About Policy-based Centralized Content Management

Legacy content management involves deploying and managing content in multiple places in the UI.

  • Live Content UI: Located under the Configuration interface, this allows a “push” deployment of Live content to one or more services, but does not provide any management of content once it is deployed

  • Service Config UI: Located under Admin > Services > View Config, this UI enables you to view, edit or delete content on individual services.

Policy-based Centralized Content Management is a unified approach to find, deploy, and manage content through the entire life cycle based on policies that can be assigned to groups of devices. It is a single location to view, modify and manage the content deployed across all services in the environment.

This approach consists of three elements:

  • Groups: A collection of NetWitness services (such as Decoders, Log Decoders, and Correlation Servers etc.) to assign and manage content.

  • Content Policies: A container of content and subscription settings used to assign and manage content within a Group.

  • Content Library: A local repository of content which resides on the Admin Server and is used to assign content to policies. This includes both Live and Custom content.

The Content Library contains Live content (synchronized with the Live CMS) and any custom content you create or import. To deploy, remove or manage content on your services, content is assigned from the Content Library to a Content Policy. Once that content policy is assigned to a group and Published, the content changes are put into effect on the services within the group.

netwitness_ccmdep.png

Benefits of Policy-based Centralized Content Management:

  • Add or remove content without repeating the process on each service.
  • Add content from RSA Live or add your custom content into a single content repository. You can add content from this repository to a policy.
  • Add a new service to an existing group to automatically deploy all necessary content.
  • One-click management of subscriptions and automatic updates
  • Provides highly responsive and updated UI for browsing RSA Live content that can help you with the following:
    • View Live content along with your content policies and click netwitness_addgroup.png to add content from Live.
    • Seamlessly view Live content along with your custom content.
  • Create and upload content to the Content Library easily by:
    • Importing log parsers as a zip file instead of converting to ".envision" format.

    • Cloning existing Application Rules and Network Rules.

  • Switch services between legacy Content Management UI and the new Centralized Content Management via Groups and Policies using the "toggle" feature. This can prevent content being mistakenly added or modified outside of a Policy, causing an out-of-sync issue.

  • Create, modify and publish policies and manage custom content in the Content Library even without an internet connection.

  • Find content, policies or groups of interest easily by using the Filtering capability of the UI.

  • Receives meta key and operator suggestions while creating Application Rule and Network Rule conditions. This eases the creation of error-free rules.

  • Manage ESA content and handle multiple deployments seamlessly using Policy.

  • Seamlessly view ESA Live content along with your own custom content.

  • Add and manage ESA Correlation servers as part of groups.

  • Manage all the data sources for the ESA Correlation servers from the Settings > Event Stream Analysis > Data Sources page seamlessly.

IMPORTANT: It is recommended not to use the Centralized Content Management and Service Config page or Live Content page simultaneously for managing the content. Using the Service Config UI to add or modify content can cause the content to become out-of-sync with the Content Policy.

Note: If Policy-based Centralized Content Management is enabled for a service, then the Policy-based Centralized Content Management enabled services will be disabled in Live content UI and user will not be able to manage content of these services from Service Config page as Service Config page becomes read only and no actions except 'export' can be performed from Service Config page.