000038947 - Creating Custom Match Conditions and GroupBy Fields for Respond in RSA NetWitness Platform 11.4.x

Document created by RSA Customer Support Employee on Jun 5, 2020
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000038947
Applies ToRSA Product Set: RSA NetWitness Platform
RSA Product/Service Type: Respond Server
RSA Version/Condition: 11.4.x
IssueThis article describes how to create Custom Match Conditions and GroupBy Fields for Respond server in NetWitness Platform 11.4.x.
To prevent overwriting future customizations, custom normalization script files are available in NetWitness Platform 11.4 and later. 
TasksTo modify the available GroupBy and Match Conditions fields, two files below are required on NW Admin Server:


AND, depending on the source of the alert, it requires to modify one of the following files as well. 

Alert sources - ESA/Reporting Engine/NetWitness Investigate:

Alert source - NetWitness Endpoint:

Alert source - Malware Analysis:

Alert source - Web Threat Detection:

Alert source - UEBA:
ResolutionIn this example, used custom meta key named "Instance" and alert Source from ESA.
  1. Add the new lines highlighted in pink in the screenshot below in aggregation_rule_schema.json file.
    (Attention to the formatting and syntax within this file which is very important).

    # vi /var/lib/netwitness/respond-server/data/aggregation_rule_schema.json (Replace customkey with your real custom key)

        "value": "alert.events.<customkey>",
        "name": "<customkey>",
        "type": "textfield",
        "operators": [0, 1, 8, 9, 10, 11, 12, 13],
        "groupBy": true,
        "groupByField": "alert.groupby_<customkey>"

    aggregation rule schema json file modification

    If custom keys was added for use in the groupBy clause PRIOR to 11.4.x, modify the aggregation_rule_schema.json file and add the custom keys from the automatic backup file which is located in /var/lib/netwitness/respond-server/data and it is in the following format:

    aggregation_rule_schema.json.bak-<time of the backup>
  2. Add new lines that are highlighted in pink in the screenshots below for custom key to the following files.
    (See the screenshot below and attention to the formatting and syntax within these files which is very important).

    # vi /var/netwitness/respond-server/scripts/custom_normalize_core_alerts.js (Replace customkey with your real custom key)

    if (normalized.events != undefined) {
            custom_events = normalized.events;
        }else {
            custom_events = new Array();

        for (var i = 0; i < rawAlert.events.length; i++) {

        if(normalized.events == undefined) {
            normalized.events = custom_events;

    custom normalize core alerts js modification

    # vi /var/netwitness/respond-server/scripts/custom_normalize_alerts.js (
    Replace customkey with your real custom key).

    normalized.groupby_<customkey> = Utils.generateFlattenedColumnValue(normalized.events, "<customkey>");

    custom normalize alert js modification
  3. Restart Respond Server service, either from within the NW UI:
    NW UI > Admin > Services > Respond Server > Actions column > Restart

    Or command line from NW Admin Server.
    # systemctl restart rsa-nw-respond-server
2 people found this helpful