Sys Maintenance: Maintain Queries Using URL Integration

Document created by RSA Information Design and Development on May 12, 2016. Last modified by RSA Information Design and Development on May 12, 2016.
Version 2

A URL integration provides a way to represent the breadcrumbs, or query path, that you take when actively investigating a service in the Navigation view. You do not need to display or edit these objects very often.

A URL integration maps a unique ID, created automatically each time you click a navigation link in the Navigation view to drill into data, to the query that the drill represents. When the drill down completes, the URL reflects the query IDs for the current drill point. The Display Name appears in the breadcrumb in the Values panel.

The URL Integration panel lists these queries and allows users with the proper permissions to modify this underlying source of data and to analyze the query patterns of other users of the Security Analytics system. Within the panel, you can:

  • Refresh the list.
  • Edit a query.
  • Delete a query.
  • Clear all queries in the list.

Caution: After a query has been removed from the system, any Investigation URLs that included the ID of that query will no longer function.

Procedures

Edit a Query

  1. In the Security Analytics menu, click Administration > System.
  2. In the options panel, select URL Integration.
    [Screenshot: adm_system_urlIntegration.PNG]
  3. Select the row in the grid and either double-click the row or click the Edit icon.
    The Edit Query dialog is displayed.
    [Screenshot: sys_urlInt_edit_query.PNG]
  4. Edit the Display Name and the Query, but do not leave either field blank.
  5. To save the changes, click Save.

Delete a Query

Caution: After a query has been removed from the system, any Investigation URLs that included the ID of that query will no longer function.

To remove a query from Security Analytics entirely:

  1. Select the query.
  2. Click the Delete icon.
    A dialog requests confirmation that you want to delete the query.
  3. Click Yes.

Clear All Queries

To clear all queries from the list:

  • Click the Clear icon.
    The entire list is cleared.

Use a Query in a URI

URL Integration facilitates integrations with third-party products by allowing a search against the Security Analytics architecture. By using a query in a URI, you can pivot directly from any product that allows custom links, into a specific drill point in the Investigation view in Security Analytics.

The format for entering a URI using a URL-encoded query is:

http://<sa host:port>/investigation/<serviceId>/navigate/query/<encoded query>/date/<start date>/<enddate>

where

  • <sa host:port> is the IP address or DNS name of the Security Analytics server, with or without a port, as appropriate (SSL or not). The port is only needed if access is configured over a non-standard port through a proxy.
  • <serviceId> is the internal Service ID in the Security Analytics instance for the service to query against. The service ID can be represented only as an integer. You can see the relevant service ID in the URL when accessing the Investigation view within Security Analytics. This value changes based on the service being connected to for analysis.
  • <encoded query> is the URL-encoded Security Analytics query. The length of the query is limited by the URL length limits of the browser and server.
  • <start date> and <end date> define the date range for the query. The format is <yyyy-mm-dd>T<hh:mm>. Both the start and end dates are required. Relative ranges (for example, Last Hour) are not supported in this version. All times are interpreted as UTC.

For example:
http://localhost:9191/investigation/12/navigate/query/alias%20exists/date/2012-09-01T00:00/2012-10-31T00:00

Examples

These are query examples where the Security Analytics server is 192.168.1.10 and the service ID is 2.

All activity on 03/12/2013 between 5:00 and 6:00 AM with a hostname registered

All activity on 3/12/2013 between 5:00 and 5:10 PM with http traffic to and from IP address 10.10.10.3

  • Custom Pivot: service=80 && (ip.src=10.10.10.3 || ip.dst=10.0.3.3)
  • Encoded Pivot Dissected:

Additional Notes

Some values may not need to be encoded as part of the query. For example, the IP source and destination are commonly used for this integration point, and a third-party application that integrates with this feature can reference those values without applying encoding.
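The following Python script is an added example, not RSA's code, showing how a third-party integration could build and validate an Investigation URI of the format documented above. It reproduces the localhost:9191 example from the format section and the second example from the Examples section (server 192.168.1.10, service ID 2, 3/12/2013 between 5:00 and 5:10 PM). The function names are hypothetical; the choice to percent-encode every reserved character (including spaces, "&", "|" and parentheses) is the conservative reading of the note above, since the page does not specify which characters may be left unencoded. The checks on the service ID and the date range are added so that a link generator rejects malformed input before it reaches Security Analytics.

```python
from datetime import datetime
from urllib.parse import quote, unquote, urlparse

# Date format required by the Investigation URI: <yyyy-mm-dd>T<hh:mm>, UTC.
DATE_FMT = "%Y-%m-%dT%H:%M"


def build_investigation_uri(host, service_id, query, start, end, scheme="http"):
    """Build http://<host>/investigation/<serviceId>/navigate/query/<encoded>/date/<start>/<end>.

    host       - "<sa host:port>", e.g. "192.168.1.10" or "localhost:9191"
    service_id - internal service ID; must be an integer
    query      - raw (not yet encoded) Security Analytics query
    start, end - absolute dates as strings in DATE_FMT (relative ranges are not supported)
    """
    if isinstance(service_id, bool) or not isinstance(service_id, int) or service_id < 0:
        raise ValueError("service_id must be a non-negative integer")
    # strptime rejects anything that is not exactly <yyyy-mm-dd>T<hh:mm>.
    start_dt = datetime.strptime(start, DATE_FMT)
    end_dt = datetime.strptime(end, DATE_FMT)
    if end_dt < start_dt:
        raise ValueError("end date must not precede start date")
    # safe="" percent-encodes '/', '&', '=', '|', '(', ')' and spaces so the
    # whole query occupies a single path segment. Letters, digits, '.', '-',
    # '_' and '~' are left as-is, which is why IP addresses stay readable.
    encoded = quote(query, safe="")
    return (
        f"{scheme}://{host}/investigation/{service_id}/navigate/query/"
        f"{encoded}/date/{start}/{end}"
    )


def parse_investigation_uri(uri):
    """Decode an Investigation URI back into its components (inverse of build)."""
    parsed = urlparse(uri)
    parts = parsed.path.split("/")
    # Expected path segments:
    # ['', 'investigation', '<serviceId>', 'navigate', 'query', '<encoded>', 'date', '<start>', '<end>']
    if (
        len(parts) != 9
        or parts[1] != "investigation"
        or parts[3:5] != ["navigate", "query"]
        or parts[6] != "date"
    ):
        raise ValueError("not an Investigation URI")
    # Validate the dates the same way the builder does.
    datetime.strptime(parts[7], DATE_FMT)
    datetime.strptime(parts[8], DATE_FMT)
    return {
        "host": parsed.netloc,
        "service_id": int(parts[2]),
        "query": unquote(parts[5]),
        "start": parts[7],
        "end": parts[8],
    }


if __name__ == "__main__":
    # Example from the format section above.
    print(build_investigation_uri("localhost:9191", 12, "alias exists",
                                  "2012-09-01T00:00", "2012-10-31T00:00"))
    # Second example from the Examples section (5:00 to 5:10 PM UTC on 3/12/2013).
    uri = build_investigation_uri(
        "192.168.1.10", 2,
        "service=80 && (ip.src=10.10.10.3 || ip.dst=10.0.3.3)",
        "2013-03-12T17:00", "2013-03-12T17:10",
    )
    print(uri)
    print(parse_investigation_uri(uri)["query"])
```

Because the builder and parser round-trip through the same encoding, a link produced by one integration can be checked by another before it is stored or followed; a URI whose path does not match the documented layout, whose service ID is not an integer, or whose dates are not absolute is rejected up front.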

