Configure Feeds

NetWitness uses feeds to create metadata based on externally defined metadata values. A feed is a list of data that is compared to sessions as they are captured or processed. For each match, additional metadata is created. This data could identify and classify malicious IPs, or incorporate additional information such as department and location based on internal network assignments. Examples of feeds include threat feeds that identify botnets, DHCP mappings, and Active Directory (AD) information such as physical location or logical department.
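A minimal model of the matching described above, as an added example rather than NetWitness code or its feed file format: the CSV layout, column names and session field names are assumptions, and all addresses are constructed sample values. It goes slightly beyond the text by picking the most specific prefix when several feed rows cover the same address.

```python
import csv
import io
import ipaddress

# Constructed sample feed and sessions; column and field names are hypothetical.
FEED_CSV = """index,department,location,threat
10.20.0.0/16,Engineering,Boston,
10.20.30.0/24,Finance,Boston-HQ,
203.0.113.7,,,botnet-c2
"""
SESSIONS = [
    {"id": 1, "src_ip": "10.20.30.15", "dst_ip": "203.0.113.7"},
    {"id": 2, "src_ip": "10.20.99.4", "dst_ip": "198.51.100.20"},
    {"id": 3, "src_ip": "192.0.2.9", "dst_ip": "198.51.100.20"},
]


def load_feed(text):
    """Parse the CSV into (network, metadata) pairs, most specific prefix first."""
    entries = []
    for row in csv.DictReader(io.StringIO(text)):
        net = ipaddress.ip_network(row.pop("index").strip(), strict=False)
        meta = {k: v for k, v in row.items() if v}  # skip empty columns
        entries.append((net, meta))
    entries.sort(key=lambda e: e[0].prefixlen, reverse=True)
    return entries


def lookup(entries, ip):
    """Return metadata of the most specific feed entry containing ip, or {}."""
    addr = ipaddress.ip_address(ip)
    for net, meta in entries:
        if addr.version == net.version and addr in net:
            return meta
    return {}


def enrich(session, entries):
    """Return a copy of the session with feed metadata added for each match."""
    out = dict(session)
    for side in ("src", "dst"):
        for key, value in lookup(entries, session[f"{side}_ip"]).items():
            out[f"{side}.{key}"] = value
    return out


if __name__ == "__main__":
    for s in SESSIONS:
        print(enrich(s, load_feed(FEED_CSV)))
```

Session 1 picks up the Finance assignment for its source and the threat tag for its destination, session 2 falls back to the broader /16 entry, and session 3 matches nothing and is left unchanged.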

You can use the Live module in NetWitness to obtain feeds from outside sources. "Live Content in NetWitness" in the Live Services Management Guide provides an overview of the Live content management tool.

Within the NetWitness user interface, you can view the list of currently deployed feeds, along with an indicator of whether a feed that originated from Live was installed through NetWitness or manually. Feeds can be added, removed, and updated while a Decoder is running without affecting capture.