NetWitness Community

AntonioTeixeira · ‎2018-09-28

Hi! I like to enrichment a List (Create a Blacklist) using a rule, when an IP do a specific behavior add to a list, I try put something like this in the end of the rule, but don't work:

insert into BlackList
select ip_src;

I "call" the list in the beginning of the rule @UsesEnrichment(name="BlackList"),

Any suggestions?

BijuVasudevan · ‎2018-09-29

In case of RE you have to use the Dynamic list feature to update the list values. You can overwrite a list or append the values. Refer the details how to update the list values based on the rule you define below. Also, if you want the values to be updated at regular frequency then schedule a report using this rule and the list values will keep on updating based on what it matches the rule.

https://community.rsa.com/docs/DOC-84091

EricPartington · ‎2018-10-01

There is no current way to insert a value from ESA into a context hub list for use in another ESA rule. ONly reading from a list is supported. Writing to a list would be a very handy feature and has been asked for but .. not yet there.

BijuVasudevan · ‎2018-10-02

That's correct Eric, writing from ESA to CH list is not possible and its in the backlog for future release with some more additional capabilities planned for CH list from other components of NW Product. In 11.2 CSV feed file is automatically converted to CH list this capability was added

TiagoCardoso · ‎2018-10-09

But it there any way to Insert information from an ESA rule into a data base or something similar to a list?

JoshRandall · ‎2018-10-09

Maybe this can help: https://community.rsa.com/community/products/netwitness/blog/2018/10/09/auto-updating-context-hub-lists-from-esa-alerts.

Mr. Mongo

TiagoCardoso · ‎2018-10-09

Thanks a lot, Joshua. I got to test it asap.

AnkushBaveja · ‎2018-10-10

Great post Joshua!

NetWitness Community

Enrichment a List