This topic provides instructions for using the Custom Feed Wizard in RSA Security Analytics, to quickly populate Decoders with custom feeds.
RSA Security Analytics has a Custom Feed wizard to allow quick creation and deployment of custom Decoder feeds based on deterministic logic that offers the meta keys specific to the selected Decoders and Log Decoders. Although the wizard guides users through the process to create both on-demand and recurring feeds, it is helpful to understand the form and content of a feed file when you create a feed.
Feed filenames in RSA Security Analytics are in the form <filename>.feed. To create a feed, Security Analytics requires a feed data file in .csv or .xml format and a feed definition file in .xml format, which describes the structure of a feed data file. The Custom Feed wizard can create the feed definition file based on a feed data file, or based on a feed data file and the corresponding feed definition file.
The files that you use to create an on-demand feed must be stored on your local file system. The files used to create a recurring feed must be stored at an accessible URL, whence Security Analytics can fetch the most current version of the file for each recurrence. After a Security Analytics feed is created, you can download the feed to your local file system, edit the feed files, and then edit the Security Analytics feed to use the updated feed files.
Sample Feed Definition File
This is an example of a feed definition file named dynamic_dns.xml, which Security Analytics creates based on your entries in the Custom Feed wizard. It defines the structure of the feed data file named dynamic_dns.csv.
<?xml version="1.0" encoding="utf-8"?>
<FDF xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="feed-definitions.xsd">
<FlatFileFeed name="Dynamic DNS Domain Feed"
<LanguageKey name="threat.source" valuetype="Text" />
<LanguageKey name="threat.category" valuetype="Text" />
<LanguageKey name="threat.desc" valuetype="Text" />
<Field index="1" type="index" key="alias.host" />
<Field index="4" type="value" key="threat.desc" />
<Field index="2" type="value" key="threat.source" />
<Field index="3" type="value" key="threat.category" />
Feed Definition Equivalents for Custom Feed Wizard Parameters
The Security Analytics Custom Feed wizard provides options to define the structure of the data feed file. These correspond directly to attributes in the feed definition (.xml) file.