RSA Live Feed Change

Document created by RSA Admin Employee on Mar 18, 2015
Version 1Show Document
  • View in full screen mode

Dear RSA Live Customers,

 

In order to provide a more consistent analytical experience, the threat sources in the intelligence feeds produced by the RSA FirstWatch Team will be modified to have a common value within the ""threat.source"" key index. On May 4th, 2015 the ""threat.source"" meta key will be change from ""netwitness"" to ""rsa-firstwatch"" for the following list of feeds:


RSA FirstWatch APT Attachments            

RSA FirstWatch APT Threat Domains                  

RSA FirstWatch APT Threat IPs                          

RSA FirstWatch Criminal Socks User IPs               

RSA FirstWatch Criminal SOCKS node IPs           

RSA FirstWatch Criminal VPN Entry Domains        

RSA FirstWatch Criminal VPN Entry IPs                

RSA FirstWatch Criminal VPN Exit Domains

RSA FirstWatch Criminal VPN Exit IPs                


 

If you have any custom application rules, reporting, or ESA rules that reference the ""threat.source"" value ""netwitness"", these rules will need to be changed to reference the new value of ""rsa-firstwatch"" in order to function as designed.


 

Regards,

RSA FirstWatch

Attachments

    Outcomes