Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000032757 - RSA Security Analytics - Working with Custom Keys in the CEF Parser

Document created by RSA Customer Support

on Jun 14, 2016•Last modified by RSA Customer Support

on Apr 21, 2017

Version 2Show Document

Like • Show 2 Likes2
Comment • 0
View in full screen mode

Article Content

Article Number	000032757
Applies To	RSA Product Set: Security Analytics RSA Product/Service Type: SA Security Analytics Server
Issue	The CEF format allows the use of custom keys such as cs1 and cs1Label. In a CEF log you may see the following: Jan 27 10:43:51 PROXYNAME CEF:0\|Bluecoat\|Proxy\|1.0\|OBSERVED\|OBSERVED\|5\|date=2016-01-27 time=10:43:51 ip.src=192.168.10.86 action=TCP_MISS ip.dst=192.168.11.252 cat=Content Servers requestMethod=GET dhost=eu-irl-00001.s3.amazonaws.com request=http://eu-irl-00001.s3.amazonaws.com/yKalk5gBT169iwsB8XFS?x-client-request-id=71445322-c4dd-11e5-b2dd-f23c91a872ff&Expires=1453892409&byte-range=4912-4943&AWSAccessKeyId=AKIAI3LLM7P3DRGCUSIA&bin=203000001&Signature=I0XwajzJOFKdFmj4wQ0%2B4vH7C%2Fo%3D dport=80 useragent=backupd (unknown version) CFNetwork/548.1.4 Darwin/11.0.0 out=418 outcome=206 in=484 errorcode=OBSERVED content=application/octet-stream daddr=54.231.133.9 dvchost=AE44PCCPWPXY02 sport=80 Version=HTTP/1.1 hostname=eu-irl-00001.s3.amazonaws.com cs1=com cs1Label=tld directory=/ path=/yKalk5gBT169iwsB8XFS filename=yKalk5gBT169iwsB8XFS Here we are using the custom keys cs1 and cs1Label to hold the Top Level Domain (TLD). We want to parse this meta into the TLD meta key.
Resolution	Add the following lines to the CEF parser (normally located on the log decoder at /etc/netwitness/ng/envision/etc/devices/cef/cef.xml) <ExtensionKey cefName="cs1" metaName="cs_fld" > <device2meta device="trendmicrodsa" metaName="context"/> <device2meta device="bluecat" metaName="action" label="query"/> <device2meta device="websense" metaName="policyname" label="Policy"/> <device2meta device="mcafeewg" metaName="virusname" label="Virus Name"/> <device2meta device="bluecoat_proxy" metaName="tld" label="tld" /> </ExtensionKey> In your table-map-custom.xml file add the following: <mapping envisionName="tld" nwName="tld" flags="None" format="Text"/> What this means is that if we have a device type of bluecoat_proxy and cs1label=tld then put the meta into meta key tld.
Notes	The meta key for custom extensions can be selected in 3 different ways. The following example has the meaning: If the device type is rsaecat and the cs1Label field is vlanName then put the value of cs1 into the meta vlan If the device type is rsaecat and the cs1Label field has value rsasubject then put the value of cs1 into the meta key subject If the device type is rsaflow then always put the value of cs1 into the meta key subject Otherwise put the value of cs1 into metakey context. ExtensionKey cefName="cs1" metaName="context"> <device2meta device="rsaecat" metaName="vlan" label="vlanName"/> <device2meta device="rsaecat" metaName="subject" label="rsasubject"/> <device2meta device="rsaflow" metaName="subject"/> </ExtensionKey>

Attachments

Outcomes

0 Comments

Recommended Content