This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Enhanced Threat Intel support via STIX in NetWitness

DevCK
Occasional Contributor Occasional Contributor
Occasional Contributor
‎2020-09-28 12:38 PM

RSA NetWitness has been supporting Structured Threat Information eXpression (STIX™) as it has been the industry standard for Open Source Cyber Threat Intelligence for quite some time. 

 

 

In NetWitness v11.5 we take the power of Threat Intelligence coming from STIX to the next level. When in Investigate or Respond views, you will now see context of the Intel delivered by STIX right there next to the meta like this:pastedImage_3.png

 

For this - NetWitness Platform’s has enhanced the existing integration with STIX to improve the threat detection capabilities with improved Threat Intel information to detect and respond to attacks in a timely manner. Now, when an analyst investigates threat intelligence information retrieved from a STIX data source, the context for each indicator is displayed. The context information includes viewing the adversary and the attack details directly from Context Hub, in both Investigate and Respond views.

 

Note that for the analyst to use this capability, an administrator needs to configure the STIX data sources to retrieve the threat intelligence data from the specified STIX source as below.

 

 

  1. Add & Configure STIX/TAXII as a 'Data Source' (note that you can add TAXII server/REST server/STIX file): Add source 1.JPG
  2. Create Feeds: Setup STIX feed from Custom Feeds section. Note that you can now see all the existing STIX Data Sources (as added in pervious step) to create feeds out of them. See Decoder: Create a STIX Custom Feed  for more details.Custom Feed.png
  3. Context Lookup SummarypastedImage_2.png
  4. Context Lookup Details:pastedImage_1.png

Here are the links to detailed documentation around STIX: 

 

Check it out and let us know what you think!

 

We strongly believe in the power of feedback! And thus please leave any feedback or suggestions on how to make this experience even better. To see what else may be in store for future releases, go to the RSA Ideas portal for the RSA NetWitness Platform to see enhancements that have been suggested, vote on them, and submit your own. 

© 2022 RSA Security LLC or its affiliates. All rights reserved.