Live: Create a STIX Custom Feed

Document created by RSA Information Design and Development on Sep 12, 2017. Last modified by RSA Information Design and Development on Nov 6, 2017.

You can create a custom feed using a .csv or STIX formatted feed data file in RSA NetWitness Suite.

Note: NetWitness Suite supports Structured Threat Information Expression (STIX) 1.0, 1.1 and 1.2 versions only.

Note: From version 10.6.1 onward, Security Analytics supports Structured Threat Information Expression (STIX).

Structured Threat Information Expression (STIX™) is a structured language for describing cyber threat information so it can be shared, stored, and analyzed in a consistent manner. For more information about STIX, see https://stixproject.github.io/.

Caution: If a STIX recurring feed is configured and you update Security Analytics from 10.6.x to NetWitness Suite 11.0, you must re-configure the STIX recurring feed.

In NetWitness Suite, STIX (.xml) feeds of type Indicator or Observable are supported when they contain properties such as IP addresses, file hashes, domain names, URIs and email addresses. Only property values that use the Equals operator are supported. The Type and Title attributes are also read from the STIX (.xml) file. Only STIX (.xml) files that contain a single STIX_Package are supported.
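As an added example (not NetWitness code), the Python below applies the rules just described to a constructed STIX 1.2 package: it accepts only a single STIX_Package root, reads each indicator's Title and Type, and keeps only property values whose condition is Equals (a missing condition attribute is treated as Equals, the CybOX default). The domain indicator with condition="Contains" is dropped, since the page states that only Equals is supported.

```python
import xml.etree.ElementTree as ET

# Namespaces of STIX 1.x / CybOX 2.x documents.
NS = {"stix": "http://stix.mitre.org/stix-1",
      "indicator": "http://stix.mitre.org/Indicator-2",
      "cybox": "http://cybox.mitre.org/cybox-2"}

# Constructed STIX 1.2 package: one IP indicator with condition="Equals" (usable)
# and one domain indicator with condition="Contains" (not usable by the feed).
SAMPLE_STIX = """<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
 xmlns:indicator="http://stix.mitre.org/Indicator-2" xmlns:cybox="http://cybox.mitre.org/cybox-2"
 xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
 xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="example:Package-1" version="1.2">
 <stix:Indicators>
  <stix:Indicator id="example:ind-1" xsi:type="indicator:IndicatorType">
   <indicator:Title>Constructed C2 address</indicator:Title>
   <indicator:Type>IP Watchlist</indicator:Type>
   <indicator:Observable><cybox:Object>
    <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
     <AddressObj:Address_Value condition="Equals">203.0.113.10</AddressObj:Address_Value>
    </cybox:Properties></cybox:Object></indicator:Observable>
  </stix:Indicator>
  <stix:Indicator id="example:ind-2" xsi:type="indicator:IndicatorType">
   <indicator:Title>Constructed domain pattern</indicator:Title>
   <indicator:Type>Domain Watchlist</indicator:Type>
   <indicator:Observable><cybox:Object>
    <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
     <DomainNameObj:Value condition="Contains">bad.example</DomainNameObj:Value>
    </cybox:Properties></cybox:Object></indicator:Observable>
  </stix:Indicator>
 </stix:Indicators>
</stix:STIX_Package>"""

def extract_feed_rows(xml_text):
    """Return (title, type, value) for each indicator property that uses Equals."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}STIX_Package" % NS["stix"]:
        raise ValueError("expected a single STIX_Package as the document root")
    rows = []
    for ind in root.iterfind("stix:Indicators/stix:Indicator", NS):
        title = ind.findtext("indicator:Title", default="", namespaces=NS)
        itype = ind.findtext("indicator:Type", default="", namespaces=NS)
        props = ind.find("indicator:Observable/cybox:Object/cybox:Properties", NS)
        for prop in (props if props is not None else []):
            # CybOX treats an absent condition attribute as Equals.
            if prop.get("condition", "Equals") == "Equals" and prop.text:
                rows.append((title, itype, prop.text.strip()))
    return rows
```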

TAXII (Trusted Automated eXchange of Indicator Information) is the main transport mechanism for cyber threat information represented in STIX. Using the TAXII services, organizations can share cyber threat information in a secure and automated manner.

The STIX and TAXII communities work closely together to ensure that they continue to provide a full stack for sharing threat intelligence.

Apart from a TAXII server, STIX data can also reside on a REST server; you fetch the STIX file by providing the URL of the REST server, for example http://stixrestserver.internal.com.

The feed data file (.csv or STIX (.xml)) and optionally the feed definition file (.xml) must be available on the local file system for an on-demand custom feed. For a recurring custom feed, the files must be available at a URL that is accessible to the NetWitness Suite server.

To create a STIX custom feed:

  1. Go to Configure > Custom Feeds.

    The Feeds view is displayed.

  2. In the toolbar, click .

    The Setup Feed dialog is displayed.

  3. To select the feed type, click Custom Feed and Next.

    The Configure a Custom Feed wizard is displayed, with the Define Feed form open.

  4. To define a feed based on a STIX formatted .xml file, select STIX in the Feed Type field.

  5. To define an on-demand feed task that executes once, select Adhoc in the Feed Task Type field and do one of the following:

    1. (Conditional) To define a feed based on a STIX formatted .xml file, type the feed Name, select a STIX formatted .xml content File from the local file system, and click Next.

    2. (Conditional) To define a feed based on an XML feed file, select Advanced Options.

      The Advanced Options are displayed:

    3. Select an XML feed file from the local file system, choose the Separator (default is comma), specify the Comment characters used in the feed data file (default is #), and click Next.
    4. The Select Services form is displayed. This is an example of the form for a feed based on a feed data file with no feed definition file. If you are defining a feed based on a feed definition file, the Define Columns tab is not needed.

  6. To define a recurring feed task that executes repeatedly at specified intervals during a specified date range, do the following:

    1. Select Recurring in the Feed Task Type field.

      The Define Feed form includes the fields for a recurring feed.

    2. In the URL field, do one of the following:

      • To define a recurring feed based on STIX that pulls STIX packages from a TAXII server, enter the TAXII server's discovery service URL, for example, http://hailataxii.com/taxii-discovery-service.

        Note: The Context Hub service installed on the Event Stream Analysis host must be able to reach the specified TAXII server.

      • To define a recurring feed based on a STIX formatted .xml file hosted on a REST server, enter the URL of the REST server where the STIX data file is located, for example, http://stixrestserver.internal.com.

      NetWitness Suite verifies the connection to the server so that it can check for the latest file automatically before each recurrence.

    3. If you do not want NetWitness Suite to verify the REST server's SSL certificate, select Trust All Certificate. This option is enabled (checked) by default.
    4. For client authentication with the REST URL, in the Certificate field, click Browse and select the self-signed certificate. The supported certificate formats are .cer and .crt, Base64 or DER encoded.
    5. (Optional) If the URL has restricted access and requires authentication using your username and password, select Authenticated.

      NetWitness Suite provides your user name and password for authentication to the URL.

    6. Select TAXII Enabled Server if you want to select a TAXII collection from the list.
      For a valid URL, one or more TAXII collections that contain the STIX data file are displayed based on your credentials. Select the required TAXII collection from the list. Only one collection can be added from a TAXII server for a feed.

      Note: Though multiple feeds from multiple TAXII servers are supported, only one account (username and password) is supported per TAXII server.

    7. If you want the NetWitness Suite server to access the Feed URL through a proxy, select Use Proxy. For more information on configuring a proxy, see the Configure Proxy for NetWitness Suite topic in the System Configuration Guide. By default, the Use Proxy checkbox is not selected.
    8. (Optional) Click Verify to test the settings.

    Note: Make sure that all the required connection parameters, such as Authentication, Proxy, Certificate trust and TAXII Enabled Server, are configured before you click Verify.

    9. To define the interval of recurrence for pushing to Decoder or Log Decoder, do one of the following:

      • Specify the number of minutes, hours, or days between recurrences of the feed.
      • Specify recurrence every week, and select the days of the week.
    10. To define the date range for the execution of the feed to recur, specify the Start Date and time and the End Date and time. The Start Date should be the date from which you want to fetch the data. Make sure that the Start Date is not more than 180 days before today.

  7. (Conditional) If you want to define a feed based on an XML feed file:

    • Type the feed Name and select Advanced Options.

      The Advanced Options fields are displayed.

    • Select an XML feed file from the local file system, choose the Separator (default is comma), specify the Comment characters used in the feed data file (default is #).

    • In the Remove STIX data older than field, specify the number of days for which STIX packages pulled from the TAXII server are to be stored. STIX packages older than the specified number of days are deleted automatically.
    • Click Next.
      The Select Services form is displayed.
  8. To identify services on which to deploy the feed, do one of the following:

    1. Select one or more Decoders and Log Decoders, and click Next.
    2. In the case of a STIX feed, Context Hub is selected by default and cannot be deselected. In addition, you can select one or more Decoders and Log Decoders and click Next, or click the Groups tab, select a group, and click Next.

      If the data from the STIX server is large, the following message is displayed:

      • If you click Continue to Wait, NetWitness Suite continues to wait until the sample data is fetched or the timeout (10 minutes) is reached, whichever is sooner. In the case of a timeout, no sample data is retrieved.
      • If you click Map Without Sample data, the mapping column is displayed without any sample data.

      The Define Columns form is displayed.

  9. To map columns in the Define Columns form:

    1. Define the Index type: IP, IP Range, or Non IP, and select the index column.
    2. (Conditional) If the index type is IP or IP Range and the IP address is in CIDR notation, select CIDR.
    3. (Conditional) If the index type is Non IP, additional settings are displayed. Select the service type and Callback Keys, and optionally select the Truncate Domain option.

      Note:
      - If the Index Type is Non IP, you can select multiple index columns in the Index Column(S) field. The values from all the selected columns are merged into the first index column that you selected, and the merged values are pushed to the Log Decoder for parsing. For example, if you select 2,4,7 as index columns in the Index Column(S) field, the values from columns 2, 4 and 7 are merged into column 2 and pushed to the Log Decoder for parsing.
      - Indexing cannot be done for columns such as Indicator Title, Indicator Description, Observable Title and Observable Description, because a lookup cannot be performed on those columns.

    4. Select the language key to apply to the data in each column from the drop-down list. The meta displayed in the drop-down list is based on the meta available for the selected services. You can also add other meta keys if you have the required expertise.

    5. Click Next.

      The Review form is displayed.

  10. Anytime before you click Finish, you can:

    • Click Cancel to close the wizard without saving your feed definition.
    • Click Reset to clear the data in the wizard.
    • Click Next to display the next form (if not viewing the last form).
    • Click Prev to display the previous form (if not viewing the first form).
  11. Review the feed information, and if correct, click Finish.
  12. Upon successful creation of the feed definition file, the Create Feed wizard closes, the feed and corresponding token file are listed in the Feed grid, and a progress bar tracks completion. You can expand or collapse the entry to see how many services are included, and which services were successful.

Note: Health and Wellness raises alerts when the available heap memory of the Context Hub server is critically low, and the status of the Context Hub server is shown as Unhealthy due to low memory. For more information on how to troubleshoot OutOfMemoryError on the Context Hub server, refer to "Troubleshooting" in the Live Services Management Guide.

MetaCallback Feeds using CIDR Index Range for IPv4 and IPv6

This section describes how to use CIDR index ranges for IPv4 and IPv6 in custom MetaCallback feeds. As with other custom feeds, you must create a feed data file in .csv format and a feed definition file in .xml format.

Note: Using Metacallback feeds with CIDR index ranges is supported only through the Advanced Configuration wizard or the REST interface.

The following example shows the contents of both a .csv file and an .xml file for a MetaCallback feed using CIDR index ranges for IPv4 or IPv6.

.csv file:

192.168.0.0/24, Sydney
192.168.1.0/24, Melbourne

.xml file:

<?xml version="1.0" encoding="UTF-8"?>
<FDF xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="feed-definitions.xsd">
  <FlatFileFeed name="ip_test" path="ip_test.csv" separator="," comment="#">
    <MetaCallback name="DstIP" valuetype="IPv4" apptype="0" truncdomain="false">
      <Meta name="ip.dst"/>
    </MetaCallback>
    <LanguageKeys>
      <LanguageKey name="alert" valuetype="Text" />
    </LanguageKeys>
    <Fields>
      <Field index="1" type="index" range="cidr"/>
      <Field index="2" type="value" key="alert" />
    </Fields>
  </FlatFileFeed>
</FDF>

Note: To configure a CIDR index range for feeds with single or multiple MetaCallbacks of value type IPv4 or IPv6, the field of type index MUST contain a range attribute with range="cidr". Also, configuring "cidr" index ranges for feeds with MetaCallbacks of multiple different value types is not supported.
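The following added example (not from the RSA documentation) shows in Python what a range="cidr" index field means in practice: it loads a constructed feed data file in the layout above (extended with an IPv6 row), resolves an ip.dst value to the alert value of the matching range, and checks a feed definition for the two conditions the note states (a missing range="cidr" attribute, and MetaCallbacks of mixed value types). Resolving overlapping ranges to the most specific match is an assumption of this example; the page does not specify that behaviour.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed feed data file in the layout the page shows: CIDR index column, value column.
FEED_CSV = """# constructed sample: IPv4 and IPv6 ranges, '#' is the comment character
192.168.0.0/24, Sydney
192.168.1.0/24, Melbourne
2001:db8:1::/48, Brisbane
"""

# Feed definition in the page's FDF layout (compacted); file names are hypothetical.
FEED_XML = """<FDF>
<FlatFileFeed name="ip_test" path="ip_test.csv" separator="," comment="#">
<MetaCallback name="DstIP" valuetype="IPv4" apptype="0" truncdomain="false"><Meta name="ip.dst"/></MetaCallback>
<LanguageKeys><LanguageKey name="alert" valuetype="Text"/></LanguageKeys>
<Fields><Field index="1" type="index" range="cidr"/><Field index="2" type="value" key="alert"/></Fields>
</FlatFileFeed>
</FDF>"""

def check_cidr_definition(xml_text):
    """Return the problems the page's note warns about, or [] if the FDF is acceptable."""
    problems = []
    ff = ET.fromstring(xml_text).find("FlatFileFeed")
    vtypes = {mc.get("valuetype") for mc in ff.iter("MetaCallback")}
    if len(vtypes) > 1:
        problems.append("cidr index range with mixed MetaCallback value types: %s" % sorted(vtypes))
    for field in ff.iter("Field"):
        if field.get("type") == "index" and field.get("range") != "cidr":
            problems.append('index field %s lacks range="cidr"' % field.get("index"))
    return problems

def load_cidr_feed(csv_text, separator=",", comment="#"):
    """Parse the feed data file into (network, value) pairs; malformed rows are skipped."""
    feed = []
    for line in csv_text.splitlines():
        if not line.strip() or line.lstrip().startswith(comment):
            continue
        cols = [c.strip() for c in line.split(separator)]
        try:
            feed.append((ipaddress.ip_network(cols[0], strict=False), cols[1]))
        except (ValueError, IndexError):
            continue  # not a CIDR, or the value column is missing
    return feed

def lookup(feed, ip):
    """Value of the most specific network containing ip, or None (assumed semantics)."""
    addr = ipaddress.ip_address(ip)  # v4/v6 mismatch never matches a network
    matches = [(net.prefixlen, val) for net, val in feed if addr in net]
    return max(matches)[1] if matches else None
```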
