2012-10-04 04:44 PM
Does anyone have a good example for creating domain-based NetWitness feeds? We have Live Manager and many of the domain feeds enabled, but would like to deploy custom domain feeds from other internal threats or intel. Any assistance would be greatly appreciated, thanks!
2013-01-09 02:19 PM
You are referencing a key of watchlisthostname:
<Field index="1" type="index" key="watchlisthostname"/>
Does that key exist in your index? If not, try just:
<Field index="1" type="index" />
2014-02-05 12:19 PM
Sorry to bump this thread, but it describes exactly what I am trying to do. I understand the XML. What I don't understand is where hits on this feed will appear within Investigator, e.g. in which report. What report type will this Meta appear under (e.g. 'risk: informational' or 'risk: warning', etc.)? Where is this set?
More generally, does anyone have a document they are willing to share on creation of custom feeds? The user guide is a bit vague in this area!
2014-02-05 01:04 PM
Are you running SA? Or still using 9.8?
2014-02-06 04:49 AM
Hi,
Thanks for getting back to me.
Still on 9.8 but plan to move to SA quite soon.