000035988 - How To Add Additional Fields Under Grouping Options For Incident Configuration Aggregation Rules in RSA Security Analytics

Document created by RSA Customer Support Employee on Feb 16, 2018
Version 1

Article Content

Article Number: 000035988
Applies To: RSA Product Set: Security Analytics
RSA Product/Service Type: Incident Management
RSA Version/Condition: 10.6.x
Platform: CentOS
O/S Version: 6
Issue: How to add additional fields (event meta) under Grouping Options for Incident Configuration Aggregation Rules, so that they can be used to group alerts into incidents.
Resolution

Below are the steps to add a new group-by field (Incidents > Configure > Aggregation Rules > Grouping Options). Back up both files before editing them.

1) Edit the JavaScript file normalize_alerts.js, located in /opt/rsa/im/scripts/normalize on the SA web server.
2) In the normalizeAlert function, add a groupby_ column for the new event meta in the "else" section, alongside the existing groupby_ assignments.
3) Edit the file alert_rule.json, located in /opt/rsa/im/fields on the SA web server.
4) Append the new event attribute to the group-by field list at the end of the file. The file is JSON, so the new entry goes inside the closing bracket of the list, with a comma after the preceding entry; check that the file still parses before restarting. The new field then appears in the group-by options in the UI.
5) Restart the im service:
     service rsa-im stop
     service rsa-im start


The newly added event meta is now visible under Incidents > Configure > Aggregation Rules > Grouping Options.

Example: adding host_src as an additional event meta under Grouping Options.

1) Edit the JavaScript file normalize_alerts.js, located in /opt/rsa/im/scripts/normalize on the SA web server.

2) In the normalizeAlert function, add the new event meta in the "else" section. In this case, add host_src:

else {
        var normalized =  transformer.normalizeAlert(headers, alert);
        // Generate flattened column values for group by fields that can have multiple values
        // Note: If you customize your normalization scripts to have multi-values fields that can be grouped in rules,
        // you might have to add those here
        normalized.groupby_source_ip = Utils.generateFlattenedColumnValue(normalized.events, "source.device.ip_address");
        normalized.groupby_source_country = Utils.generateFlattenedColumnValue(normalized.source_country);
        normalized.groupby_destination_ip = Utils.generateFlattenedColumnValue(normalized.events, "destination.device.ip_address");
        normalized.groupby_destination_port = Utils.generateFlattenedColumnValue(normalized.events, "destination.device.port");
        normalized.groupby_destination_country = Utils.generateFlattenedColumnValue(normalized.destination_country);
        normalized.groupby_source_username = Utils.generateFlattenedColumnValue(normalized.events, "source.user.username");
        normalized.groupby_detector_ip = Utils.generateFlattenedColumnValue(normalized.events, "detector.ip_address");
        normalized.groupby_domain = Utils.generateFlattenedColumnValue(normalized.events, "domain");
        normalized.groupby_c2domain = Utils.generateFlattenedColumnValue(normalized.events, "enrichment.normalized.full_domain");
        //data field is an array and can have multiple file names within an event
        normalized.groupby_filename = Utils.generateFlattenedColumnValue(normalized.events, "data.filename");
        normalized.groupby_data_hash = Utils.generateFlattenedColumnValue(normalized.events,"data.hash");
        // Added for this procedure: flatten host_src into a groupby_ column (single-argument form, as for source_country above)
        normalized.groupby_host_src = Utils.generateFlattenedColumnValue(normalized.host_src);
        normalized.groupby_type = Utils.generateFlattenedColumnValue(normalized.type);
        return normalized;
    }


3) Edit the file alert_rule.json, located in /opt/rsa/im/fields on the SA web server.

4) Append the following entry to the group-by field list at the end of the file (inside the closing bracket, with a comma after the preceding entry). The groupByField value must match the groupby_ column assigned in normalize_alerts.js (here groupby_host_src); otherwise the field appears in the UI but never groups anything. The new field then appears in the group-by options:

   {
        "value": "alert.host_src",
        "name": "Source Host",
        "type": "textfield",
        "operators": [0, 1, 8, 9, 10, 11, 12, 13],
        "groupBy": true,
        "groupByField" : "alert.groupby_host_src"
    }



5) Restart the im service (service rsa-im stop, then service rsa-im start). The newly added meta key is then available in the group-by list.

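The two edits above only work together if the groupByField named in alert_rule.json is exactly the groupby_ column that normalize_alerts.js populates. The following is an added example (not RSA's code, and not part of the original article) that models step 4 as a JSON edit which refuses duplicates and keeps the file valid, and then cross-checks the resulting field list against the groupby_ assignments in the script. The normalize_alerts.js excerpt and the pre-existing alert_rule.json entry are constructed stand-ins; Utils is not defined here because only the assignment names are inspected. Run it with node.

```javascript
// Added example for this article (not RSA's own code). It models steps 2 and 4
// and checks they agree: every "groupBy" entry in alert_rule.json must name a
// groupby_* column that normalize_alerts.js actually sets, otherwise the field
// shows in the UI but grouping on it never matches.

// Constructed excerpt of the normalizeAlert "else" branch after step 2.
// Only the assignment names matter; Utils is not defined in this example.
const NORMALIZE_JS = `
        normalized.groupby_destination_port = Utils.generateFlattenedColumnValue(normalized.events, "destination.device.port");
        normalized.groupby_host_src = Utils.generateFlattenedColumnValue(normalized.host_src);
        return normalized;
`;

// Constructed stand-in for alert_rule.json before step 4: a JSON array of
// field definitions. The entry is illustrative, not RSA's real file content.
const ALERT_RULE_JSON = JSON.stringify([
  {
    value: "alert.destination_port",
    name: "Destination Port",
    type: "textfield",
    operators: [0, 1, 8, 9, 10, 11, 12, 13],
    groupBy: true,
    groupByField: "alert.groupby_destination_port",
  },
], null, 4);

// Step 4 as code: append a new group-by field, refusing duplicates and keeping
// the file valid JSON ("append at the end" means inside the closing bracket).
function addGroupByField(fieldsJson, { value, name, groupByField }) {
  const fields = JSON.parse(fieldsJson);
  if (!Array.isArray(fields)) throw new Error("alert_rule.json must be a JSON array");
  if (fields.some((f) => f.value === value)) throw new Error(`field ${value} already defined`);
  if (!/^alert\.groupby_\w+$/.test(groupByField)) throw new Error(`unexpected groupByField ${groupByField}`);
  fields.push({
    value,
    name,
    type: "textfield",
    operators: [0, 1, 8, 9, 10, 11, 12, 13], // same operator list as the article's entry
    groupBy: true,
    groupByField,
  });
  return JSON.stringify(fields, null, 4);
}

// Collect every normalized.groupby_* column assigned in the script source.
function groupByColumnsInScript(scriptSource) {
  const cols = new Set();
  for (const m of scriptSource.matchAll(/normalized\.(groupby_\w+)\s*=/g)) cols.add(m[1]);
  return cols;
}

// Return the groupByField columns in alert_rule.json that the script never
// populates; an empty array means the two edits are consistent.
function findDanglingGroupBy(fieldsJson, scriptSource) {
  const cols = groupByColumnsInScript(scriptSource);
  return JSON.parse(fieldsJson)
    .filter((f) => f.groupBy)
    .map((f) => f.groupByField.replace(/^alert\./, ""))
    .filter((col) => !cols.has(col));
}

// The article's edit: host_src entry pointing at groupby_host_src.
const good = addGroupByField(ALERT_RULE_JSON, {
  value: "alert.host_src", name: "Source Host", groupByField: "alert.groupby_host_src",
});
// Typo scenario: the JSON names a column the script never sets.
const typo = addGroupByField(ALERT_RULE_JSON, {
  value: "alert.host_src", name: "Source Host", groupByField: "alert.groupby_hostsrc",
});

console.log("article edit, dangling columns:", findDanglingGroupBy(good, NORMALIZE_JS));
console.log("typo edit, dangling columns:", findDanglingGroupBy(typo, NORMALIZE_JS));
```

On a real system, read both files from /opt/rsa/im/fields/alert_rule.json and /opt/rsa/im/scripts/normalize/normalize_alerts.js instead of the constructed strings, and run the check before restarting rsa-im; a non-empty result means the groupByField and the groupby_ assignment disagree.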
