|Applies To||RSA Product Set: RSA NetWitness Platform|
RSA Product/Service Type: Respond Server
RSA Version/Condition: 11.4.x
|Issue||This article describes how to create custom Match Conditions and GroupBy fields for the Respond Server in NetWitness Platform 11.4.x.|
To prevent overwriting future customizations, custom normalization script files are available in NetWitness Platform 11.4 and later.
|Tasks||To modify the available GroupBy and Match Conditions fields, the two files below are required on the NW Admin Server:|
In addition, depending on the source of the alert, one of the following files must also be modified.
Alert sources - ESA/Reporting Engine/NetWitness Investigate:
Alert source - NetWitness Endpoint:
Alert source - Malware Analysis:
Alert source - Web Threat Detection:
Alert source - UEBA:
|Resolution||This example uses a custom meta key named "Instance" and ESA as the alert source.|