You can import event source attributes from a CSV-formatted file. To import information from a configuration management database (CMDB), a spreadsheet, or other type of file, first convert or save the information to a CSV file.
Note: The following identification attributes are handled specially: IP, IPv6, Hostname, Event Source Type, Log Collector, and Log Decoder. If you import an event source that includes a different value for any of these fields (when compared with the value in Security Analytics), the original value in Security Analytics will not be overwritten.
The imported attributes are associated with the matched Event Source and are available for use in rules to create Event Source Groups.
RSA Security Analytics treats the import file as the correct, complete record. This assumption leads to the following behaviors related to importing event source attributes:
- By default, when you import attributes, the system updates attributes for existing event sources only.
- If the event source exists in the import file, but not in Security Analytics, the attributes for that event source are ignored. That is, Security Analytics does not create a new event source for these attributes.
- If the event source exists in both the import file and Security Analytics, values for that event source are overwritten.
- If an attribute is blank in the import file, it clears the corresponding attribute in Security Analytics.
- If an attribute is not specified in the import file, then the corresponding attribute is ignored in Security Analytics (that is, it is not cleared).
Note: There is a difference between a blank attribute vs. one that is not specified at all. If an attribute is specified but blank, the assumption is that it is meant to be blank, and Security Analytics clears that attribute for the corresponding event source. However, if an attribute is not specified at all, it is assumed that no change is expected.
The above behaviors are the defaults—you can change the behavior as specified in the following procedure.
Import Event Source Attributes
To import Event Source attributes from a file:
- In the Security Analytics menu, select Administration > Event Sources.
Select the Manage tab.
The Event Sources Manage tab is displayed.
The Import Event Sources dialog is displayed.
Navigate to the import file, and select the appropriate boxes:
- Default: The default behavior is described above.
- Add only: Imports an attribute only if the corresponding field in Security Analytics is blank. Thus, no existing values will be overwritten.
- Do not clear values: Does not clear attribute values in Security Analytics for items in the import file that are blank.
- Add Unknown Sources: Adds new event sources based on items in the import file.
Note: You can select multiple options.
- Click Import.
- Click Yes in the confirmation dialog to perform the import.
Troubleshooting the Import File
If your import file is not formatted correctly, or is missing required information, an error is displayed, and the file is not imported.
Check the following:
- If you are adding unknown sources, each line in the file must contain a combination of the required attributes:
- IP or IPv6 or Hostname, and
- Event Source Type
- The first line of the file must contain header names, and the names must match the names in Security Analytics. To get a list of correct column names, you can export a single event source. Examine the exported CSV file: the first row of the file contains the correct set of attribute/column names.