
Upload: vuthien

Post on 30-Jan-2018



Deploy Custom intelligence to RSA Security Analytics

1. Log in to the RSA Security Analytics GUI by entering your SA server IP address in your browser.

2. Open the Devices view by selecting Unified > Administration > Devices.

3. Select the Log Decoder and open its Config view by selecting Log Decoder > View > Config.

4. Select the Files tab in the Decoder Config view.


5. Select the index-concentrator-custom.xml file from the drop-down.

If no custom meta key has been added before, the file is empty and the editor shows a blank field.

6. Add one line per new meta key in the blank field. Each line has the form shown below; only the description and the name need to change for each new meta key:

<key description="Employee ID" format="Text" level="IndexValues" name="employee.id" valueMax="500000" defaultAction="Open" />


Note: the description ("Employee ID") is the meta name you will see in Investigation, and the name ("employee.id") is the meta key you select in rules and in the feed definition. The name is case-sensitive and must be spelled identically in both index files and in the feed, otherwise the feed values are written to a key that is never indexed.

After adding the lines, click Apply. A notification pops up confirming that "index-concentrator-custom.xml file has been saved successfully".

7. Click Push and select the Concentrator to push the file to the Concentrator.


8. Now select the index-decoder-custom.xml file from the drop-down menu.

9. Add the same line you added to index-concentrator-custom.xml, but without the defaultAction attribute.

10. Apply the changes. This file is used by the Log Decoder itself, so Apply saves it to the Decoder you are editing; it does not need to be pushed to the Concentrator.

Note: create as many meta keys as you want to see in Investigation or in reports.

11. Restart the Concentrator and Decoder services. Restarting briefly interrupts capture and aggregation, so do this in a maintenance window.


12. After the services have restarted, open the Investigation menu; the newly created meta keys should be listed there.

Note: the new meta key appears at the bottom of the list with no values, because no data is populated under it until the feed for that meta key has been deployed.
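The following is an added example, not part of the original document, that generates the key lines for steps 6 and 9 from a list of new meta keys, so that the decoder file is always the concentrator line minus defaultAction. Only employee.id appears in the original text; the other HRMS key names, the lowercase-and-dots naming rule and the 16-character limit enforced here are assumptions used for illustration.

```python
"""Generate <key> lines for index-concentrator-custom.xml and
index-decoder-custom.xml from a list of new meta keys.

Added example, not the original document's content. Key names other than
employee.id, and the naming rules in validate_key_name(), are assumptions.
"""
import re
import xml.etree.ElementTree as ET

# Constructed list of the HRMS fields the document adds. Only employee.id
# is taken from the original text; the other names are assumed here.
HRMS_KEYS = [
    ("employee.id", "Employee ID"),
    ("supervisor.id", "Supervisor ID"),
    ("designation", "Designation"),
    ("department", "Department"),
    ("display.name", "Display Name"),
    ("location", "Location"),
    ("email", "Email"),
    ("work.type", "Work Type"),
]

# Assumed rule: lowercase letters, digits and dots, dot-separated segments.
KEY_NAME_RE = re.compile(r"^[a-z0-9]+(\.[a-z0-9]+)*$")
MAX_KEY_NAME_LEN = 16  # assumed limit on meta key name length


def validate_key_name(name):
    """Reject names that would not match across files or the feed definition."""
    if not KEY_NAME_RE.match(name):
        raise ValueError(f"{name!r}: use lowercase letters, digits and dots only")
    if len(name) > MAX_KEY_NAME_LEN:
        raise ValueError(f"{name!r}: longer than {MAX_KEY_NAME_LEN} characters")
    return name


def key_element(name, description, fmt="Text", value_max=500000, default_action=None):
    """Build one <key .../> element; defaultAction is only set when given."""
    el = ET.Element("key")
    el.set("description", description)
    el.set("format", fmt)
    el.set("level", "IndexValues")
    el.set("name", validate_key_name(name))
    el.set("valueMax", str(value_max))
    if default_action is not None:
        el.set("defaultAction", default_action)
    return el


def concentrator_lines(keys):
    """Lines for index-concentrator-custom.xml (step 6): values indexed, opened by default."""
    return [ET.tostring(key_element(n, d, default_action="Open"), encoding="unicode")
            for n, d in keys]


def decoder_lines(keys):
    """Lines for index-decoder-custom.xml (step 9): same line without defaultAction."""
    return [ET.tostring(key_element(n, d), encoding="unicode") for n, d in keys]


def pair_is_consistent(concentrator_line, decoder_line):
    """True when the decoder line equals the concentrator line minus defaultAction."""
    conc = dict(ET.fromstring(concentrator_line).attrib)
    conc.pop("defaultAction", None)
    return conc == ET.fromstring(decoder_line).attrib


if __name__ == "__main__":
    print("# index-concentrator-custom.xml")
    print("\n".join(concentrator_lines(HRMS_KEYS)))
    print("# index-decoder-custom.xml")
    print("\n".join(decoder_lines(HRMS_KEYS)))
```

Paste the first group into index-concentrator-custom.xml and the second into index-decoder-custom.xml; running validate_key_name before editing the files catches a mixed-case or over-long name before it is pushed and the services are restarted.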

13. In Investigation, find one value that SA already receives in the data you want to deploy, then relate the remaining data to that value in a .CSV file.

For example, for HRMS data the Domain ID was found in SA as the Destination User Account (user.dst), and the other fields were related to it as described below.


First, new meta keys were created in SA for the new data: Employee ID, Supervisor ID, Designation, Department, Display Name, Location, Email and Work Type.

Next, a CSV file is used to create the feed. The first column must contain only values that SA already receives, in this case the Destination User Account in SA (the Domain ID on the HRMS server). Fill the remaining columns with the corresponding information for each value in column one.

Note: feeds are supported in .CSV format only.

14. Select Unified and go to Live > Feeds.


The Feeds view is displayed.

15. Click +, choose Custom Feed and select Next. A screen for uploading custom feeds opens.

16. Type a feed name, then browse to the .CSV file you created with the new information you want to deploy to SA.


17. Select Next, check the Decoder, and select Next.

18. Choose the feed type according to the values in the first column: IP if the feed is keyed on IP addresses, IP Range if it is keyed on IP ranges, and Non IP otherwise; then provide the corresponding information. In this case the data is Non IP.


Because the Destination User Account is the value SA already has for the feed data, select user.dst as the callback key. The user.dst value is in the first column of the CSV, so the index column is 1.

Under Define Values, select the corresponding meta key from the drop-down list for every remaining column. If a meta key cannot be selected from the drop-down, type it manually, but make sure that the meta key exists in Investigation, either with data or at the bottom of the list with no data.

19. Click Next, review the information provided, then Finish.

20. Restart the Concentrator service or the device.

21. Wait a few minutes and then check Investigation. If everything was done correctly, the newly created meta keys are populated with the data from the feed.
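The following is an added example, not part of the original document, that builds the Non IP feed CSV from steps 13 to 18 and checks it against the meta keys created in steps 1 to 12: column 1 is the callback key user.dst (index column 1), every other column maps to one meta key under Define Values, and each row must have exactly one value per column. The HRMS rows and the meta key names other than user.dst and employee.id are constructed for illustration; the check that every mapped key is already defined reflects the note under step 18.

```python
"""Build and sanity-check the Non IP custom feed CSV from the HRMS export.

Added example, not the original document's content. HRMS_ROWS is constructed
sample data; meta key names other than user.dst and employee.id are assumed.
"""
import csv
import io

# Column order of the CSV and the meta key each column maps to in Define
# Values. Column 1 is the callback key already populated in SA.
COLUMNS = ["user.dst", "employee.id", "supervisor.id", "designation",
           "department", "display.name", "location", "email", "work.type"]

# Meta keys that exist in Investigation after steps 1-12 (constructed set).
DEFINED_KEYS = set(COLUMNS[1:])

# Constructed HRMS export: Domain ID first, then the enrichment fields.
HRMS_ROWS = [
    ["jdoe", "E1001", "E0042", "Analyst", "SOC", "John Doe",
     "Bangalore", "jdoe@example.com", "Permanent"],
    ["asmith", "E1002", "E0042", "Engineer", "SOC", "Alice Smith",
     "Pune", "asmith@example.com", "Contract"],
]


def feed_definition(columns=COLUMNS):
    """Settings entered in the Live > Feeds wizard for this CSV.
    Columns are numbered from 1, as in the wizard's Index Column field."""
    return {
        "type": "Non IP",
        "callback_key": columns[0],
        "index_column": 1,
        "values": {i: key for i, key in enumerate(columns[1:], start=2)},
    }


def check_feed_rows(rows, columns=COLUMNS, defined_keys=DEFINED_KEYS):
    """Return a list of problems that would keep the feed from enriching events."""
    problems = []
    missing = [k for k in columns[1:] if k not in defined_keys]
    if missing:
        problems.append(f"meta keys not defined in the index: {missing}")
    seen = set()
    for i, row in enumerate(rows, start=1):
        if len(row) != len(columns):
            problems.append(f"row {i}: expected {len(columns)} columns, got {len(row)}")
            continue
        key = row[0].strip()
        if not key:
            problems.append(f"row {i}: empty callback value in column 1")
        elif key in seen:
            problems.append(f"row {i}: ambiguous, second row for callback value {key!r}")
        seen.add(key)
    return problems


def build_feed_csv(rows, columns=COLUMNS, defined_keys=DEFINED_KEYS):
    """Return the feed CSV text (no header row; the wizard maps columns by position).
    Raises ValueError if check_feed_rows() finds a problem."""
    problems = check_feed_rows(rows, columns, defined_keys)
    if problems:
        raise ValueError("; ".join(problems))
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(feed_definition())
    print(build_feed_csv(HRMS_ROWS), end="")
```

Run the check against the real export before uploading: a row with a trailing comma, an empty Domain ID or a column mapped to a key that was never added to the index files produces a feed that deploys without error but shows no data under the new meta keys in Investigation.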