Hi Xue,
You can import a CSV formatted list of IOCs into what's called a "feed" within NetWitness. This mechanism allows you to tag any traffic from that point forward that matches an entry in the list by adding metadata to the session that can then be searched or used in detection logic if you wish.
Instructions on using the feeds component can be found here: Live: Create a Custom Feed
While I'd recommend starting with the custom feed approach, you also have the ability to take advantage of the Context Hub for highlighting matching values for data that has already been captured. Feeds themselves will not not be processed on or tag data prior to the date they are enabled. The Context Hub approach is intended as a visual investigative aid, and requires the particular IOC value to be visible within the Investigate portion of the interface. A good blog post explaining this interaction can be found here: https://community.rsa.com/docs/DOC-63261
Hope this helps.
Sean
