This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Processing sequence

MaximilianoCitt
Frequent Contributor
Frequent Contributor

‎2017-11-08 11:23 AM

I know that in a Log Decoder Service, the log processing sequence is like:

Parsers --> Rules --> Feeds

but, I need to create an App Rule to generate meta based on other meta generated by a custom feed.

The use case is as follows:

 

I got a user.src and search that username in a custom feed. The feed enrich that meta with a new one: user.src.name. I want to generate an alert meta when in a log I got user.src but not user.src.name.

 

any ideas?

0 Likes
8 REPLIES 8

Anonymous
Not applicable

‎2017-11-08 11:26 AM

I believe feeds are applied before App Rules. Feeds should be applied right after the parsing stage, so you're able to refer to meta generated by them in App Rules. Note that App Rules are run in top-down fashion, like a firewall rule chain, so app rules can even refer to other app rules as long as they're placed below them in-order. 

Anonymous
Not applicable

‎2017-11-08 11:28 AM

Could be just as simple as

 

user.src exists && user.src.name !exists

 

You might want to add some additional context in there such as

 

medium=32 <-- logs only

device.type = xxxx <-- focus on one or n device types this should focus on

 

Ahearn

Anonymous
Not applicable

‎2017-11-08 11:29 AM

Also...

 

The common order of operations was Parsers, Feeds, then App rules. However, its really about tokens.

 

I've had parsers look for tokens that would only be created by app rules.

 

Anyways...just wanted to clarify.

 

Ahearn

JohnSnider
Trusted Contributor Trusted Contributor
Trusted Contributor

‎2017-11-08 11:36 AM

Chris is correct on the order of operations, but as a note, ANY new meta generated (by app rule or parser or feed) will cause a re-processing of the feeds.  So it you generate a meta-value in an application rule or another feed, that could affect any other feeds (feeds using that meta-key as an index value) then those feeds will re-process and generate any meta values if the feed gets a hit, which could then cause other feed(s) to process, etc.

MaximilianoCitt
Frequent Contributor
Frequent Contributor
In response to Anonymous

‎2017-11-08 11:40 AM

So, this video is wrong?

Video Link : 21256 

0 Likes

Anonymous
Not applicable
In response to MaximilianoCitt

‎2017-11-08 11:59 AM

Not necessarily.

 

Feeds are triggered by matching against meta in a particular key or keys it is configured to look at.

 

App rules are made by combining 1 or more pieces of meta and calling it some other new piece of meta. They usually operate at the end of the session. If you took a close look at the meta in a session, note the order in which it is presented. That is the order in which the meta was generated as well. In many cases, app rules are toward the bottom.

 

Chris

MaximilianoCitt
Frequent Contributor
Frequent Contributor
In response to Anonymous

‎2017-11-08 12:05 PM

Thank you so much for your time and to clarify this.

0 Likes

Anonymous
Not applicable

‎2017-11-12 01:05 PM

Capture.PNG

 

Attached is a document I created to illustrate the processing order.

 

Contact me if you would like a copy of the original file.

0 Likes
li.common.scroll-to.top
© 2022 RSA Security LLC or its affiliates. All rights reserved.