This topic describes the features in the Decoder Services Config view > Feeds tab.
Feeds and parsers are FLEXPARSE programs loaded and compiled when either processing capture files in Investigation or capturing data with Decoders. Most commonly, they are used for static meta extraction and service identification.
Note: Unless otherwise stated, any reference to Decoders applies to Log Decoders as well.
Security Analytics uses feeds to create metadata based on externally defined meta values. A feed is a list of data that is compared to sessions as they are captured or processed. For each hit, additional metadata is created. This data can identify and classify malicious IPs or incorporate additional information such as department and location based on internal network assignments. Some examples of feeds include threat feeds to identify BOTNets, DHCP mappings, or even active directory information such as physical location or logical department.
Feeds can be added, removed, and updated while a Decoder is running without affecting capture. The Services Config View > Feeds Tab provides a user interface for managing feeds on Decoders.
To display this view, do the following:
- In the Security Analytics menu, select Administration > Services.
- Select a service and >View > Config.
The Config view for the selected service is displayed.
- Click the Feeds Tab.
This is an example of the Feeds tab.
The Feed Grid lists all feeds that are currently deployed on the Decoder. The Feeds Tab Toolbar has options to work with feeds in the grid.
Feeds Tab Toolbar
The Feed grid provides a listing of all currently deployed feeds for the Decoder.
|Name||The name of the feed or the feed file.|
|Live||Indicates if the feed originated from Live. Possible values are Yes, No, or N/A. |
|Date Installed||The date the feed was pushed to the service.|