button when the dashlet is in the desired location.
The image below shows the Featured Live Resources dashlet as it is moved from the bottom position of column 1 to the top
position of column 3. The dashlet that currently occupies that position moves down.

Security Analytics Dashlets


Overview
This topic introduces the Security Analytics Dashboard and the available dashlets.

Introduction
The Security Analytics Dashboard is the default dashboard displayed when you log into Security Analytics, and it is
populated with a few useful dashlets to get you started with your own customizations (see Composing Dashboards). In
this module, the dashlets for all Security Analytics modules are available to add to the default Security Analytics
Dashboard or a custom Security Analytics Dashboard.
You can juxtapose a list of newly featured Live resources with a summary of statistics about the Decoders in your
environment. The views in this module tie everything together in a way that works best for you.

Screen Capture

How to Access
To display the Security Analytics dashboard, do one of the following:
Log into Security Analytics, and the application opens to the Security Analytics Dashboard.
In the Security Analytics menu, select Default.

Features
Dashlets for all Security Analytics modules are available to add in the default Security Analytics dashboard or a
custom Security Analytics dashboard. All dashlets have a common set of controls described in Dashboards Overview.
This is an example of some currently available dashlets.

Admin News Dashlet


Overview
This topic introduces the Admin News dashlet.

Introduction
This dashlet presents product information and updates for the Administration module.

Screen Capture

How to Access
To display this dashlet in the Security Analytics dashboard or as part of a custom dashboard, click Actions > Add a
Dashlet in the dashboard and select Admin News.

Admin Service List Dashlet


Overview
This topic introduces the Administration Service List Dashlet.

Introduction
The Administration Service List dashlet is a list of available services in Security Analytics with links to administrative
tasks that can be taken on those devices. In effect, this dashlet is a focused subset of the Administration Devices view.

Screen Capture

How to Access
To display this dashlet in the Security Analytics dashboard or as part of a custom dashboard, click Actions > Add
Dashlet in the dashboard and select Admin Service List.


Features
The View menu is a quick link to the View menu in the Administration Devices view. Select a device and click the View
menu to select a view.
The Navigate button is a quick link to the Navigation view in the Investigation module.
The Devices grid has a subset of the grid columns in the Administration Devices view. The columns presented in the dashlet by
default are:

Selection checkbox
    Click in the heading to select or de-select all devices in the list.
Connection Status
    The connection icons indicate whether the connection to the device is good (green) or bad (red and gray).
    Rendering of the entire row in red text also reflects a bad connection status.
Name
    The name of the service; for example HQ-Decoder or 10.26.22.44-Decoder.
Address
    The IP address of the NextGen service; for example, 10.26.22.44.
Type
    The type of service. Possible values are Broker, Concentrator, Decoder, Log Decoder, Log Collector, and Other.

Admin Service Monitor Dashlet


Overview
This topic introduces the Admin Service Monitor dashlet.

Introduction
The Admin Service Monitor dashlet summarizes device version and status information that appears in the Administration
Devices view. This is a subset of the columns in the Devices view.

Screen Capture

How to Access
To display this dashlet in the Security Analytics dashboard or as part of a custom dashboard, click Actions > Add a
Dashlet in the dashboard and select Admin Service Monitor. The Add a Dashlet dialog has an option to select the
device type for the new dashlet.

Features
The dashlet includes this subset of the columns in the Devices view:
Name
Type
Version
Status
Memory usage
CPU

Procedures
Lock a Column While Scrolling Horizontally
To keep a column in view while scrolling to the right:
1. Click the drop-down menu icon in the title of any column.
The column's context menu is displayed.
2. Click Lock.
The column you selected moves to the left side of the grid and remains there when other columns scroll horizontally. In this
example, the Name column remains visible even when you scroll to the right. Notice that part of the Type column has scrolled to
the left, but the Name column remains in place.
3. When you want to unlock the column, right-click and select Unlock.

Dashboard RSA First Watch Dashlet


Overview
This topic describes the Dashboard RSA First Watch dashlet.

Introduction
The Dashboard RSA First Watch dashlet delivers situational awareness and threat intelligence from across the RSA
research and incident-response community, providing customers the intelligence to prepare for, respond to, and mitigate
advanced cyber threats. The RSA First Watch, Incident Response, and CIRC teams track millions of IPs and domains,
as well as dozens of unique threat sources and threat actors.

Screen Captures

How to Access
To display this dashlet in the Unified dashboard or as part of a custom dashboard, click Actions > Add Dashlet in the
dashboard and select Dashboard RSA First Watch.

Features
The dashlet has the following columns.

Date
    The date the article was posted.
Article
    The article title, a sample of the article, and a "Read More" link to the full article.

Dashboard Shortcuts Dashlet


Overview
This topic introduces the Dashboard Shortcuts Dashlet.

Introduction
The Dashboard Shortcuts dashlet offers quick links to common tasks in other areas of Security Analytics. It is a good
tool for first-time users who are trying to get a feel for the system.

Screen Capture

How to Access
To display this dashlet in the Security Analytics dashboard or as part of a custom dashboard, click Actions > Add
Dashlet in the dashboard and select Dashboard Shortcuts dashlet.

Features
In addition to the standard dashlet controls, this dashlet has options that link to common Security Analytics tasks.

Configure Live Connection
    This is a quick link to the Administration System View > Live Configuration Panel, where you configure the
    connection to the Live content management system.
Add a Device
    This is a quick link to the Devices View.
Investigate a Device
    This is a quick link to the Navigate View Features, in which you can select a device to navigate from a list of
    available devices.
Browse Live Resources
    This is a quick link to the Live Search View, in which you search the Live resource library for resources.
Setup Live Intel Sharing
    This is a quick link to the Administration System View, in which you can choose to participate in live
    intelligence sharing.
Manage Live Subscriptions
    This is a quick link to the Live Manage View, in which you view and edit subscriptions and deployments.
View My Jobs
    This is a quick link to the Jobs Panel (Profile View), in which you view Security Analytics jobs.
View My Notifications
    This is a quick link to the Notifications Panel (Profile View), in which you view system notifications.

Dashboard What's New Dashlet


Overview
This topic introduces the Dashboard What's New dashlet.

Introduction
The Dashboard What's New dashlet displays the latest product information and announcements for all Security Analytics
products.

Screen Capture

How to Access
To display this dashlet in the Security Analytics dashboard or as part of a custom dashboard, click Actions >
Add Dashlet in the dashboard and select Dashboard What's New dashlet.

Investigation Jobs Dashlet


Overview
This topic describes the features of the Investigation Jobs dashlet.

Introduction
The Investigation Jobs dashlet displays the status of all jobs in the Investigation module. The toolbar, grid, and job
management procedures are described under Jobs Tray.

Screen Captures

How to Access
To display this dashlet in the Unified dashboard or as part of a custom dashboard, click Actions > Add a Dashlet in the
dashboard and select Investigation Jobs.

Features
The Investigation Jobs dashlet lists all jobs that you own, recurring and non-recurring, and lets you monitor their
progress.

Resume
    Applies only to recurring jobs that have been paused. When you resume a paused job, the next execution of the job
    executes as scheduled.
Pause
    Applies only to recurring jobs. When you pause a recurring job that is running, it has no effect on that execution.
    The next execution (assuming the job is still paused) is skipped.
Cancel
    Cancels a recurring or non-recurring job. You can cancel a job while it is running. If you cancel a recurring job,
    it cancels that execution of the job. The next time the job is scheduled to run, it executes normally.
Delete
    Deletes a recurring or non-recurring job from the Jobs panel. When you delete a job, the job is instantly deleted
    from the Jobs panel. No confirmation dialog is offered. If you delete a recurring job, all future executions are
    removed as well.

Investigation Top Values Dashlet


Overview
This topic introduces the Investigation Top Values Dashlet.

Introduction
This dashlet allows you to inspect the top values for a specific time period and for a specific meta type on a given
appliance.

Screen Captures

How to Access
To display this dashlet in the Security Analytics dashboard or as part of a custom dashboard, click Actions > Add a
Dashlet in the dashboard and select Investigation Top Values Dashlet.

Define Top Values
You define the meta data and query parameters in the Add a Dashlet dialog.

Title
    This title is displayed in the dashlet.
Device
    The name or IP address of the target device.
Time Range
    Select one of the following:
    Last Hour
    Last 3 Hours
    Last 6 Hours
    Last 12 Hours
    Last 24 Hours
    Last 2 Days
    Last 5 Days
Meta Type
    Select the Meta Type from the dropdown list.
Query
    Complete the query to further define the results.
Result Limit
    Choose the number of results to display from the dropdown list.

Live Featured Resources Dashlet


Overview
This topic introduces the features of the Featured Resources dashlet in the Live Module.

Introduction
This dashlet displays the list of Live resources that are tagged as featured for the configured Content Management
System (CMS) server.

Screen Capture

How to Access
To display this dashlet in the Security Analytics dashboard or as part of a custom dashboard, click Actions > Add a
Dashlet in the dashboard and select Live Featured Resources.

Features
This dashlet has a paged view of featured Live resources and provides the following information about each resource.

Resource Type Icon
    Each type of Live resource is represented by an icon. For example, the icon in the screen capture represents a
    Parser feed. Clicking the Resource Type icon opens a new browser tab with the detailed view of the resource in the
    Live Resource view.
Resource Name
    The name of the resource, for example, NetWitness APT Threat IPs. Clicking the Resource Name displays the detailed
    view of the resource in the Live Resource view. The view opens in the current browser tab.
Date Created
    The date the resource was created.
Last Updated Date
    The date the resource was last updated.

Live New Resources Dashlet


Overview
This topic introduces the features of the New Resources dashlet in the Live Dashboard.

Introduction
This dashlet displays a list of Live CMS resources that are tagged as new for the configured Content Management
System (CMS) server. You can click a resource name to go to the detailed view of the resource.

Screen Capture

How to Access
To display this dashlet in the Security Analytics dashboard or as part of a custom dashboard, click Actions > Add a
Dashlet in the dashboard and select Live New Resources Dashlet.

Features
This dashlet has a paged view of new Live resources and provides the following information about each resource.

Resource Type Icon
    Each type of Live resource is represented by an icon. For example, the icon in the screen capture represents a
    Decoder FlexParser. Clicking the Resource Type icon opens a new browser tab with the detailed view of the resource
    in the Live Resource view.
Resource Name
    The name of the resource, for example, Gh0st Protocol Parser. Clicking the Resource Name displays the detailed
    view of the resource in the Live Resource view. The view opens in the current browser tab.
Date Created
    The date the resource was created.
Last Updated Date
    The date the resource was last updated.

Live Subscriptions Dashlet


Overview
This topic introduces the features of the Live Subscriptions dashlet.

Introduction
The Live Subscriptions dashlet presents a listing of all Live resources to which this Security Analytics instance is
subscribed. This is simply a quick reference list. If you need to manage subscriptions, use the Subscriptions Tab in the
Live Manage view.

Screen Capture

How to Access
To display this dashlet in the Security Analytics dashboard or as part of a custom dashboard, click Actions > Add a
Dashlet in the dashboard and select Live Subscriptions.
Features
The grid is a subset of the subscriptions grid in the Live Manage View.

Name
    Displays the name of the subscription.
Type
    Specifies the type of subscription.
Description
    Describes the type of information supplied by the subscription.

Live Updated Resources Dashlet


Overview
This topic introduces the features of the Updated Resources dashlet in the Live Dashboard.

Introduction
This dashlet displays a list of Live CMS resources that are tagged as updated for the configured Content Management
System (CMS) server. You can click on the resource title to go to a detailed view of the resource.

Screen Capture

How to Access
To display this dashlet in the Security Analytics dashboard or as part of a custom dashboard, click Actions > Add a
Dashlet in the dashboard and select Live Updated Resources.

Features
This dashlet has a paged view of updated Live resources and provides the following information about each resource.

Resource Type Icon
    Each type of Live resource is represented by an icon. For example, the icon in the screen capture represents a
    Decoder feed. Clicking the Resource Type icon opens a new browser tab with the detailed view of the resource in the
    Live Resource view.
Resource Name
    The name of the resource, for example, Spamhaus EDROP List IP Ranges. Clicking the Resource Name displays the
    detailed view of the resource in the Live Resource view. The view opens in the current browser tab.
Date Created
    The date the resource was created.
Last Updated Date
    The date the resource was last updated.


Malware Malware with High Confidence IOCs and High Scores Dashlet

Overview
This topic describes the Malware Malware with High Confidence IOCs and High Scores dashlet.

Context
The Malware Malware with High Confidence IOCs and High Scores dashlet presents the events that Malware Analysis
detected with Indicators of Compromise, high likelihood of harboring malware, and high scores in the scoring modules.
This dashlet is available in the Unified dashboard and in the Malware view. When a Malware Analyst first logs in to
Security Analytics, by default the only visible dashlet in the Unified view is the What's New dashlet. The analyst must
create any additional Malware dashlets.
The Malware Malware with High Confidence IOCs and High Scores dashlet is configurable. You can create multiple
copies of the dashlet, filter results, and configure the display of results as an Events List or a Files List.


Screen Capture

How to Access
To display this dashlet in the Security Analytics Dashboard or as part of a custom dashboard, click Actions >
Add Dashlet in the dashboard and select Malware Malware with High Confidence IOCs and High Scores from
the Type drop-down menu.

Features
The following table lists configurable values for this dashlet.

Variable                             Description
Title                                Identifies the name of the dashlet. Each dashlet needs a unique name, especially if
                                     you have more than one instance of the same dashlet. The name appears in the title
                                     bar of the dashlet.
Influenced by High Confidence Only   When checked, only events and files that were flagged as High Confidence (or
                                     likelihood) for containing Indicators of Compromise are displayed in the dashlet.
Static, Network, Community, Sandbox  Filters the results based on the scores for each scoring module. You can set the
                                     value as =, <=, or >=.
Result Limit                         Sets the number of results to be displayed. Possible values in the drop-down list are
                                     5, 10, 20, 30, or 40.
Device                               Selects the device to be monitored.
Time (Relative)                      Limits the time range of displayed results.
Show Events or Show Files            Specifies the form of the results, either Events List or Files List format.

Procedures
To configure the dashlet:
1. In the dashlet title bar, select the options icon.
The options dialog for the dashlet is displayed.
2. In the Title field, enter a name for the dashlet.
3. Select or de-select the Influenced By High Confidence Only option.
4. In the Static, Network, Community, and Sandbox fields, drag the slider or type a number to set the filter for the score in that
scoring module. Select the operator from the drop-down list: =, <=, or >=.
5. In the Device field, select the device you want to monitor.
6. In the Time (Relative) field, select the range of time for displayed results.
7. In the Result Limit field, select the number of entries for the dashlet.
8. Select one of the formats: Show Events or Show Files.
9. Click Add.
The dialog closes and the dashlet is drawn as specified.


Malware Scan Jobs List Dashlet


Overview
This topic introduces the features of the Malware Scan Jobs List dashlet.

Introduction
This dashlet displays the same Scan Jobs List found in the Select a Malware Device dialog. You can open completed
scans directly from this dashlet.

Screen Captures

How to Access
To display this dashlet in the Security Analytics dashboard or as part of a custom dashboard, click Actions > Add a
Dashlet in the dashboard and select Malware Scan Jobs List.

Features
The columns in this Scan Jobs list are the same as those in the Scan Jobs List in the Select a Malware Device dialog.


View a Scan Job
To view a job in the Investigation > Malware Analysis view, double-click on the job. The Summary of Events for the
selected scan opens with the default dashlets displayed in a new browser tab.

Procedures
To configure the dashlet:
1. In the dashlet title bar, select the options icon.
The options dialog for the dashlet is displayed.
2. In the Title field, enter a name for the dashlet.
3. In the Device field, select the device you want to monitor.
4. Click Add.
The dialog closes and the dashlet is drawn as specified.


Malware Top Listing of Highly Suspicious Malware Dashlet


Overview
This topic describes the Top 10 Highly Suspicious Malware dashlet.

Context
The Malware Top Listing of Highly Suspicious Malware dashlet presents the top 10 most suspicious events in the
Malware Events List or the Files List. This dashlet is available in the Unified dashboard and in the Malware view. When
a Malware Analyst first logs in to Security Analytics, by default the only visible dashlet in the Unified view is the What's
New dashlet. The analyst must create any additional Malware dashlets.
The Malware Top Listing of Highly Suspicious Malware dashlet is configurable. You can create multiple copies of the
dashlet, filter results, and configure the display of results as an Events List or a Files List.


Screen Capture

How to Access
To display this dashlet in the Security Analytics Dashboard or as part of a custom dashboard, click Actions > Add
Dashlet in the dashboard and select Malware Top Listing of Highly Suspicious Malware from the Type drop-down
menu.

Features
The following table lists configurable values for this dashlet.

Variable                             Description
Title                                Identifies the name of the dashlet. Each dashlet needs a unique name, especially if
                                     you have more than one instance of the same dashlet. The name appears in the title
                                     bar of the dashlet.
Influenced by High Confidence Only   When checked, only events and files that were flagged as High Confidence (or
                                     likelihood) for containing Indicators of Compromise are displayed in the dashlet.
Static, Network, Community, Sandbox  Filters the results based on the scores for each scoring module. You can set the
                                     value as =, <=, or >=.
Device                               Selects the device to be monitored.
Time (Relative)                      Limits the time range of displayed results.
Result Limit                         Sets the number of results to be displayed. Possible values in the drop-down list are
                                     5, 10, 20, 30, or 40.
Show Events or Show Files            Specifies the form of the results, either Events List or Files List format.

Procedures
To configure the dashlet:
1. In the dashlet title bar, select the options icon.
The options dialog for the dashlet is displayed.
2. In the Title field, enter a name for the dashlet.
3. Select or de-select the Influenced By High Confidence Only option.
4. In the Static, Network, Community, and Sandbox fields, drag the slider or type a number to set the filter for the score in that
scoring module. Select the operator from the drop-down list: =, <=, or >=.
5. In the Device field, select the device you want to monitor.
6. In the Time (Relative) field, select the range of time for returned results.
7. In the Result Limit field, select the number of entries for the dashlet.
8. Select one of the formats: Show Events or Show Files.
9. Click Add.
The dialog closes and the dashlet is drawn as specified.

Launch a Malware Analysis Investigation
To launch a Malware Analysis investigation of an item in the dashlet, double-click an event or file name in the grid.


Malware Top Listing of Possible Zero Day Malware Dashlet


Overview
This topic describes the Malware Top Listing of Possible Zero Day Malware dashlet.

Context
The Top Listing of Possible Zero Day Malware dashlet presents the top 10 events indicative of a possible zero day
attack in the Malware Events List or the Files List. This dashlet is available in the Unified dashboard and in the Malware
view. When a Malware Analyst first logs in to Security Analytics, by default the only visible dashlet in the Unified view is
the What's New dashlet. The analyst must create any additional Malware dashlets.
The Top Listing of Possible Zero Day Malware dashlet is configurable. You can create multiple copies of the dashlet,
filter results, and configure the display of results as an Events List or a Files List.
From this dashlet, you can launch a Malware Analysis investigation of an event directly by double-clicking the event;
you do not have to go to the Investigation > Malware view to begin.

Screen Capture
This is an example of the dashlet configured to display the Files List.


How to Access
To display this dashlet in the Security Analytics Dashboard or as part of a custom dashboard, click Actions > Add a
Dashlet in the dashboard and select Malware Top Listing of Possible Zero Day Malware from the Type drop-down
menu.

Features
The following table lists configurable values for this dashlet.

Variable                             Description
Title                                Identifies the name of the dashlet. Each dashlet needs a unique name, especially if
                                     you have more than one instance of the same dashlet. The name appears in the title
                                     bar of the dashlet.
Influenced by High Confidence Only   When checked, only events and files that were flagged as High Confidence (or
                                     likelihood) for containing Indicators of Compromise are displayed in the dashlet.
Static, Network, Community, Sandbox  Filters the results based on the scores for each scoring module. You can set the
                                     value as =, <=, or >=. The operator for the community filter is less than or equal
                                     to the applied slider value by default. The operator for the other filters is
                                     greater than or equal to by default.
Device                               Selects the device to be monitored.
Time (Relative)                      Limits the time range of displayed results.
Result Limit                         Sets the number of results to be displayed. Possible values in the drop-down list are
                                     5, 10, 20, 30, or 40.
Show Events or Show Files            Specifies the form of the results, either Events List or Files List format.

Procedures
To configure the dashlet:
1. In the dashlet title bar, select the options icon.
The options dialog for the dashlet is displayed.
2. In the Title field, enter a name for the dashlet.
3. Select or de-select the Influenced By High Confidence Only option.
4. In the Static, Network, Community, and Sandbox fields, drag the slider or type a number to set the filter for the score in that
scoring module. Select the operator from the drop-down list: =, <=, or >=.
5. In the Service field, select the service you want to monitor.
6. In the Time (Relative) field, select the range of time for returned results.
7. In the Result Limit field, select the number of entries for the dashlet.
8. Select one of the formats: Show Events or Show Files.
9. Click Add.
The dialog closes and the dashlet is drawn as specified.


Reporting RE Top Alerts Dashlet


Overview
This topic describes the Top Alerts dashlet.

Introduction
The Reports RE Top Alerts dashlet is a configurable dashlet that depicts top alerts in four chart types. You can
configure the results to include in the chart (from the top 2 alerts to the top 15 alerts in the specified time range).
The chart is summarized for each top alert against the number of events triggered by the alert for the defined time and
refresh intervals. The first data point in the chart defines the number of events (alert count) triggered by the alert for the
defined time. The subsequent data points are depicted by adding the alert count in the first data point and alert count in
the defined refresh intervals.
For example, if for the defined time range, the number of events (alert count) triggered by the alert is 10, then the first
data point in the chart is shown as 10. The subsequent data point = 10 + number of events (alert count) triggered by the
alert in the defined dashlet refresh interval.


Screen Captures

How to Access
To display this dashlet in the Security Analytics Dashboard or as part of a custom dashboard, click Actions > Add
Dashlet in the dashboard and select Reports RE Top Alerts from the Type drop-down menu.

Features
This dashlet is a visual representation of the alerts most frequently triggered by the associated Reporting Engine.
Each chart type can be defined by the number of top alerts, the time from when the alerts needs to be fetched, and the
dashlet refresh interval for the chart to be refreshed.
Variable                            Description
Chart Type                          Select the type of chart that you want in the dashlet:
                                    Bar (X-axis = Count and Y-axis = Alert name)
                                    Column (X-axis = Count and Y-axis = Alert name)
                                    Pie
                                    Line (X-axis = Count and Y-axis = Alert name)
                                    Tabular (X-axis = Count and Y-axis = Alert name)
Title                               Provide a name for the Reporting Realtime Chart dashlet. The name appears in the
                                    title bar of the dashlet.
Top                                 Select the number of top alerts to be considered while configuring the dashlet. The
                                    value ranges from 2 - 15.
Past Hours                          Select the time from when the alerts need to be fetched.
Dashlet Refresh Interval (Minutes)  Set the time interval in minutes at which the data in the dashlet gets refreshed. The
                                    interval value ranges from 1-180 minutes.

Procedures
Configure the Alerts Dashlet
You can configure the chart to display the top 2 through the top 15 most frequently triggered alerts. You can set the
number when adding a dashlet or in the dashlet options dialog.
To configure the dashlet:
1. In the dashlet title bar, select the options icon.
The options dialog for the dashlet is displayed.
2. In the Type field, enter a dashlet type.
3. In the Title field, enter a title for the dashlet.
4. In the Top field, select a number from the selection list.
5. In the Chart Type field, select a chart type from the drop-down list.
6. In the Past Hours field, select the past time interval.
7. In the Dashlet Refresh Interval field, select the dashlet refresh interval from the selection list.
8. Click Add.
The dialog closes and the dashlet is drawn as specified.


Reports Realtime Chart Dashlet


Overview
This topic describes the Reports Realtime Chart dashlet.

Introduction
This dashlet displays one of the charts from the list of charts that you defined. The chart output is from the live data and
it refreshes itself based on the refresh interval that you set. Each chart is defined by Chart Type and Past Hours value
that you select.
You can select either the Time Line view of the series or the Summary view of the series. The chart graphs the current
data and does not display data points for historical data.
The chart is generated for data depending on the time interval that you defined in the chart definition. The data are
available from a maximum of the past 20 time intervals. For example, if in the chart definition you selected a refresh
interval as five minutes and past hour as one hour, the chart displays data from the past 60 minutes. The chart in the
dashlet refreshes itself based on the dashlet refresh interval that you have defined.
Note: The chart data will be plotted based on the date and time the chart is enabled. For more information,
see Add a Chart.


Screen Captures

How to Access
To display this dashlet in the Security Analytics Dashboard or as part of a custom dashboard, click Actions > Add
Dashlet in the dashboard and select the Reports Realtime Chart from the Type drop-down menu.

Features
Chart options are listed in the following table.
Variable                            Description
Title                               Provide a name for the Reporting Realtime Chart dashlet. The name appears in the
                                    title bar of the dashlet.
Chart                               Select a chart from the already defined charts. You can select only one chart per
                                    dashlet.
Series                              Timeline: Renders the chart for the entire time range selected.
                                    Summarize: Renders the summary of data.
Chart Type                          Select the type of chart that you want in the dashlet. The values provided in the
                                    drop-down are: bar, column, and line.
Past Hours                          Select the past time interval.
Dashlet Refresh Interval (Minutes)  Set the time interval in minutes at which the data in the dashlet gets refreshed. The
                                    interval value ranges from 1-180 minutes.

Procedures
Configure the Dashlet
To configure the dashlet:
1. In the dashlet title bar, select the options icon.
The options dialog for the dashlet is displayed.
2. Select one of the charts from the charts that you have already defined. The drop-down list shows the charts that are defined in
the Reports > Charts panel.
3. In the Title field, enter the name of the chart.
4. In the Series drop-down list, select Timeline or Summarize.
5. Select the Chart Type from the drop-down list.
The available chart types depend on the Series that you have chosen. If you selected Summarize, the only options are Column
and Pie Chart.
6. In the Past Hours field, select the past time interval.
7. In the Dashlet Refresh Interval field, select the dashlet refresh interval.
8. Click Add.
The dialog closes and the dashlet is drawn as specified.


Reports Recent Run Report Dashlet


Overview
This topic introduces the features of the Reports Recent Run Report dashlet.

Introduction
The Reports Recent Run Report dashlet consists of a list of reports that were run recently in Security Analytics. The
recent reports displayed are from the last 24 hours.

Screen Captures

How to Access
To display this dashlet in the Unified dashboard or as part of a custom dashboard, click Actions > Add a Dashlet in the
dashboard and select Reports Recent Run Report dashlet.

Features
The columns present in the dashlet by default are:

Column         Description
Report Name    The name of the recently run report.
Run Config     The run configuration of the recently run report.
Time           The time the report was scheduled.
Export         Click on the export icon to export the file.


Reports RE Alert Variance Dashlet


Overview
This topic describes the Reports RE Alert Variance dashlet.

Introduction
The Reports RE Alert Variance dashlet is a configurable dashlet that depicts top alerts in four different time series chart
types. You can configure the results to include in the chart (from the top 2 alerts to the top 15 alerts in the specified time
range).

Screen Captures

How to Access
To display this dashlet in the Security Analytics Dashboard or as part of a custom dashboard, select Actions > Add
Dashlet in the dashboard drop-down and select Reports RE Alert Variance from the Type drop-down menu.


Features
This dashlet is a visual representation of the alerts most frequently triggered by the associated Reporting Engine.
Each chart type can be defined by the number of alerts and past hours from when the alerts need to be fetched, and the
dashlet refresh interval for the chart to be refreshed.
Variable                            Description
Type                                Select the type of chart that you want in the dashlet:
                                    Bar (X-axis = Count and Y-axis = Alert name)
                                    Column (X-axis = Count and Y-axis = Alert name)
                                    Line (X-axis = Count and Y-axis = Alert name)
Title                               Provide a name for the Reporter Realtime Chart dashlet. The name appears in the
                                    title bar of the dashlet.
No of Alerts                        Select the number of alerts to be considered while configuring the dashlet. The
                                    value ranges from 2 - 15.
Past Hours                          Select the time from when the alerts need to be fetched.
Dashlet Refresh Interval (Minutes)  Set the time interval in minutes at which the data in the dashlet gets refreshed. The
                                    interval value ranges from 1-180 minutes.

Procedures
Configure the Reporting RE Alert Variance Dashlet
To configure the dashlet:
1. In the dashlet title bar, select the options icon.
The options dialog for the dashlet is displayed.
2. In the Title field, enter a name for the dashlet.
3. In the No of Alerts field, select a number from the selection list.
4. In the Chart Type field, select the chart type from the drop-down list.
5. In the Past Hours field, specify the time from when the alerts need to be fetched.
6. In the Dashlet Refresh Interval field, select the dashlet refresh interval.
7. Click Add.
The dialog closes and the dashlet is drawn as specified.


Reports RE Recent Alerts Dashlet


Overview
This topic describes the Reports RE Recent Alerts dashlet in the Security Analytics Dashboard.

Introduction
The Reports RE Recent Alerts dashlet displays the latest alerts on the dashboard. You can configure the number of
latest alerts to be displayed, and you can also specify the time range from when the alerts need to be fetched.

Screen Captures

How to Access
To display this dashlet in the Security Analytics Dashboard or as part of a custom dashboard, click Actions > Add
Dashlet in the dashboard and select Reports RE Recent Alerts from the Type drop-down menu.

Features
Column      Description
Name        Displays the name of the alert as defined.
Detected    Displays the date and time that the alert fired. This detection time is when Security Analytics
            detected the conditions for firing this alert.

Procedures
Configure the Recent Alerts Dashlet
To configure the recent alerts dashlet:
1. In the dashlet title bar, select the options icon.
The options dialog for the dashlet is displayed.
2. In the Top field, select a number from the selection list.
3. In the Past Hours field, specify the time from when the alerts need to be fetched.
4. Change any of the other parameters for the dashlet.
5. Click Add.
The dialog closes and the dashlet is drawn as specified.


Site Planning Guide


Overview
This document is a guide to site planning when installing Security Analytics appliances in your network.

Introduction
This guide is intended to help you identify the specifications for your RSA Security Analytics network in preparation for
installation. With distributed networks, Brokers, Concentrators, Decoders, and Log Decoders may be installed in diverse
geographical locations before the Security Analytics server appliance is installed and brought online. Even in small
networks, planning can ensure that all goes smoothly when you are ready to bring the devices online.


Site Requirements and Safety


Overview
This topic provides important information about the environment in which you install RSA devices.

Introduction
This section contains vital information to reduce the risk of bodily injury, electrical shock, fire, and equipment damage.
Read it thoroughly and observe all warnings and precautions prior to installing or maintaining your RSA devices.

Intended Application Uses
This product was evaluated as Information Technology Equipment (ITE) that may be installed in offices, schools,
computer rooms, and similar indoor commercial type locations. This device is not intended for any connection to an
outdoor type cable.

Service
There are no user-serviceable components inside of this device. Please contact Customer Care in the event of a
malfunction.
In a fault condition, high temperatures may arise inside the system causing an alarm signal. In the event of the alarm
signal, immediately disconnect the device from the power source and contact Customer Care. Further operation of the
device will be unsafe and may cause personal injury or property damage.

Safety Information
Site Selection
The system is designed to operate in a typical office environment. Choose a site that is:
Clean, dry, and free of airborne particles (other than normal room dust).
Well-ventilated and away from sources of heat, including direct sunlight and radiators.
Away from sources of vibration or physical shock.
Isolated from strong electromagnetic fields produced by electrical devices.
In regions that are susceptible to electrical storms, we recommend you plug your system into a surge suppressor.
Provided with a properly grounded wall outlet.
Provided with sufficient space to access the power supply cords, because they serve as the product's main power disconnect.

Equipment Handling Practices
Reduce the risk of personal injury or equipment damage by:
Conforming to local occupational health and safety requirements when moving and lifting equipment.
Using mechanical assistance or other suitable assistance when moving and lifting equipment.
Reducing the weight for easier handling by removing any easily detachable components.

Power and Electrical Warnings
Caution: The power button, indicated by the standby power marking, DOES NOT completely turn off the
system AC power; 5V standby power is active whenever the system is plugged in. To remove power from the
system, you must unplug the AC power cord(s) from the wall outlet.
Do not attempt to modify or use an AC power cord if it is not the exact type required. A separate AC cord is required for each
system power supply.
This product contains no user-serviceable parts. Do not open the system.
When replacing a hot-plug power supply, unplug the power cord to the power supply being replaced before removing it from the
server.

Rack Mount Warnings
The equipment rack must be anchored to an unmovable support to prevent it from tipping when a server or piece of equipment is
extended from it. The equipment rack must be installed according to the rack manufacturer's instructions.
Mounting of the equipment in the rack should be such that a hazardous condition is not achieved due to uneven mechanical
loading.
Extend only one piece of equipment from the rack at a time.
To avoid risk of potential electric shock, a proper safety ground must be implemented for the rack and each piece of equipment
installed in it.

Cooling and Air Flow
Installation of the equipment should be such that the amount of air flow required for safe operation of the equipment is
not compromised.

Antenna Placement
This equipment should be installed and operated with a minimum distance of 7 cm between the radiator and your body.
The antennas used for this transmitter must not be co-located or operating in conjunction with any other antenna or
transmitter.


Deployment Overview
Overview
This topic introduces the general deployment process for Security Analytics systems.

Context
The components and topology of a Security Analytics network can vary greatly between installations, and should be
carefully planned before the process begins. After the initial planning, and consideration of site requirements and safety
requirements, the general sequence is:
1. Install appliances and connect to the network as described in the Hardware Setup Guides.
2. Set up licensing for Security Analytics as described in the Security Analytics Licensing Guide.
3. Configure individual appliances and services as described in Appliance and Service Configuration Guides.


Network Architecture and Ports
Overview
This topic provides information on Security Analytics Architecture and the service ports used by each Security Analytics
device.

Security Analytics Network Architecture
The following diagram illustrates the Security Analytics network architecture with ports used for communications. The
ports used for communications in Security Analytics 10.4 have changed from those used in Security Analytics 10.4.


Security Analytics Device and Service Ports
In versions prior to Security Analytics 10.4, an administrator could use the native protocol for fast non-SSL
communications such as aggregation, and the REST API for SSL communications between the Security Analytics server
and the devices. Because all communications from the Security Analytics server have moved from the REST API to the
native Security Analytics Core ports, an additional native Security Analytics Core port has been added per appliance
service. This allows an administrator to enable secure (SSL) network communications while still being able to use the
non-secure (HTTP and native Security Analytics Core) connectivity methods for communication between services that are
present on the same system. Administrators can toggle the ports on and off to support only SSL, only non-SSL, or both.
The following table lists the Security Analytics devices and their respective service ports:

Device/Service                                        Port(s) / Security Analytics Core Non-SSL             Security Analytics Core SSL
Appliance                                             50006
Appliance (REST)                                      50106
Archiver                                              50008                                                 56008
Archiver (REST)                                       50108
Broker                                                50003                                                 56003
Broker (REST)                                         50103
rsaCAS                                                50010
CLDB                                                  7222
CLDB JMX Monitor port                                 7220
CLDB Web Port                                         7221
Concentrator                                          50005                                                 56005
Concentrator (REST)                                   50105
Decoder                                               50004                                                 56004
Decoder (REST)                                        50104
ESA                                                   50030
HBase Master                                          60000
Incident Management                                   50040
IPDB Extractor                                        50009
IPDB Extractor                                        50025                                                 56025
IPDB Extractor (REST)                                 50125
JobTracker                                            9001
JobTracker Web                                        50030
Local Log Collector (NwLogCollector on Log Decoder)   50001, pulls from Remote Log Collector through 5671   56001
LDAP                                                  389
Log Decoder                                           50002                                                 56002
Log Decoder (REST)                                    50102
Log Decoder Protobuf                                  50202
Log Decoder Protobuf                                  56202
Log Decoder Syslog                                    514
Log Decoder Syslog                                    6514
Malware Analysis                                      60007
MFS Server                                            5660
NFS                                                   2049
NFS Management                                        9998
NFS Monitor (For HA)                                  9997
NFS Port Mapper                                       111
Remote Log Collector (NwLogCollector on remote VM)    50101, pushes to Local Log Collector through 5671
Reporting Engine                                      51113
SA Warehouse Agent                                    50020
SMTP                                                  25
SSH                                                   22
TaskTracker Web                                       50060
Warehouse Connector                                   50020                                                 56020
Warehouse Connector (REST)                            50120
Web UI HTTP                                           8080
Web UI HTTPS                                          8443
Workbench                                             50007                                                 56007
Workbench (REST)                                      50107
ZooKeeper                                             5181
ZooKeeper Leader Communication                        2888
ZooKeeper Leader Election                             3888
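As an added example (not part of the RSA documentation), the following script compares the TCP ports a host is actually listening on with the table above, so that a Core service still exposing its non-SSL native port or a REST (HTTP) port under an SSL-only policy, a Core service whose SSL port is not up, or an undocumented listener is reported. The `ss -lnt` output embedded in it is constructed, and the finding names are the example's own.

```python
import re

# Native Security Analytics Core services from the table above that have both a non-SSL
# port (500xx) and an SSL port (560xx): non-SSL port -> (service, SSL port).
CORE_PORTS = {
    50001: ("Local Log Collector", 56001),
    50002: ("Log Decoder", 56002),
    50003: ("Broker", 56003),
    50004: ("Decoder", 56004),
    50005: ("Concentrator", 56005),
    50007: ("Workbench", 56007),
    50008: ("Archiver", 56008),
    50020: ("Warehouse Connector", 56020),
    50025: ("IPDB Extractor", 56025),
}
SSL_PORTS = {ssl_port: service for service, ssl_port in CORE_PORTS.values()}

# REST ports from the table. The text counts REST (HTTP) among the non-secure methods.
REST_PORTS = {
    50102: "Log Decoder", 50103: "Broker", 50104: "Decoder", 50105: "Concentrator",
    50106: "Appliance", 50107: "Workbench", 50108: "Archiver",
    50120: "Warehouse Connector", 50125: "IPDB Extractor",
}

# Other listeners documented in the table, so that they are not reported as unknown.
OTHER_PORTS = {
    22: "SSH", 25: "SMTP", 111: "NFS Port Mapper", 389: "LDAP", 514: "Log Decoder Syslog",
    2049: "NFS", 5181: "ZooKeeper", 5660: "MFS Server", 6514: "Log Decoder Syslog",
    8080: "Web UI HTTP", 8443: "Web UI HTTPS", 50006: "Appliance", 50010: "rsaCAS",
    50030: "ESA", 50040: "Incident Management", 50202: "Log Decoder Protobuf",
    51113: "Reporting Engine", 56202: "Log Decoder Protobuf", 60007: "Malware Analysis",
}

# One `ss -lnt` row: State, Recv-Q, Send-Q, Local Address:Port (IPv4 or [::] form), Peer.
SS_ROW = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+?):(\d+)\s", re.MULTILINE)

# Constructed `ss -lnt` output for a host running a Broker and a Concentrator; it was not
# captured from a real system. Port 9999 stands in for an undocumented listener.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:50003       0.0.0.0:*
LISTEN 0      128    0.0.0.0:56003       0.0.0.0:*
LISTEN 0      128    0.0.0.0:50103       0.0.0.0:*
LISTEN 0      128    0.0.0.0:50005       0.0.0.0:*
LISTEN 0      128    [::]:8443           [::]:*
LISTEN 0      128    0.0.0.0:9999        0.0.0.0:*
"""


def parse_listeners(ss_output):
    """Return the set of local TCP ports in LISTEN state from `ss -lnt` output."""
    return {int(port) for _addr, port in SS_ROW.findall(ss_output)}


def audit(listening, ssl_only):
    """Compare listening ports with the documented port table.

    Returns a list of (finding, port, service) tuples, in port order:
      non-ssl-core-open       a native non-SSL Core port listens under an SSL-only policy
      rest-http-open          a REST (HTTP) port listens under an SSL-only policy
      ssl-port-not-listening  a Core service listens on its non-SSL port but not its SSL port
      unknown-listener        a listening port that the table does not document
    """
    findings = []
    for port in sorted(listening):
        if port in CORE_PORTS:
            service, ssl_port = CORE_PORTS[port]
            if ssl_only:
                findings.append(("non-ssl-core-open", port, service))
            elif ssl_port not in listening:
                findings.append(("ssl-port-not-listening", ssl_port, service))
        elif port in REST_PORTS:
            if ssl_only:
                findings.append(("rest-http-open", port, REST_PORTS[port]))
        elif port not in SSL_PORTS and port not in OTHER_PORTS:
            findings.append(("unknown-listener", port, None))
    return findings


if __name__ == "__main__":
    ports = parse_listeners(SAMPLE_SS_OUTPUT)
    for ssl_only in (False, True):
        print("Policy: SSL only" if ssl_only else "Policy: SSL and non-SSL")
        for finding, port, service in audit(ports, ssl_only):
            print(f"  {finding:<24} {port:<6} {service or ''}")
```

On a real appliance, feed the script the output of `ss -lnt` and set `ssl_only` to match the toggle state chosen for that host.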


Virtual Appliance Setup Guide
Overview
This guide provides instructions for installing and configuring virtual instances of the Security Analytics devices.

Context
This document provides instructions for installing and configuring virtual instances of the following Security Analytics devices:
Archiver
Broker
Concentrator
Event Stream Analysis
Log Decoder
Malware Analysis
Packet Decoder
Remote IPDB
Remote Log Collector
Security Analytics Server
Warehouse Connector

This document pertains only to the elements of installation and configuration that depend on instances of Security Analytics running in a virtualized environment.

Virtual Appliance Overview


Overview
This topic provides an overview of the virtual instances of Security Analytics devices.

Introduction
You can install the following Security Analytics devices in your virtual environment as a virtual appliance and inherit
features that are provided by your virtual environment:
Archiver
Broker
Concentrator
Event Stream Analysis
Log Decoder
Malware Analysis
Packet Decoder
Remote IPDB
Remote Log Collector
Security Analytics Server
Warehouse Connector

You must be familiar with the following VMware infrastructure concepts:
VMware vCenter Server
VMware ESX host
Virtual machine

For information on these VMware concepts, refer to the VMware product documentation.
The virtual appliances are provided as an Open Virtual Appliance (OVA). You need to deploy the OVA file as a virtual
machine in your virtual infrastructure. You then need to configure the virtual appliance as a single appliance or as a
cluster.

Installation Media
Installation media are in the form of Open Virtual Appliance (OVA) packages, which are available for download and installation from Download Central (https://knowledge.rsasecurity.com). As part of your RSA order fulfillment, you are provided access to the OVFs that pertain to each component ordered.

Virtual Environment Recommendations
The virtual appliances installed with the OVF packages have the same functionality as the Security Analytics hardware appliances. As a result, when implementing any of the virtual appliances, you must account for the backend hardware.
Based on the resource requirements of the different components, follow best practices to utilize the system and dedicated storage appropriately.
Ensure that backend disk configurations provide a minimum write speed 10% greater than the required sustained capture and ingest rate for the deployment.
Build Concentrator directories for the meta and index databases on SSD/EFD HDD.
If the database components are separate from the installed OS components (that is, on a separate physical system), provide direct connectivity using either two 8-Gbps Fibre Channel SAN ports per virtual appliance or 6-Gbps SAS connectivity.

Virtual Host Minimum Requirements


The following table lists CPU, Memory, and OS Disk partition minimum requirements for the virtual appliances.
The disk requirements are fixed sizes for the OVA packages.
RAM and CPU metrics are minimums and are also dependent on the capture and ingest environment.
The requirements were tested at ingest rates of 5k EPS for logs and 300 Mbps for packets.

Virtual Appliance Type      Quantity of CPUs   CPU Specifications         RAM     Disk
Packet Decoder                                 Intel Xeon CPU @2.93 GHz   16 GB   320 GB
Log Decoder                                    Intel Xeon CPU @2.93 GHz   16 GB   320 GB
Concentrator                                   Intel Xeon CPU @2.93 GHz   16 GB   320 GB
Archiver                                       Intel Xeon CPU @2.93 GHz   16 GB   320 GB
Broker                                         Intel Xeon CPU @2.93 GHz   16 GB   320 GB
Warehouse Connector                            Intel Xeon CPU @2.93 GHz   16 GB   320 GB
Security Analytics Server                      Intel Xeon CPU @2.93 GHz   16 GB   320 GB

Virtual Remote Collector Sizing Guidelines


The following table lists the recommended Cores, Memory, and Disk size for the Remote Collector Virtual Machine based on events per second (EPS).

EPS     Cores   Memory   Disk
1k              2 GB     150 GB
2.5k            2.5 GB   150 GB
5k              3 GB     150 GB
