You can create a custom feed using a .csv or STIX formatted feed data file in RSA NetWitness Platform.
Structured Threat Information Expression (STIX) is a structured language for describing cyber threat information so it can be shared, stored, and analyzed in a consistent manner. For more information about STIX, see https://stixproject.github.io/.
In NetWitness Platform, STIX feeds are supported. STIX content (with version 11.x) can be uploaded in an ".xml" format. The constructs such as Indicator Title and Description, Observable Title and Description, and Indicator Sightings information are parsed from STIX and pushed to the decoders or log decoders that are selected during feed configuration. Information such as IP addresses, File hashes, Domain names, URIs, and Email addresses are extracted from the STIX observable to be included in the feed.
Make sure the following criterias are met before you upload the STIX file:
- Only STIX Observables with property values in the "Equals" operator
- The uploaded STIX xml file must have only one STIX_Package
TAXII (Trusted Automated eXchange of Indicator Information) is the main transport mechanism for cyber threat information represented in STIX. Using the TAXII services, organizations can share cyber threat information in a secure and automated manner.
The STIX and TAXII communities work closely together to ensure that they continue to provide a full stack for sharing threat intelligence.
Apart from TAXII server, STIX data can also reside on REST server and you can fetch STIX file from the REST server by providing the URL of the REST server. For example, http://stixrestserver.internal.com.
The feed data file (.csv or STIX (.xml)) and optionally the feed definition file (.xml) must be available on the local file system for an on-demand custom feed. For a recurring custom feed, the files must be available at a URL that is accessible to the NetWitness Platform server.
To create a STIX custom feed:
Go to Configure > Custom Feeds.
The Feeds view is displayed.
To select the feed type, click Custom Feed and Next.
The Configure a Custom Feed wizard is displayed, with the Define Feed dialog open.
To define a feed based on a STIX formatted .xml file, select STIX in the Feed Type field.
To define an on-demand feed task that executes once, select Adhoc in the Feed Task Type field and do one of the following:
(Conditional) To define a feed based on STIX formatted .xml file, type the feed Name, select a STIX formatted .xml content File from the local file system, and click Next.
(Conditional) To define a feed based on an XML feed file, select Advanced Options.
The Advanced Options are displayed:
- Select an XML feed file from the local file system, choose the Separator (default is comma), and specify the Comment characters used in the feed data file (default is #), and click Next.
The Select Services dialog is displayed. This is an example of the form for a feed based on a feed data file with no feed definition file. If you are defining a feed based on a feed definition file, the Define Columns tab is not needed.
Define a recurring feed task that executes repeatedly at specified intervals, during a specified date range.
Select Recurring in the Feed Task Type field.
The Define Feed dialog includes the fields for a recurring feed.
In the URL field, do one of the following:
To define a recurring feed based on STIX which pulls STIX packages from a TAXII Server, enter the TAXII server's discovery service URL, for example, http://hailataxii.com/taxii-discovery-service.
To define a recurring feed based on a STIX formatted .xml file using REST Server, enter the URL of the REST server where the STIX data file is located, for example, http://stixrestserver.internal.com.
NetWitness Platform verifies the connection to the server, so that NetWitness Platform can check for the latest file automatically before each recurrence.
- If you do not want NetWitness Platform to verify the REST server's SSL certificate, Select Trust All Certificate. This option is enabled by default (checked)
- For client authentication with the REST URL, in the Certificate field, click Browse and select the self signed certificate. The supported certificate formats are .cer, .crt with Base64 & DER encoded files.
(Optional) If the URL has restricted access and requires authentication using your username and password, select Authenticated.
NetWitness Platform provides your user name and password for authentication to the URL.
Select TAXII Enabled Server, if you want to select a TAXII collection from the list.
For a valid URL, one or more TAXII collections that contains the STIX data file is displayed based on your credentials. Select the required TAXII collection from the list. Only one collection can be added from a TAXII server for a feed.
- If you want the NetWitness Platform server to access the Feed URL through a proxy, select Use Proxy. For more information on configuring a proxy, see the Configure Proxy for NetWitness Platform topic in the System Configuration Guide. By default, the Use Proxy checkbox is not selected.
- (Optional) Click Verify to test the settings.
To define the interval of recurrence for pushing to Decoder or Log Decoder, do one of the following:
- Specify the number of minutes, hours, or days between recurrences of the feed.
- Specify recurrence every week, and select the days of the week.
To define the date range for the execution of the feed to recur, specify the Start Date and time and the End Date and time. The Start Date should be defined from when you want to fetch the data. Make sure that the Start Date is not before 180 days from today.
(Optional) If you want to define a feed based on an XML feed file:
Type the feed Name, select Advanced Options.
The Advanced Options fields are displayed.
Select an XML feed file from the local file system, choose the Separator (default is comma), specify the Comment characters used in the feed data file (default is #).
- In the Remove STIX data older than field, specify the number of days for which STIX packages pulled from TAXII server is to be stored. The STIX packages older than the specified number of days is deleted automatically.
- Click Next.
The Select Services dialog is displayed.
To identify services on which to deploy the feed, do one of the following:
- Select one or more Decoders and Log Decoders, and click Next.
In case of STIX feed, Context Hub will be selected by default and you are not allowed to deselect it. In addition, you can select one or more Decoders and Log Decoders and click Next or Click the Groups tab and select a group. Click Next.
If the data from the STIX server is large, the following message is displayed:
- If you click Continue to Wait, it continues to wait till the sample data is fetched or timeout (10 minutes) whichever is sooner. In case of timeout no sample data is retrieved even after 10 minutes.
- If you click Map Without Sample data, the mapping column is displayed without any sample data.
The Define Columns dialog is displayed.
To map columns in the Define Columns form:
- Define the Index type: IP, IP Range, or Non IP, and select the index column.
- (Optional) If the index type is IP or IP Range and the IP address is in CIDR notation, select CIDR.
(Optional) If the index type is Non IP, additional settings are displayed. Select the service type and Callback Keys, and optionally select the Truncate Domain option.
Select the language key to apply to the data in each column from the drop-down list. The meta displayed in the drop-down list is based on the meta available for the service define values. You can also add other meta based on advanced expertise.
The Review dialog is displayed.
- Define the Index type: IP, IP Range, or Non IP, and select the index column.
Anytime before you click Finish, you can:
- Click Cancel to close the wizard without saving your feed definition.
- Click Reset to clear the data in the wizard.
- Click Next to display the next dialog (if not viewing the last form).
- Click Prev to display the previous dialog (if not viewing the first form)
- Review the feed information, and if correct, click Finish.
- Upon successful creation of the feed definition file, the Create Feed wizard closes, and the feed and corresponding token file are listed in the Feed grid and progress bar tracks completion. You can expand or collapse the entry to see how many services are included, and which services were successful.
MetaCallback Feeds using CIDR Index Range for IPv4 and IPv6
This section describes how to use CIDR index ranges for IPv4 and IPv6 in custom MetaCallback feeds. As with other custom feeds, you must create feed data file in .csv format, and a feed definition file in .xml format.
The following example shows the contents of both a .csv file and an .xml file for a MetaCallback feed using CIDR index ranges for IPv4 or IPv6.
<?xml version="1.0" encoding="UTF-8"?>
<FDF xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="feed-definitions.xsd">
<FlatFileFeed name="ip_test" path="ip_test.csv" separator="," comment="#">
<MetaCallback name="DstIP" valuetype="IPv4" apptype="0" truncdomain="false">
<LanguageKey name="alert" valuetype="Text" />
<Field index="1" type="index" range="cidr"/>
<Field index="2" type="value" key="alert" />