Article Number
000002830
Applies To
RSA Product Set: Security Analytics
RSA Product/Service Type: Security Analytics UI
RSA Version/Condition: 10.4 and above
Issue
When working in the Investigation module, some traffic may be identified as suspicious, although further investigation reveals that it is safe traffic.
This article explains how to tag such traffic as safe so that it can be excluded from future investigations.
This allows you to concentrate on events that may be suspicious by excluding events that you know to be safe.
An alternative method would be to edit the rules downloaded from RSA Live, but if those rules were later updated by RSA Live, any local modifications would be overwritten.
Notes
Below is a sample index-concentrator-custom.xml file.
<?xml version="1.0" encoding="utf-8"?>
<!-- Sample index-concentrator-custom.xml (see the article text above).
     The root <language> element sets level="IndexNone" and defaultAction="Auto";
     every <key> below then carries its own level="IndexValues" and defaultAction="Open",
     presumably overriding those root defaults per key (TODO confirm against the
     Core database index documentation). valueMax is given per key and differs
     between keys (100000, 1000000, 1000); assumed to cap the number of distinct
     values indexed for that key, but the exact semantics are not shown here. -->
<language level="IndexNone" defaultAction="Auto">
<!-- Keys for risk/collector/port metadata. Attribute order differs from the
     ecat.* keys below (format before level here, level before format there);
     XML attribute order is not significant, so both forms are equivalent. -->
<key description="RiskyIPs" format="Text" level="IndexValues" name="risk.ip" valueMax="100000" defaultAction="Open"/>
<key description="LogCollectorID" format="Text" level="IndexValues" name="lc.cid" valueMax="100000" defaultAction="Open"/>
<key description="SrcPort" format="Text" level="IndexValues" name="ip.srcport" valueMax="100000" defaultAction="Open"/>
<!-- ecat.* keys. NOTE(review): ecat.OS and ecat.AgentID contain uppercase letters;
     key names are matched as written, so confirm the case matches the key actually
     emitted by the decoder or ECAT integration. -->
<key description="ecat.macaddress" level="IndexValues" name="ecat.macaddress" format="Text" valueMax="100000" defaultAction="Open"/>
<key description="ecat.OS" level="IndexValues" name="ecat.OS" format="Text" valueMax="100000" defaultAction="Open"/>
<key description="ecat.AgentID" level="IndexValues" name="ecat.AgentID" format="Text" valueMax="100000" defaultAction="Open"/>
<key description="ecat.stime" level="IndexValues" name="ecat.stime" format="Text" valueMax="100000" defaultAction="Open"/>
<key description="ecat.ctime" level="IndexValues" name="ecat.ctime" format="Text" valueMax="100000" defaultAction="Open"/>
<key description="ecat.score" level="IndexValues" name="ecat.score" format="Text" valueMax="100000" defaultAction="Open"/>
<!-- NOTE(review): the name attributes Gateway.ip, Local.ip and Remote.ip are
     capitalised while their description attributes are lowercase; verify which
     spelling the parser writes, since a case mismatch would leave the key unindexed. -->
<key description="gateway.ip" level="IndexValues" name="Gateway.ip" format="Text" valueMax="100000" defaultAction="Open"/>
<key description="local.ip" level="IndexValues" name="Local.ip" format="Text" valueMax="100000" defaultAction="Open"/>
<key description="remote.ip" level="IndexValues" name="Remote.ip" format="Text" valueMax="100000" defaultAction="Open"/>
<!-- host.dst and result.code use a larger valueMax (1000000) than the keys above.
     The space before "=" in the result.code line is permitted XML whitespace and
     is kept exactly as in the original sample. -->
<key description="host.dst" level="IndexValues" name="host.dst" format="Text" valueMax="1000000" defaultAction="Open"/>
<key description="result.code" level="IndexValues" name="result.code" format="Text" valueMax="1000000" defaultAction ="Open"/>
<!-- safe.traffic is the key this article is about: events tagged with it are meant
     to be excluded from future investigations. Because anything that matches the
     rule populating this key disappears from the investigator's view, the rule and
     the values it writes should be reviewed periodically so that a too-broad "safe"
     match does not hide events that deserve attention. valueMax is only 1000 here,
     presumably because few distinct tag values are expected (TODO confirm). -->
<key description="safe.traffic" level="IndexValues" name="safe.traffic" format="Text" valueMax="1000" defaultAction="Open"/>
</language>