Dear RSA Live Customers,
In order to provide a more consistent analytical experience, the threat sources in the intelligence feeds produced by the RSA FirstWatch Team will be modified to have a common value within the ""threat.source"" key index. On May 4th, 2015 the ""threat.source"" meta key will be change from ""netwitness"" to ""rsa-firstwatch"" for the following list of feeds:
RSA FirstWatch APT Attachments
RSA FirstWatch APT Threat Domains
RSA FirstWatch APT Threat IPs
RSA FirstWatch Criminal Socks User IPs
RSA FirstWatch Criminal SOCKS node IPs
RSA FirstWatch Criminal VPN Entry Domains
RSA FirstWatch Criminal VPN Entry IPs
RSA FirstWatch Criminal VPN Exit Domains
RSA FirstWatch Criminal VPN Exit IPs
If you have any custom application rules, reporting, or ESA rules that reference the ""threat.source"" value ""netwitness"", these rules will need to be changed to reference the new value of ""rsa-firstwatch"" in order to function as designed.
Regards,
RSA FirstWatch