2014-01-28 04:26 PM
I want to search in Informer for email subjects of known malicious emails. It does not appear that the subject field is available when creating rules in Informer. Is there a way to make this field available?
2014-01-29 05:59 AM
Hi
Even meta keys not displayed in the "meta library" list in Informer can be used, both as part of the select and where clauses, in any rule; all you need to do is enter them manually!
However, the reason why they are not there is quite relevant: these keys are normally not indexed, so performing queries on/with them will cause responses to be considerably slower.
If you need to regularly use these non-indexed keys in your queries, it is recommended that you consider turning them into IndexValues keys instead of their current default. This change should only be done on your Concentrators, never on the Decoders.
Hope that helps!
Regards,
Rui
2014-01-29 08:59 AM
Thank you for that information. Is there a way to tell how much space an index is taking or will take on the concentrator?
2014-01-31 09:36 AM
There's an inspect command if you use Explorer under the "index" node.
So on your concentrator, right-click "Explorer", browse to "index", right-click "properties", select "inspect" from the dropdown and hit send.
Hope that helps!
Regards,
Rui
2014-01-31 10:28 AM
That was very helpful thank you. How do you read each of these lines?
size=1419360456 (Is this in bytes?) packets=21.... summary1=40151070 summary2=40361980 session1=232394857 session2=232593965 ]
Phil
2014-01-31 02:26 PM
Hi Phil,
I'll have to defer to someone else on exactly what each of those are, the only one I'm familiar with is "values" which is the count of unique/distinct values for that key in the time slice listed.
Sorry I can't be more help!
Regards,
Rui
2014-02-03 12:31 PM
After you get the subject indexed, you will want to create a Live Feed of your known malicious subjects. The SA Live Feed Wizard is great for this. Be sure you set it for a non-IP feed and use subject as the meta callback.
2014-02-03 02:26 PM
Hey Fielder,
Do you know any good sites that do this?
I am currently using phishtank for domains that are known phishing sites but I can't seem to find any with subject lines.
2014-04-11 11:25 AM
I don't think subject lines would be a good idea for creating a feed. For example, the top 5 phishing subject lines are very, very common; you will have too many false positives.
1. Invitation to connect on LinkedIn
2. Mail delivery failed: returning message to sender
3. Dear <insert bank name here> Customer
4. Comunicazione importante
5. Undelivered Mail Returned to Sender
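An added example, not code from this thread nor from RSA Security Analytics, to illustrate the two posts above: what a value feed keyed on the "subject" meta effectively does (an exact lookup of each session's subject against the feed's value list), and why the generic subjects in the top-5 list produce false positives. The feed format, the sample sessions and the sender-domain refinement are all constructed assumptions; the real Live Feed Wizard and feed engine are not modelled here.

```python
# Added example (not from the thread or the product): simulate a feed whose
# meta callback is "subject" and measure how many hits land on benign mail.
# The feed file layout and matching rules below are simplifying assumptions.
from collections import Counter

# Constructed feed: the five subjects listed in the last post.
MALICIOUS_SUBJECTS = [
    "Invitation to connect on LinkedIn",
    "Mail delivery failed: returning message to sender",
    "Dear <insert bank name here> Customer",
    "Comunicazione importante",
    "Undelivered Mail Returned to Sender",
]

# Constructed sample of email sessions: (subject, sender domain, ground truth).
# The ground-truth label exists only to count false positives in this demo;
# a real feed has no such column.
SAMPLE_SESSIONS = [
    ("Invitation to connect on LinkedIn", "linkedin.com", "benign"),
    ("Invitation to connect on LinkedIn", "linkedin-mail.example", "phish"),
    ("Undelivered Mail Returned to Sender", "mail.corp.example", "benign"),
    ("undelivered mail returned to sender", "bounce.evil.example", "phish"),
    ("Comunicazione importante", "poste.example", "phish"),
    ("Q3 budget review", "corp.example", "benign"),
    ("Mail delivery failed: returning message to sender", "mail.corp.example", "benign"),
]

# Assumed allow-list: domains that legitimately send each generic subject.
EXPECTED_SENDERS = {
    "invitation to connect on linkedin": {"linkedin.com"},
    "undelivered mail returned to sender": {"mail.corp.example"},
    "mail delivery failed: returning message to sender": {"mail.corp.example"},
}


def normalize(subject: str) -> str:
    """Case-fold and collapse whitespace so trivial variants still match."""
    return " ".join(subject.split()).casefold()


def build_feed(values):
    """A value feed is, in effect, a set keyed on the callback meta value."""
    return {normalize(v) for v in values}


def match_feed(feed, sessions):
    """Return every session whose subject meta is an exact hit on the feed."""
    return [s for s in sessions if normalize(s[0]) in feed]


def hit_summary(feed, sessions):
    """Count feed hits by ground-truth label to expose the false-positive share."""
    return Counter(label for _, _, label in match_feed(feed, sessions))


def match_feed_with_sender(feed, sessions, expected_domains):
    """Illustrative refinement (an assumption, not a product feature): keep a
    subject hit only when the sender domain is not one that legitimately sends
    that subject. expected_domains maps normalized subject -> allowed domains."""
    kept = []
    for subject, domain, label in match_feed(feed, sessions):
        if domain not in expected_domains.get(normalize(subject), set()):
            kept.append((subject, domain, label))
    return kept


if __name__ == "__main__":
    feed = build_feed(MALICIOUS_SUBJECTS)
    print("subject-only feed hits:", hit_summary(feed, SAMPLE_SESSIONS))
    for hit in match_feed_with_sender(feed, SAMPLE_SESSIONS, EXPECTED_SENDERS):
        print("hit after sender check:", hit)
```

Run as a script, the subject-only feed fires on six of the seven sessions, half of them benign LinkedIn notifications and genuine bounces, which is the false-positive problem the last post describes; requiring a second condition on the sender cuts the benign hits in this constructed sample to zero.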