This topic provides instructions for using the Custom Feed Wizard in RSA Security Analytics, to quickly populate Decoders with custom feeds.
Security Analytics provides a Custom Feed wizard for quickly creating and deploying custom Decoder feeds. The wizard offers only the meta keys that exist on the selected Decoders and Log Decoders, so the feed it builds always maps to keys those services can index. Although the wizard guides you through creating both on-demand and recurring feeds, it helps to understand the form and content of a feed file before you create one.
Feed filenames in Security Analytics are in the form <filename>.feed. To create a feed, Security Analytics requires a feed data file in .csv or .xml format and a feed definition file in .xml format, which describes the structure of a feed data file.
The Custom Feed wizard can build a feed from a feed data file alone, generating the feed definition file from your wizard entries, or from a feed data file together with an existing feed definition file. Security Analytics supports two feed definition types, CsvFileFeed and FlatFileFeed. The CsvFileFeed type carries a richer parser grammar than the FlatFileFeed type, so a data file deployed as a CsvFileFeed is checked more strictly when it is parsed.
CsvFileFeed files follow CSV grammar with defined escaping. The delimiter character is , (comma) and the escape character is " (double quote). A data value that contains a comma must be enclosed in double quotes. A double quote inside a data value is escaped by doubling it, and the whole value must then be enclosed in double quotes to preserve it. Enclosing an entire field in double quotes also preserves its leading and trailing white space.
The files that you use to create an on-demand feed must be stored on your local file system. The files used to create a recurring feed must be stored at an accessible URL, from which Security Analytics can fetch the most current version of the file for each recurrence. After a Security Analytics feed is created, you can download the feed to your local file system, edit the feed files, and then edit the Security Analytics feed to use the updated feed files.
Sample Feed Definition File
This is an example of a FlatFileFeed definition file named dynamic_dns.xml, which Security Analytics creates based on your entries in the Custom Feed wizard. It defines the structure of the feed data file named dynamic_dns.csv.
<?xml version="1.0" encoding="utf-8"?>
<FDF xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="feed-definitions.xsd">
<!-- path and separator are added here from the description above (data file dynamic_dns.csv, comma delimiter); the excerpt omits the rest of this tag -->
<FlatFileFeed name="Dynamic DNS Domain Feed" path="dynamic_dns.csv" separator=",">
<!-- Meta keys the feed creates on the Decoder -->
<LanguageKey name="threat.source" valuetype="Text" />
<LanguageKey name="threat.category" valuetype="Text" />
<LanguageKey name="threat.desc" valuetype="Text" />
<!-- Column 1 is the index matched against existing alias.host meta; columns 2-4 are written as meta when a match occurs -->
<Field index="1" type="index" key="alias.host" />
<Field index="4" type="value" key="threat.desc" />
<Field index="2" type="value" key="threat.source" />
<Field index="3" type="value" key="threat.category" />
</FlatFileFeed>
</FDF>
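The following is an added example, not code from Security Analytics or this documentation: it reads the dynamic_dns.xml definition above, parses a constructed dynamic_dns.csv that exercises the CSV grammar described earlier (embedded comma, doubled double quote, quoted white space), and builds the index-to-meta mapping a Decoder would apply on a match. The path and separator attribute values, the rule that value fields must be declared as LanguageKey entries, and the skipping of short rows are assumptions made for the example.

```python
import csv
import xml.etree.ElementTree as ET

# The page's dynamic_dns.xml with the closing tags and path/separator
# attributes the excerpt omits filled in (attribute values are assumptions).
FEED_DEF = """<?xml version="1.0" encoding="utf-8"?>
<FDF xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="feed-definitions.xsd">
<FlatFileFeed name="Dynamic DNS Domain Feed" path="dynamic_dns.csv" separator=",">
<LanguageKey name="threat.source" valuetype="Text" />
<LanguageKey name="threat.category" valuetype="Text" />
<LanguageKey name="threat.desc" valuetype="Text" />
<Field index="1" type="index" key="alias.host" />
<Field index="4" type="value" key="threat.desc" />
<Field index="2" type="value" key="threat.source" />
<Field index="3" type="value" key="threat.category" />
</FlatFileFeed>
</FDF>"""

# Constructed dynamic_dns.csv rows exercising the CSV grammar: an embedded
# comma, a doubled double quote, and quoted leading/trailing whitespace.
FEED_DATA = (
    'host1.ddns.example,ddns-list,dynamic-dns,"Dynamic DNS host, watchlisted"\n'
    'host2.ddns.example,ddns-list,dynamic-dns,"Flagged as ""suspicious"""\n'
    '" host3.ddns.example ",ddns-list,dynamic-dns,whitespace kept\n'
)

def parse_definition(xml_text):
    """Return (separator, index column, index key, {column: meta key})."""
    feed = ET.fromstring(xml_text).find("FlatFileFeed")
    declared = {lk.get("name") for lk in feed.findall("LanguageKey")}
    index_col, index_key, value_keys = None, None, {}
    for field in feed.findall("Field"):
        col, key = int(field.get("index")), field.get("key")
        if field.get("type") == "index":
            index_col, index_key = col, key
        elif key not in declared:  # value fields create new meta: assumed rule
            raise ValueError(f"column {col}: undeclared meta key {key}")
        else:
            value_keys[col] = key
    return feed.get("separator", ","), index_col, index_key, value_keys

def load_feed(xml_text, csv_text):
    # Map each index value to the meta a Decoder would attach on a match.
    sep, index_col, index_key, value_keys = parse_definition(xml_text)
    reader = csv.reader(csv_text.splitlines(), delimiter=sep, quotechar='"')
    records = {}
    for row in reader:
        if len(row) < max(value_keys):  # skip blank or short rows (assumption)
            continue
        records[row[index_col - 1]] = {k: row[c - 1] for c, k in value_keys.items()}
    return index_key, records
```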
Feed Definition Equivalents for Custom Feed Wizard Parameters
The Security Analytics Custom Feed wizard provides options that define the structure of the feed data file. Each option corresponds directly to an attribute in the feed definition (.xml) file.