Decoder: Create and Deploy Custom Feed Using Wizard

Document created by RSA Information Design and Development on Apr 21, 2016
Version 1

This topic provides instructions for using the Custom Feed Wizard in RSA Security Analytics to quickly populate Decoders with custom feeds.

RSA Security Analytics has a Custom Feed wizard that allows quick creation and deployment of custom Decoder feeds; the wizard offers the meta keys specific to the selected Decoders and Log Decoders. Although the wizard guides users through the process of creating both on-demand and recurring feeds, it is helpful to understand the form and content of a feed file when you create a feed.

Feed filenames in RSA Security Analytics are in the form <filename>.feed. To create a feed, Security Analytics requires a feed data file in .csv format and a feed definition file in .xml format, which describes the structure of the feed data file. The Custom Feed wizard can generate the feed definition file from a feed data file alone, or you can supply both the feed data file and its corresponding feed definition file.

The files that you use to create an on-demand feed must be stored on your local file system. The files used to create a recurring feed must be stored at an accessible URL, whence Security Analytics can fetch the most current version of the file for each recurrence. After a Security Analytics feed is created, you can download the feed to your local file system, edit the feed files, and then edit the Security Analytics feed to use the updated feed files.

Sample Feed Definition File

This is an example of a feed definition file named dynamic_dns.xml, which Security Analytics creates based on your entries in the Custom Feed wizard. It defines the structure of the feed data file named dynamic_dns.csv.

<?xml version="1.0" encoding="utf-8"?>
<FDF xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="feed-definitions.xsd">

    <FlatFileFeed name="Dynamic DNS Domain Feed"
        path="dynamic_dns.csv"
        separator=","
        comment="#"
        version="1">

        <MetaCallback
            name="alias.host"
            valuetype="Text"
            apptype="0"
            truncdomain="true"/>

        <LanguageKeys>
            <LanguageKey name="threat.source" valuetype="Text" />
            <LanguageKey name="threat.category" valuetype="Text" />
            <LanguageKey name="threat.desc" valuetype="Text" />
        </LanguageKeys>

        <Fields>
            <Field index="1" type="index" key="alias.host" />
            <Field index="4" type="value" key="threat.desc" />
            <Field index="2" type="value" key="threat.source" />
            <Field index="3" type="value" key="threat.category" />
        </Fields>
    </FlatFileFeed>

</FDF>

Feed Definition Equivalents for Custom Feed Wizard Parameters

The Security Analytics Custom Feed wizard provides options to define the structure of the data feed file. These correspond directly to attributes in the feed definition (.xml) file. 

                                                         
Security Analytics ParameterFeed Definition File Equivalent
(Define Feed tab) NameThe custom feed name in the feed data file. It corresponds to the flatfeedfile name attribute in the feed definition file. For example, Dynamic DNS Test Feed.

Note: You can now use special characters to define the name of the custom feed.

(Define Feed tab) File/ BrowseThis is the name of the feed data file. It corresponds to the flatfeedfile path attribute in the feed definition file. For example, dynamic_dns.csv.
(Advanced Options tab) XML Feed FileThe name of the feed definition file. For example, dynamic_dns.xml.
(Advanced Options tab) SeparatorThe separator character used to separate attributes in the feed data file. It corresponds to the flatfeedfile separator in the feed definition file. For example, a comma.
(Advanced Options tab) CommentThe character used to identify a comment in the feed data file. It corresponds to the flatfeedfile comment attribute in the feed definition file. For example, #.
(Define Columns tab, Define Index) TypeThe type of lookup value in the index position of the feed data file.
IP means that each row in the feed data file contains an IP address in the lookup value position. The IP value is in dotted-decimal format (for example, 10.5.187.42). IP Range means that each row in the feed data file contains a range of IP addresses in the lookup value position. The IP range is in CIDR format (for example, 192.168.2.0/24). Non IP means that the each row in the feed data file contains a metadata value other than IP address in the lookup value position. The Service Type and Truncate Domain, and Callback Keys fields become active for a Non IP index.
(Define Columns tab, Define Index) CIDRSpecifies that the IP value in the lookup position is in CIDR format. The CIDR attribute sets the IP address format in the field to Classless Inter-Domain Routing (CIDR) notation.
(Define Columns tab, Define Index)
Service Type
For a Non IP index, the integer service type to filter meta lookups. It corresponds to the MetaCallback apptype attribute in the feed definition file. A value of 0 indicates no filtering by service type.
(Define Columns tab, Define Index) 
Truncate Domain
For a Non IP index, for meta values that contain domain names (for example, hostnames), the system can strip off the host specific element in the data. Truncate Domain corresponds to the MetaCallback truncdomain attribute. If the value is www.example.com, it is truncated to example.com. A value of False selects no truncation, and True selects truncation.
(Define Columns tab, Define Index) 
Callback Keys
For a Non IP index, the available meta keys to match on instead of ip.src/ip.dst (the defaults for IP index type) are selectable from the drop-down list. The Callback Key corresponds to the MetaCallback name attribute, and the index column of the csv file must contain data that can match the chosen meta key. For example, if the username meta key is chosen, the index column of the csv file needs to be populated with users to be matched.
(Define Columns tab, Define Index) 
Index Column
Identifies the column in the feed data file that provides the lookup value for the row. Each position in each row of the feed data file is identified by a Field index attribute in the feed definition file. A field with an index of 1 is the first entry in a row, the second field has an index of 2, the third field has an index of 3, and so on.
(DEFINE VALUES) KeyThe name of the LanguageKey, as defined in the feed definition file, for which meta is created from this row of the feed data file. It corresponds to the Field key attribute in the feed definition file. A key applies only to a field whose type is set to value. In the feed definition file, there is a list of LanguageKeys from index.xml, or a summary name if Source Name and Destination Name are used. For example, reputation is a summary name for reputation.src and reputation.dst. This value is referenced by the Field key attribute.
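As an added example (not part of the RSA documentation and not the product's own code), the following Python script reads the dynamic_dns.xml definition shown earlier, applies it to a constructed dynamic_dns.csv, and simulates the lookup that the wizard parameters above describe: the 1-based Field index, the separator and comment attributes, the IP / IP Range / Non IP checks on the index column, and Truncate Domain via the MetaCallback truncdomain attribute. The truncate_domain rule (drop only the leftmost label) and normalising the observed value at match time are this example's assumptions; every csv row, hostname and list name is constructed.

```python
import csv
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the dynamic_dns.xml definition from this page, embedded inline.
FEED_DEFINITION_XML = """<?xml version="1.0" encoding="utf-8"?>
<FDF xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="feed-definitions.xsd">
  <FlatFileFeed name="Dynamic DNS Domain Feed" path="dynamic_dns.csv" separator="," comment="#" version="1">
    <MetaCallback name="alias.host" valuetype="Text" apptype="0" truncdomain="true"/>
    <LanguageKeys>
      <LanguageKey name="threat.source" valuetype="Text" />
      <LanguageKey name="threat.category" valuetype="Text" />
      <LanguageKey name="threat.desc" valuetype="Text" />
    </LanguageKeys>
    <Fields>
      <Field index="1" type="index" key="alias.host" />
      <Field index="4" type="value" key="threat.desc" />
      <Field index="2" type="value" key="threat.source" />
      <Field index="3" type="value" key="threat.category" />
    </Fields>
  </FlatFileFeed>
</FDF>"""

# Constructed sample dynamic_dns.csv; the last row is deliberately two columns short.
FEED_DATA_CSV = """# host,source,category,description
dyn-example.net,constructed-list,dynamic-dns,Sample dynamic DNS provider
bad.example.org,constructed-list,dynamic-dns,Sample second entry
too-short.example,constructed-list
"""

def parse_feed_definition(xml_text):
    """Extract separator, comment char, 1-based index column, value columns and MetaCallback settings."""
    feed = ET.fromstring(xml_text).find("FlatFileFeed")
    if feed is None:
        raise ValueError("no FlatFileFeed element")
    fields = feed.findall("Fields/Field")
    index_fields = [f for f in fields if f.get("type") == "index"]
    if len(index_fields) != 1:
        raise ValueError("exactly one Field of type index is required")
    keys = {lk.get("name") for lk in feed.findall("LanguageKeys/LanguageKey")}
    value_fields = [(int(f.get("index")), f.get("key")) for f in fields if f.get("type") == "value"]
    missing = [k for _, k in value_fields if k not in keys]
    if missing:
        raise ValueError("value Fields without a LanguageKey: %s" % missing)
    cb = feed.find("MetaCallback")  # present for a Non IP index; absent means ip.src/ip.dst
    return {
        "name": feed.get("name"),
        "separator": feed.get("separator", ","),
        "comment": feed.get("comment", "#"),
        "index_col": int(index_fields[0].get("index")),
        "value_fields": value_fields,
        "callback_key": cb.get("name") if cb is not None else None,
        "truncdomain": cb is not None and cb.get("truncdomain", "false").lower() == "true",
    }

def truncate_domain(hostname):
    """Strip the host-specific label (www.example.com -> example.com). Assumption: only the
    leftmost label is dropped, and only when three or more labels are present."""
    labels = hostname.strip().lower().split(".")
    return ".".join(labels[1:] if len(labels) > 2 else labels)

def validate_lookup_value(value, index_type):
    """Check a lookup value against the wizard's index Type: IP, IP Range or Non IP."""
    value = value.strip()
    if index_type == "Non IP":
        return value != ""
    try:
        if index_type == "IP":
            ipaddress.ip_address(value)  # dotted-decimal, e.g. 10.5.187.42
            return True
        if index_type == "IP Range":  # CIDR such as 192.168.2.0/24; strict=True rejects 192.168.2.1/24
            return "/" in value and ipaddress.ip_network(value, strict=True) is not None
    except ValueError:
        return False
    raise ValueError("unknown index type: %s" % index_type)

def load_feed_data(defn, csv_text):
    """Build {lookup value: {meta key: value}} and a list of (line number, problem) for bad rows."""
    table, errors = {}, []
    width = max([defn["index_col"]] + [i for i, _ in defn["value_fields"]])
    index_type = "Non IP" if defn["callback_key"] else "IP"
    for lineno, line in enumerate(csv_text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith(defn["comment"]):
            continue  # blank line or comment, per the comment attribute
        row = [c.strip() for c in next(csv.reader([line], delimiter=defn["separator"]))]
        if len(row) < width:
            errors.append((lineno, "expected %d columns, got %d" % (width, len(row))))
            continue
        key = row[defn["index_col"] - 1]  # Field index attributes are 1-based
        if not validate_lookup_value(key, index_type):
            errors.append((lineno, "bad %s lookup value: %r" % (index_type, key)))
            continue
        key = truncate_domain(key) if defn["truncdomain"] else key.lower()
        table[key] = {name: row[i - 1] for i, name in defn["value_fields"]}
    return table, errors

def lookup_meta(defn, table, observed_value):
    """Simulate the Decoder match: normalise the observed callback-key value the same way and
    return the row's value columns as the meta that would be created, or None for no match."""
    key = truncate_domain(observed_value) if defn["truncdomain"] else observed_value.strip().lower()
    return table.get(key)
```

Running parse_feed_definition(FEED_DEFINITION_XML) followed by load_feed_data on the sample csv loads two rows and rejects the short row together with its line number, which is the check worth running on a feed data file before pointing the wizard at it; lookup_meta(defn, table, "www.dyn-example.net") then returns the three threat.* values that would become meta for that session.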