2022-02-14 04:01 AM
I was told that it's possible to use a context hub list or a feed in application rules to filter out/in values from those lists or feeds.
I'm unsure on what the syntax would be to accomplish this, could someone provide an example of how to achieve?
Thanks.
2022-02-15 03:59 AM
This is true for feeds and STIX/TAXII, which you subscribed to via the Context Hub.
But Application Rules cannot make use of Context Hub Lists. Those are only available in Investigation and ESA Rules.
For Feeds you would have your Callback Meta, e.g. ip.src or username, and then map the additional fields in the feed to other meta, e.g. facility, location, department.
Any standard meta or custom meta can be addressed here.
Feed processing happens before Application rules are validated, so in your application rule you are able to use the meta keys which you have mapped in the feed.
This is done using the standard app rule syntax. Nothing special about that.
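As an added illustration of the ordering described in this reply (not code from the thread or from the product), the following Python script simulates the two stages: a feed keyed on a callback meta (ip.src) that maps its extra columns onto custom meta keys, followed by an application rule that is evaluated on the enriched session and can therefore reference those feed-created keys. The feed rows, the sessions, the meta key names department and location, and the small `&&`-joined condition grammar are all constructed assumptions for the demo, not the product's real feed format or rule language.

```python
import csv
import io
import re

# Constructed sample feed (not a real customer feed). The first column is the
# callback meta (ip.src); the remaining columns are mapped onto the assumed
# custom meta keys 'department' and 'location'.
FEED_CSV = """#ip.src,department,location
10.1.2.3,finance,berlin
10.1.2.4,hr,berlin
192.168.50.7,engineering,austin
"""

# Constructed sample sessions: each dict is the meta a decoder would hold for
# one session before any feed has been applied.
SESSIONS = [
    {"sessionid": 1, "ip.src": "10.1.2.3",   "ip.dst": "203.0.113.9",  "service": 22},
    {"sessionid": 2, "ip.src": "10.1.2.4",   "ip.dst": "203.0.113.9",  "service": 22},
    {"sessionid": 3, "ip.src": "172.16.0.9", "ip.dst": "203.0.113.9",  "service": 22},
    {"sessionid": 4, "ip.src": "10.1.2.3",   "ip.dst": "198.51.100.2", "service": 80},
]


def load_feed(text):
    """Parse the CSV feed. Returns (callback meta key, {callback value: {meta: value}})."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    callback = header[0].lstrip("#")          # '#ip.src' -> 'ip.src'
    mapping = {}
    for row in reader:
        if not row or row[0].startswith("#"):
            continue                          # skip blank and comment rows
        mapping[row[0]] = dict(zip(header[1:], row[1:]))
    return callback, mapping


def apply_feed(session, callback, mapping):
    """Feed stage: when the callback meta matches a feed row, add the mapped meta."""
    enriched = dict(session)
    extra = mapping.get(str(session.get(callback, "")))
    if extra:
        enriched.update(extra)
    return enriched


# Condition grammar is an assumption for this demo: clauses joined by '&&',
# each 'key = value', 'key != value' or 'key exists'; values are 'quoted'
# strings or integers. It is not a parser for the product's real rule language.
_CLAUSE = re.compile(r"^\s*([\w.]+)\s*(!=|=|exists)\s*(.*?)\s*$")


def compile_rule(condition):
    """Turn a condition string into a predicate over a session's meta."""
    clauses = []
    for part in condition.split("&&"):
        m = _CLAUSE.match(part)
        if not m:
            raise ValueError(f"cannot parse clause: {part!r}")
        key, op, raw = m.groups()
        if op == "exists":
            clauses.append((key, op, None))
        elif len(raw) >= 2 and raw.startswith("'") and raw.endswith("'"):
            clauses.append((key, op, raw[1:-1]))
        else:
            clauses.append((key, op, int(raw)))

    def rule(meta):
        for key, op, value in clauses:
            if op == "exists" and key not in meta:
                return False
            if op == "=" and meta.get(key) != value:
                return False
            if op == "!=" and meta.get(key) == value:
                return False
        return True

    return rule


def evaluate(sessions, condition, feed_text=None):
    """Return the session ids the rule matches. The feed (if given) is applied
    first, so the rule may reference meta that only the feed mapping creates."""
    rule = compile_rule(condition)
    callback, mapping = load_feed(feed_text) if feed_text else (None, {})
    hits = []
    for s in sessions:
        meta = apply_feed(s, callback, mapping) if feed_text else s
        if rule(meta):
            hits.append(s["sessionid"])
    return hits


if __name__ == "__main__":
    cond = "department = 'finance' && service = 22"
    print("without feed:", evaluate(SESSIONS, cond))            # []
    print("with feed:   ", evaluate(SESSIONS, cond, FEED_CSV))  # [1]
```

Run as-is, the script shows the point of the reply: the same condition matches nothing when no feed has populated `department`, and matches session 1 once the feed stage has run first and mapped the feed's extra column onto that key.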
2022-02-16 03:57 AM
Thanks @Anonymous, that makes sense. And if I'm correct, adding a custom feed creates a ContextHub List as well, based on the 'Converting Feed to ContextHub List' status I see when adding a feed.
What would be the best practice in terms of meta key to use for specifying these custom feeds? Is there a meta key in the data model that's recommended, like 'Threat Source', or would I create a custom meta key myself? I seem to recall that in one of the trainings there was a reference to a 'SOC General' custom meta key to use.
2022-02-23 11:41 AM
I have seen all variations at my customers. Some customers reuse existing keys, others have soc.xxxx or customername.xxxx as meta.
There is no best practice to my knowledge.
2022-04-04 04:49 PM
I've created custom metakeys for our environment and used existing ones. Both work equally well. I think the decision would come down to what type of list you are planning to create.