2017-01-24 11:21 PM
Hello,
There are a bunch of lists of IP addresses and Domains from various public and private lists we currently pull into Netwitness Logs and Packets for alerts and looking for threats.
I was hoping to be able to pull some of these same lists into Netwitness Endpoint into the Custom: Bad IP and Custom: Bad Domain, but unfortunately all I can find is the import function, which is manual and doesn't account for the removal of False Positives, etc., like they do in Logs and Packets.
Can anyone tell me if there is a way to do this, especially in an automated pull just like the RSA Live feed works?
Regards,
Kyle
2017-01-24 11:40 PM
I've been working on this myself and the solution I've come up with is a bunch of scripts that take the various feed information like domain name and IP addresses and output them to a CSV type file on a web server.
Then within Live create a recurring feed that maps the information to appropriate meta keys.
I haven't implemented it in our system just yet, this is just what I've come to the conclusion on based on my investigation.
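One way to build the CSV feed Jeremy describes, as an added example that is not code from the thread or from RSA: it merges plain-text indicator lists, drops anything on a locally maintained false-positive allowlist (the gap Kyle raises), dedupes, and writes the CSV that a Live recurring feed definition would then map to meta keys. The feed text, file names and allowlist values are constructed assumptions, not real indicators.

```python
import csv
import io
import ipaddress

# Constructed sample feeds (not real indicators): one indicator per line, '#' comments allowed.
# The plain-text format is an assumption; adapt parse_feed() to your real sources.
FEED_A = """# constructed feed A
198.51.100.7
example-bad.test
203.0.113.0/24
"""
FEED_B = """# constructed feed B
example-bad.test
198.51.100.7
192.0.2.44
internal-tool.test
"""
# Hypothetical local false-positive allowlist: entries here never reach the feed.
ALLOWLIST = {"internal-tool.test", "192.0.2.44"}

def classify(value):
    """Return 'ip' for an IPv4/IPv6 address or CIDR block, 'domain' for anything else."""
    try:
        ipaddress.ip_network(value, strict=False)
        return "ip"
    except ValueError:
        return "domain"

def parse_feed(text, source):
    """Yield (indicator, type, source) from a plain-text feed, skipping blanks and comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        yield line.lower(), classify(line), source

def merge_feeds(feeds, allowlist):
    """Merge feeds, drop allowlisted entries, dedupe, and keep every source that listed the indicator."""
    merged = {}
    for source, text in feeds.items():
        for value, kind, src in parse_feed(text, source):
            if value in allowlist:
                continue
            merged.setdefault(value, {"type": kind, "sources": set()})["sources"].add(src)
    return merged

def to_csv(merged):
    """Render merged indicators as CSV (indicator,type,sources); these columns are what the feed XML maps to meta."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["indicator", "type", "sources"])
    for value in sorted(merged):
        writer.writerow([value, merged[value]["type"], ";".join(sorted(merged[value]["sources"]))])
    return out.getvalue()

if __name__ == "__main__":
    print(to_csv(merge_feeds({"feed_a": FEED_A, "feed_b": FEED_B}, ALLOWLIST)))
```

Writing the returned CSV to the web server path that the Live recurring feed polls, and regenerating it on a schedule, gives the automated pull with allowlist removal that the manual Endpoint import lacks.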
2017-01-24 11:49 PM
Thanks Jeremy. I've got it working properly in Logs and Packets but can't seem to find a place to configure or set this up in Netwitness Endpoint. I have a feed with values in a .CSV file that Logs and Packets takes in and the .xml file that maps the entries to Meta, but there doesn't seem to be a way to do this in Endpoint, and the closest I've found is possibly with the REST client...
2017-01-24 11:58 PM
Ahhh.. I missed the part where you said Endpoint. I still call it ECAT. 🙂