000035375 - How to identify which feed is generating particular meta data in RSA Security Analytics

Document created by RSA Customer Support Employee on Aug 5, 2017. Last modified by RSA Customer Support Employee on Aug 18, 2017.
Version 2

Article Content

Article Number: 000035375
Applies To:
RSA Product Set: Security Analytics, NetWitness Logs & Packets
RSA Product/Service Type: Log Decoder
RSA Version/Condition: 10.4.x, 10.5.x, 10.6.x
Issue
 
Tasks
Follow the instructions in this article to check which feeds on the Log Decoder are generating a particular meta key.
Resolution
All of the commands below must be run on the Log Decoder in an SSH session.
If "SSL trustmode" is enabled on the Log Decoder service, run the following command:
NwConsole -c login localhost:56004 admin <admin_password> -c /decoder/parsers/feeds ls depth=2 | egrep "(feed.meta)" | grep "<meta_name>" | awk -F\/ '{print $5}'
If "SSL trustmode" is not enabled on the Log Decoder service, run the following command:
NwConsole -c login localhost:50004 admin <admin_password> -c /decoder/parsers/feeds ls depth=2 | egrep "(feed.meta)" | grep "<meta_name>" | awk -F\/ '{print $5}'
Variables:
Replace <admin_password> with the password of the admin account.
Replace <meta_name> with the required meta key.
Example for the "threat.desc" meta key:
[root@LDecoder ~]# NwConsole -c login localhost:50002 admin Password123! -c /decoder/parsers/feeds ls depth=2 | egrep "(feed.meta)" | grep "threat.desc" | awk -F\/ '{print $5}'
MaliciousUAString.feed
dynamic_dns.feed
nwconst_apt_attachments.feed
nwconst_apt_domain.feed
nwconst_apt_ip.feed
nwconst_c2_domains.feed
nwconst_c2_ips.feed
nwconst_exploit_domains.feed
nwconst_exploit_ips.feed
nwconst_insider_domain.feed
nwconst_insider_ip.feed
nwconst_reputation_ips.feed
nwconst_socks_proxies_ip_recent.feed
nwconst_socks_user_ip_recent.feed
nwconst_vpn_entry_domain_recent.feed
nwconst_vpn_entry_ip_recent.feed
nwconst_vpn_exit_domain_recent.feed
nwconst_vpn_exit_ip_recent.feed
nwhijacked.feed
nwidefthreatindicators_domain.feed
nwmalwaredomainlist.feed
nwmalwaredomains.feed
nwmalwareiplist.feed
nwrsa_third_party_ioc_domain.feed
nwrsa_third_party_ioc_ip.feed
nwrsafraudactiondomain.feed
nwrsafraudactionip.feed
nwspamhaus_drop_list_ip.feed
nwspamhaus_edrop_list_ip.feed
nwspyeyedomains.feed
nwspyeyetracker.feed
nwsriattacker.feed
nwtor_exit_nodes_ip_recent.feed
nwtor_nodes_ip_recent.feed
nwzeusdomains.feed
nwzeustracker.feed
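
The filter stage of the command above, as an added example that is not part of the RSA article: grep "<meta_name>" treats the key as a regular expression and matches substrings, so a search for alias.ip would also list a feed that only emits alias.ipv6. The function below matches the key as a whole token instead. The function names, the sample feed names and the layout of the sample lines are assumptions; only the properties the original pipeline relies on (the feed name is the fifth "/"-separated field, and the line contains feed.meta) are taken from the article.

```shell
#!/bin/sh
# Added example: exact-match replacement for
#   egrep "(feed.meta)" | grep "<meta_name>" | awk -F\/ '{print $5}'
# Reads "ls depth=2" output on stdin, prints each matching feed once.
feeds_for_meta() {
    awk -F/ -v key="$1" '
        # Same role as egrep "(feed.meta)": ignore every other node.
        index($0, "feed.meta") == 0 { next }
        {
            # Split on anything that cannot be part of a meta key name,
            # so "alias.ip" is compared against whole tokens only.
            n = split($0, tok, /[^A-Za-z0-9_.]+/)
            for (i = 1; i <= n; i++)
                if (tok[i] == key) { print $5; next }
        }
    ' | sort -u
}

# Constructed sample lines (hypothetical feeds; the real NwConsole
# layout may differ beyond the two properties stated in the lead-in).
sample_listing() {
    cat <<'EOF'
/decoder/parsers/feeds/example_ip.feed/feed.meta = alias.ip
/decoder/parsers/feeds/example_ipv6.feed/feed.meta = alias.ipv6
/decoder/parsers/feeds/example_threat.feed/feed.meta = threat.category,threat.desc
/decoder/parsers/feeds/example_threat.feed/feed.name = threat.desc
EOF
}

# Offline demonstration on the constructed lines:
sample_listing | feeds_for_meta alias.ip

# Live use on the Log Decoder (command and placeholders from the article):
#   NwConsole -c login localhost:50004 admin <admin_password> \
#     -c /decoder/parsers/feeds ls depth=2 | feeds_for_meta threat.desc
```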
