Decoder: Configure Feeds

Document created by RSA Information Design and Development Employee on Jan 31, 2020. Last modified by RSA Information Design and Development Employee on Sep 8, 2020.
Version 6

NetWitness Platform uses feeds to create metadata based on externally defined metadata values. A feed is a list of data that is compared to sessions as they are captured or processed. For each match, additional metadata is created. This data could identify and classify malicious IPs, or incorporate additional information such as department and location based on internal network assignments. Examples of feeds include threat feeds that identify botnets, DHCP mappings, and Active Directory (AD) information such as physical location or logical department.
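
A conceptual sketch of the matching described above, as an added example that is not from the original document or from RSA's code. The feed layout, the meta key names, and the session fields are assumptions made for illustration and do not represent the NetWitness feed file format.

```python
import csv
import io
import ipaddress

# Constructed sample feed (hypothetical layout): each row maps an IP address
# or CIDR range to one metadata key/value pair.
FEED_CSV = """\
index,meta_key,meta_value
203.0.113.7,threat.category,botnet
10.20.0.0/16,department,finance
10.20.30.0/24,location,london-dc1
"""

# Constructed sample sessions; the field names are assumptions.
SESSIONS = [
    {"id": 1, "ip.src": "10.20.30.15", "ip.dst": "203.0.113.7"},
    {"id": 2, "ip.src": "10.99.1.4", "ip.dst": "198.51.100.20"},
]


def load_feed(text):
    """Parse the feed into (network, meta_key, meta_value) entries."""
    entries = []
    for row in csv.DictReader(io.StringIO(text)):
        # A bare address becomes a /32 network, so one test covers both forms.
        net = ipaddress.ip_network(row["index"], strict=False)
        entries.append((net, row["meta_key"], row["meta_value"]))
    return entries


def enrich(session, feed, fields=("ip.src", "ip.dst")):
    """Return the additional metadata created for one session.

    Every feed entry that contains one of the session's addresses adds a
    (key, value) pair; the session's original fields are left unchanged.
    """
    extra = []
    for field in fields:
        addr = ipaddress.ip_address(session[field])
        for net, key, value in feed:
            if addr in net:
                extra.append((key, value))
    return extra


def enrich_all(sessions, feed_text):
    """Compare every session to the feed; map session id -> new metadata."""
    feed = load_feed(feed_text)
    return {s["id"]: enrich(s, feed) for s in sessions}
```

Session 1 picks up department and location metadata from its internal source address and a threat classification from its destination, while session 2 matches nothing and gains no metadata.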

You can use the Live module in NetWitness Platform to obtain feeds from outside sources. "Live Content in NetWitness Platform" in the Live Services Management Guide provides an overview of the Live content management tool.

Within the NetWitness Platform user interface, you can view the list of currently deployed feeds, along with an indicator of whether a feed that originated from Live was installed through NetWitness Platform or manually. Feeds can be added, removed, and updated while a Decoder is running without affecting capture.
