Decoder: Services Config View - Feeds Tab

Document created by RSA Information Design and Development on Nov 23, 2016Last modified by RSA Information Design and Development on Mar 28, 2017
Version 4Show Document
  • View in full screen mode
  

This topic describes the features in the Decoder Services Config view > Feeds tab.

Feeds and parsers are FLEXPARSE programs loaded and compiled when either processing capture files in Investigation or capturing data with Decoders. Most commonly, they are used for static meta extraction and service identification.

Note: Unless otherwise stated, any reference to Decoders applies to Log Decoders as well.

Security Analytics uses feeds to create metadata based on externally defined meta values. A feed is a list of data that is compared to sessions as they are captured or processed. For each hit, additional metadata is created. This data can identify and classify malicious IPs or incorporate additional information such as department and location based on internal network assignments. Some examples of feeds include threat feeds to identify BOTNets, DHCP mappings, or even active directory information such as physical location or logical department.

Feeds can be added, removed, and updated while a Decoder is running without affecting capture. The Services Config View > Feeds Tab provides a user interface for managing feeds on Decoders.

To display this view, do the following:

  1. In the Security Analytics menu, select Administration > Services.
  2. Select a service and  ic-actns.png >View > Config.
    The Config view for the selected service is displayed.
  3. Click the Feeds Tab.

This is an example of the Feeds tab.

SvcsCfgFeedTbD.png

Features

The Feed Grid lists all feeds that are currently deployed on the Decoder. The Feeds Tab Toolbar has options to work with feeds in the grid.

Feeds Tab Toolbar

                 
FeatureDescription
IconFeedUpload.png Displays the Upload Feeds dialog.
Icon_Delete_sm.png Deletes the selected feeds.

Feed Grid

The Feed grid provides a listing of all currently deployed feeds for the Decoder.

                     
ColumnDescription
Name The name of the feed or the feed file.
Live Indicates if the feed originated from Live. Possible values are Yes, No, or N/A.
  • Yes = Installed through Live
  • No = Installed through Security Analytics
  • N/A = The feed has no attributes file created by Security Analytics to track the installation date. The feed may have been installed manually, not through Security Analytics or Live. Manually installed feeds still function properly.
Date Installed The date the feed was pushed to the service.

 

 

Topic

You are here
Table of Contents > References > Services Config View - Feeds Tab

Attachments

    Outcomes