2016-11-16 03:54 PM
Community,
I am looking to deploy the Hunt and Investigation Feeds. The instructions talk about adding meta keys to the concentrator, but no details are given on how to add those meta keys to the decoders as well. Aren't we supposed to add them in both locations? Below I have added a link to the Investigations article
Thanks
2016-11-17 05:50 AM
No, they are not added to the index-decoder-custom.xml.
That file would only be used if I needed to manually add a meta key that wasn't created by a parser or a feed. I used to only do that for application rules going into custom meta keys.
However, there are ways to have those keys for application rules automatically added to the index without having to modify the custom index file. Instead of selecting a key to write meta for an application rule, you could just write the name of the custom key.
Chris
Sent from my mobile device
2016-11-16 04:19 PM
Nope, meta keys just have to be added on the concentrator
Sent from my iPhone
2016-11-16 07:30 PM
How does the decoder know where to put the meta it generates if it doesn't have keys?
2016-11-16 08:31 PM
Actually, when deploying parsers or feeds, the decoder reads them and if it sees that the parser or feed is writing to a meta key that the decoder does not already have, it will automatically add it. This has been the case since 9.8.x I think.
Therefore, you would only need to add the meta keys to the concentrator if you wish to index and query against that meta.
You can open a shell to the decoder, run tail -f /var/log/messages and then deploy the feed. You should see the meta key get created.
Chris
2016-11-16 10:54 PM
First, really great answer, but it leads me to a follow-up question... In certain cases where whitelisting is used the meta generated may not be accessible via investigation since the new keys need to have access granted to them. Since they are generated as a result of the loading of the feed or parser, are these keys automatically added to the index-decoder-custom.xml so they can be read as new keys to secure?
2016-11-17 05:37 AM
If you want to set permissions on the new meta keys, you will have to manually add them as IndexNone to the index-decoder-custom.xml. Otherwise the key will not be shown within the service's "Security" section to blacklist or whitelist.
Andreas
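As an added illustration (not a file from the thread or from the product documentation), the two custom index entries the replies describe: the decoder copy only registers the key as IndexNone so it appears under the service's Security section for whitelisting or blacklisting, while the concentrator copy indexes it so it can be queried in Investigation. The key name hunt.category is a constructed placeholder, and the key element attributes (description, format, level, name) and the language root element are assumed to follow the usual custom index file layout.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- index-decoder-custom.xml (assumed layout): the decoder already creates the
     key when the feed loads; this entry exists only so the key is listed in the
     service's Security section and can be granted or denied to roles. -->
<language level="IndexNone" defaultAction="Auto">
    <!-- hunt.category is a constructed placeholder for a feed-written meta key -->
    <key description="Hunt Category" format="Text" level="IndexNone" name="hunt.category" />
</language>
```

On the concentrator the same key gets an indexed entry, e.g. level="IndexValues" in index-concentrator-custom.xml, which is the step that makes the meta searchable; the decoder entry alone does not index anything.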