Article Number | 000038947 |
Applies To | RSA Product Set: RSA NetWitness Platform RSA Product/Service Type: Respond Server RSA Version/Condition: 11.4.x |
Issue | This article describes how to create custom Match Conditions and GroupBy fields for the Respond server in NetWitness Platform 11.4.x. To prevent customizations from being overwritten, separate custom normalization script files are available in NetWitness Platform 11.4 and later. |
Tasks | To modify the available GroupBy and Match Conditions fields, the two files below are required on the NW Admin Server:
/var/lib/netwitness/respond-server/data/aggregation_rule_schema.json
/var/lib/netwitness/respond-server/scripts/custom_normalize_alerts.js
In addition, depending on the source of the alert, one of the following files must also be modified:
Alert sources - ESA/Reporting Engine/NetWitness Investigate: /var/lib/netwitness/respond-server/scripts/custom_normalize_core_alerts.js
Alert source - NetWitness Endpoint: /var/lib/netwitness/respond-server/scripts/custom_normalize_ecat_alerts.js
Alert source - Malware Analysis: /var/lib/netwitness/respond-server/scripts/custom_normalize_ma_alerts.js
Alert source - Web Threat Detection: /var/lib/netwitness/respond-server/scripts/custom_normalize_wtd_alerts.js
Alert source - UEBA: /var/lib/netwitness/respond-server/scripts/custom_normalize_ueba_alerts.js |
Resolution | In this example, a custom meta key named "Instance" is used, with ESA as the alert source.
- Add the new lines shown below to the aggregation_rule_schema.json file. (Pay close attention to the formatting and syntax within this file; it is very important.)
# vi /var/lib/netwitness/respond-server/data/aggregation_rule_schema.json
(Replace <customkey> with your real custom key. The fragment is appended after the last existing entry in the field list, which is why it starts with a closing brace and a comma.)
    },
    {
      "value": "alert.events.<customkey>",
      "name": "<customkey>",
      "type": "textfield",
      "operators": [0, 1, 8, 9, 10, 11, 12, 13],
      "groupBy": true,
      "groupByField": "alert.groupby_<customkey>"
    }
If custom keys were added for use in the groupBy clause prior to 11.4.x, modify the aggregation_rule_schema.json file and add the custom keys from the automatic backup file, which is located in /var/lib/netwitness/respond-server/data and is named in the following format: aggregation_rule_schema.json.bak-<time of the backup>
- Add the new lines shown below for the custom key to the following files.
(Pay close attention to the formatting and syntax within these files; it is very important.)
# vi /var/lib/netwitness/respond-server/scripts/custom_normalize_core_alerts.js
(Replace <customkey> with your real custom key.)
// Reuse the event list built by the base normalizer, or start with an empty one.
if (normalized.events != undefined) {
    custom_events = normalized.events;
} else {
    custom_events = new Array();
}
// Copy the custom key from each raw event onto the matching normalized event.
for (var i = 0; i < rawAlert.events.length; i++) {
    if (custom_events[i] == undefined) {
        custom_events[i] = {};   // guard: avoids a TypeError when the event list was empty
    }
    custom_events[i].<customkey> = Utils.stringValue(rawAlert.events[i].<customkey>);
}
if (normalized.events == undefined) {
    normalized.events = custom_events;
}
# vi /var/lib/netwitness/respond-server/scripts/custom_normalize_alerts.js
(Replace <customkey> with your real custom key.)
// Flatten the per-event values of the custom key into the single group-by field for the alert.
normalized.groupby_<customkey> = Utils.generateFlattenedColumnValue(normalized.events, "<customkey>");
- Restart the Respond Server service, either from within the NW UI:
NW UI > Admin > Services > Respond Server > Actions column > Restart
or from the command line on the NW Admin Server:
# systemctl restart rsa-nw-respond-server
|
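The following is an added example, not code from this article or from RSA: a stand-alone model of what the two custom scripts do for a custom key, plus a consistency check for the schema entry. `Utils` is a local stand-in for the helper object the Respond server injects into the real scripts; how generateFlattenedColumnValue joins values, and the lowercase key name "instance", are assumptions made here.

```javascript
// Added example, not from the KB article or RSA. `Utils` is a stand-in for the
// helper object the Respond server provides to the normalization scripts; the
// behaviour of generateFlattenedColumnValue below is an assumption.
const Utils = {
  // Coerce a meta value to a string before storing it on the normalized event.
  stringValue: (v) => (v === undefined || v === null) ? "" : String(v),
  // Collapse one column across all events into a single group-by value.
  // Assumed behaviour: distinct non-empty values, sorted, comma-joined.
  generateFlattenedColumnValue: (events, key) => {
    const seen = new Set();
    for (const e of events || []) {
      const v = Utils.stringValue(e[key]);
      if (v !== "") seen.add(v);
    }
    return [...seen].sort().join(",");
  },
};
// Mirrors the block added to custom_normalize_core_alerts.js: copy the custom
// key from each raw ESA event onto the matching normalized event.
function normalizeCoreAlert(rawAlert, normalized, customKey) {
  const events = normalized.events !== undefined ? normalized.events : [];
  const raw = rawAlert.events || [];
  for (let i = 0; i < raw.length; i++) {
    if (events[i] === undefined) events[i] = {}; // guard when no events were pre-built
    events[i][customKey] = Utils.stringValue(raw[i][customKey]);
  }
  if (normalized.events === undefined) normalized.events = events;
  return normalized;
}
// Mirrors the single line added to custom_normalize_alerts.js.
function normalizeAlert(normalized, customKey) {
  normalized["groupby_" + customKey] =
    Utils.generateFlattenedColumnValue(normalized.events, customKey);
  return normalized;
}
// Sanity check for an aggregation_rule_schema.json entry: the match-condition
// field (value), the display name and the group-by field must all name one key.
function schemaEntryConsistent(entry) {
  const m = /^alert\.events\.(.+)$/.exec(entry.value);
  return !!m && entry.name === m[1] &&
    (!entry.groupBy || entry.groupByField === "alert.groupby_" + m[1]);
}
// Constructed sample input: three ESA events carrying the custom key "instance".
const sampleRawAlert = { events: [{ instance: "prod-db-01" }, { instance: "prod-db-02" }, { instance: "prod-db-01" }] };
const sampleSchemaEntry = { value: "alert.events.instance", name: "instance",
  type: "textfield", operators: [0, 1, 8, 9, 10, 11, 12, 13],
  groupBy: true, groupByField: "alert.groupby_instance" };
```

Running normalizeCoreAlert followed by normalizeAlert on the sample yields per-event `instance` fields (used by the match condition) and a single `groupby_instance` value of "prod-db-01,prod-db-02" (used by the GroupBy field).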