NetWitness Discussions
Maximizing SA-IM meta fields in event view

YahavLevin
‎2016-01-26 03:46 AM

Hello,

I'm very frustrated with trying to connect SA-IM 10.5.x to Archer SecOps 1.3.

I'm stuck on the SA side, where I have to add the relevant meta keys to the SA-IM JSON script that sits at opt/rsa/im/scripts/core-alerts.js.

I tried adding JSON lines for new metas, but what it did was break the SA-IM (it stopped working after saving and restarting the service).

I contacted support (both SA and Archer; both of them have no idea what I'm talking about).

I tried to reach PS and they will give a visit really soon, next month, but I'd really like to start working on that before they arrive.

Basically, before editing the UCF and Archer itself, I have to make the SA-IM ready with the base fields (metas) that I'd like to use.

The script that I noted before controls the view of the event on the SA-IM GUI itself.

If you go to an incident and press on it twice till you get to the event, then press on the red wheel and view event details, you will see some basic fields.

Please let me know if you have any idea of how to work it out, if you have done it before.

Accepted Solution

YahavLevin
‎2016-01-28 02:45 AM

So,

support helped me with that (Archer support).

Basically you have to edit: opt/rsa/im/scripts/normalize_core_alerts.js

and add lines such as:

        category: Utils.stringValue(event.category),
        action: Utils.stringValue(event.action),
        event_source: Utils.stringValue(event.event_source),
        level: Utils.intValue(event.level),
        did: Utils.stringValue(event.did),
        risk_info: Utils.stringValue(event.risk_info),
        risk_warning: Utils.stringValue(event.risk_warning),
        risk_suspicious: Utils.stringValue(event.risk_suspicious),

after that part in the file:

generateEventInfo = function(headers, event){
    var normalizedEvent = {

You can add as many metas as you want (they have to look like ESA metas: not with a dot but with a "_").

Then it will show up on the event view when you enter an incident (you will not have to click "investigate").

If you have any queries feel free to send me a msg.

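A stand-alone sketch of the pattern in that accepted solution, added here as an example and not code from the RSA/NetWitness script: `Utils`, `EXTRA_METAS`, `esaName` and `renderLines` are hypothetical stand-ins for whatever the real normalize_core_alerts.js provides, and the sample event is constructed. It renders the lines to paste into normalizedEvent from NetWitness meta key names (so a dotted key such as risk.info comes out as risk_info, as the post requires) and shows the coercion the normalizer then applies, returning null rather than the text "undefined" for a meta the event does not carry.

```javascript
// Added example, not RSA/NetWitness code: a stand-alone sketch of the
// generateEventInfo pattern in normalize_core_alerts.js. `Utils` is a
// hypothetical stand-in for the script's own helpers.
const Utils = {
  // String value, or null when the meta is absent (never the text "undefined").
  stringValue(v) {
    if (v === undefined || v === null) return null;
    return Array.isArray(v) ? v.map(String).join(',') : String(v);
  },
  // Integer value, or null when the meta is absent or not numeric.
  intValue(v) {
    if (v === undefined || v === null) return null;
    const n = parseInt(Array.isArray(v) ? v[0] : v, 10);
    return Number.isNaN(n) ? null : n;
  },
};
// NetWitness meta keys to expose in the IM event view, with the type to coerce to.
const EXTRA_METAS = [
  ['category', 'string'], ['action', 'string'], ['event.source', 'string'],
  ['level', 'int'], ['did', 'string'], ['risk.info', 'string'],
  ['risk.warning', 'string'], ['risk.suspicious', 'string'],
];

// ESA-style name: dots become underscores, as the post requires.
function esaName(metaKey) {
  return metaKey.replace(/\./g, '_');
}

// Render the lines to paste into normalizedEvent, in the script's own format.
function renderLines(metas) {
  return metas.map(([key, type]) => {
    const fn = type === 'int' ? 'intValue' : 'stringValue';
    return `        ${esaName(key)}: Utils.${fn}(event.${esaName(key)}),`;
  });
}

// Runtime view of the pattern once those lines are in place (headers unused here).
function generateEventInfo(headers, event) {
  const normalizedEvent = {};
  for (const [key, type] of EXTRA_METAS) {
    const name = esaName(key);
    const raw = event[name];
    normalizedEvent[name] = type === 'int' ? Utils.intValue(raw) : Utils.stringValue(raw);
  }
  return normalizedEvent;
}

// Constructed sample event: ESA alert events already carry underscore names.
const sampleEvent = { category: 'Suspicious', action: 'login', level: '3', risk_warning: ['a', 'b'] };
```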
7 Replies


DavidWaugh1 (Employee), in response to YahavLevin
‎2016-01-28 10:30 AM

Thanks for sharing this. I think the actual path to the file might be

/opt/rsa/im/scripts/normalize/normalize_core_alerts.js

YahavLevin, in response to DavidWaugh1
‎2016-01-28 12:19 PM

Yep David, you're totally right.

By the way, I tested it and it worked, which is why I posted it, so everyone can be 100% sure about the process.

Hope you had a great meal with Leon, happy weekend!

DavidWaugh1 (Employee), in response to YahavLevin
‎2016-01-28 01:26 PM

Just a heads up on this one.

After making the changes you need to restart the im service on the SA Server with service rsa-im restart.

Immediately after making this change the Incident Management GUI will be unavailable for some time. This is because the im database is having to be reindexed for these new keys.

If you look in /var/log/tokumx/tokumx.log on the ESA where the IM database resides you can track the rebuild process:

[root@ESA ~]# tail -f /var/log/tokumx/tokumx.log
{ originalAlert.instance_id: -1 }: 394000/2036102       19%     (estimated documents)
Thu Jan 28 18:24:37.049 [conn109]               Foreground index build progress (collect phase) for im.alert, key { originalAlert.instance_id: -1 }: 401000/2036102       19%     (estimated documents)
Thu Jan 28 18:24:40.145 [conn109]               Foreground index build progress (collect phase) for im.alert, key { originalAlert.instance_id: -1 }: 413000/2036102       20%     (estimated documents)
Thu Jan 28 18:24:43.183 [conn109]               Foreground index build progress (collect phase) for im.alert, key { originalAlert.instance_id: -1 }: 422000/2036102       20%     (estimated documents)
Thu Jan 28 18:24:46.165 [conn109]               Foreground index build progress (collect phase) for im.alert, key { originalAlert.instance_id: -1 }: 432000/2036102       21%     (estimated documents)
Thu Jan 28 18:24:49.000 [conn109]               Foreground index build progress (collect phase) for im.alert, key { originalAlert.instance_id: -1 }: 442000/2036102       21%     (estimated documents)

All the official steps to add new meta can be found here:

RSA Archer Security Operations Management SecOps 1.3

In particular in the guide: https://community.rsa.com/servlet/JiveServlet/download/32552-13-40223/RSA_ArcherSecurityOperationsManagement_Customizati…

YahavLevin, in response to DavidWaugh1
‎2016-01-28 02:26 PM

I'm literally speechless,

I didn't see this file and I literally downloaded every SecOps 1.3 file that I could find (on this page that you shared as well).

I just investigated the whole thing to understand the new UCF and SA alone, and I was only stuck at this level when I opened this topic, of how to edit the SA IM event metas.

I can see that everything that I've done was correct (guessed right), so I'm very happy with it.

I didn't know that when you edit the SA IM metas it re-indexes; that's a very good point to tell me! I will go ahead and give it a check next week when I add more meta keys.

But to be honest, the process of the re-index was so fast that it didn't really matter at all.

After I restarted the rsa-im service I waited around 1-2 minutes and shot an alert to see if it works, and it did.

David, why couldn't Leon ask you all of that months ago, before I started working on this project?

DavidWaugh1 (Employee), in response to YahavLevin
‎2016-01-28 03:03 PM

Hi, don't be too hard on Leon. It's a very new document that only just got posted. I've only just learnt this too.

It seems to do the reindex when you restart the im service. I have about 2 million alerts in my im database, so it takes about 10 mins on a virtual machine.

YahavLevin, in response to DavidWaugh1
‎2016-01-28 03:05 PM

On the SA that I'm working on (it's a bank prod SA) we got around 2000 incidents; that's why it's so fast.
