2 weeks ago
Hi NetWitness family,
I want to create many metakeys that fall under the 'msg' meta category. Does anyone have a step-by-step process for creating custom metakeys? Please help!
a week ago
Can you provide an example of one of the metakeys you would like to create?
When it comes to creating metakeys under existing meta language keys such as msg, it really depends on what you are wanting to accomplish and how you can go about accomplishing it. Currently the three ways you can create meta under language keys such as msg are: parsers, application rules, and feeds.
If you want to create it using a feed, you can look at my last response in https://community.netwitness.com/t5/netwitness-discussions/how-to-use-external-lists-in-making-rules-queries-alerts-when/td-p/716109.
Here are the instructions for creating application rules: https://community.netwitness.com/t5/netwitness-platform-online/configure-decoder-rules/ta-p/669145
This talks about creating custom log parsers: https://community.netwitness.com/t5/netwitness-platform-online/create-custom-log-parser-rules/ta-p/669376
When it comes to packet parsers you have to understand Lua. We currently do not have a public-facing guide that I can find for creating these. I do know you really have to understand how sessions are put together to know how to make these work correctly.
I hope this helps.
Thursday
Thank you for your response.
In my scenario, I want to create a rule that triggers an alert from the SIEM whenever changes occur in the firewall, such as when an object is added or a policy or rule is created, modified, or deleted.
We have meta keys like ec.activity and ec.outcome for user login and logout events. However, when a user updates any policy or rule, that log is recorded through the message field. How can I create a custom meta key for that requirement?
Tuesday
The first thing that is needed is to get the pieces into their own meta. Based on the images that you have provided, the only way to do this is via a custom parser rule. The other way is to look over all the current meta data available for the current log and see if there are any other meta keys that contain the information you can key off of. If there are none, then a custom parser rule is the only way.
The instructions for custom log parsers that I provided previously are what you will need to follow to pick apart the information that shows up in the msg meta. This msg meta is what is in the raw log minus the time stamp information. The instructions in the link provided above will walk you through the process.
If you are looking for NetWitness to create the log parser for you then there are two options.
The first is to open a support case and provide a sample of the log that you want parsed. Support will pass it to our Content team, and the default log parser may be updated to accommodate your request. However, this can take weeks or months before the update is put into Live. If the data is something that our Content team feels is not forensically important, they will not make any updates.
The second option is to use our Professional Services to create the custom log parser for you. This does cost money but they will work with you directly to address your request.
Personally I would suggest reviewing the document linked above and coming to Support if there are any questions about what you have read. I think you may find it more rewarding creating your own parser, as you will be able to customize your environment faster the next time you need to pull out meta that doesn't already exist.
I hope this helps.
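To make the two-step idea in the answer above concrete (first pull the pieces of msg into their own meta keys, then key an alert off those keys), here is an added Python illustration. It is not NetWitness parser or application-rule syntax and is not from the thread; the firewall log lines and the obj.type/obj.name key names are constructed for the example.

```python
import re

# Constructed sample firewall syslog lines (not real vendor output).
SAMPLE_LOGS = [
    "2024-05-01T10:02:13Z fw01 user=alice action=login outcome=success",
    "2024-05-01T10:05:47Z fw01 user=alice action=modified object=policy name=allow-web outcome=success",
    "2024-05-01T10:06:02Z fw01 user=bob action=deleted object=rule name=deny-ssh outcome=failure",
    "2024-05-01T10:07:30Z fw01 user=bob action=logout outcome=success",
]

TS_RE = re.compile(r"^(\S+)\s+(.*)$")      # leading timestamp, then the rest
KV_RE = re.compile(r"(\w+)=(\S+)")         # key=value tokens inside the message
CHANGE_ACTIONS = {"added", "created", "modified", "deleted"}


def parse_log(line):
    """Mimic a custom parser rule: msg is the raw log minus its timestamp,
    and each key=value piece is lifted into its own meta key."""
    ts, msg = TS_RE.match(line).groups()
    kv = dict(KV_RE.findall(msg))
    meta = {
        "time": ts,
        "msg": msg,
        "user": kv.get("user"),
        "ec.activity": kv.get("action"),
        "ec.outcome": kv.get("outcome"),
    }
    # Custom keys (hypothetical names) only exist for configuration-change events.
    if "object" in kv:
        meta["obj.type"] = kv["object"]
        meta["obj.name"] = kv.get("name")
    return meta


def is_config_change(meta):
    """Application-rule style condition: fire when a policy, rule or object
    is added, created, modified or deleted, regardless of outcome."""
    return meta.get("ec.activity") in CHANGE_ACTIONS and "obj.type" in meta


def alerts(lines):
    """Parse every line and return only the events an alert should fire on."""
    return [m for m in map(parse_log, lines) if is_config_change(m)]
```

Login and logout events still land in ec.activity and ec.outcome as before, but the alert fires only once the object and name pieces have been parsed out of msg into their own keys.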