Creating Custom Match Conditions and GroupBy Fields for Respond in RSA NetWitness Platform 11.4.x
Issue
This article describes how to create Custom Match Conditions and GroupBy Fields for the Respond server in NetWitness Platform 11.4.x. So that customizations are not overwritten in the future, custom normalization script files are available in NetWitness Platform 11.4 and later.
Tasks
To modify the available GroupBy and Match Conditions fields, the two files below on the NW Admin Server are required:
/var/lib/netwitness/respond-server/data/aggregation_rule_schema.json
/var/lib/netwitness/respond-server/scripts/custom_normalize_alerts.js
AND, depending on the source of the alert, one of the following files must be modified as well.
Alert sources - ESA/Reporting Engine/NetWitness Investigate:
/var/lib/netwitness/respond-server/scripts/custom_normalize_core_alerts.js
Alert source - NetWitness Endpoint:
/var/lib/netwitness/respond-server/scripts/custom_normalize_ecat_alerts.js
Alert source - Malware Analysis:
/var/lib/netwitness/respond-server/scripts/custom_normalize_ma_alerts.js
Alert source - Web Threat Detection:
/var/lib/netwitness/respond-server/scripts/custom_normalize_wtd_alerts.js
Alert source - UEBA:
/var/lib/netwitness/respond-server/scripts/custom_normalize_ueba_alerts.js
Resolution
In this example, a custom meta key named "Instance" is used and the alert source is ESA.
- Add the new lines highlighted in pink in the screenshot below to the aggregation_rule_schema.json file.
(Pay close attention to the formatting and syntax within this file; it is very important.)
# vi /var/lib/netwitness/respond-server/data/aggregation_rule_schema.json
(Replace <customkey> with your real custom key. The leading "}," is the end of the preceding entry in the existing list.)
},
{
    "value": "alert.events.<customkey>",
    "name": "<customkey>",
    "type": "textfield",
    "operators": [0, 1, 8, 9, 10, 11, 12, 13],
    "groupBy": true,
    "groupByField": "alert.groupby_<customkey>"
}
Example: (screenshot)
If custom keys were added for use in the groupBy clause prior to 11.4.x, modify the aggregation_rule_schema.json file and add the custom keys from the automatic backup file, which is located in /var/lib/netwitness/respond-server/data and is named in the following format:
aggregation_rule_schema.json.bak-
- Add the new lines highlighted in pink in the screenshots below for a custom key to the following files.
(See the screenshots below and pay close attention to the formatting and syntax within these files; it is very important.)
# vi /var/lib/netwitness/respond-server/scripts/custom_normalize_core_alerts.js
(Replace <customkey> with your real custom key.)
var custom_events;
// Reuse the events array produced by the standard normalization, if there is one.
if (normalized.events != undefined) {
    custom_events = normalized.events;
} else {
    custom_events = new Array();
}
// Copy the custom key from each raw event onto the matching normalized event.
for (var i = 0; i < rawAlert.events.length; i++) {
    if (custom_events[i] == undefined) {
        custom_events[i] = {};  // guard: no normalized event exists at this index yet
    }
    custom_events[i].<customkey> = Utils.stringValue(rawAlert.events[i].<customkey>);
}
if (normalized.events == undefined) {
    normalized.events = custom_events;
}
Example:
var custom_events;
// Reuse the events array produced by the standard normalization, if there is one.
if (normalized.events != undefined) {
    custom_events = normalized.events;
} else {
    custom_events = new Array();
}
// Copy each custom key from the raw event onto the matching normalized event.
for (var i = 0; i < rawAlert.events.length; i++) {
    if (custom_events[i] == undefined) {
        custom_events[i] = {};  // guard: no normalized event exists at this index yet
    }
    custom_events[i].file_hash = Utils.stringValue(rawAlert.events[i].file_hash);
    custom_events[i].event_computer = Utils.stringValue(rawAlert.events[i].event_computer);
    custom_events[i].risk_info = Utils.stringValue(rawAlert.events[i].risk_info);
    custom_events[i].alias_host = Utils.stringValue(rawAlert.events[i].alias_host);
    custom_events[i].url = Utils.stringValue(rawAlert.events[i].url);
    custom_events[i].sensor = Utils.stringValue(rawAlert.events[i].sensor);
}
if (normalized.events == undefined) {
    normalized.events = custom_events;
}
# vi /var/lib/netwitness/respond-server/scripts/custom_normalize_alerts.js
(Replace <customkey> with your real custom key.)
normalized.groupby_<customkey> = Utils.generateFlattenedColumnValue(normalized.events, "<customkey>");
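The two script steps above, as an added stand-alone example that is not RSA's code: it models the custom_normalize_core_alerts.js and custom_normalize_alerts.js logic in plain JavaScript so it can be exercised outside Respond. The Utils object is a stand-in whose behaviour is assumed, and the alert data is constructed.

```javascript
// Added example, not RSA code: a stand-alone model of the two script steps
// above. "Utils" is a stand-in for the server's helper; its behaviour is assumed.
const Utils = {
  // Coerce a raw field to a string; a missing field stays undefined rather
  // than becoming the literal string "undefined".
  stringValue: function (v) {
    return v === undefined || v === null ? undefined : String(v);
  },
  // Assumed behaviour: distinct values of a field across all events, joined
  // into one comma-separated string for the alert-level groupBy column.
  generateFlattenedColumnValue: function (events, field) {
    const seen = [];
    (events || []).forEach(function (e) {
      const v = e[field];
      if (v !== undefined && seen.indexOf(v) === -1) seen.push(v);
    });
    return seen.join(',');
  }
};

// Step 1 (custom_normalize_core_alerts.js): copy a custom key from every raw
// event onto the matching normalized event, creating the event if needed.
function copyCustomKey(rawAlert, normalized, key) {
  const custom_events = normalized.events !== undefined ? normalized.events : [];
  for (let i = 0; i < rawAlert.events.length; i++) {
    if (custom_events[i] === undefined) custom_events[i] = {};
    custom_events[i][key] = Utils.stringValue(rawAlert.events[i][key]);
  }
  if (normalized.events === undefined) normalized.events = custom_events;
  return normalized;
}

// Step 2 (custom_normalize_alerts.js): build the alert-level value that
// aggregation_rule_schema.json refers to as "alert.groupby_<customkey>".
function setGroupBy(normalized, key) {
  normalized['groupby_' + key] =
    Utils.generateFlattenedColumnValue(normalized.events, key);
  return normalized;
}

// Constructed sample: an ESA-style alert with three events; the third event
// lacks the custom key and the standard normalization produced no events.
function demo() {
  const rawAlert = { events: [{ instance: 'prod-01' }, { instance: 'prod-02' }, { other: 'x' }] };
  const normalized = {};
  copyCustomKey(rawAlert, normalized, 'instance');
  return setGroupBy(normalized, 'instance');
}
```

Running demo() shows the missing key on the third event is dropped from the groupBy value instead of appearing as the string "undefined".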
Example: (screenshot)
- Restart the Respond Server service, either from within the NW UI:
NW UI > Admin > Services > Respond Server > Actions column > Restart
or from the command line on the NW Admin Server:
# systemctl restart rsa-nw-respond-server
Product Details
RSA Product Set: RSA NetWitness Platform
RSA Product/Service Type: Respond Server
RSA Version/Condition: 11.4.x, 11.5.X