User Documentation
Copyright 2010 - 2014 RSA, the Security Division of EMC. All rights reserved.
Trademarks
RSA, the RSA Logo and EMC are either registered trademarks or trademarks of EMC Corporation in the United States and/or other countries. All other
trademarks used herein are the property of their respective owners. For a list of EMC trademarks, go to www.emc.com/legal/emc-corporation-trademarks.htm.
License Agreement
This software and the associated documentation are proprietary and confidential to EMC, are furnished under license, and may be used and copied only in
accordance with the terms of such license and with the inclusion of the copyright notice below. This software and the documentation, and any copies thereof,
may not be provided or otherwise made available to any other person.
No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any unauthorized use or reproduction of
this software and the documentation may be subject to civil and/or criminal liability. This software is subject to change without notice and should not be
construed as a commitment by EMC.
Third-Party Licenses
This product may include software developed by parties other than RSA. The text of the license agreements applicable to third-party software in this product
may be viewed in the thirdpartylicenses.pdf file.
Note on Encryption Technologies
This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption technologies, and current use, import,
and export regulations should be followed when using, importing or exporting this product.
Distribution
Use, copying, and distribution of any EMC software described in this publication requires an applicable software license. EMC believes the information in this
publication is accurate as of its publication date. The information is subject to change without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY
KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY
OR FITNESS FOR A PARTICULAR PURPOSE.
Elements in a Dashboard
Elements in a View
Context Menus
Grids
Notifications Tray
Export a Dashboard
Import a Dashboard
Select a Dashboard
Add a Dashlet
Delete a Dashlet
Maximize a Dashlet
Move a Dashlet
Malware with High Confidence IOCs and High Scores Dashlet
Deployment Overview
The Basics
Required Procedures
Remove an Appliance
Reboot Appliance
Set SNMP
References
Appliances View
Services View
Properties Dialog
Roles Tab
Users Tab
Gauges
Timeline Charts
System View
Historical Tab
Realtime Tab
Settings Tab
Archiver Overview
Configure Archiver
Additional Procedures
Group Aggregation
Reference Information
References
Required Procedures
References
Services Config View Feeds Tab - Decoder
Upload Feeds Dialog
Services Config View Files Tab - Decoder
Flex Parser
Arithmetic Functions
General Functions
Logging Functions
Nodes
Payload Functions
Regex
String Functions
Geo IP Parser
Lua Parsers
Search Parser
Additional Procedures
References
ESA Advanced View
Incident Management Configuration Guide
References
Services Config View - IPDB Extractor Configuration
Scoring Modules
Basic Setup
Additional Procedures
Auditing Tab
AV Tab
General Tab
Hash Tab
Proxy Tab
ThreatGrid Tab
Additional Procedures
Configure Workbench
Manifests
Scheduler
Rollover
Queries
Index Customization
Optimization Techniques
Appendix: Statistics
Add and Remove a Virtual IP Address using the MapR Control System
Create a Stream
Edit a Stream
Additional Procedures
References
The Basics
Procedures
The Basics
Procedures
Configure Replication
The Basics
Procedures
Configure Certificates
The Basics
Procedures
Step 1: Configure Check Point Event Sources to Send Events to Security Analytics
The Basics
Procedures
The Basics
Procedures
The Basics
Procedures
The Basics
Procedures
The Basics
Procedures
The Basics
Procedures
The Basics
Procedures
The Basics
Procedures
Step 1: Configure Legacy Windows and NetApp Event Sources in Security Analytics
Configure Remote Registry Access
Step 2: Configure Legacy Windows and NetApp Event Sources to Send Events to Security Analytics
Setting Up Licensing
Additional Procedures
References
Licensing Panel
Allocations Tab
Entitlements Tab
Offline Tab
Settings Tab
Troubleshoot Licensing
System Preferences
Required Procedures
Additional Procedures
References
Plugins Panel
Monitoring View
Reference
Protocols
Service Statistics
Appliance Statistics
Broker Statistics
Concentrator Statistics
References
Required Procedures
Additional Procedures
Delete a Subscription
Download a Resource
Edit a Feed
Remove a Feed
References
Deployment Wizard
Deployments Tab
Subscriptions Tab
Conduct an Investigation
Begin an Investigation
Examine Events
Reconstruct an Event
Events View
Navigate View
Alerts Overview
Configure Notifications
Notifications Overview
Configure a Template
Additional Procedures
Delete a Template
Duplicate a Template
Edit a Template
Export a Template
Import a Template
Additional Procedures
Configure Synchronization
ESA Annotations
Rules Tab
Left Panel
Synchronizations View
Services Tab
Settings Tab
Incident Management
Filter Alerts
Edit Incidents
Investigate an Incident
Close an Incident
System Integration
Alerts View
Configure View
Notifications Tab
Incident Queue
Remediation View
Remediation Task Details View
Reporting
Reporting Overview
Rules
Rule Overview
Rule Syntax
Rule Types
Supported IPDB Extractor Service Deployments on Virtual Environments
Define Rule Groups and Rules
Define a Rule
Test a Rule
Delete a Rule
Duplicate a Rule
Edit a Rule
Export a Rule
Rule References
Rule View
Reports
Report Overview
Basic Procedures
Add a Report
Additional Procedures
Delete a Report
Duplicate a Report
Edit a Report
Export a Report
View a Report
References
Report View
Schedule Reports
Basic Procedures
Schedule a Report
Additional Procedures
References
Investigate a Report
Select a Logo
Chart Overview
Basic Procedures
Add a Chart
Additional Procedures
Delete a Chart
Disable a Chart
Duplicate a Chart
Edit a Chart
Enable a Chart
Export a Chart
View a Chart
References
Chart View
Test a Chart
Investigate a Chart
Alerts
Alert Overview
Define Alerts
Basic Procedures
Add an Alert
Additional Procedures
Delete an Alert
Disable an Alert
Edit an Alert
Enable an Alert
Export an Alert
Import an Alert
References
Alert View
Delete a Template
Edit a Template
References
Template View
Investigate an Alert
Configure Reporting Engine to Send Syslog Messages over TCP/TLS for Alerts
Lists
List Overview
Add a List
Delete a List
Duplicate a List
Edit a List
Export a List
List References
List View
Additional Procedures
References
Overview
Context
This 10.4 User Guide is organized into logical collections of information to guide administrators and operators
in performing tasks, such as configuration, maintenance, and integrations with other RSA products such as ECAT. Other
guides provide information for analysts to learn about Security Analytics tools for reporting, alerting,
investigation, analysis, and incident management. The tables below identify the documents for each audience and
objective.
Each guide organizes information in the following sections as they apply to the topic:
An introductory section to introduce and explain the component, feature, function, or process.
A section of basic or required procedures, presented in the sequence that you perform the actions.
A section of additional procedures that are not usually part of the required or basic sequence, but may be
needed at other times, presented in alphabetical order.
A reference section that describes the user interface features and provides detailed information about each
feature, and may also provide detailed information about file formats, protocols, and other technical
information. Reference topics are in alphabetical order.
Guide Title
Description
Site Planning Guide
Basic information about environmental requirements, general deployment sequence, and detailed information about port usage.
Virtual Appliance Setup Guide
Appliance and Service Configuration Guides
The Getting Started Guide introduces the concept of appliances and services in Security Analytics with procedures and references that apply to all types of appliances and services.
A service-specific configuration guide for each service: Archiver, Broker and Concentrator, Decoder and Log Decoder, Event Stream Analysis, Incident Management, IPDB Extractor, Malware Analysis, Reporting Engine, RSA Analytics Warehouse (MapR-based), and Warehouse Connector.
A guide to tuning the core database is intended for advanced users.
Log Collection Guides
Getting Started Guide introduces the basic tasks to start collecting events.
Security Analytics Licensing Guide
These guides provide instructions for administrators who are maintaining Security Analytics, and the appliances and services in the network.
Guide Title
Description
System Preferences
These topics provide information that administrators can use to integrate other RSA products with Security Analytics:
Title
Description
For Analysts
These topics provide information that analysts need:
Title
Description
User Jobs, Notifications, and Preferences Management
Tells individual users who do not have administrative access how to set their password, choose the application language and the default component, enable notifications, and change other settings that apply to their own sessions.
Live Resource Management
Tells analysts how to access, search, and deploy RSA Live resources, such as feeds and parsers.
Investigation and Malware Analysis
Tells analysts how to configure views and behavior in Security Analytics Investigation and how to conduct an investigation of sessions and search for malware.
Alerting
Reporting
Warehouse Analytics
Tells analysts how to use the Advanced Analytics function introduced in Security Analytics 10.4. (available soon)
Incident Management
Tells analysts how to use the Incident Management function introduced in Security Analytics 10.4.
Overview
Introduction
In this section, look for information to get started with the RSA Security Analytics user interface. This includes an
introduction to the user interface, as well as the Jobs Tray and Notifications Tray.
Security Analytics presents information in a web browser using dashboards and views. There is one dashboard for all
modules (Security Analytics Dashboard). Each module has its own view that provides specific functions for the module.
In addition, the Profile View presents options for user preferences.
By default, Security Analytics opens to the Security Analytics Dashboard when you log in. In the Profile view, you can
set default application settings according to your preferences: language, browser time zone, default component in the
initial view, and whether notifications and context menus are enabled (see User Preference Configuration Guide).
Overview
Introduction
RSA Security Analytics is a web-based application that you launch in a browser window. Compatible browsers include:
Google Chrome, Mozilla Firefox, and Internet Explorer 9.x.
Screen Captures
An example of the Security Analytics Dashboard illustrates the common elements.
How to Access
To display this view, do one of the following:
Log on to Security Analytics at https://<SA-IP>, where <SA-IP> is the Security Analytics server IP address.
In the Security Analytics menu, select Security Analytics Dashboard.
Features
Every browser window that is accessing Security Analytics includes these elements:
The Security Analytics menu.
The Security Analytics toolbar.
The footer.
Feature
Description
Dashboard button
Jobs button
Notifications button
Dashboard
Investigation
Incidents
Alerts
Reports
Administration
Live
Profile
Help
Sign Out
Footer
The page footer is at the bottom of the browser window.
Send Us Feedback
The Send Us Feedback tab opens a new email message addressed to our feedback center. We appreciate your
comments and suggestions, and consider them an integral part of our new features and improvements process in
Security Analytics.
Elements in a Dashboard
Overview
This topic explains the structure of Security Analytics dashboards and how to use their features.
Introduction
A dashboard is a group of dashlets that give you the ability to see in one space key snapshots of the various modules
that you consider important. The Security Analytics Unified module has a dashboard. You can compose dashboards to
glean high-level information and metrics that portray the overall picture of a Security Analytics deployment, displaying
only the information that is most relevant to day-to-day operations.
Custom Dashboards
You can create custom dashboards to serve a particular purpose; for example, to represent a specific geographical or
functional area of the network. Each custom dashboard is appended to the Dashboard Selection List.
Once custom dashboards are created, you can:
Switch between dashboards by selecting an option from the Dashboard Selection List.
Delete any custom dashboard.
Import or export a dashboard.
Composing Dashboards provides detailed information on working with dashboards and dashlets.
Screen Captures
An example of the default Security Analytics Dashboard illustrates the common elements in all dashboards.
How to Access
When you log into Security Analytics, the Security Analytics Default dashboard is displayed.
Features
Each dashboard has:
The Actions drop-down
The dashboard title and the Dashboards Selection List
Zero or more dashlets
Dashboard Actions
Next to the current dashboard title is the Dashboard Actions drop-down menu. The Dashboard Actions drop-down
allows various operations on dashboards and dashlets.
Option
Description
Add Dashlet
Displays the Add a Dashlet dialog, where you add a dashlet to the current dashboard.
Displays the Change Layout dialog, where you change the layout of the dashboard to one of five options.
Displays the Add a Dashboard dialog, where you define a custom dashboard.
Remove Dashboard
Rename Dashboard
Displays the Rename Dashboard dialog, where you change the dashboard title.
Export Dashboard
Import Dashboard
Dashboard Title
The dashboard title reflects the current module; for example, Default dashboard.
Dashlets
Security Analytics uses dashlets to display focused subsets of system information, devices, jobs, resources,
subscriptions, rules, and other information.
Security Analytics modules can display only those dashlets presented in the Add a Dashlet dialog. The Unified
dashboard, as the name suggests, offers all Security Analytics dashlets. In an earlier version of Security Analytics,
dashboards were also used to display dashlets in the Administration, Investigation, and Live modules; these dashlets
are now available in the Unified dashboard.
Controls for a dashlet are in the title bar. All dashlets use a common set of controls, and only those that apply to the
particular dashlet appear in the title bar.
Icon
Name
Description
Collapse vertically
Expand vertically
Page forward
In dashlets with more than one page, moves to the next page.
Page back
In dashlets with more than one page, moves to the previous page.
Last Page
In dashlets with more than one page, moves to the last page.
First Page
In dashlets with more than one page, moves to the first page.
Reload
Settings
Maximize
In some dashlets with content that does not fit horizontally within the
width of the dashlet, maximizes a chart or a dashlet to full screen.
Delete
Elements in a View
Overview
This topic explains the structure of Security Analytics views and how to use their features.
Introduction
Some Security Analytics modules (Administration, Investigation, Live, Alerts, and Reports) have views that provide
specific functions for the module.
In addition, the Profile view, accessible directly from the Security Analytics menu, presents options for user preferences.
Screen Captures
This example of the Administration Appliances view illustrates some of the features of a view.
How to Access
To display a view, select a module from the Security Analytics menu (for example, Security Analytics,
Administration, Investigation, or Live). As you roll your cursor over the module, you can select a view from the
options menu.
From within the module, you can select an alternate view from the Security Analytics toolbar. For
example, Administration has four views: Appliances, Services, Health & Wellness, and System.
Features
Each view has different features. Any combination of these features is possible in a view:
Breadcrumbs
Toolbars
Sections
Panels
Grids
Context Menus
Parts of a View
Key
Feature
Description
bread crumbs
Display the options selected to reach this view. Click on a crumb to go back to the view or menu.
toolbar
3,4
sections (top to bottom)
Within a panel, some dashboards have sections that organize information from top to bottom; for example, the Device Info view has two sections in the Devices panel, the Device section at the top and the Sessions section at the bottom. Sometimes you may need to scroll down to view a section near the bottom of the panel.
5,6
panels (left to right)
Within a view, most dashboards have panels that organize information from left to right; for example, the Device Stats view has two panels, the main panel on the left and the Chart Stats Tray panel on the right. The Chart Stats Tray is not the main focus, so it is collapsible to allow more space in the main panel.
Context Menus
Overview
This topic explains how context menus are used in Security Analytics. Security Analytics has a large set of context
menus that you access by right-clicking an object.
Introduction
Context menus offer options that pertain specifically to the current context. In certain views, hovering over an item and
right-clicking the mouse displays the options that can apply to that item. Throughout the Security Analytics
documentation, context menus are discussed in the pertinent modules and views.
Screen Captures
A good example of a context menu is shown in the Navigation view. When you right-click a count for a value (the green
number in the parentheses), the menu offers two options: to open the drill in a new tab or view the geo-map locations in
a new tab.
When you right-click on the value (blue text), a different context menu is displayed. In this context, there are options to
scan for malware, look up the value in Investigation and to display the same drill in a new tab, apply the reverse of this
drill (!EQUALS) in the same tab, or apply the reverse of this drill in a new tab.
Grids
Overview
This topic explains how Security Analytics uses grids to display some information.
Introduction
Much of the information displayed in the Security Analytics dashboards and dashlets is best displayed in rows and
columns. This is called a grid, and all grids can be customized in several ways. You can:
Change the width of columns.
Select which columns to display.
Sort each column in ascending or descending order.
Screen Captures
This is an example of a grid (the Live Search View's Matching Resources grid).
Procedures
Change the Width of a Column
1. Hover in the title bar on the right edge of the title.
2. When the cursor changes to the column resize cursor (one short vertical line with arrows pointing right and left), click and drag
the line to make the column wider or narrower. This is an example of resizing the Name column in progress.
3. Select from the sort options; for example, Sort Ascending or Sort Descending.
The grid is sorted based on your selection.
Overview
Introduction
While you are working in Security Analytics, you can open a quick view of your jobs from the Security Analytics toolbar.
You can look anytime, but when a job status has changed, the Jobs icon (
The structure of the jobs panel is the same in all views, and related procedures are provided in Manage Jobs.
Screen Capture
How to Display
To display the Jobs tray, in the Security Analytics toolbar, click the Jobs icon
Features
The Jobs Tray lists all jobs that you own, recurring and non-recurring, using a subset of the columns available in the
Jobs panel. Otherwise the Jobs Tray and the Profile View > Jobs panel are the same. In the Administration System
view, the Jobs panel lists information about all Security Analytics jobs for all users.
Feature
Description
The Resume option applies only to recurring jobs that have been paused. When you resume a paused job, the next execution of the job executes as scheduled.
The Pause option applies only to recurring jobs. When you pause a recurring job that is running, it has no effect on that execution. The next execution (assuming the job is still paused) is skipped.
Cancels a recurring or non-recurring job. You can cancel a job while it is running. If you cancel a recurring job, it cancels that execution of the job. The next time the job is scheduled to run, it executes normally.
Deletes a recurring or non-recurring job from the Jobs panel. When you delete a job, the job is instantly deleted from the Jobs panel. No confirmation dialog is offered. If you delete a recurring job, all future executions are removed as well.
This table describes the Jobs tray and Jobs panel features.
Feature
Description
Selection box
Progress
Job Name
The name of the job; for example, Extract Files or Upgrade Device.
Recurring
Component
Owner
The owner of the job is not included in the default Jobs Tray, because only the current user's jobs are displayed here. The column is available to add.
Status
The status of the job. Common values for status are Paused, Running, Canceled, Failed, and Completed; other status values are possible.
Message
Additional information about the job; for example, Extracting files or No sessions found.
Action
Views the job in the Investigation Malware Analysis view, or downloads the job's files to the default Downloads directory on the local system. Only successfully completed jobs have the View link in the Action column. Only jobs that create a file have the Download link in the Action column.
View Your Jobs
Scheduled
Indicates the date and time at which the job was scheduled to begin.
Notifications Tray
Overview
This topic provides an overview of the Security Analytics system for sending notifications.
Introduction
While you are working in Security Analytics, you can view recent system notifications without leaving the module in
which you are working. You can open a quick view of notifications from the Security Analytics toolbar. You can look
anytime, but when a new notification is received, the Notifications icon is flagged.
Examples of notifications include:
An appliance upgrade completed.
A parser push to decoders completed.
A newer software version is available.
You can see all notifications in a grid format in the Profile View. Procedures for viewing notifications are provided in View
and Delete Notifications.
Screen Capture
This is an example of the Notifications tray.
How to Access
To display the Notifications tray, in the Security Analytics toolbar, click the Notifications icon.
Features
The Notifications tray displays system notifications that have not been viewed previously, in a page format. This table
describes the features of the Notifications tray.
Feature
Description
Title
Message
The entire message. In this example, The file extraction is complete and ready for download.
View >>
Some messages include a link that displays a view where you can take action. For example, if there is a file to download, clicking this link opens a new tab showing the view where you can download the file.
The close button deletes a single notification record in the Notifications Tray, and in the Profile View Notifications Grid.
Created
Overview
Introduction
Operations that pertain to dashboards include:
Creating and removing dashboards.
Restoring the default dashboard.
Changing a dashboard layout.
Switching between dashboards.
Adding, deleting, moving, editing, and maximizing dashlets in a dashboard.
Importing and exporting dashboards.
Overview
Introduction
To customize the views in Security Analytics, you can change the layout of the Security Analytics dashboard or a
custom dashboard. The Change a Layout dialog provides a way to change the dashboard layout.
Screen Capture
How to Display
To access this dialog, click Change Dashboard Layout in the Dashboard Actions drop-down menu.
Features
The following table describes the features of the Change Dashboard Layout dialog.
Feature
Description
Cancel
Change
Overview
Introduction
To tailor Security Analytics to better serve your site and methods, you can create custom dashboards. Some reasons for
creating custom dashboards are:
Consolidate related functionality on a single dashboard.
Create a Unified dashboard with a collection of dashlets for all modules.
Create a dashboard to consolidate dashlets for different network locations.
Create an overview of a given module's capabilities.
Consolidate dashlets that apply to a specific scenario.
Screen Capture
How to Display
You access this dialog from the Security Analytics Dashboard by selecting the Create a Dashboard option from the
Dashboard Actions menu.
Features
The following table describes the features of the Create a Dashboard dialog.
Field
Description
Dashboard Title
Field
Description
Layout
Cancel
Create
Procedures
To create a dashboard:
1. Specify the name for the new dashboard.
2. Select a Layout option for the new dashboard.
The dashboard is created and added to the Dashboard selection list.
Export a Dashboard
Overview
This topic describes how to export a Dashboard.
Introduction
The ability to customize dashboards to changing circumstances and conditions could result in a large number of
dashboards that are not needed on a daily basis. Rather than re-invent the wheel each time you want to re-create a
particular custom dashboard, you can export your dashboards that are not currently in use and they will be available to
you at some future point. Initially they will go to your local Downloads folder.
Exported dashboards are designed to work within the same Security Analytics instance. It is also possible to share your
custom dashboards with other users in your organization, provided that they have equivalent permissions.
To export a dashboard, you must have the dashboard open to access the Export Dashboard dialog in the Dashboard
Actions drop-down menu.
Note: When you export the Reporter Realtime Charts dashboard, you must also export the charts used in the
Report Realtime Chart dashlets as they are not exported by default. When you import the dashboard, you must
manually import the dependent charts used in the Reporter Realtime Chart dashlets.
Export a Dashboard
To export a dashboard:
1. Navigate to the dashboard that you want to export. All existing dashboards appear in the drop-down Dashboard Selection List
in the currently displayed dashboard.
3. A warning appears at the bottom of your screen that downloaded files can harm your computer. If this is the dashboard you wish
to export, click Keep.
Import a Dashboard
Overview
This topic describes how to import a dashboard.
Introduction
The ability to customize dashboards to changing circumstances and conditions could result in a large number of
dashboards that are not needed on a daily basis. When you are ready to use a previously exported dashboard, it is a
simple matter to import the dashboard into Security Analytics.
Note: You must import the Reporter Realtime Charts dashboard and its related charts into the same instance of
the Security Analytics server and Reporting Engine from where it was exported. You must ensure that the data
sources configured for the Reporting Engine are the same as on the Security Analytics instance from which it was
exported. If you import the dashboard and related charts into another instance of Security Analytics server, you
must ensure the data source name is updated in the charts.
Note: When you import the dashboard from a previous version to 10.3, you must do the following after you
complete the upgrade:
- Enable the charts again by editing and saving them. Refer to Edit a Chart.
- Remove the Reporter Realtime Chart dashlets that you added prior to the 10.3 version and add them again on
the dashboard.
Screen Captures
Import a Dashboard
To import a dashboard:
1. Access the Import Dashboard dialog in the Dashboard Actions drop-down menu.
2. Browse to the dashboard file in the Import Dashboard dialog.
Overview
Introduction
If you find that the Dashboard Selection List in Security Analytics includes custom dashboards that are no longer
needed, you can remove the unused dashboards. The dashboard to be removed must be displayed. The default
dashboard cannot be removed.
Note: If you want the dashboard to be available at some future time, see Export a Dashboard.
Remove a Dashboard
1. In the Dashboard Selection List, select the unused dashboard; for example, Region 3.
The dashboard is displayed.
2. In the Dashboard Actions menu, select Remove this Dashboard.
The Remove Dashboard dialog is displayed.
Overview
Introduction
After customizing the default Security Analytics dashboard, you can revert to the original layout of dashlets using the
Restore Default Dashboard option in the Dashboard Actions drop-down. To accomplish this, the dashboard of a
module must be displayed.
Select a Dashboard
Overview
This topic explains how to view and select a dashboard on Security Analytics.
Introduction
Custom dashboards appear in the drop-down Dashboard Selection List in the currently displayed dashboard. You
can select any dashboard in the selection list to view.
Add a Dashlet
Overview
This topic explains how to add a dashlet to a dashboard.
Introduction
To customize the views in Security Analytics, you can add dashlets to the Security Analytics dashboard or a custom
dashboard. The Security Analytics dashboard, as the name suggests, offers all Security Analytics dashlets. The Add a
Dashlet dialog provides a way to define the name and configurable parameters for a new dashlet.
Screen Capture
How to Display
To access this dialog, click Add a Dashlet in the Dashboard Actions drop-down menu.
Features
The following table describes the features of the Add a Dashlet dialog.
Feature
Description
Type
Title
Type the title for the new dashlet in this field. You can type letters, numbers, special characters, and spaces for the name.
Cancel
Add
3. Click on the Type selection list to display available types of dashlets, and select the type of dashlet to add; for example, Admin
Service Monitor Dashlet.
Additional configurable fields become available in the Add a Dashlet dialog. For an Admin Service Monitor Dashlet, you
4. Type a title for the dashlet. In the example, Service Monitor Dashlet is also the title.
5. If there are additional configurable fields for the dashlet, set appropriate values. For example, this is the selection list for types of
services to monitor. You can select only one service type.
Delete a Dashlet
Overview
This topic explains how to delete a dashlet from a dashboard.
Introduction
To improve the readability and usefulness of the contents of a dashboard, you can remove unrelated, unnecessary, or
distracting dashlets from any dashboard.
2. If you want to delete it, click Yes. If you decided not to delete it, click No.
The dashlet is removed from the dashboard.
Introduction
Some dashlets are read-only and properties are not configurable. Other dashlets are configurable to allow users to
customize some aspect of the data displayed in that dashlet. A dashlet with editable properties has a settings icon
that displays the property sheet for editing.
A dashlet with no editable properties does not display the settings icon in the title bar.
Many dashlets have an editable title. An example of a dashlet with additional configurable properties is the Admin
Device Monitor Dashlet where you can edit the following properties:
Dashlet display title.
Type of devices to monitor; for example, show only Decoders, or show Decoders and Concentrators.
Other dashlets have parameters that you define to specify the kind and amount of information you want to see in the
dashlet. The custom Investigation Dashboard has three dashlets. Each of the three displays the settings icon.
Maximize a Dashlet
Overview
This topic explains how to maximize a chart or an alert dashlet to full screen.
Introduction
This topic explains how to open a dashlet on the entire area of the main Security Analytics dashboard with the
same dashlet title.
For example, the Recent Alerts dashlet shown in the figure below is to be viewed on the entire area of the Security
Analytics dashboard.
Maximize a Dashlet
To maximize a chart or an alert dashlet:
1. Click the maximize control icon in the dashlet title bar:
The dashlet is displayed on full screen.
2. (Optional) In the Security Analytics interface, select Dashboard to restore the default dashboard.
Move a Dashlet
Overview
This topic explains how to move a dashlet to a different position in a Security Analytics module dashboard.
Introduction
Dashlets can be easily arranged to display according to your preference by dragging and dropping into a different order
on the dashboard.
3. Continue to hold the left mouse button and drag the window toward the new location.
4. Release the mouse button when the dashlet is in the desired location.
5. The image below shows the Featured Live Resources dashlet as it is moved from the bottom position of column 1 to the top
position of column 3.
Introduction
The Security Analytics Dashboard is the default dashboard displayed when you log into Security Analytics, and it is
populated with a few useful dashlets to get you started with your own customizations (see Composing Dashboards). In
this module, the dashlets for all Security Analytics modules are available to add to the default Security Analytics
Dashboard or a custom Security Analytics Dashboard.
You can juxtapose a list of newly featured Live resources with a summary of statistics about the Decoders in your
environment. The views in this module tie everything together in a way that works best for you.
Screen Capture
How to Access
To display the Security Analytics dashboard, do one of the following:
Log into Security Analytics, and the application opens to the Security Analytics Dashboard.
In the Security Analytics menu, select Default.
Features
Dashlets for all Security Analytics modules are available to add in the default Security Analytics dashboard or a
custom Security Analytics dashboard. All dashlets have a common set of controls described in Dashboards Overview.
This is an example of some currently available dashlets.
Introduction
This dashlet presents product information and updates for the Administration module.
Screen Capture
How to Access
To display this dashlet in the Security Analytics dashboard or as part of a custom dashboard, click Actions > Add a
Dashlet in the dashboard and select Admin News.
Introduction
The Administration Service List dashlet is a list of available services in Security Analytics with links to administrative
tasks that can be performed on those devices. In effect, this dashlet is a focused subset of the Administration Devices view.
Screen Capture
How to Access
To display this dashlet in the Security Analytics dashboard or as part of a custom dashboard, click Actions > Add
Dashlet in the dashboard and select Admin Service List.
Features
) is a quick link to the View menu in the Administration Devices view. Select a device and click here to
The Navigate button is a quick link to the Navigation view in the Investigation module.
The Devices grid has a subset of the grid columns in the Administration Devices view. The columns presented in the dashlet by
default are:
Column               Description
Connection Status
Name
Address
Type
Introduction
The Admin Service Monitor dashlet summarizes device version and status information that appears in the Administration
Devices view. This is a subset of the columns in the Devices view.
Screen Capture
How to Access
To display this dashlet in the Security Analytics dashboard or as part of a custom dashboard, click Actions > Add a
Dashlet in the dashboard and select Admin Service Monitor. The Add a Dashlet dialog has an option to select the
device type for the new dashlet.
Features
The dashlet includes this subset of the columns in the Devices view:
Name
Type
Version
Status
Memory usage
CPU
Procedures
Lock a Column While Scrolling Horizontally
To keep a column in view while scrolling to the right:
1. Click the drop-down menu icon (
3. Click Lock.
4. The column you selected moves to the left side of the grid and remains there when other columns scroll horizontally. In this
example, the Name column remains visible even when you scroll to the right. Notice that part of the Type column has scrolled to
5. When you want to unlock the column, right-click and select Unlock.
Introduction
The Dashboard RSA First Watch dashlet delivers situational awareness and threat intelligence from across the RSA
research and incident-response community, providing customers the intelligence to prepare for, respond to, and mitigate
advanced cyber threats. The RSA First Watch, Incident Response, and CIRC teams track millions of IPs and domains,
as well as dozens of unique threat sources and threat actors.
Screen Captures
How to Access
To display this dashlet in the Unified dashboard or as part of a custom dashboard, click Actions > Add Dashlet in the
dashboard and select Dashboard RSA First Watch.
Features
Column    Description
Date
Article   The article title, a sample of the article, and a "Read More" link to the full article.
Introduction
The Dashboard Shortcuts dashlet offers quick links to common tasks in other areas of Security Analytics. It is a good
tool for first-time users who are trying to get a feel for the system.
Screen Capture
How to Access
To display this dashlet in the Security Analytics dashboard or as part of a custom dashboard, click Actions > Add
Dashlet in the dashboard and select Dashboard Shortcuts dashlet.
Features
In addition to the standard dashlet controls, this dashlet has options that link to common Security Analytics tasks.
Option                  Description
Add a Device
Investigate a Device
View My Jobs
View My Notifications
Introduction
The Dashboard What's New dashlet displays the latest product information and announcements for all Security Analytics
products.
Screen Capture
How to Access
To display this dashlet in the Security Analytics dashboard or as part of a custom dashboard, click Actions >
Add Dashlet in the dashboard and select Dashboard What's New dashlet.
Introduction
The Investigation Jobs dashlet displays the status of all jobs in the Investigation module. The toolbar, grid, and job
management procedures are described under Jobs Tray.
Screen Captures
How to Access
To display this dashlet in the Unified dashboard or as part of a custom dashboard, click Actions > Add a Dashlet in the
dashboard and select Investigation Jobs.
Features
The Investigation Jobs dashlet lists all jobs that you own, recurring and non-recurring, and lets you monitor their
progress.
Feature   Description
Resume    The Resume option applies only to recurring jobs that have been paused. When you resume
          a paused job, the next execution of the job executes as scheduled.
Pause     The Pause option applies only to recurring jobs. When you pause a recurring job that is
          running, it has no effect on that execution. The next execution (assuming the job is still
          paused) is skipped.
Cancel    Cancels a recurring or non-recurring job. You can cancel a job while it is running. If you
          cancel a recurring job, it cancels that execution of the job. The next time the job is scheduled
          to run, it executes normally.
Delete    Deletes a recurring or non-recurring job from the Jobs panel. When you delete a job, the job
          is instantly deleted from the Jobs panel. No confirmation dialog is offered. If you delete a
          recurring job, all future executions are removed as well.
Introduction
This dashlet allows you to inspect the top values for a specific time period and for a specific meta type on a given
appliance.
Screen Captures
How to Access
To display this dashlet in the Security Analytics dashboard or as part of a custom dashboard, click Actions > Add a
Dashlet in the dashboard and select Investigation Top Values Dashlet.
Field          Description
Title
Device
Time Range     Last Hour, Last 3 Hours, Last 6 Hours, Last 12 Hours, Last 24 Hours, Last 2 Days, Last 5 Days
Meta Type
Query
Result Limit
Introduction
This dashlet displays the list of Live resources that are tagged as featured for the configured Content Management
System (CMS) server.
Screen Capture
How to Access
To display this dashlet in the Security Analytics dashboard or as part of a custom dashboard, click Actions > Add a
Dashlet in the dashboard and select Live Featured Resources.
Features
This dashlet has a paged view of featured Live resources and provides the following information about each resource.
Value            Description
Resource Name    The name of the resource, for example, NetWitness APT Threat IPs. Clicking the Resource Name
                 displays the detailed view of the resource in the Live Resource view. The view opens in the
                 current browser tab.
Date Created
Introduction
This dashlet displays a list of Live CMS resources that are tagged as new for the configured Content Management
System (CMS) server. You can click a resource name to go to the detailed view of the resource.
Screen Capture
How to Access
To display this dashlet in the Security Analytics dashboard or as part of a custom dashboard, click Actions > Add a
Dashlet in the dashboard and select Live New Resources Dashlet.
Features
This dashlet has a paged view of new Live resources and provides the following information about each resource.
Value            Description
Resource Name
Date Created
Introduction
The Live Subscriptions dashlet presents a listing of all Live resources to which this Security Analytics instance is
subscribed. This is simply a quick reference list. If you need to manage subscriptions, use the Subscriptions Tab in the
Live Manage view.
Screen Capture
How to Access
To display this dashlet in the Security Analytics dashboard or as part of a custom dashboard, click Actions > Add a
Dashlet in the dashboard and select Live Subscriptions.
Features
The grid is a subset of the subscriptions grid in the Live Manage View.
Value          Description
Name
Type
Description
Introduction
This dashlet displays a list of Live CMS resources that are tagged as updated for the configured Content Management
System (CMS) server. You can click on the resource title to go to a detailed view of the resource.
Screen Capture
How to Access
To display this dashlet in the Security Analytics dashboard or as part of a custom dashboard, click Actions > Add a
Dashlet in the dashboard and select Live Updated Resources.
Features
This dashlet has a paged view of featured Live resources and provides the following information about each resource.
Value            Description
Resource Type    The icon in the screen capture represents a Decoder feed. Clicking the Resource Type icon opens
                 a new browser tab with the detailed view of the resource in the Live Resource view.
Resource Name
Date Created
Context
The Malware Malware with High Confidence IOCs and High Scores dashlet presents the events that Malware Analysis
detected with Indicators of Compromise, high likelihood of harboring malware, and high scores in the scoring modules.
This dashlet is available in the Unified dashboard and in the Malware view. When a Malware Analyst first logs in to
Security Analytics, by default the only visible dashlet in the Unified view is the What's New dashlet. The analyst must
create any additional Malware dashlets.
The Malware Malware with High Confidence IOCs and High Scores dashlet is configurable. You can create multiple
copies of the dashlet, filter results, and configure the display of results as an Events List or a Files List.
Screen Capture
How to Access
To display this dashlet in the Security Analytics Dashboard or as part of a custom dashboard, click Actions >
Add Dashlet in the dashboard and select Malware Malware with High Confidence IOCs and High Scores from
the Type drop-down menu.
Features
The following table lists configurable values for this dashlet.
Variable          Description
Title
Result Limit
Device
Time (Relative)
Procedures
To configure the dashlet:
1. In the dashlet title bar, select the settings icon.
3.
4. In the Title field, enter a name of the dashlet.
5. Select or de-select the Influenced By High Confidence Only option.
6. In the Static, Network, Community, and Sandbox fields, drag the slider or type a number to set the filter for the score in that
scoring module. Select the operator from the drop-down list: =, <=, or >=.
7. In the Device field, select the device you want to monitor.
8. In the Time (Relative) field, select the range of time for displayed results.
9. In the Result Limit field, select the number of entries for the dashlet.
10. Select one of the formats: Show Events or Show Files.
11. Click Add.
12. The dialog closes and the dashlet is drawn as specified.
Introduction
This dashlet displays the same Scan Jobs List found in the Select a Malware Device dialog. You can open completed
scans directly from this dashlet.
Screen Captures
How to Access
To display this dashlet in the Security Analytics dashboard or as part of a custom dashboard, click Actions > Add a
Dashlet in the dashboard and select Malware Scan Jobs List.
Features
The columns in this Scan Jobs list are the same as those in the Scan Jobs List in the Select a Malware Device dialog.
Procedures
To configure the dashlet:
1. In the dashlet title bar, select the settings icon.
The options dialog for the dashlet is displayed.
Context
The Malware Top Listing of Highly Suspicious Malware dashlet presents the top 10 most suspicious events in the
Malware Events List or the Files List. This dashlet is available in the Unified dashboard and in the Malware view. When
a Malware Analyst first logs in to Security Analytics, by default the only visible dashlet in the Unified view is the What's
New dashlet. The analyst must create any additional Malware dashlets.
The Malware Top Listing of Highly Suspicious Malware dashlet is configurable. You can create multiple copies of the
dashlet, filter results, and configure the display of results as an Events List or a Files List.
Screen Capture
How to Access
To display this dashlet in the Security Analytics Dashboard or as part of a custom dashboard, click Actions > Add
Dashlet in the dashboard and select Malware Top Listing of Highly Suspicious Malware from the Type drop-down
menu.
Features
The following table lists configurable values for this dashlet.
Variable          Description
Title
Device
Time (Relative)
Result Limit
Procedures
To configure the dashlet:
Context
The Top Listing of Possible Zero Day Malware dashlet presents the top 10 events indicative of a possible zero day
attack in the Malware Events List or the Files List. This dashlet is available in the Unified dashboard and in the Malware
view. When a Malware Analyst first logs in to Security Analytics, by default the only visible dashlet in the Unified view is
the What's New dashlet. The analyst must create any additional Malware dashlets.
The Top Listing of Possible Zero Day Malware dashlet is configurable. You can create multiple copies of the dashlet,
filter results, and configure the display of results as an Events List or a Files List.
From this dashlet, you can launch a Malware Analysis investigation of an event directly by double-clicking the event;
you do not have to go to the Investigation > Malware view to begin.
Screen Capture
This is an example of the dashlet configured to display the Files List.
How to Access
To display this dashlet in the Security Analytics Dashboard or as part of a custom dashboard, click Actions > Add a
Dashlet in the dashboard and select Malware Top Listing of Possible Zero Day Malware from the Type drop-down
menu.
Features
The following table lists configurable values for this dashlet.
Variable          Description
Title
Device
Time (Relative)
Result Limit
Procedures
To configure the dashlet:
Introduction
The Reports RE Top Alerts dashlet is a configurable dashlet that depicts top alerts in four chart types. You can
configure the results to include in the chart (from the top 2 alerts to the top 15 alerts in the specified time range).
The chart is summarized for each top alert against the number of events triggered by the alert for the defined time and
refresh intervals. The first data point in the chart is the number of events (alert count) triggered by the alert for the
defined time. Each subsequent data point adds the alert count for the defined refresh intervals to the alert count of the
first data point.
For example, if for the defined time range, the number of events (alert count) triggered by the alert is 10, then the first
data point in the chart is shown as 10. The subsequent data point = 10 + number of events (alert count) triggered by the
alert in the defined dashlet refresh interval.
Screen Captures
How to Access
To display this dashlet in the Security Analytics Dashboard or as part of a custom dashboard, click Actions > Add
Dashlet in the dashboard and select Reports RE Top Alerts from the Type drop-down menu.
Features
This dashlet is a visual representation of the alerts most frequently triggered by the associated Reporting Engine.
Each chart type can be defined by the number of top alerts, the time from which the alerts need to be fetched, and the
dashlet refresh interval at which the chart is refreshed.
Variable     Description
Chart Type
Title
Top
Past Hours
Procedures
Configure the Alerts Dashlet
You can configure the chart to display the top 2 through the top 15 most frequently triggered alerts. You can set the
number when adding a dashlet or in the dashlet options dialog.
To configure the dashlet:
1. In the dashlet title bar, select the settings icon.
The options dialog for the dashlet is displayed.
Introduction
This dashlet displays one of the charts from the list of charts that you defined. The chart output is from the live data and
it refreshes itself based on the refresh interval that you set. Each chart is defined by Chart Type and Past Hours value
that you select.
You can select either the Time Line view of the series or the Summary view of the series. The chart graphs the current
data and does not display data points for historical data.
The chart is generated for data depending on the time interval that you defined in the chart definition. The data are
available from a maximum of the past 20 time intervals. For example, if in the chart definition you selected a refresh
interval as five minutes and past hour as one hour, the chart displays data from the past 60 minutes. The chart in the
dashlet refreshes itself based on the dashlet refresh interval that you have defined.
Note: The chart data will be plotted based on the date and time the chart is enabled. For more information,
see Add a Chart.
Screen Captures
How to Access
To display this dashlet in the Security Analytics Dashboard or as part of a custom dashboard, click Actions > Add
Dashlet in the dashboard and select the Reports Realtime Chart from the Type drop-down menu.
Features
Chart options are listed in the following table.
Variable      Description
Title         Provide a name for the Reporting Realtime Chart dashlet. The name appears in the title bar of the
              dashlet.
Chart         Select a chart from the already defined charts. You can select only one chart per dashlet.
Series        Timeline: Renders the chart for the entire time range selected.
Chart Type    Select the type of chart that you want in the dashlet. The values provided in the drop-down are:
              bar, column, and line.
Past Hours    Set the time interval in minutes at which the data in the dashlet gets refreshed. The interval value
              ranges from 1-180 minutes.
Procedures
Configure the Dashlet
To configure the dashlet:
1. In the dashlet title bar, select the settings icon.
The options dialog for the dashlet is displayed.
2. Select one of the charts from the charts that you have already defined. The drop-down list shows the charts that are defined in
the Reports > Charts panel.
3. In the Title field, enter the name of the chart.
4. In the Series drop-down list, select Timeline or Summarize.
5. Select the Chart Type from the drop-down list.
The available chart types depend on the Series that you have chosen. If you selected Summarize, the only options are Column
and Pie Chart.
6. In the Past Hours field, select the past time interval.
7. In the Dashlet Refresh Interval field, select the dashlet refresh interval.
8. Click Add.
The dialog closes and the dashlet is drawn as specified.
Introduction
The Reports Recent Run Report dashlet consists of a list of reports that were run recently in Security Analytics. The
recent reports displayed are from the last 24 hours.
Screen Captures
How to Access
To display this dashlet in the Unified dashboard or as part of a custom dashboard, click Actions > Add a Dashlet in the
dashboard and select Reports Recent Run Report dashlet.
Features
The columns present in the dashlet by default are:
Column        Description
Report Name
Run Config
Time
Export
Introduction
The Reports RE Alert Variance dashlet is a configurable dashlet that depicts top alerts in four different time series chart
types. You can configure the results to include in the chart (from the top 2 alerts to the top 15 alerts in the specified time
range).
Screen Captures
How to Access
To display this dashlet in the Security Analytics Dashboard or as part of a custom dashboard, select Actions > Add
Dashlet in the dashboard drop-down and select Reports RE Alert Variance from the Type drop-down menu.
Features
This dashlet is a visual representation of the alerts most frequently triggered by the associated Reporting Engine.
Each chart type can be defined by the number of alerts and past hours from when the alerts need to be fetched, and the
dashlet refresh interval for the chart to be refreshed.
Variable        Description
Type
Title
No of Alerts
Past Hours
Procedures
Configure the Reporting RE Alert Variance Dashlet
To configure the dashlet:
Introduction
The Reports RE Recent Alerts dashlet displays the latest alerts on the dashboard. You can configure the number of
latest alerts to display and specify the time range from which the alerts are fetched.
Screen Captures
How to Access
To display this dashlet in the Security Analytics Dashboard or as part of a custom dashboard, click Actions > Add
Dashlet in the dashboard and select Reports RE Recent Alerts from the Type drop-down menu.
Features
Column      Description
Name
Detected    Displays the date and time that the alert fired. This detection time is when Security
            Analytics detected the conditions for firing this alert.
Procedures
Configure the Recent Alerts Dashlet
To configure the recent alerts dashlet:
1. In the dashlet title bar, select the settings icon.
The options dialog for the dashlet is displayed.
Introduction
This guide is intended to help you identify the specifications for your RSA Security Analytics network in preparation for
installation. With distributed networks, Brokers, Concentrator, Decoders, and Log Decoders may be installed in diverse
geographical locations before the Security Analytics server appliance is installed and brought online. Even in small
networks, planning can ensure that all goes smoothly when you are ready to bring the devices.
Introduction
This section contains vital information to reduce the risk of bodily injury, electrical shock, fire, and equipment damage.
Read it thoroughly and observe all warnings and precautions prior to installing or maintaining your RSA devices.
Service
There are no user-serviceable components inside of this device. Please contact Customer Care in the event of a
malfunction.
In a fault condition, high temperatures may arise inside the system causing an alarm signal. In the event of the alarm
signal, immediately disconnect the device from the power source and contact Customer Care. Further operation of the
device will be unsafe and may cause personal injury or property damage.
Safety Information
Site Selection
The system is designed to operate in a typical office environment. Choose a site that is:
Clean, dry, and free of airborne particles (other than normal room dust).
Well-ventilated and away from sources of heat, including direct sunlight and radiators.
Away from sources of vibration or physical shock.
Isolated from strong electromagnetic fields produced by electrical devices.
In regions that are susceptible to electrical storms, we recommend you plug your system into a surge suppressor.
Antenna Placement
This equipment should be installed and operated with a minimum distance of 7cm between the radiator and your body.
The antennas used for this transmitter must not be co-located or operating in conjunction with any other antenna or
transmitter.
Deployment Overview
Overview
This topic introduces the general deployment process for Security Analytics systems.
Context
The components and topology of a Security Analytics network can vary greatly between installations, and should be
carefully planned before the process begins. After the initial planning, and consideration of site requirements and safety
requirements, the general sequence is:
1. Install appliances and connect to the network as described in the Hardware Setup Guides.
2. Set up licensing for Security Analytics as described in the Security Analytics Licensing Guide.
3. Configure individual appliances and services as described in Appliance and Service Configuration Guides.
Device/Service                 Port(s)
Appliance                      50006
Appliance (REST)               50106
Archiver                       50008
Archiver (REST)                50108
Broker                         50003
Broker (REST)                  50103
rsaCAS                         50010
CLDB                           7222, 7220, 7221
Concentrator                   50005
Concentrator (REST)            50105
Decoder                        50004
Decoder (REST)                 50104
ESA                            50030
HBase Master                   60000
Incident Management            50040
IPDB Extractor                 50009
IPDB Extractor                 50025
                               50125
Security Analytics Core SSL    56008, 56003, 56005, 56004, 56025
JobTracker                     9001
JobTracker Web                 50030
LDAP                           389
Log Decoder                    50002, 50102, 50202, 56202, 514, 6514
Malware Analysis               60007
MFS Server                     5660
NFS                            2049
NFS Management                 9998, 9997, 111
Reporting Engine               51113
SA Warehouse Agent             50020
SMTP                           25
SSH                            22
TaskTracker Web                50060
Warehouse Connector            50020, 50120
Security Analytics Core SSL    56001, 56002, 56020
Web UI HTTP                    8080
Web UI HTTPS                   8443
Workbench                      50007
Workbench (REST)               50107
ZooKeeper                      5181, 2888, 3888
Security Analytics Core SSL    56007
Context
This document provides instructions for installing and configuring virtual instances of the following Security Analytics
devices:
Archiver
Broker
Concentrator
Event Stream Analysis
Log Decoder
Malware Analytics
Packet Decoder
Remote IPDB
Remote Log Collector
Security Analytics Server
Warehouse Connector
This document pertains only to elements for installation and configuration that are dependent on instances of Security
Analytics running in a virtualized environment.
Introduction
You can install the following Security Analytics devices in your virtual environment as a virtual appliance and inherit
features that are provided by your virtual environment:
Archiver
Broker
Concentrator
Event Stream Analysis
Log Decoder
Malware Analysis
Packet Decoder
Remote IPDB
Remote Log Collector
Security Analytics Server
Warehouse Connector
For information on these VMware concepts, refer to the VMware product documentation.
The virtual appliances are provided as an Open Virtual Appliance (OVA). You need to deploy the OVA file as a virtual
machine in your virtual infrastructure. You then need to configure the virtual appliance as a single appliance or as a
cluster.
Installation Media
Installation media are in the form of Open Virtual Appliance (OVA) packages, which are available for download and
installation from Download Central (https://knowledge.rsasecurity.com). As part of your RSA order fulfillment, you are
provided access to the OVFs that pertain to each component ordered.
Device                 Quantity of CPUs    CPU Specifications    RAM      Disk
Packet Decoder                                                   16 GB    320 GB
Log Decoder                                                      16 GB    320 GB
Concentrator                                                     16 GB    320 GB
Archiver                                                         16 GB    320 GB
Broker                                                           16 GB    320 GB
Warehouse Connector                                              16 GB    320 GB
                                                                 16 GB    320 GB

         Cores    Memory    Disk
1k                2 GB      150 GB
2.5k              2.5 GB    150 GB
5k                3 GB      150 GB