This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Platform Threat Intelligence Documentation
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Versions
Collections
All Downloads

Product Resources

Create Meta and Feed for Lateral Movement

This topic provides instructions for creating a custom feed and meta required for the Lateral Movement content (rule, report, etc.).

Context

You need to index the meta, and then create a custom feed, before you can take advantage of the Lateral Movement Content (available in Live).

Index Meta in the Concentrator

You need to index the meta in the Concentrator.

  1. Depending on your version:

    • For NetWitness 11.x: Go to ADMIN > Services, and select a Concentrator.
    • For Security Analytics 10.x: From the Security Analytics menu, select Administration > Services, and select a Concentrator.
  2. Select View > Config from the Actions menu.
  3. Select the Files tab, then select the index-concentrator-custom.xml file.

  4. Add the following lines:

    <key description="HVA Escalation Contact" level="IndexValues" name="fd.escalate" format="Text"/>
    <key description="High Value Asset Group" level="IndexValues" name="fd.hva.group" format="Text"/>
    <key description="High Value Asset Type" level="IndexValues" name="fd.hva.type" format="Text"/>
    <key description="HVA Product Line" level="IndexValues" name="fd.prod.line" format="Text"/>
    <key description="High Value Asset Description" level="IndexValues" name="fd.hva.desc" format="Text"/>

    Note: The first two lines (in bold) are required: the others are optional.

Create the Feed

The feed data file (.csv) must be available on the local file system.

To create the custom feed:

  1. Create a file, HighValue.csv, with the following format:

     feedname,event.computer,fd.hva.type,fd.hva.desc,fd.hva.group,fd.prod.line,fd.escalate

    These are the column names.

    Note: Only the fd.hva.group (High Value Asset Group) and fd.escalate (HVA Escalation Contact) columns are required. These fields are used in the Lateral Movement Indicators report.

  2. Depending on your version:

    • For NetWitness 11.x: In the NetWitness menu, select CONFIGURE > Custom Feeds.
    • For Security Analytics 10.x: In the Security Analytics menu, select Live > Feeds.

  3. In the toolbar, click icon-add.png.

    The Setup Feed dialog is displayed.

  4. To select the feed type, click Custom Feed and Next.

    The Configure a Custom Feed wizard is displayed, with the Define Feed form open.

  5. Fill in the following values:

    • For the Name, enter HighValue.
    • For the file, navigate to your HighValue.csv file, using the Browse button.

  6. Click Next.

    The Select Services form is displayed.

  7. To identify services on which to deploy the feed, select one or more Decoders, and click Next.
    The Define Columns form is displayed.

  8. To map columns in the Define Columns form:

    1. Select Non IP for the Index type, and select 1 for the index column.
    2. From the Callback Key drop-down list, select event.computer.

  9. Click Next, then review the feed information, and if correct, click Finish.

If you created the feed with all of the optional columns listed in step 1, your Review form would look similar to the following:

highValFeed.png

docFeedback.png

You are here
Table of Contents > Create Meta and Feed for Lateral Movement
Was this article helpful? Yes No
No ratings

On this page

© 2022 RSA Security LLC or its affiliates. All rights reserved.