Respond-server Configuration

Each table below lists one property group as Name | Default value | Type | Description. Note that the Type column reads "seconds" for several duration properties whose descriptions state a different unit (minutes or days; for example rsa.respond.risk.caching.expiration-time, rsa.respond.risk.data.retention.retention-period and rsa.respond.securid.secur-id-list-update-task-interval). Confirm the effective unit in the running service before changing those values.

MigrationProperties

Name | Default value | Type | Description
rsa.migration.im-data-path | /opt/rsa/im | string | The location of the 10.x IM service
rsa.migration.max-retries | 200 | integer | Number of times Respond attempts to run the migration when it cannot connect to Mongo or Mongo is down
rsa.migration.time-to-wait-between-retries | 60 | seconds | How often (in seconds) Respond retries the connection to Mongo

RespondPrimaryProperties

Name | Default value | Type | Description
rsa.primary.host | true | boolean | Whether the current Respond service is running on the primary
rsa.primary.mode | | respondprimaryproperties$scheduledjobsmode | Mode of the current Respond server

AlertRuleProperties

Name | Default value | Type | Description
rsa.respond.alertrule.batch-size | 1000 | long | The number of alerts processed by a rule in one batch
rsa.respond.alertrule.counter-reset-interval-days | 7 | integer | How often (in days) rule counters are reset
rsa.respond.alertrule.enabled | true | boolean | Whether alert rules are enabled
rsa.respond.alertrule.frequency | 5 | seconds | The frequency of the alert rule job
rsa.respond.alertrule.last-counter-reset-time | 0 | long | Timestamp of the last rule counter reset

ArcherIntegrationProperties

Name | Default value | Type | Description
rsa.respond.archer.export.user-domain | | string | Archer UserDomain; set only when LDAP is enabled on Archer

RespondCacheProperties

Name | Default value | Type | Description
rsa.respond.cache.user-cache-expiry | 2 | seconds | How often to query the security server for the latest user information (for example, email addresses)
rsa.respond.cache.user-cache-size | 1000 | integer | Total size of the user cache

DataRetentionConfiguration

Name | Default value | Type | Description
rsa.respond.dataretention.enabled | false | boolean | Whether the data retention job is enabled
rsa.respond.dataretention.execution-hour | 0 | integer | Hour at which to run the job
rsa.respond.dataretention.frequency | 24 | seconds | How often the job that deletes old alerts/incidents runs
rsa.respond.dataretention.retention-period | 90 | seconds | How long alerts/incidents are retained

IndicatorAggregationJobConfig

Name | Default value | Type | Description
rsa.respond.indicatoraggregationrule.schedule-delay | 0 | long | Delay before the indicator aggregation job runs
rsa.respond.indicatoraggregationrule.schedule-rate | 5000 | long | Frequency of the indicator aggregation job
rsa.respond.indicatoraggregationrule.seek-ahead-days | 0 | integer | How many days ahead of the incident window close time indicator aggregation looks
rsa.respond.indicatoraggregationrule.seek-back-days | 1 | integer | How many days back from the first alert received time indicator aggregation looks when aggregating indicators

IntegrationExportProperties

Name | Default value | Type | Description
rsa.respond.integration.export.archer-exchange-name | incidents.archer | string |
rsa.respond.integration.export.archer-sec-ops-integration-enabled | false | boolean |
rsa.respond.integration.export.breach-integration-enabled | false | boolean |
rsa.respond.integration.export.escalation-settings | | map |
rsa.respond.integration.export.export-incident-enabled | true | boolean |
rsa.respond.integration.export.help-desk-integration-enabled | false | boolean |

NormalizationProperties

Name | Default value | Type | Description
rsa.respond.normalization.alerts-queued | 100 | integer | The number of alerts to queue from RabbitMQ before waiting to consume further. The higher this value, the more alerts can be lost if Respond goes down during normalization
rsa.respond.normalization.custom-script-filename | custom_normalize_alerts.js | string | The name of the main custom JavaScript file used to normalize alerts
rsa.respond.normalization.indicator-normalization-enabled | true | boolean | Whether the legacy and indicator bindings are created
rsa.respond.normalization.max-legacy-consumers | 10 | integer | The maximum number of consumers that can consume from the legacy alerting exchange
rsa.respond.normalization.script-directory | scripts | string | The name of the directory, relative to the service home directory, that contains the normalization JavaScript files
rsa.respond.normalization.script-filename | normalize_alerts.js | string | The name of the main JavaScript file used to normalize alerts
rsa.respond.normalization.shutdown-timeout | 30 | seconds | The maximum time to wait for already-received alerts to finish processing before the service shuts down
rsa.respond.normalization.thread-count | 4 | integer | The number of threads used to normalize and persist alerts
rsa.respond.normalization.transient-indicator-normalization-enabled | true | boolean | Whether the low-priority transient alerts binding is created

QueryProperties

Name | Default value | Type | Description
rsa.respond.query.default-batch-size | 100 | long | Default chunk/batch size used to stream items to the client (client may override)
rsa.respond.query.default-query-limit | 1000 | long | Default number of items returned to the client for a single request (client may override)
rsa.respond.query.max-query-limit | 5000 | long | Maximum number of items returned to the client for a single request

RiskProcessingProperties

Name | Default value | Type | Description
rsa.respond.risk.alert.processing.concurrent-processors | 4 | integer | Number of staging operations to run concurrently
rsa.respond.risk.alert.processing.context-limit | 1000 | integer | Maximum number of alert contexts per rule in a category
rsa.respond.risk.alert.processing.default-files | cmd.exe, powershell.exe, wscript.exe, cscript.exe, rundll32.exe | string | Names of files treated as default OS-provided files
rsa.respond.risk.alert.processing.page-size | 100 | integer | Page size used when querying for persisted alerts
rsa.respond.risk.alert.processing.persisted-collection-interval | 30 | seconds | Interval at which the alert collection is queried for persisted alerts
rsa.respond.risk.alert.processing.staging-cleanup-interval | 5 | seconds | Cleanup interval for processed AlertRule entries in the staging collection
rsa.respond.risk.alert.processing.staging-fetch-size | 5000 | integer | Number of AlertRule entries fetched from staging in a single request
rsa.respond.risk.alert.processing.staging-work-interval | 10 | seconds | How often (in seconds) staged entries are fetched for processing
rsa.respond.risk.alert.processing.track-file-name-change | false | boolean | The file name recorded for a hash may change over time; whether to track such changes and save the latest name
rsa.respond.risk.alert.processing.track-host-name-change | true | boolean | The host name recorded for a host may change over time; whether to track such changes and save the latest name

RiskCachingProperties

Name | Default value | Type | Description
rsa.respond.risk.caching.expiration-time | 60 | seconds | Time (in minutes) since last access after which an entry expires from the cache
rsa.respond.risk.caching.grouped-cache-expiration-time | 5 | seconds | Time (in minutes) since last access after which an entry expires from the grouped cache
rsa.respond.risk.caching.grouped-cache-size | 10000 | integer | Maximum number of entries stored in the grouped cache
rsa.respond.risk.caching.size | 500000 | integer | Maximum number of entries stored in the cache

RiskRetentionProperties

Name | Default value | Type | Description
rsa.respond.risk.data.retention.frequency | 1 | seconds | Frequency at which the retention job runs
rsa.respond.risk.data.retention.retention-period | 30 | seconds | The retention threshold (in days)
rsa.respond.risk.data.retention.roll-up-to-day | false | boolean | Whether the roll-up time is calculated from the start of the day on which the task runs

RespondScheduledJobsProperties

Name | Default value | Type | Description
rsa.respond.scheduled.jobs.aggregation-job-enabled | true | boolean | Whether the aggregation job is enabled
rsa.respond.scheduled.jobs.data-retention-job-enabled | true | boolean | Whether the data retention job is enabled
rsa.respond.scheduled.jobs.risk-scoring-enabled | true | boolean | Whether risk scoring is enabled

SecurIdIntegrationProperties

Name | Default value | Type | Description
rsa.respond.securid.alert-page-size | 100 | integer | Alerts are fetched from incidents page by page; this property sets the maximum number of alerts fetched per page
rsa.respond.securid.alert-scan-json-paths | $.events[*].. | list | List of JSONPaths used to scan an alert for the given user metas. The single default path is enough to read all direct occurrences of the given user meta values from source and destination metas in all events of an alert
rsa.respond.securid.incident-processing-threads | 3 | integer | Number of threads that process incident update events
rsa.respond.securid.max-incident-queue-size | 100 | integer | Maximum size of the queue that holds incident change events awaiting processing
rsa.respond.securid.secur-id-list-update-task-interval | 15 minutes | seconds | Interval of the periodic task that updates the high-risk users list in the SecurID cloud
rsa.respond.securid.secur-id-request-batch-size | 100 | integer | Maximum number of users sent in a single request to the SecurID cloud
rsa.respond.securid.user-meta | email_address | string | The Respond-specific meta in an alert that identifies the user to be added to the SecurID high-risk users list (defaults to email_address)
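The SecurID rows above describe two steps: scanning each alert's events with the configured JSONPath for the configured user meta, and sending the resulting users to the SecurID cloud in requests capped by secur-id-request-batch-size. The following Python is an added example, not code from the Respond server or its documentation. It models the "$.events[*].." path as a recursive descent over every event that matches the configured user-meta key (my reading of the description, with the user meta appended to the path; the product's own JSONPath engine is not reproduced), uses the table's defaults for user-meta and batch size, and runs over a constructed sample alert. The request to the SecurID cloud itself is not shown.

```python
"""Added example (not Respond server code): how the rsa.respond.securid.*
settings above fit together.

Assumption (mine, not the product's): the JSONPath "$.events[*].." is
modelled as a recursive descent over every event that collects each value
stored under the configured user-meta key.
"""
from typing import Any, Iterator, List

# Defaults taken from the SecurIdIntegrationProperties table.
USER_META = "email_address"           # rsa.respond.securid.user-meta
REQUEST_BATCH_SIZE = 100              # rsa.respond.securid.secur-id-request-batch-size


def _descend(node: Any) -> Iterator[Any]:
    """Yield every nested node reachable from `node` (the JSONPath '..' step)."""
    yield node
    if isinstance(node, dict):
        for value in node.values():
            yield from _descend(value)
    elif isinstance(node, list):
        for item in node:
            yield from _descend(item)


def scan_user_metas(alert: dict, user_meta: str = USER_META) -> List[str]:
    """Collect user-meta values from all events of an alert, in first-seen
    order and without duplicates: '$.events[*]..' followed by a key lookup.
    Non-string values are ignored so nested objects are never sent as users."""
    seen: List[str] = []
    for event in alert.get("events", []):
        for node in _descend(event):
            if isinstance(node, dict) and user_meta in node:
                value = node[user_meta]
                if isinstance(value, str) and value not in seen:
                    seen.append(value)
    return seen


def batch_users(users: List[str], batch_size: int = REQUEST_BATCH_SIZE) -> List[List[str]]:
    """Split the user list into requests no larger than the configured batch."""
    if batch_size < 1:
        raise ValueError("batch size must be >= 1")
    return [users[i:i + batch_size] for i in range(0, len(users), batch_size)]


# Constructed sample alert (not real data): three events; user metas appear
# under source and destination, one user is duplicated, and one event carries
# no user meta at all.
SAMPLE_ALERT = {
    "id": "alert-1",
    "events": [
        {"source": {"user": {"email_address": "alice@example.test"}},
         "destination": {"user": {"email_address": "bob@example.test"}}},
        {"source": {"user": {"email_address": "alice@example.test"}},
         "destination": {"device": {"ip_address": "192.0.2.10"}}},
        {"source": {"device": {"ip_address": "192.0.2.11"}}},
    ],
}

if __name__ == "__main__":
    users = scan_user_metas(SAMPLE_ALERT)
    print(users)                  # ['alice@example.test', 'bob@example.test']
    print(batch_users(users, 1))  # [['alice@example.test'], ['bob@example.test']]
```

Passing a different key to scan_user_metas (for example "ip_address") shows why user-meta is configurable: the same scan yields whatever meta the deployment uses to identify a user. Keep the batch size at or below the value configured for the SecurID cloud so a single request is never rejected for being too large.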