Configure Archer as Data Source
You can configure Archer as a data source for Context Hub and use the Context Hub service to fetch contextual information from Archer. Use the procedures in this topic to add Archer as a data source for Context Hub service and configure the settings (if required) for Archer.
Prerequisites
Before you configure Archer data source, ensure that:
- Context Hub service is available in (Admin) > Services view of NetWitness.
- Archer is installed with Licensed Devices application.
To add Archer as a data source for Context Hub:
-
Go to (Admin) > Services.
The Services view is displayed.
-
Select the Context Hub service, and click > View > Config.
The Services Config view is displayed.
-
In the Data Sources tab, click > Archer.
The Add Data Source dialog is displayed.
-
Provide the following information:
- By default, the Enable checkbox is selected. If this option is unchecked, the save button is disabled, you cannot add the data source, and cannot view the contextual information.
-
Context Highlighting: This highlights the meta values (in the Investigate > Events, Event details and Nodal graph) for which the contextual information is available for this data source in the Context Hub. By default, this option is enabled.
Note: You can disable the context highlighting globally in the Context Hub explorer view. After you disable this option, the entity values for all the data sources configured will not be highlighted if there are any contextual information.
-
Enter the following fields:
- Name: Enter a name for Archer data source.
- Host: Enter the hostname or IP address where Archer server is installed.
- SSL: By default this option is selected and enables SSL communication to Archer .
- Trust All Certificates: Select this checkbox to add the data source without validating the certificate. If you uncheck this option, you need to upload a valid Archer server certificate for the connection to be successful.
- Port: The default port is 443.
- Username: Enter the Archer Server username.
- Password: Enter the Archer Server password.
- Instance: Enter the Instance name from which you want to extract data. An Archer instance is a single set up that includes unique content in a database, the connection to the database, the interface, and log-in. You might have individual instances for each office location or region or for development, test, and production environments. The Instance Database stores the Archer content for a specific instance.
- Context Base: Enter the virtual directory name where the files are stored. For example, rsaarcher located at the Archer web address https://archer.company.com/rsaarcher/default.aspx. If the files are stored in the IIS default web address https://archer.company.com/default.aspx, then this field must be empty.
- Max. Concurrent Queries: You can configure the maximum number of concurrent queries defined by the Context Hub service to be run against the configured data sources. The default value is 10.
- Click Test Connection to test the connection between Context Hub and the Archer data source.
-
Click Save.
Archer is added as a data source for Context Hub and is displayed in the Data Sources tab.
After adding the data source, you can configure data source settings. For instructions, see Configure Context Hub Data Source Settings . And View the contextual data in the Context Summary Panel of the Respond view or Investigate view. For instructions, see the NetWitness Respond User Guide and Investigate User Guide.
Configure Archer Data Source
After you have configured the required data sources you can customize the settings for the data sources based on your requirement.
To access and configure settings:
-
Go to (Admin) > Services.
The services view is displayed.
-
In the Services panel, select the Context Hub service and click > View > Config.
The Services Config view of Context Hub is displayed.
-
Select the data source for which you want to configure the settings and click in the Actions column.
The following screenshot is an example of the Configure Archer dialog:
-
In the Settings tab. Configure the following fields:
Field Description Enable This option is enabled by default (checked) and can be used to enable or disable the response from the selected data source. Cache Settings Any lookup from Context Hub can be stored in the Context Hub cache for a configured time. Response to any subsequent matching request will be fetched from the Context Hub cache.
Use this section to define the following cache settings for query lookup:- Cache Enabled: By default, this checkbox is selected and the query response is cached.
- Cache Expiration (Minutes): The maximum time the query lookup is retained in cache. The default time is 30 minutes and maximum is 7200 minutes that you can configure.
-
Click Cache Settings. Configure the following fields.
Field Description Export Attributes Configuration In Settings, Export Attributes Configuration, click Export to export the Archer Attributes Configuration. These are the attributes visible in Context Lookup while viewing Archer details for a IP, Host, or Mac. A JSON configuration file gets downloaded and the order of the attributes in sync with the listing in the context panel is maintained in the JSON file.
Import Attributes Configuration If you want to update or edit the configuration settings, in Settings, Import Attributes Configuration, click Browse. Select the JSON file containing the configuration attributes.
The attributes appear in the Context Lookup panel when a user views the context, in the order which they were imported.
Note: You can backup the previous attributes before importing any changes made to existing attributes.
Data Prefetch Settings In Settings, Data Prefetch Settings helps prefetch the data. Configure the Schedule Recurrence to provide data faster when you hover over the intended entity in Respond.
Schedule Recurrence In the Recur Every field, enter a value or use the drop-down to configure the recurrence for prefetch. The default time duration can be selected from the drop-down list for configuring the duration of recurrence. Available values are minutes, hours, days, or weeks.
-
Click any one of the following options:
- Cancel - select this option to cancel the changes.
- Save - select this option to save the changes.
-
Save and Close - select this option to save and close the dialog.
Note: After you configure the data source settings, you can configure the Context Hub configuration parameters by navigating to (Admin) > Services> View > Explore view. Make sure you restart the Context Hub service if you make any configuration changes in the Explore view.