Applies To:
RSA Product Set: NetWitness Logs and Packets (Security Analytics), NetWitness Endpoint (ECAT)
RSA Product/Service Type: Incident Management, Security Analytics Server
RSA Version/Condition: NetWitness Logs and Packets 10.6.x; NetWitness Endpoint 4.2.x, 4.1.x
Issue:
You would like to aggregate RSA NetWitness Endpoint (formerly RSA ECAT) alerts, sent over the Incident Management message bus, by the ECAT agent ID, the agent's MAC address, or the agent hostname.
Out of the box, RSA ECAT alerts can only be aggregated by the IP address of the agent. In an environment where IP addresses are assigned dynamically (for example by DHCP), the same endpoint can appear under different addresses over time and one address can be reused by different endpoints, so alerts need to be aggregated on a more stable field.
Resolution:
The following steps are carried out on the RSA Security Analytics server.
In the file /opt/rsa/im/scripts/normalize/normalize_alerts.js, locate the following line:
normalized.groupby_detector_ip = Utils.generateFlattenedColumnValue(normalized.events, "detector.ip_address");
Directly below it, add the following line (the sample file attached to this article contains the complete set of additions):
normalized.groupby_detector_mac_address = Utils.generateFlattenedColumnValue(normalized.events, "detector.mac_address");
In the file /opt/rsa/im/fields/alert_rules.json, add the following text at the end of the file, immediately before the final closing ]:
Sample files with these alterations already applied are attached to this article.
After making these changes, restart the rsa-im service with the following command:
service rsa-im restart
You will then be able to use the new group-by fields in your alert aggregation rules.
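The procedure above is a manual edit of two files followed by a service restart. The script below is an added example, not part of the RSA article or the product, that performs the normalize_alerts.js edit idempotently (it inserts the new line directly after the existing groupby_detector_ip line and does nothing if the line is already present), takes a timestamped backup of both files first, and checks that alert_rules.json still parses as JSON after your manual edit before rsa-im is restarted. The file paths are the ones named in the article and can be overridden through the NORMALIZE_JS and ALERT_RULES variables; the --apply flag, backup_file, add_mac_groupby and check_json are names chosen for this example. It does not script the alert_rules.json addition itself, since that text is only in the attached sample file.

```shell
#!/bin/sh
# Added example (not RSA's code): patch normalize_alerts.js for MAC-address
# aggregation with a backup and a JSON sanity check before restarting rsa-im.
# Usage on the SA server: sh add_mac_groupby.sh --apply

NORMALIZE_JS="${NORMALIZE_JS:-/opt/rsa/im/scripts/normalize/normalize_alerts.js}"
ALERT_RULES="${ALERT_RULES:-/opt/rsa/im/fields/alert_rules.json}"

# Existing line we anchor on (from the article) and the line to add after it.
ANCHOR_LINE='normalized.groupby_detector_ip = Utils.generateFlattenedColumnValue(normalized.events, "detector.ip_address");'
NEW_LINE='normalized.groupby_detector_mac_address = Utils.generateFlattenedColumnValue(normalized.events, "detector.mac_address");'

# Copy a file to <file>.bak.<timestamp> (preserving mode/owner) and print the backup path.
backup_file() {
    bk="$1.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$1" "$bk" && echo "$bk"
}

# Insert NEW_LINE directly after the first ANCHOR_LINE. Safe to run twice:
# if NEW_LINE is already present nothing is changed. Fails if the anchor is missing.
add_mac_groupby() {
    f="$1"
    if grep -qF "$NEW_LINE" "$f"; then
        echo "already patched: $f"
        return 0
    fi
    if ! grep -qF "$ANCHOR_LINE" "$f"; then
        echo "anchor line not found in $f; refusing to edit" >&2
        return 1
    fi
    awk -v anchor="$ANCHOR_LINE" -v newline="$NEW_LINE" '
        { print }
        !done && index($0, anchor) > 0 { print newline; done = 1 }
    ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Verify a file is well-formed JSON; a stray comma before the final ] will fail here.
check_json() {
    py=$(command -v python3 || command -v python) || { echo "python not found" >&2; return 1; }
    "$py" -m json.tool "$1" >/dev/null
}

if [ "${1:-}" = "--apply" ]; then
    backup_file "$NORMALIZE_JS" && backup_file "$ALERT_RULES" || exit 1
    add_mac_groupby "$NORMALIZE_JS" || exit 1
    if ! check_json "$ALERT_RULES"; then
        echo "alert_rules.json does not parse; restore the backup before restarting" >&2
        exit 1
    fi
    service rsa-im restart
fi
```

Run it once with --apply after you have made the alert_rules.json edit by hand; if the JSON check fails, the backups written next to the originals let you roll back before rsa-im is restarted with a broken rules file.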
Notes:
IMPORTANT: Back up every file before altering it, so that the original can be restored if the modified file causes a problem after the restart.