11 Replies Latest reply on Apr 4, 2014 12:30 PM by mepplin

    Custom Types

    pfabrizi

      I have an RSA Netwitness parser that I need to add some custom data types to. When I go to the system properties, select custom type, and add them, I am not able to see any but the first custom type I added in the parser. Am I following a procedure incorrectly?

        • 1. Re: Custom Types
          pauliet

          Hi

           

          Custom Types you create can only be seen in the policy you are editing if a type that is already being used by that rule does not match the events field type for the custom type you have created.

           

          Add_Custom_Type.jpg.

           

          So, if a custom type you are using has the same event field type, e.g. Custom Field - 1 (short) as an existing custom field in that particular rule, e.g. Application_Protocol, then it won't be displayed. Here's an extract from a McAfee document that covers this subject.

           

          It is very important to note that the Custom Fields can only be used once, but there are several custom types that map to the same custom field. This means that if you select the custom type Confidence (which uses Custom Field – 8), then you will not be able to use any other custom type that shares Custom Field – 8, such as Cc, Contact_Nickname or Database_Name. You can always define a new custom type that maps to a different Custom Field in the event of a conflict, up to the limit of the number of custom fields available.

           

          Hope that helps.

          • 2. Re: Custom Types
            pfabrizi

            I went through all fields in my NetWitness parser and then went through all the custom data types. I created a field called threat and gave it a string custom type 8 since no other custom type was using it and I still can't see that custom type when I am in the field assignment section of the edited policy.

            • 3. Re: Custom Types
              pauliet

              Hi.

               

              I can see 12 Custom Types with custom type 8 (short), are you sure none of those fields are currently being used in that particular rule?

              • 4. Re: Custom Types
                pfabrizi

                Here is what my parser looks like for Field assignment. We made a copy of the out of the box parser and have been modifying that one.

                netwitnesscustom.jpg

                • 5. Re: Custom Types
                  pauliet

                  Hi

                   

                  Not sure then, is the custom type you've created indexed?

                  • 6. Re: Custom Types
                    pfabrizi

                    Am I following the correct steps?

                     

                    - open the system properties and select custom types

                    - add a new custom type

                    - open the policy editor from my data source

                    - edit the policy and from the field assignment tab select the '+' for custom types

                    • 7. Re: Custom Types
                      pauliet

                      Hi.

                       

                      Yes, that is the correct procedure. Going back to my image above, did you select the "Index Data" box? Not sure if that's important, but it's something we've done in the past.

                      • 8. Re: Custom Types
                        pfabrizi

                        I created a custom type called 'server' and I was able to see that in the parser and add it to the field assignment. I then created a custom type called 'threat' but that or any others I try to create are not visible.

                         

                        Can I create as many custom types as I want, but only add 1 to the parser rule?

                        • 9. Re: Custom Types
                          pauliet

                          Hi

                           

                          Yes, you can create as many custom types as you need, and you can use as many as you need within a specific parser - as long as it meets the criteria in my first post. Simple rule of thumb, each custom type must have a different custom field type, e.g. 1-9 (short) 21-27 (long) in each rule parser, I seem to recall.

                           

                          As an example, we've been able to create 5 custom types for our Peakflow SP ASP rules, and they work fine - they all have different custom field types, and don't clash with existing custom fields.

                           

                          Maybe Scott Tashler can throw some further light on your problem?

                           

                          Message was edited by: pauliet on 04/04/14 11:14:06 CDT