Investigate-server ConfigurationInvestigate-server Configuration
AliasesPropertiesAliasesProperties
| Name | Default value | Type | Description |
|---|---|---|---|
|
rsa.investigate.aliases.cache-duration |
24 |
seconds |
Time it takes for the cache that stores aliases to expire |
|
rsa.investigate.aliases.retrieval-timeout |
30 |
seconds |
Timeout to wait for aliases sdk response |
ColumnGroupPropertiesColumnGroupProperties
| Name | Default value | Type | Description |
|---|---|---|---|
|
rsa.investigate.column.group.number-of-visible-columns |
15 |
integer |
EventAnalysisPropertiesEventAnalysisProperties
| Name | Default value | Type | Description |
|---|---|---|---|
|
rsa.investigate.eventanalysis.legacy-events-enabled |
false |
boolean |
Flag to determine if legacy events tab and related links have to be enabled |
|
rsa.investigate.eventanalysis.limit |
5000 |
integer |
The default event limit |
|
rsa.investigate.eventanalysis.role-event-limit |
map |
The per-role event limit |
IncidentPropertiesIncidentProperties
| Name | Default value | Type | Description |
|---|---|---|---|
|
rsa.investigate.incident.max-events-per-alert |
60 |
long |
Max. number of events that should be added to a single alert when creating incidents from events |
KeyrefsPropertiesKeyrefsProperties
| Name | Default value | Type | Description |
|---|---|---|---|
|
rsa.investigate.keyrefs.cache-duration |
2 |
seconds |
Time it takes for the cache that stores aliases to expire |
|
rsa.investigate.keyrefs.retrieval-timeout |
30 |
seconds |
Timeout to wait for aliases sdk response |
MetaKeyCachePropertiesMetaKeyCacheProperties
| Name | Default value | Type | Description |
|---|---|---|---|
|
rsa.investigate.metakey.cache.cache-duration |
7 |
seconds |
Number of seconds a metakey should live in the cache. Default: 1 WEEK |
ReconstructionPropertiesReconstructionProperties
| Name | Default value | Type | Description |
|---|---|---|---|
|
rsa.investigate.reconstruction.clear-cache-older-than |
24 |
seconds |
Cache files which are older than this time interval would be cleared |
|
rsa.investigate.reconstruction.compressed-file-password |
netwitness |
string |
Default zip file password for email recon downloads |
|
rsa.investigate.reconstruction.content-type-file-extractor |
4 |
bytes |
From NetWitness Core documentation <p> The max number of bytes to return, zero means no limit. This parameter is used to control the maximum bytes that a large network session should return and is mainly meant to prevent an extraordinary large network session from consuming a large number of resources during the transfer. Be careful setting this parameter to zero. |
|
rsa.investigate.reconstruction.email-attachment-hash-provider |
reconstructionproperties |
The calculated hash type for any email attachments |
|
|
rsa.investigate.reconstruction.email-full-render |
true |
boolean |
Flag to enable/disable full rendering of email messages. <p> When set to true email bodies will be fully reconstructed which will benefit email’s with HTML body content. Styling will be preserved as best as possible—external styles and references must be removed—and inline content (images), if included in the session, will be displayed. Placeholders will be shown for content that is not available or cannot be rendered and any inline script should be made inactive but displayed to the user for informational purposes. <p> If set to false, standard rendering is used which will render the email body as best as possible and return it as text in the |
|
rsa.investigate.reconstruction.endpoint-enrichment-time-window |
30 |
seconds |
Endpoint Enrichment Query time window in seconds. Network events will be correlated with endpoint events triggered within this time window of the network event’s time. If network event time is x, endpoint events will be queried from 'x - @endpointEnrichmentTimeWindow' time |
|
rsa.investigate.reconstruction.endpoint-enrichment-time-window-buffer |
5 |
seconds |
Additional buffer time range used to query for endpoint enrichment data. If network event time is x, endpoint events will be queried till 'x + @endpointEnrichmentTimeWindowBuffer' time |
|
rsa.investigate.reconstruction.endpoint-events-query-time-out |
5 |
seconds |
Max time allowed in seconds for all endpoint core queries to complete |
|
rsa.investigate.reconstruction.enrichment-instance-init-delay |
1 |
seconds |
Initial delay to fetch the investigate service details from all orchestrated endpoint services |
|
rsa.investigate.reconstruction.image-placeholder-url |
uri |
Url used in Email recon for web email when original images cannot be loaded |
|
|
rsa.investigate.reconstruction.object-cache-enabled |
true |
boolean |
Flag to enable/disable reconstruction object cache. In addition to caching the content (protobuf files) that are downloaded from core devices, the investigate service will attempt to cache any objects and files that are created while reconstructing sessions. For this release (11.4—the first release with the object cache) this only pertains to email reconstruction. |
|
rsa.investigate.reconstruction.reactive-message-size |
256 |
bytes |
Used in reactive streaming to configure the maximum buffer size for holding reconstructed data. |
|
rsa.investigate.reconstruction.reactive-text-streaming |
true |
boolean |
Flag to turn on reactive streaming for text reconstruction. Reactive streaming prevents web socket overload by sending as many reconstructed text blocks that fit into a known buffer size and stopping until the caller tells the service to proceed. |
|
rsa.investigate.reconstruction.session-enrichment-time-out |
10 |
seconds |
Max time allowed in seconds for all enrichment queries to complete including core, endpoint and other enrichment queries |
|
rsa.investigate.reconstruction.support-script-urls |
uri[] |
If html is generated in reconstruction, that is served to the UI via an IFRAME (as to not interfere with the functionality/styling of the main application) this setting stores an array of strings (url’s) to javascript files that will be injected into the html. The javascript is injected via <script /> elements at the time of HTML file creation and therefore will be saved to the object-cache. Any updates to this array would require clearing of the object-cache and/or a service restart. |
|
|
rsa.investigate.reconstruction.sync-core-timeout |
600 |
seconds |
Max time to wait for operations for caching core content to complete to prevent deadlocks. Internal setting. Not recommended for customer use. |
|
rsa.investigate.reconstruction.wire-size-provider |
reconstructionproperties |
The method used to determine object size when transmitting objects via websocket |
ResponsePropertiesResponseProperties
| Name | Default value | Type | Description |
|---|---|---|---|
|
rsa.investigate.response.events-batch-size |
5000 |
long |
Number of data size to send per message. If client send request with stream batch size and it is smaller than this, the client batch size will be used instead. |
EventsStreamPropertiesEventsStreamProperties
| Name | Default value | Type | Description |
|---|---|---|---|
|
rsa.investigate.stream.events.factor-of-multiple-meta-values-with-same-key |
5 |
integer |
Like the above property. This property is used to calculate a safety threshold if not specified. It’s a factor to allow for multiple meta values existing in the same key and should be something reasonably high. |
|
rsa.investigate.stream.events.safe-num-of-column-selected |
50 |
integer |
Used to calculate a safety value for "threshold" in the query to avoid the query going unbounded if threshold is not specified. The value of threshold is calculate by the formula below: threshold = (num of sessions desired) * (num of column selected) * (factor of multiple meta values with same key) If the above (num of column selected) can’t be inferred from "select" field, this default value would be used. |
