Does SSL/TLS traffic stay encrypted when passing through Security Analytics? Is there a way to decrypt it onbox?  

Security Analytics is a passive capture device.  If traffic is encrypted, it will stay encrypted when captured by Security Analytics.  The traffic would need to be decrypted somewhere upstream for SA to be able to see into the encrypted packets.  A device like SSL Visibility would accomplish this.