Whois Lookup Service Configuration (11.1.x to 11.4.x)

Note: The information in this topic applies ONLY to NetWitness® Platform versions 11.1.x to 11.4.x.
The Whois Lookup Service and ESA Analytics are not supported in NetWitness Platform 11.5 and later versions.

In the Whois Lookup Configuration panel (Admin > System > Whois), you configure a connection to the Whois Lookup service for your preconfigured ESA Analytics modules used in RSA Automated Threat Detection. The Whois Service enables you to get accurate data about domains that you connect to. In order to ensure effective scoring, it is important that you configure the Whois service settings.

You must have an RSA Live account to use this service.

If you configured a Live account in the Live Services panel (Admin > System > Live Services), the Whois Lookup Service is automatically configured for you. You just need to check the connection of the Whois Lookup service.

Note: If you do not have an RSA Live account, you can create one at the RSA Live Registration Portal (https://cms.netwitness.com/registration/). The Live Services Management Guide provides additional information.

What do you want to do?

Role           I want to ...                                      Show me how
Administrator  Configure the Whois Lookup service.                See "Configure the Whois Lookup Service" in the ESA Configuration Guide for NetWitness Platform 11.4.
Administrator  Check the connection of the Whois Lookup service.  See "Configure the Whois Lookup Service" in the ESA Configuration Guide for NetWitness Platform 11.4.

Go to the NetWitness All Versions Documents page and find NetWitness Platform guides to troubleshoot issues.

Related Topics

  • See "ESA Analytics Mappings" in the ESA Configuration Guide for NetWitness Platform 11.4.

Quick Look

To access the Whois Lookup Service Configuration, go to Admin > System and in the options panel, select Whois.

The ESA Analytics Server service must be available (shows a green circle) in the Admin > Services view. If you do not have an ESA Analytics Server service available, you will see the following panel.

[Screenshot: Whois panel shown when no ESA Analytics Server service is available]

If you have an ESA Analytics Server service available, you will see the following panel.

[Screenshot: Whois Lookup Service Configuration panel with an ESA Analytics Server service available]

The following table describes the listed Whois Lookup Service configuration settings.

Parameter Description
Live Username

Required only if you did not already configure the Whois Lookup service. Enter the authentication credential for the Whois Server. This is the same as your RSA Live User ID. If you have not configured an RSA Live account, you will need to do so.

The default value is "whois."

Live Password

Required only if you did not already configure the Whois Lookup service. Enter the authentication credential for the Whois Server. This is the same as your RSA Live password. If you have not configured an RSA Live account, you will need to do so.

The default value is null.

Allowed Requests

(Optional) Enter how many queries you want to allow before the Whois service is throttled. This parameter works together with Allowed Requests Interval (in seconds), which sets the interval over which the queries are counted. For example, if you set Allowed Requests to 100 and Allowed Requests Interval to 60, you are allowed 100 requests in any 60-second interval.

The default value is 100.

Allowed Requests Interval

(Optional) If you set the Allowed Requests parameter, you need to also configure this setting to determine the interval. This value should be tuned for your environment.

The default setting is 60 seconds.

Queue Max Size

(Optional) Specify the maximum number of domains that can be queued for lookup by the Whois service.

The default is 100,000.

Cache Max Size

(Optional) Specify the maximum number of cached Whois entries. Once this limit is reached, the least recently used entry will be removed to accommodate a new entry.

The default is 50,000.

Refresh Interval (Days)

(Optional) Specify the number of days for the refresh interval. If requested Whois information is found in the cache, and the cache entry has been there for more than the specified number of days, the entry is removed from the cache and the domain returned to the queue to be looked up. (The cache entry is returned for the request that identified it as stale.)

The default setting is 30 days.

Wait For HTTP Request

(Optional) Requires that the ESA wait for the Whois service to respond before it can complete running the module. This ensures that the Whois data is always included in the results, but it can negatively impact performance as the ESA pauses up to 30 seconds to wait for the Whois service response.

If you do not configure this setting, and the response time is slow, the ESA completes running the analysis for a given event without the Whois data, and calculates the score without the data.

The default setting is true.

Query URL

(Optional) Enter the URL to obtain Whois data from the Whois service. The trailing slash ('/') is required. Otherwise, requests will fail.

The default value is: https://cms.netwitness.com/whois/v2/query/

Authentication URL

(Optional) Enter the URL to obtain authentication tokens from the Whois service. The default value is: https://cms.netwitness.com/authlive/authenticate/WHOIS
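The Allowed Requests, Allowed Requests Interval, Queue Max Size, Cache Max Size and Refresh Interval settings interact at runtime. The following Python model is an added illustration of the semantics the table describes; it is not NetWitness code, and the class name, method names and the pluggable `clock` parameter are assumptions made for the example. It shows the sliding-window throttle, the bounded lookup queue, the least-recently-used cache, and the stale-entry rule where the stale record is still returned to the request that found it while the domain goes back on the queue.

```python
from collections import OrderedDict, deque
import time


class WhoisLookupModel:
    """Model of the documented queue/cache/throttle behaviour (assumed, not NetWitness code)."""

    def __init__(self, allowed_requests=100, allowed_interval_s=60, queue_max_size=100_000,
                 cache_max_size=50_000, refresh_days=30, clock=time.time):
        self.allowed_requests, self.allowed_interval_s = allowed_requests, allowed_interval_s
        self.queue_max_size, self.cache_max_size = queue_max_size, cache_max_size
        self.refresh_s = refresh_days * 86400
        self.clock = clock                 # injectable clock so the model can be driven in tests
        self.cache = OrderedDict()         # domain -> (record, inserted_at), oldest use first
        self.queue = deque()               # domains awaiting a Whois request
        self.sent = deque()                # timestamps of requests sent in the current window

    def lookup(self, domain):
        """Return the cached record (or None) and queue the domain when it is missing or stale."""
        now = self.clock()
        entry = self.cache.get(domain)
        if entry is None:
            self._enqueue(domain)
            return None
        record, inserted_at = entry
        if now - inserted_at > self.refresh_s:
            # Stale: evict and re-queue, but this request still gets the stale record.
            del self.cache[domain]
            self._enqueue(domain)
            return record
        self.cache.move_to_end(domain)     # mark as most recently used
        return record

    def _enqueue(self, domain):
        # Queue Max Size: extra domains are dropped rather than queued.
        if domain not in self.queue and len(self.queue) < self.queue_max_size:
            self.queue.append(domain)

    def can_send(self):
        """Allowed Requests per Allowed Requests Interval, as a sliding window."""
        now = self.clock()
        while self.sent and now - self.sent[0] >= self.allowed_interval_s:
            self.sent.popleft()
        return len(self.sent) < self.allowed_requests

    def drain(self, fetch):
        """Send queued lookups while the throttle allows; fetch(domain) stands in for the HTTP call."""
        done = 0
        while self.queue and self.can_send():
            domain = self.queue.popleft()
            self.sent.append(self.clock())
            if len(self.cache) >= self.cache_max_size:
                self.cache.popitem(last=False)   # Cache Max Size: evict least recently used
            self.cache[domain] = (fetch(domain), self.clock())
            done += 1
        return done
```

Driving the model with small limits makes the throttle and eviction visible: with `allowed_requests=2`, a third queued domain is not sent until the 60-second window has passed.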