Live: Manage Custom Feeds

Document created by RSA Information Design and Development on Jul 28, 2016. Last modified by RSA Information Design and Development on Dec 19, 2016. Version 2.

This topic introduces the custom feed capability, implemented by the Configure a Custom Feed wizard in RSA Security Analytics, which is used to quickly populate Decoders with custom and identity feeds.

Custom Feed Creation

You use the Configure a Custom Feed wizard (Live > Feeds > Setup Feed) to quickly create and deploy Decoder feeds based on deterministic logic that offers the meta keys specific to the selected Decoders and Log Decoders. Although the wizard guides you through the process of creating both on-demand and recurring feeds, you should understand the form and content of a feed file before you create a feed.

Feed filenames in RSA Security Analytics are of the form <filename>.feed. To create a feed, Security Analytics requires a feed data file in .csv format and a feed definition file in .xml format that describes the structure of the feed data file. The Configure a Custom Feed wizard can generate the feed definition file from a feed data file alone (using your entries in the wizard), or it can use a feed data file together with a feed definition file that you supply.

The files that you use to create an on-demand feed must be stored on your local file system. The files used to create a recurring feed must be stored at an accessible URL, from which Security Analytics fetches the most current version of the file for each recurrence. After a Security Analytics feed is created, you can download the feed to your local file system, edit the feed files, and then edit the Security Analytics feed to use the updated feed files.

Sample Feed Definition File

This is an example of a feed definition file named dynamic_dns.xml, which Security Analytics creates based on your entries in the Feed wizard. It defines the structure of the feed data file named dynamic_dns.csv.

<?xml version="1.0" encoding="utf-8"?>
<!-- The XML Schema Instance namespace is "http://www.w3.org/2001/XMLSchema-instance";
     an https:// variant is a different identifier and is not recognized by validators. -->
<FDF xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="feed-definitions.xsd">

    <!-- One flat-file feed: path names the .csv data file, separator and comment
         tell the parser how to split rows and which lines to ignore. -->
    <FlatFileFeed name="Dynamic DNS Domain Feed"
        path="dynamic_dns.csv"
        separator=","
        comment="#"
        version="1">

        <!-- Non IP index: match on alias.host, strip the host-specific label
             before matching, and do not filter by service type (apptype 0). -->
        <MetaCallback
            name="alias.host"
            valuetype="Text"
            apptype="0"
            truncdomain="true"/>

        <!-- Meta keys the Decoder creates when a row matches. -->
        <LanguageKeys>
            <LanguageKey name="threat.source" valuetype="Text" />
            <LanguageKey name="threat.category" valuetype="Text" />
            <LanguageKey name="threat.desc" valuetype="Text" />
        </LanguageKeys>

        <!-- index is the 1-based column position in each .csv row; fields may be
             listed in any order. -->
        <Fields>
            <Field index="1" type="index" key="alias.host" />
            <Field index="4" type="value" key="threat.desc" />
            <Field index="2" type="value" key="threat.source" />
            <Field index="3" type="value" key="threat.category" />
        </Fields>
    </FlatFileFeed>

</FDF>

Feed Definition Equivalents for Custom Feed Wizard Parameters

The Security Analytics Feeds wizard provides options to define the structure of the feed data file. These correspond directly to attributes in the feed definition (.xml) file.

Security Analytics Parameter          Feed Definition File Equivalent

Define Feed tab
  Feed Task Type      Select Adhoc to create an on-demand feed, or Recurring to create a feed that recurs automatically.
  Name                The custom feed name. It corresponds to the FlatFileFeed name attribute in the feed definition file; for example, Dynamic DNS Test Feed.
  File / Browse       The name of the feed data file. It corresponds to the FlatFileFeed path attribute in the feed definition file; for example, dynamic_dns.csv.

Define Feed tab - Advanced Options
  XML Feed File       The name of the feed definition file; for example, dynamic_dns.xml.
  Separator           The character used to separate attributes in the feed data file. It corresponds to the FlatFileFeed separator attribute in the feed definition file; for example, a comma.
  Comment             The character used to identify a comment line in the feed data file. It corresponds to the FlatFileFeed comment attribute in the feed definition file; for example, #.

Select Services tab
  Services            Select the services to which you want to send the data feed.

Define Columns tab - Define Index
  Type                The type of lookup value in the index position of the feed data file.
                      IP means that each row in the feed data file contains an IP address in the lookup value position. The IP value is in dotted-decimal format (for example, 10.5.187.42).
                      IP Range means that each row in the feed data file contains a range of IP addresses in the lookup value position. The IP range is in CIDR format (for example, 192.168.2.0/24).
                      Non IP means that each row in the feed data file contains a metadata value other than an IP address in the lookup value position. The Service Type, Truncate Domain, and Callback Keys fields become active for a Non IP index.
  CIDR                Specifies that the IP value in the lookup position is in Classless Inter-Domain Routing (CIDR) notation.
  Service Type        For a Non IP index, the integer service type used to filter meta lookups. It corresponds to the MetaCallback apptype attribute in the feed definition file. A value of 0 indicates no filtering by service type.
  Truncate Domain     For a Non IP index, for meta values that contain domain names (for example, hostnames), the system can strip off the host-specific element of the value. Truncate Domain corresponds to the MetaCallback truncdomain attribute. If the value is www.example.com, it is truncated to example.com. A value of False selects no truncation, and True selects truncation.
  Callback Keys       For a Non IP index, the meta keys to match on instead of ip.src/ip.dst (the defaults for the IP index type) are selectable from the drop-down list. The Callback Key corresponds to the MetaCallback name attribute, and the index column of the .csv file must contain data that can match the chosen meta key. For example, if the username meta key is chosen, the index column of the .csv file must be populated with user names to be matched.
  Index Column        Identifies the column in the feed data file that provides the lookup value for the row. Each position in each row of the feed data file is identified by a Field index attribute in the feed definition file. A field with an index of 1 is the first entry in a row, the second field has an index of 2, the third field has an index of 3, and so on.

Define Values tab
  Key                 The name of the LanguageKey, as defined in the feed definition file, for which meta is created from this row of the feed data file. It corresponds to the Field key attribute in the feed definition file. A key applies only to a field whose type is set to value. The feed definition file lists LanguageKeys from index.xml, or a summary name if Source Name and Destination Name are used (for example, reputation is a summary name for reputation.src and reputation.dst). This value is referenced by the Field key attribute.
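The sample dynamic_dns.xml above and the parameter table describe how a feed definition maps .csv columns onto meta keys. The following script is an added example, not RSA code, that checks such a feed offline before it is deployed: it parses the FDF definition, loads the data file using the definition's own separator and comment settings, reports structural problems (a missing index field, a value field with no LanguageKey, rows shorter than the highest Field index), and then resolves a lookup the way the MetaCallback and truncdomain descriptions suggest. The .csv content is constructed for the example, and the truncate_domain helper assumes "keep the last two labels", since the page does not state how multi-label suffixes are handled.

```python
import csv
import xml.etree.ElementTree as ET

# Feed definition in the FDF form shown on this page (XML declaration omitted
# so the string can be parsed directly from memory).
FEED_DEFINITION_XML = """
<FDF xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:noNamespaceSchemaLocation="feed-definitions.xsd">
  <FlatFileFeed name="Dynamic DNS Domain Feed" path="dynamic_dns.csv"
                separator="," comment="#" version="1">
    <MetaCallback name="alias.host" valuetype="Text" apptype="0" truncdomain="true"/>
    <LanguageKeys>
      <LanguageKey name="threat.source" valuetype="Text"/>
      <LanguageKey name="threat.category" valuetype="Text"/>
      <LanguageKey name="threat.desc" valuetype="Text"/>
    </LanguageKeys>
    <Fields>
      <Field index="1" type="index" key="alias.host"/>
      <Field index="4" type="value" key="threat.desc"/>
      <Field index="2" type="value" key="threat.source"/>
      <Field index="3" type="value" key="threat.category"/>
    </Fields>
  </FlatFileFeed>
</FDF>
"""

# Constructed sample data file (dynamic_dns.csv); the domains are illustrative only.
FEED_DATA_CSV = """# domain,source,category,description   (constructed sample)
dyn-example.net,ConstructedFeed,dynamic-dns,Free dynamic DNS provider
ddns-example.org,ConstructedFeed,dynamic-dns,Dynamic DNS provider
"""


def parse_definition(xml_text):
    """Return the FlatFileFeed attributes, MetaCallback, LanguageKeys and Fields."""
    feed = ET.fromstring(xml_text).find("FlatFileFeed")
    callback = feed.find("MetaCallback")
    return {
        "name": feed.get("name"),
        "path": feed.get("path"),
        "separator": feed.get("separator"),
        "comment": feed.get("comment"),
        "callback_key": callback.get("name"),
        "truncdomain": callback.get("truncdomain", "false").lower() == "true",
        "language_keys": {lk.get("name") for lk in feed.iter("LanguageKey")},
        # 1-based column positions, exactly as the Field index attribute counts them
        "fields": [(int(f.get("index")), f.get("type"), f.get("key"))
                   for f in feed.iter("Field")],
    }


def load_rows(csv_text, separator, comment):
    """Split the data file into rows, skipping blank lines and comment lines."""
    lines = [ln for ln in csv_text.splitlines()
             if ln.strip() and not ln.startswith(comment)]
    return list(csv.reader(lines, delimiter=separator))


def validate(definition, rows):
    """Return a list of problems; an empty list means the feed is consistent."""
    problems = []
    index_fields = [f for f in definition["fields"] if f[1] == "index"]
    if len(index_fields) != 1:
        problems.append("exactly one Field of type index is required")
    elif index_fields[0][2] != definition["callback_key"]:
        problems.append("index Field key does not match the MetaCallback name")
    for _, ftype, key in definition["fields"]:
        if ftype == "value" and key not in definition["language_keys"]:
            problems.append("value Field %s has no LanguageKey" % key)
    width = max(idx for idx, _, _ in definition["fields"])
    for n, row in enumerate(rows, 1):
        if len(row) < width:
            problems.append("row %d has %d columns, definition needs %d"
                            % (n, len(row), width))
    return problems


def truncate_domain(host):
    """Assumed truncdomain behaviour: www.example.com -> example.com.
    Keeps the last two labels; multi-label suffixes are not special-cased here."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) > 2 else host


def build_lookup(definition, rows):
    """Map each row's index value to the meta the Decoder would create for it."""
    table = {}
    for row in rows:
        index_value, meta = None, {}
        for idx, ftype, key in definition["fields"]:
            if ftype == "index":
                index_value = row[idx - 1]
            else:
                meta[key] = row[idx - 1]
        table[index_value] = meta
    return table


def lookup(definition, table, observed_value):
    """Resolve an observed meta value (for example alias.host) against the feed."""
    if definition["truncdomain"]:
        observed_value = truncate_domain(observed_value)
    return table.get(observed_value)


if __name__ == "__main__":
    defn = parse_definition(FEED_DEFINITION_XML)
    rows = load_rows(FEED_DATA_CSV, defn["separator"], defn["comment"])
    print("problems:", validate(defn, rows) or "none")
    print(lookup(defn, build_lookup(defn, rows), "host42.dyn-example.net"))
```

Running the check before uploading a feed catches the most common mistakes a recurring feed picks up silently when the upstream .csv changes shape: a column added or removed upstream shows up as short rows or as values landing under the wrong meta key.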