Some threat data vendors provide a compiled .feed file as a potential output for use with RSA NetWitness (such as Crowdstrike).
Working with Joshua Waterloo we came up with an better solution than manually uploading each .feed file to each decoder by using NwConsole to script the upload of the feeds (you can also upload parsers and other config items with NwConsole)
This is the result of that work, a script that can be run from the SA server (with the feed files in the same directory as the script) and it will push out the .feed files to the log or packet decoders listed in the script using NwConsole. Thanks to David Waugh for the original idea for a script like this.
At this time the RSA Live > Feeds function is not able to distribute .feed files so this script is required to fill that gap.
You could modify the script to pull down the feed files from a central internal server and then crontab the script to perform this on a regular schedule to keep the .feed files updated on all the *Decoders in your environment
This also takes a first swing at writing a log message from the script when its completed to create a log message that you could use in RSA NW to correlate or chart (or forward to another SIEM).
Also as a side note if you get a .feed file and are wondering what metadata keys are used to write into you can always look at the decoder > explore /decoder/parsers/feeds and locate the feed there where you will be able to see stats about the feed including which metakeys are read from (feed.callbacks) and written to (feed.meta) (but not the actual values that may be written)
an example from the Crowdstrike email feed
1 Comment
