This topic introduces the custom feed capability, which is implemented using the Custom Feed Wizard in RSA Security Analytics, to quickly populate Decoders with custom and identity feeds.
Custom Feed Creation
You use the Live > Feeds > Setup Feed > Configure a Custom Feed wizard to quickly create and deploy Decoder feeds based on deterministic logic that offers the meta keys specific to the selected Decoders and Log Decoders. Although the wizard guides you through the process to create both on-demand and recurring feeds, you should understand the form and content of a feed file when you create a feed.
Feed file names in RSA Security Analytics are in the form <filename>.feed. To create a feed, Security Analytics requires a feed data file in .csv or .xml (for STIX) format and a feed definition file in .xml format, which describes the structure of a feed data file. The Configure a Custom Feed wizard can create the feed definition file based on a feed data file, or based on a feed data file and the corresponding feed definition file.
The Custom Feed wizard can create the feed definition file based on a feed data file, or based on a feed data file and the corresponding feed definition file. Security Analytics supports CsvFileFeed and FlatFileFeed types of feed deployment files. The CsvFileFeed file type provides additional parser grammar than the FlatFileFeed file type, which means that more checks will be done on files if you use the CsvFileFeed file type.
The CsvFileFeed files support CSV grammar and escape definitions. The designated delimiter character is , (comma), and the designated escape character is " (double quote). Data values that contain a comma character must be enclosed in double quotes. Data values that contain double quotes are escaped with double quotes, and must be enclosed by double quotes to preserve the data value. Embedding the entire field inside a set of double quotes preserves leading and trailing white space characters.
The files that you use to create an on-demand feed must stored on your local file system. The files used to create a recurring feed must be stored at an accessible URL, whence Security Analytics can fetch the most current version of the file for each recurrence. After a Security Analytics feed is created, you can download the feed to your local file system, edit the feed files, and then edit the Security Analytics feed to use the updated feed files.
Sample Feed Definition File
This is an example of a feed definition file named dynamic_dns.xml, which Security Analytics creates based on your entries in the Feed wizards. It defines the structure of the feed data file named dynamic_dns.csv.
<?xml version="1.0" encoding="utf-8"?>
<FDF xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="feed-definitions.xsd">
<FlatFileFeed name="Dynamic DNS Domain Feed"
<LanguageKey name="threat.source" valuetype="Text" />
<LanguageKey name="threat.category" valuetype="Text" />
<LanguageKey name="threat.desc" valuetype="Text" />
<Field index="1" type="index" key="alias.host" />
<Field index="4" type="value" key="threat.desc" />
<Field index="2" type="value" key="threat.source" />
<Field index="3" type="value" key="threat.category" />
Feed Definition Equivalents for Custom Feed Wizard Parameters
The Security Analytics Feeds wizard provide options to define the structure of the data feed file. These correspond directly to attributes in the feed definition (.xml) file.