RSA Security Analytics - Working with Custom Keys in the CEF Parser
Issue
The CEF format allows the use of custom keys such as cs1 and cs1Label. In a CEF log you may see the following:
Jan 27 10:43:51 PROXYNAME CEF:0|Bluecoat|Proxy|1.0|OBSERVED|OBSERVED|5|date=2016-01-27 time=10:43:51 ip.src=192.168.10.86 action=TCP_MISS ip.dst=192.168.11.252 cat=Content Servers requestMethod=GET dhost=eu-irl-00001.s3.amazonaws.com request=http://eu-irl-00001.s3.amazonaws.com/yKalk5gBT169iwsB8XFS?x-client-request-id=71445322-c4dd-11e5-b2dd-f23c91a872ff&Expires=1453892409&byte-range=4912-4943&AWSAccessKeyId=AKIAI3LLM7P3DRGCUSIA&bin=203000001&Signature=I0XwajzJOFKdFmj4wQ0%2B4vH7C%2Fo%3D dport=80 useragent=backupd (unknown version) CFNetwork/548.1.4 Darwin/11.0.0 out=418 outcome=206 in=484 errorcode=OBSERVED content=application/octet-stream daddr=54.231.133.9 dvchost=AE44PCCPWPXY02 sport=80 Version=HTTP/1.1 hostname=eu-irl-00001.s3.amazonaws.com cs1=com cs1Label=tld directory=/ path=/yKalk5gBT169iwsB8XFS filename=yKalk5gBT169iwsB8XFS
Here the custom keys cs1 and cs1Label are used to carry the Top Level Domain (TLD): cs1 holds the value and cs1Label describes it.
We want to parse this value into the tld meta key.
Resolution
Add the following lines to the CEF parser (normally located on the Log Decoder at /etc/netwitness/ng/envision/etc/devices/cef/cef.xml):
<ExtensionKey cefName="cs1" metaName="cs_fld" >
<device2meta device="trendmicrodsa" metaName="context"/>
<device2meta device="bluecat" metaName="action" label="query"/>
<device2meta device="websense" metaName="policyname" label="Policy"/>
<device2meta device="mcafeewg" metaName="virusname" label="Virus Name"/>
<device2meta device="bluecoat_proxy" metaName="tld" label="tld" />
</ExtensionKey>
In your table-map-custom.xml file, add the following mapping so that the tld meta key is defined:
<mapping envisionName="tld" nwName="tld" flags="None" format="Text"/>
This means that when the device type is bluecoat_proxy and cs1Label has the value tld, the value of cs1 is written to the meta key tld.
Notes
The meta key for a custom extension can be selected in three different ways. The example below means:
- If the device type is rsaecat and the cs1Label field is vlanName, put the value of cs1 into the meta key vlan.
- If the device type is rsaecat and the cs1Label field is rsasubject, put the value of cs1 into the meta key subject.
- If the device type is rsaflow, always put the value of cs1 into the meta key subject, regardless of cs1Label.
- Otherwise, put the value of cs1 into the default meta key context.
<ExtensionKey cefName="cs1" metaName="context">
<device2meta device="rsaecat" metaName="vlan" label="vlanName"/>
<device2meta device="rsaecat" metaName="subject" label="rsasubject"/>
<device2meta device="rsaflow" metaName="subject"/>
</ExtensionKey>
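The selection rules above are easy to get wrong when a label-specific rule and a device-only rule coexist, so here is a small Python model of them. This is an added example written for this article, not code from RSA Security Analytics or the CEF parser itself: it parses a syslog-prefixed CEF line into header fields and extension key/value pairs (values may contain spaces and embedded "=" signs, as the request and useragent fields on this page do), then walks an ExtensionKey block in document order the way the rules are described. The ExtensionKey XML and the log line are constructed samples in the shape of the article's snippets; the bluecoat_proxy rule has been added to the rsaecat/rsaflow example so one block covers both the Resolution and the Notes sections.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: an ExtensionKey block in the shape of the cef.xml
# snippets in the article (not a copy of any shipped parser file).
EXTENSION_KEY_XML = """
<ExtensionKey cefName="cs1" metaName="context">
  <device2meta device="rsaecat" metaName="vlan" label="vlanName"/>
  <device2meta device="rsaecat" metaName="subject" label="rsasubject"/>
  <device2meta device="rsaflow" metaName="subject"/>
  <device2meta device="bluecoat_proxy" metaName="tld" label="tld"/>
</ExtensionKey>
"""

# Constructed sample log line, shortened from the one in the article; the
# URL and user agent keep the awkward embedded "=" and spaces on purpose.
SAMPLE_LOG = (
    "Jan 27 10:43:51 PROXYNAME CEF:0|Bluecoat|Proxy|1.0|OBSERVED|OBSERVED|5|"
    "ip.src=192.168.10.86 cat=Content Servers requestMethod=GET "
    "request=http://example.invalid/path?x-client-request-id=abc&Expires=1 "
    "useragent=backupd (unknown version) CFNetwork/548.1.4 out=418 "
    "cs1=com cs1Label=tld"
)

HEADER_FIELDS = ("cef_version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")

# An extension key is a run of non-space, non-"=" characters that starts the
# extension string or follows whitespace, and is immediately followed by "=".
# Requiring the leading whitespace is what keeps "Expires=1" inside a URL
# from being treated as a key of its own.
_KEY_RE = re.compile(r"(?:^|\s)([^\s=]+)=")


def parse_cef(line):
    """Split a syslog-prefixed CEF line into (header dict, extensions dict)."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF record in line")
    body = line[start + len("CEF:"):]
    # Seven header fields separated by unescaped "|"; the eighth part is the
    # extension string, which may itself contain "|".
    parts = re.split(r"(?<!\\)\|", body, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    header = dict(zip(HEADER_FIELDS, parts[:7]))
    ext = parts[7]
    extensions = {}
    keys = list(_KEY_RE.finditer(ext))
    for i, m in enumerate(keys):
        # A value runs from just after "key=" up to the start of the next key.
        value_end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        extensions[m.group(1)] = ext[m.end():value_end].strip()
    return header, extensions


def resolve_meta_name(extension_key_xml, device, extensions):
    """Choose the meta key for an ExtensionKey's cefName using the article's rules.

    device2meta rules are checked in document order: a rule with a label
    matches only when <cefName>Label carries that label; a rule without a
    label matches on device type alone; the ExtensionKey's own metaName is
    the fallback.
    """
    root = ET.fromstring(extension_key_xml)
    cef_name = root.get("cefName")
    label_value = extensions.get(cef_name + "Label")
    for rule in root.findall("device2meta"):
        if rule.get("device") != device:
            continue
        label = rule.get("label")
        if label is None or label == label_value:
            return rule.get("metaName")
    return root.get("metaName")


def extract_custom_key(line, device, extension_key_xml=EXTENSION_KEY_XML):
    """Return (meta_key, value) for the custom key named by the ExtensionKey."""
    _header, extensions = parse_cef(line)
    cef_name = ET.fromstring(extension_key_xml).get("cefName")
    meta = resolve_meta_name(extension_key_xml, device, extensions)
    return meta, extensions.get(cef_name)


if __name__ == "__main__":
    print(extract_custom_key(SAMPLE_LOG, "bluecoat_proxy"))
```

Running it against the sample with device type bluecoat_proxy yields ("tld", "com"); with an unknown device type the same line falls back to ("context", "com"), which is the behaviour to expect in Security Analytics before the bluecoat_proxy rule is added to cef.xml.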
Product Details
RSA Product Set: Security Analytics
RSA Product/Service Type: SA Security Analytics Server
Summary
This article describes how to work with custom keys in the CEF parser.