000034574 - How to aggregate RSA NetWitness Endpoint alerts by hostname, agent ID or MAC address in Incident Management

Document created by RSA Customer Support Employee on Dec 29, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3

Article Content

Article Number: 000034574
Applies To: RSA Product Set: NetWitness Logs and Packets (Security Analytics), NetWitness Endpoint (ECAT)
RSA Product/Service Type: Incident Management, Security Analytics Server
RSA Version/Condition: NetWitness Logs and Packets 10.6.x; NetWitness Endpoint 4.2.x, 4.1.x
Issue: You would like to aggregate RSA NetWitness Endpoint (formerly known as RSA ECAT) alerts sent over the Incident Management Message Bus by the ECAT agent ID, ECAT agent MAC address, or the ECAT agent hostname.
Out of the box, it is only possible to aggregate RSA ECAT alerts via the IP address of the agent. In an environment where the IP address is dynamically assigned, it is necessary to aggregate alerts using a different field.
Resolution: The following steps are carried out on the RSA Security Analytics server:
In the file /opt/rsa/im/scripts/normalize/normalize_alerts.js under the following line:
normalized.groupby_detector_ip = Utils.generateFlattenedColumnValue(normalized.events, "detector.ip_address");

Add the lines:
normalized.groupby_detector_mac_address = Utils.generateFlattenedColumnValue(normalized.events, "detector.mac_address");
normalized.groupby_detector_dns_hostname = Utils.generateFlattenedColumnValue(normalized.events, "detector.dns_hostname");
normalized.groupby_detector_ecat_agent_id = Utils.generateFlattenedColumnValue(normalized.events, "detector.ecat_agent_id");

In the file /opt/rsa/im/fields/alert_rules.json, at the end of the file but before the FINAL ], add the following entries, with a comma separating them from the entry that precedes them:
    {
        "name": "ECAT AgentID",
        "type": "textfield",
        "operators": [0, 1, 8, 9, 10, 11, 12, 13],
        "groupBy": true,
        "groupByField": "alert.groupby_detector_ecat_agent_id"
    },
    {
        "name": "ECAT Source MAC",
        "type": "textfield",
        "operators": [0, 1, 8, 9, 10, 11, 12, 13],
        "groupBy": true,
        "groupByField": "alert.groupby_detector_mac_address"
    },
    {
        "name": "ECAT Source Host",
        "type": "textfield",
        "operators": [0, 1, 8, 9, 10, 11, 12, 13],
        "groupBy": true,
        "groupByField": "alert.groupby_detector_dns_hostname"
    }

Sample files have been attached to this article with these alterations made.
After making these changes, restart the rsa-im service with the following command:
service rsa-im restart

You will then be able to use the fields below in your alert aggregation rules.
  • ECAT Source Host
  • ECAT Source MAC
  • ECAT Source AgentID
Notes: IMPORTANT: Make sure that all files that are altered are backed up before overwriting.
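A consistency check to run on the two edited files before restarting rsa-im, added here as an example (it is not RSA's code or one of the attached sample files). It assumes that alert_rules.json is a top-level JSON array and that every "alert.groupby_X" group-by field is backed by a "normalized.groupby_X" assignment in normalize_alerts.js, as the entries in this article suggest. The embedded sample inputs are constructed, and the hostname assignment is left out on purpose to show a finding.

```python
import json
import re

# Constructed sample inputs modelled on the edits in this article (not the real files).
SAMPLE_NORMALIZE_JS = '''
normalized.groupby_detector_ip = Utils.generateFlattenedColumnValue(normalized.events, "detector.ip_address");
normalized.groupby_detector_mac_address = Utils.generateFlattenedColumnValue(normalized.events, "detector.mac_address");
normalized.groupby_detector_ecat_agent_id = Utils.generateFlattenedColumnValue(normalized.events, "detector.ecat_agent_id");
'''

SAMPLE_RULES_JSON = '''[
  {"name": "ECAT AgentID", "type": "textfield", "operators": [0, 1, 8, 9, 10, 11, 12, 13],
   "groupBy": true, "groupByField": "alert.groupby_detector_ecat_agent_id"},
  {"name": "ECAT Source MAC", "type": "textfield", "operators": [0, 1, 8, 9, 10, 11, 12, 13],
   "groupBy": true, "groupByField": "alert.groupby_detector_mac_address"},
  {"name": "ECAT Source Host", "type": "textfield", "operators": [0, 1, 8, 9, 10, 11, 12, 13],
   "groupBy": true, "groupByField": "alert.groupby_detector_dns_hostname"}
]'''

# Matches uncommented "normalized.groupby_<name> =" assignments in the script.
ASSIGN_RE = re.compile(r'^\s*normalized\.(groupby_\w+)\s*=', re.MULTILINE)

def check_group_by_fields(rules_text, normalize_text):
    """Return a list of problems; an empty list means the two files agree."""
    try:
        rules = json.loads(rules_text)
    except ValueError as exc:  # e.g. a missing comma or brace after a hand edit
        return ["alert_rules.json is not valid JSON: %s" % exc]
    if not isinstance(rules, list):
        return ["alert_rules.json: expected a top-level array"]
    assigned = set(ASSIGN_RE.findall(normalize_text))
    problems = []
    for rule in rules:
        if not isinstance(rule, dict) or not rule.get("groupBy"):
            continue  # only group-by capable fields are checked
        name = rule.get("name", "<unnamed>")
        field = rule.get("groupByField")
        if not field:
            problems.append("%s: groupBy is true but groupByField is missing" % name)
        elif not field.startswith("alert.groupby_"):
            continue  # other naming schemes are outside what this check assumes
        elif field[len("alert."):] not in assigned:
            problems.append("%s: %s has no matching assignment in normalize_alerts.js" % (name, field))
    return problems

if __name__ == "__main__":
    for problem in check_group_by_fields(SAMPLE_RULES_JSON, SAMPLE_NORMALIZE_JS):
        print(problem)
```

To check the real files, pass the contents of /opt/rsa/im/fields/alert_rules.json and /opt/rsa/im/scripts/normalize/normalize_alerts.js to check_group_by_fields() and restart the service only when it returns an empty list.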