This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Custom Feed - Domains not indexed in Investigation

EvanRamos1
Beginner
Beginner

‎2017-08-24 01:31 PM

Howdy all.

 

Just recently created two custom feeds. One is IPs , the other attempt is unique domain names going into custom meta. The domain names are not being indexed, and no errors are seen on my log decoder.  For the most part, i followed this: https://community.rsa.com/docs/DOC-78049  , everything is lowercase being imported.

 

Any ideas what might be wrong? Or setup incorrectly?

 

My feed setup is as follows -

Type: Non-IP

Index Column: 1

Service Type: 0

Truncate Domain: Enabled

Callback Key(s): domain.dst (i've tried alias.host, domain too).

 

XML -

<FlatFileFeed comment="#" separator="," path="otxdomainiocs.csv" name="otxdomainiocs">
<MetaCallback truncdomain="true" apptype="0" valuetype="Text" name="domain.dst"/>
<LanguageKeys><LanguageKey valuetype="Text" name="otxc2.domainioc"/>
</LanguageKeys><Fields><Field type="index" index="1"/>
<Field key="otxc2.domainioc" type="value" index="2"/>

 

Example data being imported and wanting to index. 

 

anh.phimhainhat.net,otx_c2domainioc
dalat.dalat.dulichovietnam.net,otx_c2domainioc
dalat.dulichovietnam.net,otx_c2domainioc
dalat.hanoi.dulichovietnam.net,otx_c2domainioc
danang.dalat.dulichovietnam.net,otx_c2domainioc

0 Likes
7 REPLIES 7

david_waugh
Beginner
Beginner

‎2017-08-24 01:44 PM

In you metacallback line you need ignorecase="true"

 

Sent from my iPhone

0 Likes

EvanRamos1
Beginner
Beginner
In response to david_waugh

‎2017-08-24 02:25 PM

Thanks David. I tired that and still no go. Hmmmmm....I'll keep messing with values in the xml i guess.

 

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<FDF>
  <FlatFileFeed comment="#" separator="," path="otxdomainiocs.csv" name="otxdomainiocs">
    <MetaCallback truncdomain="true" apptype="0" valuetype="Text" ignorecase="true" name="domain.dst" />
    <LanguageKeys>
      <LanguageKey valuetype="Text" name="otxc2.domainioc"/>
    </LanguageKeys>
    <Fields>
      <Field type="index" index="1"/>
      <Field key="otxc2.domainioc" type="value" index="2"/>
    </Fields>
  </FlatFileFeed>
</FDF>
0 Likes

BrianKeenan
Beginner
Beginner

‎2017-08-24 02:56 PM

Since this is new meta you are creating have you added the otxc2.domainioc to your concentrator custom index file and set it to index values?

0 Likes

EvanRamos1
Beginner
Beginner
In response to BrianKeenan

‎2017-08-24 04:24 PM

Yup. Here is what i put in the index files -

 

index-concentrator-custom.xml - 

<key description="otxc2-domainioc" format="Text" level="IndexValues" name="otxc2.domainioc" valueMax="250000" />

 

index-logdecoder-custom.xml -

<key description="otxc2-domainioc" format="Text" level="IndexNone" name="otxc2.domainioc" />

 

index-decoder-custom.xml -

<key description="otxc2-domainioc" format="Text" level="IndexNone" name="otxc2.domainioc" />
0 Likes

SravanKoneti1
Beginner
Beginner
In response to EvanRamos1

‎2017-08-25 02:43 AM

Hi Evan,

 

Please try below xml contents.

 

 

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<FDF>
<FlatFileFeed comment="#" separator="," path="otxdomainiocs.csv" name="otxdomainiocs">
<MetaCallback valuetype="Text" ignorecase="true" name="domain.dst" />
<LanguageKeys>
<LanguageKey valuetype="Text" name="otxc2.domainioc"/>
</LanguageKeys>
<Fields>
<Field type="index" index="1" key="domain.dst"/>
<Field type="value" index="2" key="otxc2.domainioc"/>
</Fields>
</FlatFileFeed>
</FDF>

0 Likes

EricPartington
Employee
Employee

‎2017-08-28 01:39 PM

can you post the link if possible to the original feed data from  OTX? i'd like to see if there is a better way to import this that does not require a manual XML and custom metakey to  make your life a bit easier.

0 Likes

EvanRamos1
Beginner
Beginner
In response to EricPartington

‎2017-10-04 02:10 PM

Hey Eric,

 

Sorry for a late reply. Yeah, i can give a snippet of the original feed data from OTX (pre adjusting data to NW feed).  Since this is public API stuff, no big deal.    https://file.io/45PGV6    <-just a .zip file , no tricks. lol. 

 

So i did test the feed by putting in a domain (that is indexed already in domain metakey) , and it worked. So i'm guessing this is setup right i just dont have any of the bad domain IOCs in my network.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.