2014-12-30 09:07 AM
I was looking through some logs, and noticed that some of the ir.general fields are populated with 'first_carve' and 'first_carve_!dns'. Does anybody know what these mean?
2014-12-30 10:21 AM
Yes. From my observations, that meta is created for analysts (IR) to perform a first round of meta reduction from the field of view. By creating those kinds of tactical pivots, analysts can exclude a lot of data that may not be necessary for an initial triage assessment.
For example, if I wanted to focus on outbound traffic of my users, I would look for RFC1918 addresses as a source and something OTHER than an RFC1918 as a destination.
The 'ir.general' meta key is a custom meta key that can be used by analysts to carve up data they know about their networks for either inclusion or exclusion in other searches.
Chris
2014-12-30 10:57 AM
Thanks Chris! So, I get that the IR general provides more context, but what would the keys 'first_carve' and 'first_carve_!dns' mean?
2014-12-30 11:03 AM
I believe those are application rules, so you could check in the decoder for the exact content. Those are to create meta around sessions that would typically be excluded.
Typically, you would right-click !EXISTS on that meta value (first_carve) and reduce the amount of data to sift through.
They could also be used in other application rules to further refine those rules and provide better focus on specific content you would be looking for.
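The RFC1918 outbound pivot Chris describes and the !EXISTS reduction on a populated ir.general key, as an added Python example that is not from this thread or from the product. The session records are constructed, and the rule that populates 'first_carve' here is a stand-in, since the real application rule content lives in the decoder.

```python
import ipaddress

# Constructed sample sessions (not real log data); the ip.src / ip.dst
# fields stand in for the session meta an analyst pivots on.
SESSIONS = [
    {"id": 1, "ip.src": "10.1.2.3",      "ip.dst": "93.184.216.34"},  # internal -> external
    {"id": 2, "ip.src": "10.1.2.3",      "ip.dst": "10.1.2.53"},      # internal -> internal
    {"id": 3, "ip.src": "192.168.5.7",   "ip.dst": "203.0.113.9"},    # internal -> external
    {"id": 4, "ip.src": "198.51.100.20", "ip.dst": "172.16.0.4"},     # external -> internal
    {"id": 5, "ip.src": "172.16.0.4",    "ip.dst": "172.31.255.1"},   # internal -> internal
]

# Exactly the RFC1918 ranges (is_private would also match loopback etc.).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def apply_carve_rule(session: dict, tag: str = "first_carve") -> dict:
    """Populate ir.general when the rule matches.

    Hypothetical stand-in rule: both endpoints are RFC1918, i.e. internal-only
    traffic an analyst might set aside during first-round triage.
    """
    if is_rfc1918(session["ip.src"]) and is_rfc1918(session["ip.dst"]):
        session.setdefault("ir.general", []).append(tag)
    return session


def outbound_pivot(sessions: list) -> list:
    """Chris's pivot: RFC1918 source talking to something OTHER than RFC1918."""
    return [s for s in sessions if is_rfc1918(s["ip.src"]) and not is_rfc1918(s["ip.dst"])]


def not_exists(sessions: list, key: str = "ir.general") -> list:
    """The right-click !EXISTS reduction: keep only sessions where the key was never populated."""
    return [s for s in sessions if key not in s]


if __name__ == "__main__":
    tagged = [apply_carve_rule(dict(s)) for s in SESSIONS]
    print("outbound:", [s["id"] for s in outbound_pivot(tagged)])   # [1, 3]
    print("!EXISTS ir.general:", [s["id"] for s in not_exists(tagged)])  # [1, 3, 4]
```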