2018-01-30 12:49 PM
I have a custom parser that generates some custom metadata, and an ESA rule that triggers based on events from the custom parser. What I want is to be able to group alerts into incidents in Incident Management by the custom meta. Is this possible, and if so, how do I do it?
2018-02-04 02:41 AM
Hi Craig,
I have recently come across a similar situation here and managed to do the following to resolve it. Let me know how it goes:
1) Edit the JavaScript file normalize_alerts.js located in opt/rsa/im/scripts/normalize on the SA web server.
2) In the normalizeAlert function, include the newly added event meta in the "else" section. In my case I wanted to add host_src.
---------------------------------------------------
else {
    var normalized = transformer.normalizeAlert(headers, alert);
    // Generate flattened column values for group by fields that can have multiple values
    // Note: If you customize your normalization scripts to have multi-values fields that can be grouped in rules,
    // you might have to add those here
    normalized.groupby_source_ip = Utils.generateFlattenedColumnValue(normalized.events, "source.device.ip_address");
    normalized.groupby_source_country = Utils.generateFlattenedColumnValue(normalized.source_country);
    normalized.groupby_destination_ip = Utils.generateFlattenedColumnValue(normalized.events, "destination.device.ip_address");
    normalized.groupby_destination_port = Utils.generateFlattenedColumnValue(normalized.events, "destination.device.port");
    normalized.groupby_destination_country = Utils.generateFlattenedColumnValue(normalized.destination_country);
    normalized.groupby_source_username = Utils.generateFlattenedColumnValue(normalized.events, "source.user.username");
    normalized.groupby_detector_ip = Utils.generateFlattenedColumnValue(normalized.events, "detector.ip_address");
    normalized.groupby_domain = Utils.generateFlattenedColumnValue(normalized.events, "domain");
    normalized.groupby_c2domain = Utils.generateFlattenedColumnValue(normalized.events, "enrichment.normalized.full_domain");
    // data field is an array and can have multiple file names within an event
    normalized.groupby_filename = Utils.generateFlattenedColumnValue(normalized.events, "data.filename");
    normalized.groupby_data_hash = Utils.generateFlattenedColumnValue(normalized.events, "data.hash");
    // Custom group-by column for the newly added host_src meta; the column name
    // must match the "groupByField" value added to alert_rule.json in step 4
    normalized.groupby_host_src = Utils.generateFlattenedColumnValue(normalized.host_src);
    normalized.groupby_type = Utils.generateFlattenedColumnValue(normalized.type);
    return normalized;
}
--------------------------------------------------------------------------------------------------------
3) Edit the alert_rule.json file located at /opt/rsa/im/fields on the SA web server.
4) Add the newly added event attribute to the group-by meta list by appending this at the end of the file; the newly added field will then come up in the UI in the group-by options:
{
  "value": "alert.host_src",
  "name": "Source Host",
  "type": "textfield",
  "operators": [0, 1, 8, 9, 10, 11, 12, 13],
  "groupBy": true,
  "groupByField": "alert.groupby_host_src"
}
5) Restart the im service and you should be able to see the newly added meta key in the group-by list.
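The steps above tie two things together: a groupby_* column that normalize_alerts.js must set, and an alert_rule.json entry whose groupByField names that column. The following JavaScript is an added example, not part of this thread or of RSA's scripts: flattenColumn is an assumed stand-in for Utils.generateFlattenedColumnValue, and the sample alert with a per-event host_src path is constructed. It checks a rule entry against a normalized alert so that a mismatch, which IM otherwise swallows without an error, is caught before the service is restarted.

```javascript
// Assumed helper standing in for Utils.generateFlattenedColumnValue:
// collects a dotted path from every event, de-duplicates, joins with ','.
function flattenColumn(events, path) {
  const values = new Set();
  for (const ev of events || []) {
    let cur = ev;
    for (const key of path.split('.')) {
      cur = (cur === undefined || cur === null) ? undefined : cur[key];
    }
    if (cur === undefined || cur === null) continue;
    for (const v of (Array.isArray(cur) ? cur : [cur])) values.add(String(v));
  }
  return Array.from(values).sort().join(',');
}

// Mirrors the custom line added to normalizeAlert: one groupby_* column for
// the custom meta key (host_src here; reading it per event is an assumption).
function addGroupByColumns(normalized) {
  normalized.groupby_host_src = flattenColumn(normalized.events, 'host_src');
  return normalized;
}

// Validate an alert_rule.json entry against a normalized alert. groupByField
// must name a populated alert.groupby_* column, otherwise grouping by that
// field silently yields no incidents.
function checkGroupByEntry(entry, normalized) {
  const problems = [];
  if (!entry.groupBy) problems.push('groupBy is not true');
  const m = /^alert\.(groupby_\w+)$/.exec(entry.groupByField || '');
  if (!m) {
    problems.push('groupByField must look like alert.groupby_<meta>');
  } else if (!(m[1] in normalized)) {
    problems.push(m[1] + ' is never set by normalize_alerts.js');
  } else if (normalized[m[1]] === '') {
    problems.push(m[1] + ' is empty for this alert');
  }
  return problems;
}

// Constructed sample: two events, one carrying two host_src values.
const sampleAlert = {
  events: [{ host_src: ['web01', 'web02'] }, { host_src: 'web01' }],
};
// The entry from step 4 of the post above.
const ruleEntry = {
  value: 'alert.host_src', name: 'Source Host', type: 'textfield',
  operators: [0, 1, 8, 9, 10, 11, 12, 13],
  groupBy: true, groupByField: 'alert.groupby_host_src',
};
```

Running checkGroupByEntry(ruleEntry, addGroupByColumns(sampleAlert)) returns an empty list; pointing groupByField at a column the script never sets returns a description of the mismatch instead.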
2018-02-05 09:13 AM
Support has an Incident Management integration guide; you may get the details from them.
I found this so difficult to do, as if you miss something, IM will not tell you any error, and there will be no incident created.
Not sure about V11.
2018-02-22 02:31 PM
Hi Hamed,
The value I wanted to use appears in the dropdown after these changes, but when I create the rule to aggregate alerts in this fashion it doesn't actually work. Is there some official documentation you're aware of that explains these modifications better and might help me understand how to make this work the way I need it to?
Thanks