2016-08-04 01:06 PM
Hello,
Recently I've noticed that the threat source 'rsa-firstwatch' has disappeared and we are left with only a threat desc of http://firstwat.ch/amgxxb or whatever it may be. In an attempt to filter through the noise, I tried to flag only on IOCs that provide a threat category, and it seems that as soon as you do this, you lose all FirstWatch data feed information. Is there a reason that FirstWatch isn't generating this meta, or is there a meta I am missing?
2016-08-08 09:16 AM
Can you check the REST interface of the feeds you are seeing as having reduced meta written for them?
decoder/log decoder > explore > decoder > parsers > feeds > "feedname"
Select the feed name you have subscribed to.
You will see the feed details listed on the page.
feed.callbacks are the meta keys that the feed matches on (primary key).
feed.meta are the meta keys that are written when a match is located with the feed.callbacks keys.
Check the keys for which you are seeing only the one meta value written, and see if any of the feeds have only one meta key in the feed.meta entry.
I also have a script that can grab all the feeds that are subscribed to in an environment if you want to grab the details en masse for operational purposes or archiving.
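As an added illustration of the check described above (not the poster's script, and not code from the thread), the snippet below cross-checks feed definitions against the meta keys a query filters on. The thread does not show the raw output of the REST node, so the dictionary layout and the sample feeds are constructed assumptions.

```python
# Added example: given feed definitions as read from the decoder's REST
# "parsers > feeds > <feedname>" node, report feeds that write only one meta
# key and feeds that a query requiring certain keys would silently exclude.
# The dict layout and the feed names below are constructed (the thread does
# not show the real REST output); the key names follow the thread.

SAMPLE_FEEDS = {  # constructed sample data, not real feed definitions
    "rsa-firstwatch-sample": {
        "feed.callbacks": ["ip.dst", "alias.host"],
        "feed.meta": ["threat.desc"],                  # single meta key only
    },
    "custom-ioc-feed": {
        "feed.callbacks": ["ip.src", "ip.dst"],
        "feed.meta": ["threat.source", "threat.category", "threat.desc"],
    },
    "dns-watchlist": {
        "feed.callbacks": ["alias.host"],
        "feed.meta": ["threat.source", "threat.desc"],
    },
}


def single_meta_feeds(feeds):
    """Feeds whose feed.meta writes only one key (the symptom in the thread)."""
    return sorted(n for n, f in feeds.items() if len(f["feed.meta"]) == 1)


def feeds_hidden_by_filter(feeds, required_keys):
    """Feeds that can never satisfy a query requiring every key in
    required_keys, because they never write at least one of those keys."""
    req = set(required_keys)
    return sorted(n for n, f in feeds.items() if not req <= set(f["feed.meta"]))


def meta_written_by(feeds, meta_key):
    """Feeds that populate a given meta key, e.g. threat.category."""
    return sorted(n for n, f in feeds.items() if meta_key in f["feed.meta"])


if __name__ == "__main__":
    print("single-key feeds:", single_meta_feeds(SAMPLE_FEEDS))
    print("hidden by a 'threat.category exists' filter:",
          feeds_hidden_by_filter(SAMPLE_FEEDS, ["threat.category"]))
    print("feeds writing threat.source:",
          meta_written_by(SAMPLE_FEEDS, "threat.source"))
```

Run against the real feed list exported from the REST interface, the second function shows up front which feeds a threat.category-only filter will drop.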
2016-08-08 10:33 AM
Thank you, that is extremely helpful and shows that the FirstWatch feeds are supposed to populate the threat.desc meta field, but it still seems as though RSA is not doing this yet. You can see that the feed is generating that meta, but if you filter on RSA FirstWatch as the threat.src and look at the threat.desc, they are all empty. Thank you for showing me where to look at this, though; this was extremely helpful for another issue I was having with a custom feed.