Below are the steps to add a new field to group by (Incidents > Configure > Aggregation Rules > Grouping Options) when additional fields are required:
1) Edit the JavaScript file normalize_alerts.js, located in /opt/rsa/im/scripts/normalize on the SA web server.
2) In the normalizeAlert function, include the newly added event meta in the "else" section.
3) Edit the alert_rule.json file, located at /opt/rsa/im/fields on the SA web server.
4) Append the newly added event attribute to the group-by meta list at the end of the file; the new field then appears in the UI under the group-by options.
5) Restart the im service:
service rsa-im stop
service rsa-im start
The newly added event meta (the new field) is now visible under Incidents > Configure > Aggregation Rules > Grouping Options.
Example: adding host_src as an additional event meta under Grouping Options:
1) Edit the JavaScript file normalize_alerts.js, located in /opt/rsa/im/scripts/normalize on the SA web server.
2) In the normalizeAlert function, include the newly added event meta in the "else" section. In this case, add host_src.
else {
    var normalized = transformer.normalizeAlert(headers, alert);
    // Generate flattened column values for group by fields that can have multiple values
    // Note: If you customize your normalization scripts to have multi-values fields that can be grouped in rules,
    // you might have to add those here
    normalized.groupby_source_ip = Utils.generateFlattenedColumnValue(normalized.events, "source.device.ip_address");
    normalized.groupby_source_country = Utils.generateFlattenedColumnValue(normalized.source_country);
    normalized.groupby_destination_ip = Utils.generateFlattenedColumnValue(normalized.events, "destination.device.ip_address");
    normalized.groupby_destination_port = Utils.generateFlattenedColumnValue(normalized.events, "destination.device.port");
    normalized.groupby_destination_country = Utils.generateFlattenedColumnValue(normalized.destination_country);
    normalized.groupby_source_username = Utils.generateFlattenedColumnValue(normalized.events, "source.user.username");
    normalized.groupby_detector_ip = Utils.generateFlattenedColumnValue(normalized.events, "detector.ip_address");
    normalized.groupby_domain = Utils.generateFlattenedColumnValue(normalized.events, "domain");
    normalized.groupby_c2domain = Utils.generateFlattenedColumnValue(normalized.events, "enrichment.normalized.full_domain");
    // data field is an array and can have multiple file names within an event
    normalized.groupby_filename = Utils.generateFlattenedColumnValue(normalized.events, "data.filename");
    normalized.groupby_data_hash = Utils.generateFlattenedColumnValue(normalized.events, "data.hash");
    // newly added event meta: host_src
    normalized.groupby_host_src = Utils.generateFlattenedColumnValue(normalized.host_src);
    normalized.groupby_type = Utils.generateFlattenedColumnValue(normalized.type);
    return normalized;
}
3) Edit the alert_rule.json file, located at /opt/rsa/im/fields on the SA web server.
4) Append the newly added event attribute to the group-by meta list at the end of the file; the new field then appears in the UI under the group-by options. Note that "groupByField" must name the groupby_ property that normalizeAlert sets, here alert.groupby_host_src.
{
    "value": "alert.host_src",
    "name": "Source Host",
    "type": "textfield",
    "operators": [0, 1, 8, 9, 10, 11, 12, 13],
    "groupBy": true,
    "groupByField": "alert.groupby_host_src"
}
5) Restart the im service (service rsa-im stop, then service rsa-im start); the newly added meta key should now appear in the group-by list.