This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Security Analytics Threat Feeds

WardellMotley1
Beginner
Beginner

‎2016-07-28 10:46 AM

What kind of format does Security Analytics  ingest for threat feeds?

4 REPLIES 4

EricPartington
Employee
Employee

‎2016-07-28 11:04 AM

pre 10.6.1 feeds are in csv format

https://community.rsa.com/docs/DOC-41996

 

10.6.1 and after you have the ability to also read STIX formatted data.

 

most use cases will require a script that can be crontab run from the SA head server to reach out and grab threat data from an external site then write it to the SA webserver root directory (/var/netwitness/srv/www/feedname.csv) where you can run a recurring custom feed to read from that localhost directory to pull that data into SA on a schedule (http://127.0.0.1/feedname.csv)

EricPartington
Employee
Employee

‎2016-07-28 01:09 PM

If you are looking for an example of how the feed should be structured this is an old post but an interesting use case to look at

 

Import This Malicious User-Agent String Feed

0 Likes

Anonymous
Not applicable

‎2016-08-02 12:11 AM

There is also the product documentation available here that describes how to create a custom feed using CSV for STIX files: Manage Custom Feeds - RSA Security Analytics Documentation

0 Likes

KyleHowson
Beginner
Beginner

‎2016-08-04 01:09 PM

I also have this question as I'm finding while looking through the feeds that there are a LOT of false positives and looking for strategies to sort through the noise. One question I posed in another thread is about RSA feeds not publishing further meta such as threat.category or more data we can flag on.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.