2014-08-07 05:05 PM
I have a few questions regarding Live feeds:
1. Is there a best practice for finding out which feed generated which meta, and based on what observation? If one log entry results in meta generated from multiple feeds, it is hard to find what came from where. I'm hoping for built-in functionality for SA to, for example, populate the feed.name meta based on the feed (feed name / file name). At the moment that particular meta does not seem to be used that widely, which is a shame.
2. Linked to the first question is how to filter out certain values that are looked for in 3rd party feeds. I tried adding a .filter file named similarly to the feed which I was quite sure was generating the false positives I wanted to leave out. I tried this both in the /etc/netwitness/ng/ and ../feeds paths, but to no avail. Services were not restarted, but I issued the /decoder/parsers a reload instruction. I understand I could create an application rule to create a meta value describing that particular domain, IP or whatever to be "whitelisted", but I want to cut down on the meta that is currently populated to threat.category etc. based on false positives.
Am I doing something wrong, or did I just presume wrong about the feed name that is generating the false positives? And if so, we're back at question number 1: how can I find out for sure what is creating what, based on what? I had a hard time finding anything regarding feed filters in the SA documentation.
2014-08-12 01:13 PM
Current SA Version = 10.3.3
Going to attempt to help with question 1 first. So feed.name, from what I know, is a carry-over from NetWitness and is not widely used now. The new uses are threat.source, threat.desc, threat.category.
Assuming we are talking about the third party feeds in RSA Live.
The feed name will look almost identical to the live information inside the meta of threat.source. The netwitness feed will bring more default information like default passwords/accounts.
If you are talking about feeds that you are importing from other places via the feeds management window, you have the ability to label during the initial configuration.
Second question:
Because of the way SA ingests data, I don't think the filtering will work nicely without app rules. I believe when the data comes in it hits the parsers -> hits feeds -> hits app rules -> hits correlation rules. So from my knowledge you would only be able to do it with an app rule and then filter based on that. It could be possible to use the filters you added, but I do not have the knowledge to help you out on that part.
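The provenance problem from question 1 (several feeds writing into the same threat.* keys, with no record of which feed wrote which value) and the whitelist-by-app-rule workaround from the reply can both be modelled in a few lines. The following is an added example, not code from the original thread and not RSA Security Analytics' feed engine: the feed layout (a match key plus indicator-to-meta mapping), the feed names, the session values and the `whitelist` parameter are all constructed for illustration. It shows what a feed stage would need to record so that any threat.category value can be traced back to the feed and indicator that produced it.

```python
"""Toy feed stage that records provenance for every meta value it writes.

Added example (not RSA SA code): feed definitions, the sample session and
the whitelist mechanism are constructed assumptions used only to show how
meta-to-feed attribution can be tracked.
"""
from dataclasses import dataclass


@dataclass
class Feed:
    name: str          # feed file / Live feed name (constructed)
    key: str           # session meta key the feed matches on, e.g. "alias.host"
    indicators: dict   # indicator value -> dict of meta keys/values to write


@dataclass
class Match:
    feed: str          # which feed fired
    indicator: str     # which observed value it matched
    meta: dict         # what it wrote


# Constructed feeds. Two of them deliberately overlap on the same indicator
# so that threat.category ends up with values from more than one source.
FEEDS = [
    Feed("third_party_domains", "alias.host",
         {"bad.example.net": {"threat.source": "third_party_domains",
                              "threat.category": "malware",
                              "threat.desc": "example C2 domain"}}),
    Feed("suspicious_ips", "ip.dst",
         {"203.0.113.7": {"threat.source": "suspicious_ips",
                          "threat.category": "scanner"}}),
    Feed("company_hosts", "alias.host",
         {"bad.example.net": {"threat.source": "company_hosts",
                              "threat.category": "scanner"}}),
]

# Constructed session: one log entry after parsing, meta key -> list of values.
SESSION = {"alias.host": ["bad.example.net"], "ip.dst": ["203.0.113.7"]}


def run_feeds(session, feeds, whitelist=()):
    """Apply every feed to a parsed session; return (written meta, provenance).

    `whitelist` is a set of (feed name, indicator) pairs to skip. It stands in
    for the app-rule-based suppression the reply recommends; a real deployment
    would express it as an app rule, not as an argument here.
    """
    written = {}       # meta key -> list of values, all feeds merged
    provenance = []    # one Match per (feed, indicator) hit
    for feed in feeds:
        for value in session.get(feed.key, []):
            meta = feed.indicators.get(value)
            if meta is None or (feed.name, value) in whitelist:
                continue
            provenance.append(Match(feed.name, value, dict(meta)))
            for k, v in meta.items():
                written.setdefault(k, []).append(v)
    return written, provenance


def who_wrote(provenance, key, value):
    """Question 1: which feed(s) put `value` into meta key `key`, and on what match."""
    return [(m.feed, m.indicator) for m in provenance if m.meta.get(key) == value]


if __name__ == "__main__":
    written, prov = run_feeds(SESSION, FEEDS)
    print("merged meta:", written)
    print("who wrote threat.category=scanner:",
          who_wrote(prov, "threat.category", "scanner"))
    # Suppress the overlapping hit the way an app rule would, then re-check.
    written, prov = run_feeds(SESSION, FEEDS,
                              whitelist={("company_hosts", "bad.example.net")})
    print("after whitelist:", written.get("threat.category"))
```

Without provenance, the merged `threat.category` list (`malware`, `scanner`, `scanner`) gives no hint that the two `scanner` entries came from different feeds on different indicators; with it, `who_wrote` answers the question directly, and the whitelist step shows how suppressing one (feed, indicator) pair removes only that feed's contribution while leaving the other feeds' meta untouched.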