ESA Config: Set Up Custom Meta Collection

Document created by RSA Information Design and Development Employee on Jun 25, 2017
Version 1Show Document
  • View in full screen mode

In most cases, the administrator will receive a request for custom meta from threat hunter. At this point, administrator performs the following steps to set up custom meta collection from a data feed.

  1. Reviews the request for custom meta with the threat hunter (requester).
  2. Collect custom meta.

Create Custom Meta Keys Using Custom Feed

This topic provides information on how to add custom meta keys, using custom feed in Decoder.

Here is a example of creating the custom meta key in Decoder. In this scenario, an organization wants to identify the criticality of an asset. To do this, a custom meta key criticality is introduced to assign a criticality state (that is High, Medium, or Low) through a data feed to the IP address of each asset.

Note: Custom meta keys can be created in Log Decoder as well. Make sure to select the index-logdecoder-custom.xml file when you create a custom meta in the Log Decoder.


Add custom meta key in Decoder

To add custom meta keys using custom feed:

  1. In the Security Analytics menu, select Administration > Services > Decoder.
  2. Select a service and click ic-actns.png> View > Config > Files tab > index-decoder-custom.xml.

 <?xml version="1.0" encoding="utf-8"?>
 <Language level="IndexNone" defaultAction="Auto">
 <!-- Reserved Meta key for Feed -->
 <Key description="Asset Criticality" level="IndexNone" name="criticality" format="Text"/>

  1. Restart the Decoder service. In the Services view, click ic-actns.png > Restart.

Deploy feed in Live

To deploy the feed in the live environment:

  1. In the Security Analytics menu, select Live Feed.
  2. In the toolbar, click Icon-Add.png.
    The Setup Feed dialog is displayed.


    To select the feed type, click Custom Feed and Next.
    The Configure a Custom Feed wizard is displayed, with the Define Feed form open.
    Enter the name and upload the Feed CSV file.

    Note: For a STIX feed you must upload the .xml file.

  1. Click Next.

    The CSV file contains the following two columns:

    • IP addresses that typically identify the assets of an organization.
    • Criticality of these assets.

  2. Select the Decoder service, where the feed needs to be uploaded and click Next.
  3. In the Define Index section, select the index type, index column, and callback key. In the Define Values section, enter the custom meta key.
    The contents of the .csv file are displayed in the feed wizard. In this case, the first column displays the IP address and the second column indicates the criticality.

Note: The Source IP should be indexed by selecting the type as IP as the ip.src. and ip.dst are in IPv4 format. 

In this scenario, you add the criticality custom meta key by indexing the IP.

  1. Click Next.
  2. Click Done.

For more information on the feed wizard, see Create and Deploy Custom Feed Using Wizard.

Add the custom meta entry in Concentrator index file

To add the custom meta entry in the concentrator index file:

  1. In the Security Analytics menu, select Administration Services > Concentrator.
  2. Click ic-actns.png > View > Config > Files tab > index-concentrator-custom.xml.
  3. Add the custom meta entry in the Concentrator index file.

  <?xml version="1.0" encoding="utf-8"?>
  <Language level="IndexNone" defaultAction="Auto">
  <!-- Reserved Meta key for Feed -->
  <Key description="Asset Criticality"  level="IndexValues" name="criticality" format="Text"                 valueMax="10000" defaultAction="Open"/>

  1. Restart the Concentrator services. In the Services view, click ic-actns.png > Restart.

Note: In case of the Broker, the Broker derives its index from the Concentrator from which it aggregates. So you do not need to create custom meta in the broker. If you have not indexed the meta key in the concentrator, the broker will not display in the investigation.

Update the Schema in ESA 

Before you update the schema in ESA, the custom meta key should be indexed in the concentrator.

To update the schema ESA rules and to be able to use the new custom meta keys:

  1. In the Security Analytics menu, select Administration > Services > ESA- Event Stream Analysis > View > Config.
  2. Edit the Concentrator Datasource.
  3. Click Test Connection.

  1. Click Save after the connection is successful.
  2. Click Apply.

Note: If the test connection fails, restart the ESA service or delete and add the concentrator data source from ESA service.

  1. Navigate to Alerts > Configure Settings.
  2. Click the Search tab and search for the name of the custom meta key.
    The custom meta key name and type is displayed.
You are here
Table of Contents > ESA Config: Set Up Custom Meta Collection