
RSA-IM group by custom meta or non default UI listed keys?

Question asked by Vladimir Previn on Jan 30, 2017
Latest reply on Jan 4, 2018 by Volodymyr Rozhniatovskyi

Hello RSA customers and RSA folk. 

Wondering if anyone has had much luck getting a specific answer on how to do IM 10.6.2 grouping for ESA alerts by keys not listed in the UI.

e.g. threat.desc, threat.category <-- fairly standard RSA meta we decided to reuse, and a couple of custom company_intel_tier/kc/type meta keys of our own.

At a high level we were told:

a) 'modify /opt/rsa/im/fields/alert_rules.json'

We sort of did, modelling it on alias_host/domain in the same file. Added:

  , {
    "value": "alert.events.threat_desc",
    "name": "Threat Description",
    "type": "textfield",
    "operators": [0, 1, 8, 9, 10, 11, 12, 13],
    "groupBy": true,
    "groupByField": "alert.groupby_threat_desc"
  },
  {
    "value": "alert.events.threat_category",
    "name": "Threat Category",
    "type": "textfield",
    "operators": [0, 1, 8, 9, 10, 11, 12, 13],
    "groupBy": true,
    "groupByField": "alert.groupby_threat_category"
  }

b) modify the normalize file for any unrolling of array values

We sort of did:

In /opt/rsa/im/scripts/normalize/normalize_alerts.js we added:

normalized.groupby_threat_category = Utils.generateFlattenedColumnValue(normalized.events,"threat_category");
normalized.groupby_threat_desc = Utils.generateFlattenedColumnValue(normalized.events,"threat_desc");

Pretty sure adding the extra groupby bits or not doesn't make a difference to it not aggregating alerts into incidents for us. (Well, if you don't include the groupByField, don't include the normalize bit. Hope that makes sense.)

c) Restart RSA-IM, check im.log; in the UI, re-save the alert->incident grouping with the new group by, recheck im.log, retrigger the alert.

We're finding after that:

a) Group by threat.desc (meta), aka threat_desc (ESA), is not working. IM is just not aggregating alerts with that meta from ESA into an incident (they just sit in alerts, ungrouped).

despite 

https://xxxx/incident/alerts#detail/588f0ad8f280cc6d1b824bf8
"Show raw alert" shows:

Raw Alert Data
{
  "instance_id": "493e91297b40825023fd8bc8da1bed8b",
  "engineUri": "default",
  "events": [
    {
      "coname_intel_tier": "Tier 4",
      "coname_kc": "KC1 - Recon",
      "alias_host": [
        "test.com.au",
        "pcxxxx"
      ],
      "threat_desc": "test.com.au",
      "threat_category": "Test domain feed"
....

b) Meta unrolling doesn't seem to work either (partially works in alias_host/domain, but not at all for our keys, although I guess for our keys not aggregating = not populating into incidents).

A fuller description of what we did is this:

#backup the custom keys/group-bys

#cp /opt/rsa/im/scripts/normalize/normalize_alerts.js /opt/rsa/im/scripts/normalize/normalize_alerts.jsOrg30012017

#cp /opt/rsa/im/fields/alert_rules.json /opt/rsa/im/fields/alert_rules.json30012017

#peek at meta keys in IM DB:

mongo im -u im -p --authenticationDatabase im

*pw in erpm


#find the alert we want to work on (needs to be aggregating I think, but just make it by ip.src)

>db.alert.find({$and: [{ "alert.name": "ALERT - Tier 1 - KC7 - Sig - Endpoint AV"},{"incidentCreated" : {$gte: ISODate("2017-01-15T01:00:34.872Z")}}]}).pretty()

>db.alert.find({ "alert.name": "ALERT - Tier 4 - KC? - Intel - Feed - Allow All"}).pretty().limit(1)

Inspect the attached; the short version is the interesting ESA raw alert data is (I think the meta we check is originalAlert, but could be wrong, or is it alert? IM translates originalAlert->alert with groupby_extra_meta_fields I take it?)

                alert.events:threat_desc,threat_category,

Add the custom meta keys, mimicking the alias_host/domain meta, into

                vi /opt/rsa/im/fields/alert_rules.json

Add the extra array-meta unroll / group-by helper bits into

                vi /opt/rsa/im/scripts/normalize/normalize_alerts.js

Restart IM, save the alert definition. Retrigger the alert.

Heh, any help would be greatly appreciated. Our local support basically gave up on it, it being not properly documented (probably not a bad point, and it'll break again after an upgrade).
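An added illustration, not part of the original post and not RSA's own code: the two files edited above have to agree with each other. Each `groupByField` of the form `alert.groupby_<name>` in alert_rules.json must be a property that normalize_alerts.js actually sets on the normalized alert, and each rule's `value` (`alert.events.<key>`) must be a key that really appears in the ESA events. The script below mirrors the two normalize lines from the post against a constructed copy of the raw alert shown above and reports any mismatch. `generateFlattenedColumnValue` here is an assumed stand-in for `Utils.generateFlattenedColumnValue` (the real RSA implementation is not on the page), and `checkGroupByWiring` is a hypothetical helper written for this example; the sample data is constructed from the post.

```javascript
// Added example; not code from the original post or from RSA.
// Checks that alert_rules.json groupBy entries and the normalize_alerts.js
// groupby_* properties are wired to each other, and shows what "unrolling"
// an events array value into a flat groupby column looks like.

// Constructed from the two entries the post added to alert_rules.json
// (shown as a proper array here, without the leading comma of the fragment).
const alertRulesFields = [
  { value: "alert.events.threat_desc", name: "Threat Description", type: "textfield",
    operators: [0, 1, 8, 9, 10, 11, 12, 13], groupBy: true,
    groupByField: "alert.groupby_threat_desc" },
  { value: "alert.events.threat_category", name: "Threat Category", type: "textfield",
    operators: [0, 1, 8, 9, 10, 11, 12, 13], groupBy: true,
    groupByField: "alert.groupby_threat_category" },
];

// Constructed from the "Raw Alert Data" in the post (trailing fields elided).
const rawAlert = {
  instance_id: "493e91297b40825023fd8bc8da1bed8b",
  engineUri: "default",
  events: [
    { coname_intel_tier: "Tier 4", coname_kc: "KC1 - Recon",
      alias_host: ["test.com.au", "pcxxxx"],
      threat_desc: "test.com.au", threat_category: "Test domain feed" },
  ],
};

// ASSUMED stand-in for Utils.generateFlattenedColumnValue: collect `key`
// from every event, unroll array values, drop empties, de-duplicate.
function generateFlattenedColumnValue(events, key) {
  const out = [];
  for (const ev of events || []) {
    const v = ev[key];
    if (v === undefined || v === null) continue;
    for (const item of Array.isArray(v) ? v : [v]) {
      const s = String(item).trim();
      if (s && !out.includes(s)) out.push(s);
    }
  }
  return out;
}

// Mirrors the lines added to normalize_alerts.js in the post, plus the
// alias_host line the post modelled them on.
function normalize(alertDoc) {
  const normalized = { events: alertDoc.events };
  normalized.groupby_threat_category = generateFlattenedColumnValue(normalized.events, "threat_category");
  normalized.groupby_threat_desc = generateFlattenedColumnValue(normalized.events, "threat_desc");
  normalized.groupby_alias_host = generateFlattenedColumnValue(normalized.events, "alias_host");
  return normalized;
}

// Hypothetical consistency check. Returns a list of problems; empty means
// every groupBy rule is backed by a normalized property and a real event key.
function checkGroupByWiring(fields, normalized) {
  const problems = [];
  for (const f of fields) {
    if (!f.groupBy) continue;
    const m = /^alert\.(groupby_\w+)$/.exec(f.groupByField || "");
    if (!m) {
      problems.push(`${f.value}: groupByField "${f.groupByField}" is not of the form alert.groupby_*`);
      continue;
    }
    const prop = m[1];
    if (!(prop in normalized)) {
      problems.push(`${f.value}: normalize script never sets normalized.${prop}`);
    }
    const evKey = f.value.replace(/^alert\.events\./, "");
    if (!normalized.events.some((ev) => evKey in ev)) {
      problems.push(`${f.value}: key ${evKey} absent from the alert's events`);
    }
  }
  return problems;
}

// Stand-alone run: prints the unrolled columns and any wiring problems.
const normalizedAlert = normalize(rawAlert);
console.log(normalizedAlert.groupby_threat_desc, normalizedAlert.groupby_alias_host);
console.log(checkGroupByWiring(alertRulesFields, normalizedAlert));
```

Run it with node against your own copies of the two files to see a mis-wired entry (for instance a groupByField with no matching `normalized.groupby_*` assignment) reported before restarting IM. Whether an empty problem list is sufficient for IM to aggregate is not something this check can tell you; it only rules out the simplest mismatch.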