Implement Non-Standard Meta Keys Used in ESA Rules

Document created by RSA Information Design and Development on May 25, 2016
Last modified by RSA Information Design and Development on Nov 15, 2018
Version 167

Overview

This topic tells you how to implement any non-standard data keys used in ESA alerts after you download them from Live.

Update XML Files

You need to update the table-map-custom.xml file on the Log Decoder and the index-concentrator-custom.xml file on the Concentrator.

Note: Do not edit the table-map.xml or index-concentrator.xml files, because your changes to them are overwritten when the product is updated. Always make your edits in table-map-custom.xml and index-concentrator-custom.xml.

To update the table-map-custom.xml file:

  1. Depending on your version:

    • For Security Analytics 10.x: In the Security Analytics menu, select Administration > Services.
    • For NetWitness 11.x: In the NetWitness menu, select ADMIN > Services.
  2. Open the file as follows:

    1. In the Services grid, select a Log Decoder.
    2. From the Actions menu, select View > Config, then select the Files tab in the Services Config view.
    3. Select table-map-custom.xml from the drop-down list.

      The table-map-custom.xml file opens in edit mode.

  3. In the <mappings> section of the file, add a <mapping> entry for the key and set its flags attribute to None. For example, to add myNewKey, add the following mapping line:

    <mappings>
        <!-- This is an example entry to use as a reference. Everything must be inside the toplevel element "mappings". -->
        <!-- <mapping envisionName="bytes" nwName="bytes" flags="None" format="UInt64" nullTokens="(null)|-"/> -->

        <mapping envisionName="myNewKey" nwName="myNewKey" flags="None" />

    </mappings>

  4. Click Apply to save your changes.
  5. Restart the Log Decoder.

To update the index-concentrator-custom.xml file:

  1. Depending on your version:

    • For Security Analytics 10.x: In the Security Analytics menu, select Administration > Services.
    • For NetWitness 11.x: In the NetWitness menu, select ADMIN > Services.
  2. In the Devices (or Services) grid, select the Concentrator.
  3. In the toolbar, select View > Config, then select the Files tab.

    The Device Config view is displayed with the Concentrator Files tab open.

  4. Select index-concentrator-custom.xml from the drop-down list.

    The index-concentrator-custom.xml file opens in edit mode.

  5. Insert the non-standard meta key parameter strings and click Apply. For example:

    <key description="my new parser meta key" format="Text" level="IndexKeys" name="myNewKey"/>

  6. Restart the Concentrator.
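Because a key referenced by an ESA rule must be both mapped on the Log Decoder (table-map-custom.xml) and indexed on the Concentrator (index-concentrator-custom.xml), a quick consistency check across the two files catches the case where only one side was updated. The following script is an added example, not part of the RSA documentation; the file contents, the rule's key list and the root element name of index-concentrator-custom.xml are constructed for illustration, and the level IndexValues is assumed to count as indexed alongside the IndexKeys shown above.

```python
import xml.etree.ElementTree as ET

# Constructed sample of table-map-custom.xml (Log Decoder), modelled on the
# documented <mapping> entry; "other.key" is mapped but never indexed below.
TABLE_MAP_CUSTOM = """<mappings>
    <!-- <mapping envisionName="bytes" nwName="bytes" flags="None" format="UInt64" nullTokens="(null)|-"/> -->
    <mapping envisionName="myNewKey" nwName="myNewKey" flags="None" />
    <mapping envisionName="otherKey" nwName="other.key" flags="None" />
</mappings>"""

# Constructed sample of index-concentrator-custom.xml (Concentrator). The
# <language> root element is an assumption; the <key> line follows the page.
INDEX_CONCENTRATOR_CUSTOM = """<language>
    <key description="my new parser meta key" format="Text" level="IndexKeys" name="myNewKey"/>
</language>"""

# Constructed: meta keys a hypothetical ESA rule references.
ESA_RULE_KEYS = {"myNewKey", "other.key", "third.key"}

INDEXED_LEVELS = ("IndexKeys", "IndexValues")  # IndexValues assumed


def mapped_keys(table_map_xml):
    """Return {nwName: flags} for every <mapping> in table-map-custom.xml."""
    root = ET.fromstring(table_map_xml)
    return {m.get("nwName"): m.get("flags") for m in root.iter("mapping")}


def indexed_keys(index_xml):
    """Return {name: level} for every <key> in index-concentrator-custom.xml."""
    root = ET.fromstring(index_xml)
    return {k.get("name"): k.get("level") for k in root.iter("key")}


def check_esa_keys(rule_keys, table_map_xml, index_xml):
    """List every way a rule key is missing or misconfigured on either service."""
    mapped, indexed, problems = mapped_keys(table_map_xml), indexed_keys(index_xml), []
    for key in sorted(rule_keys):
        if key not in mapped:
            problems.append(f"{key}: no <mapping> in table-map-custom.xml (Log Decoder)")
        elif mapped[key] != "None":
            problems.append(f"{key}: flags={mapped[key]!r}, expected 'None'")
        if key not in indexed:
            problems.append(f"{key}: no <key> in index-concentrator-custom.xml (Concentrator)")
        elif indexed[key] not in INDEXED_LEVELS:
            problems.append(f"{key}: level={indexed[key]!r}, key is not indexed")
    return problems


if __name__ == "__main__":
    for line in check_esa_keys(ESA_RULE_KEYS, TABLE_MAP_CUSTOM, INDEX_CONCENTRATOR_CUSTOM):
        print(line)
```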