000030353 - Incident Management customizations are lost after upgrading to RSA Security Analytics 10.4.1.1

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000030353
Applies To:
RSA Product Set: Security Analytics
RSA Product/Service Type: Incident Management, Security Analytics UI, Security Analytics Server
RSA Version/Condition: 10.4.1.1
Platform: CentOS
O/S Version: EL6
Issue: After upgrading to RSA Security Analytics 10.4.1.1, the following Incident Management customizations will be lost:
  • Mail notification templates for Incidents and Remediation
    (Stored in the /opt/rsa/im/mailtemplates directory on the Security Analytics server)
  • Alert normalization and risk scores across Reporting Engine, ESA, ECAT, and Malware Analysis alerts
    (Stored in the /opt/rsa/im/scripts directory on the Security Analytics server)
  • Rule Builder fields in the alert_rules.json file
    (Stored in the /opt/rsa/im/fields directory on the Security Analytics server)
Cause: This issue occurs because the customized files are overwritten during the reinstall/upgrade of the Incident Management RPM package.
Workaround: To retain the customizations, create a backup of the affected directories before upgrading, using the commands below.
[root@SA-Server ~]# tar czf /opt/rsa/im/mailtemplates-bak-$(date +"%m-%d-%y").tar.gz /opt/rsa/im/mailtemplates
[root@SA-Server ~]# tar czf /opt/rsa/im/scripts-bak-$(date +"%m-%d-%y").tar.gz /opt/rsa/im/scripts
[root@SA-Server ~]# tar czf /opt/rsa/im/fields-bak-$(date +"%m-%d-%y").tar.gz /opt/rsa/im/fields

After upgrading to RSA Security Analytics 10.4.1.1, restore the customized files from the backup and restart the Incident Management service via the Security Analytics UI to resolve the issue.
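
The backup and restore steps above as one script. This is an added example, not RSA's own tooling. The ROOT, DEST and STAMP parameters and the SHA-256 checksum list are assumptions introduced here so the procedure can be rehearsed on a scratch tree and the archives verified before they are unpacked over the upgraded install.

```shell
#!/bin/sh
# Added example (not from the RSA article): back up and restore the three
# Incident Management directories the upgrade overwrites.
# Assumed parameters: ROOT  = filesystem root ("/" on the real server),
#                     DEST  = directory that receives the archives,
#                     STAMP = date tag, defaults to today as in the article.
IM_DIRS="mailtemplates scripts fields"

# im_backup ROOT DEST [STAMP]: one archive per directory plus a checksum list.
im_backup() {
    root=$1; dest=$2; stamp=${3:-$(date +"%m-%d-%y")}
    mkdir -p "$dest" || return 1
    for d in $IM_DIRS; do
        # -C stores member names as opt/rsa/im/<dir>, the same names GNU tar
        # records when it strips the leading "/" in the article's commands.
        tar czf "$dest/$d-bak-$stamp.tar.gz" -C "$root" "opt/rsa/im/$d" || return 1
    done
    # Record checksums so a damaged or altered archive is caught at restore.
    (cd "$dest" && sha256sum ./*-bak-"$stamp".tar.gz > "SHA256SUMS-$stamp") || return 1
}

# im_restore ROOT DEST STAMP: verify every archive, then unpack over ROOT.
im_restore() {
    root=$1; dest=$2; stamp=$3
    (cd "$dest" && sha256sum -c "SHA256SUMS-$stamp" >/dev/null) || return 1
    for d in $IM_DIRS; do
        tar xzf "$dest/$d-bak-$stamp.tar.gz" -C "$root" || return 1
    done
}

# Before the upgrade:  im_backup / /root/im-backup
# After the upgrade:   im_restore / /root/im-backup <STAMP used at backup>
# Then restart the Incident Management service from the Security Analytics UI.
```

Archives made with the article's original commands restore the same way, with `tar xzf <archive> -C /`, because tar stored their member names without the leading slash.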
