Investigate-server Configuration

Investigate-server ConfigurationInvestigate-server Configuration

Name:
rsa.investigate.eventanalysis.legacy-events-enabled
Default value:
false
Type:
boolean
Description:
Flag to determine if legacy events tab and related links have to be enabled

Name:
rsa.investigate.incident.max-events-per-alert
Default value:
60
Type:
long
Description:
Max. number of events that should be added to a single alert when creating incidents from events

Name:
rsa.investigate.metakey.cache.cache-duration
Default value:
7
Type:
seconds
Description:
Number of seconds a metakey should live in the cache. Default: 1 WEEK

Name:
rsa.investigate.reconstruction.clear-cache-older-than
Default value:
24
Type:
seconds
Description:
Cache files which are older than this time interval would be cleared

Name:
rsa.investigate.reconstruction.content-type-file-extractor
-max-size
Default value:
4
Type:
bytes
Description:
From NetWitness Core documentation
The max number of bytes to return, zero means no limit. This parameter is used to control the maximum bytes that a large network session should return and is mainly meant to prevent an extraordinary large network session from consuming a large number of resources during the transfer. Be careful setting this parameter to zero.

Name:
rsa.investigate.reconstruction.email-full-render
Default value:
true
Type:
boolean
Description:
Flag to enable/disable full rendering of email messages.
When set to true email bodies will be fully reconstructed which will benefit email’s with HTML body content. Styling will be preserved as best as possible—external styles and references must be removed—and inline content (images), if included in the session, will be displayed. Placeholders will be shown for content that is not available or cannot be rendered and any inline script should be made inactive but displayed to the user for informational purposes.
If set to false, standard rendering is used which will render the email body as best as possible and return it as text in the bodyContent field of the {@link Email} object.
This setting is dependent on the Reconstruction Object Cache being enabled. (see {@link ReconstructionProperties#objectCacheEnabled}) It is ignored otherwise.

Name:
rsa.investigate.reconstruction.endpoint-enrichment-time-window
Default value:
30
Type:
seconds
Description:
Endpoint Enrichment Query time window in seconds. Network events will be correlated with endpoint events triggered within this time window of the network event’s time. If network event time is x, endpoint events will be queried from 'x - @endpointEnrichmentTimeWindow' time

Name:
rsa.investigate.reconstruction.endpoint-enrichment-time-window-buffer
Default value:
5
Type:
seconds
Description:
Additional buffer time range used to query for endpoint enrichment data. If network event time is x, endpoint events will be queried till 'x + @endpointEnrichmentTimeWindowBuffer' time

Name:
rsa.investigate.reconstruction.endpoint-events-query-time-out
Default value:
5
Type:
seconds
Description:
Max time allowed in seconds for all endpoint core queries to complete

Name:
rsa.investigate.reconstruction.enrichment-instance-init-delay
Default value:
1
Type:
seconds
Description:
Initial delay to fetch the investigate service details from all orchestrated endpoint services

Name:
rsa.investigate.reconstruction.image-placeholder-url
Default value:
Type:
uri
Description:
Url used in Email recon for web email when original images cannot be loaded

Name:
rsa.investigate.reconstruction.object-cache-enabled
Default value:
true
Type:
boolean
Description:
Flag to enable/disable reconstruction object cache. In addition to caching the content (protobuf files) that are downloaded from core devices, the investigate service will attempt to cache any objects and files that are created while reconstructing sessions. For this release (11.4—the first release with the object cache) this only pertains to email reconstruction.

Name:
rsa.investigate.reconstruction.reactive-message-size
Default value:
256
Type:
bytes
Description:
Used in reactive streaming to configure the maximum buffer size for holding reconstructed data.

Name:
rsa.investigate.reconstruction.reactive-text-streaming
Default value:
true
Type:
boolean
Description:
Flag to turn on reactive streaming for text reconstruction. Reactive streaming prevents web socket overload by sending as many reconstructed text blocks that fit into a known buffer size and stopping until the caller tells the service to proceed.

Name:
rsa.investigate.reconstruction.session-enrichment-time-out
Default value:
10
Type:
seconds
Description:
Max time allowed in seconds for all enrichment queries to complete including core, endpoint and other enrichment queries

Name:
rsa.investigate.reconstruction.support-script-urls
Default value:
Type:
uri[]
Description:
If html is generated in reconstruction, that is served to the UI via an IFRAME (as to not interfere with the functionality/styling of the main application) this setting stores an array of strings (url’s) to javascript files that will be injected into the html. The javascript is injected via