000032757 - RSA Security Analytics - Working with Custom Keys in the CEF Parser

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000032757
Applies To: RSA Product Set: Security Analytics
RSA Product/Service Type: SA Security Analytics Server
Issue: The CEF format allows the use of custom keys such as cs1 and cs1Label.
In a CEF log you may see the following:
Jan 27 10:43:51 PROXYNAME  CEF:0|Bluecoat|Proxy|1.0|OBSERVED|OBSERVED|5|date=2016-01-27 time=10:43:51 ip.src= action=TCP_MISS ip.dst= cat=Content Servers requestMethod=GET dhost=eu-irl-00001.s3.amazonaws.com request=http://eu-irl-00001.s3.amazonaws.com/yKalk5gBT169iwsB8XFS?x-client-request-id=71445322-c4dd-11e5-b2dd-f23c91a872ff&Expires=1453892409&byte-range=4912-4943&AWSAccessKeyId=AKIAI3LLM7P3DRGCUSIA&bin=203000001&Signature=I0XwajzJOFKdFmj4wQ0%2B4vH7C%2Fo%3D dport=80 useragent=backupd (unknown version) CFNetwork/548.1.4 Darwin/11.0.0 out=418 outcome=206 in=484 errorcode=OBSERVED content=application/octet-stream daddr= dvchost=AE44PCCPWPXY02 sport=80 Version=HTTP/1.1 hostname=eu-irl-00001.s3.amazonaws.com cs1=com cs1Label=tld directory=/ path=/yKalk5gBT169iwsB8XFS filename=yKalk5gBT169iwsB8XFS

Here we are using the custom keys cs1 and cs1Label to hold the Top Level Domain (TLD).
We want to parse this meta into the TLD meta key.
Resolution: Add the following lines to the CEF parser (normally located on the log decoder at /etc/netwitness/ng/envision/etc/devices/cef/cef.xml). The last device2meta line is the new one for bluecoat_proxy; the ExtensionKey block must be closed with </ExtensionKey> so the file stays well-formed XML:
<ExtensionKey cefName="cs1" metaName="cs_fld">
<device2meta device="trendmicrodsa" metaName="context"/>
<device2meta device="bluecat" metaName="action" label="query"/>
<device2meta device="websense" metaName="policyname" label="Policy"/>
<device2meta device="mcafeewg" metaName="virusname" label="Virus Name"/>
<device2meta device="bluecoat_proxy" metaName="tld" label="tld"/>
</ExtensionKey>

In your table-map-custom.xml file add the following:
<mapping envisionName="tld" nwName="tld" flags="None" format="Text"/>

What this means is that if the device type is bluecoat_proxy and cs1Label=tld, then the value of cs1 is written to the meta key tld. The mapping in table-map-custom.xml is needed so that the log decoder knows the tld meta key exists and treats it as text.

Notes: The meta key for a custom extension can be selected in 3 different ways, in order of decreasing specificity: by device type and label, by device type alone, or by the default metaName on the ExtensionKey.
The following example has the meaning:
  • If the device type is rsaecat and the cs1Label field is vlanName, then put the value of cs1 into the meta key vlan
  • If the device type is rsaecat and the cs1Label field is rsasubject, then put the value of cs1 into the meta key subject
  • If the device type is rsaflow, then always put the value of cs1 into the meta key subject
  • Otherwise put the value of cs1 into the meta key context.
<ExtensionKey cefName="cs1" metaName="context">
<device2meta device="rsaecat" metaName="vlan" label="vlanName"/>
<device2meta device="rsaecat" metaName="subject" label="rsasubject"/>
<device2meta device="rsaflow" metaName="subject"/>
</ExtensionKey>
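The following Python script is an added illustration of the routing logic described in the Resolution and Notes sections; it is not RSA's parser code and makes no claim about how cef.xml is actually evaluated inside the log decoder. It parses the CEF header and extension block of a syslog line (handling values that contain spaces or '=' characters, as the request and useragent fields in the sample log do), represents both ExtensionKey blocks from this article as data, and resolves the meta key for cs1 from the device type and cs1Label. All function and class names are the example's own. Two points are assumptions: the device type (for instance bluecoat_proxy) is taken as already known from the log source's registration on the decoder rather than derived from the CEF vendor field, and when a device has both a labelled and an unlabelled device2meta rule the labelled one is assumed to win (the article never combines the two for one device). The sample log line is constructed, modelled on the article's Bluecoat example.

```python
"""Toy model of how a CEF custom key (cs1/cs1Label) is routed to a meta key
by ExtensionKey/device2meta rules. Added illustration, not RSA's parser."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# A key in the extension block starts the block or follows whitespace, so an
# '=' inside a value (e.g. a URL query string) is not taken as a new key.
# CEF escapes (\= \| \\) are left in the value untouched for simplicity.
_KEY_RE = re.compile(r'(?:^|\s)([A-Za-z][\w.]*)=')
_PIPE_RE = re.compile(r'(?<!\\)\|')        # unescaped header separator

# Constructed sample line, modelled on the article's Bluecoat example.
SAMPLE_LINE = (
    "Jan 27 10:43:51 PROXYNAME  CEF:0|Bluecoat|Proxy|1.0|OBSERVED|OBSERVED|5|"
    "date=2016-01-27 time=10:43:51 action=TCP_MISS cat=Content Servers "
    "requestMethod=GET dhost=eu-irl-00001.s3.amazonaws.com "
    "request=http://eu-irl-00001.s3.amazonaws.com/obj?Expires=1453892409 "
    "dport=80 useragent=backupd (unknown version) CFNetwork/548.1.4 Darwin/11.0.0 "
    "out=418 cs1=com cs1Label=tld path=/obj filename=obj"
)


def parse_cef(line: str) -> Dict[str, object]:
    """Split a syslog line carrying a CEF record into the seven header fields
    and a dictionary of extension key/value pairs."""
    cef = line[line.index("CEF:"):]
    parts = _PIPE_RE.split(cef, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header: expected 7 '|' separators")
    parts[0] = parts[0][len("CEF:"):]              # "CEF:0" -> "0"
    names = ("version", "vendor", "product", "device_version",
             "signature_id", "name", "severity")
    header = dict(zip(names, parts[:7]))
    ext_text = parts[7]
    ext: Dict[str, str] = {}
    matches = list(_KEY_RE.finditer(ext_text))
    for i, m in enumerate(matches):
        # value runs from after '=' up to the whitespace before the next key
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext_text)
        ext[m.group(1)] = ext_text[m.end():end].strip()
    return {"header": header, "extension": ext}


@dataclass(frozen=True)
class Device2Meta:
    """One <device2meta device=... metaName=... label=.../> element."""
    device: str
    meta_name: str
    label: Optional[str] = None   # None: applies whatever csNLabel says


@dataclass(frozen=True)
class ExtensionKey:
    """One <ExtensionKey cefName=... metaName=...> element and its children."""
    cef_name: str
    meta_name: str                # fallback meta key ("Otherwise ...")
    rules: Tuple[Device2Meta, ...] = ()


def resolve_meta_key(key: ExtensionKey, device: str, label: Optional[str]) -> str:
    """Pick the meta key for one custom field. Assumed precedence: a rule
    matching device and label beats a device-only rule, which beats the
    ExtensionKey default. Label comparison is exact (case-sensitive)."""
    for rule in key.rules:
        if rule.device == device and rule.label is not None and rule.label == label:
            return rule.meta_name
    for rule in key.rules:
        if rule.device == device and rule.label is None:
            return rule.meta_name
    return key.meta_name


def map_custom_keys(extension: Dict[str, str], device: str,
                    config: Tuple[ExtensionKey, ...]) -> Dict[str, str]:
    """Apply each ExtensionKey to a parsed extension block; return
    {meta_key: value} for the custom fields that are present."""
    meta: Dict[str, str] = {}
    for key in config:
        if key.cef_name in extension:
            label = extension.get(key.cef_name + "Label")   # e.g. cs1Label
            meta[resolve_meta_key(key, device, label)] = extension[key.cef_name]
    return meta


# The cs1 block from the Resolution section, expressed as data.
BLUECOAT_CONFIG = (ExtensionKey("cs1", "cs_fld", (
    Device2Meta("trendmicrodsa", "context"),
    Device2Meta("bluecat", "action", "query"),
    Device2Meta("websense", "policyname", "Policy"),
    Device2Meta("mcafeewg", "virusname", "Virus Name"),
    Device2Meta("bluecoat_proxy", "tld", "tld"),
)),)

# The cs1 block from the Notes section, expressed as data.
NOTES_CONFIG = (ExtensionKey("cs1", "context", (
    Device2Meta("rsaecat", "vlan", "vlanName"),
    Device2Meta("rsaecat", "subject", "rsasubject"),
    Device2Meta("rsaflow", "subject"),
)),)


if __name__ == "__main__":
    parsed = parse_cef(SAMPLE_LINE)
    # Assumed: the decoder knows this source is registered as bluecoat_proxy.
    print(map_custom_keys(parsed["extension"], "bluecoat_proxy", BLUECOAT_CONFIG))
```

Running the script prints {'tld': 'com'} for the constructed line; feeding the same extension with a device type of websense instead falls through to the cs_fld default, which is the behaviour the article describes when no device2meta entry matches.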