Live: Create a Custom Feed

Document created by RSA Information Design and Development on Sep 12, 2017. Last modified by RSA Information Design and Development on Sep 12, 2018.
Version 14
 

This topic provides instructions for creating a custom feed using a .csv or STIX formatted feed data file in RSA NetWitness Platform.

Note: From 10.6.1 or later, NetWitness Platform supports Structured Threat Information Expression (STIX). For more information about STIX and creating a STIX custom feed, see Create a STIX Custom Feed.

You can easily create a custom feed using the Custom Feed wizard. To complete this procedure, you need a feed data file in .csv or .xml format. If you also have an associated feed definition file in .xml format, which describes the structure of the feed data file, you can use the feed definition file to create a feed. The Custom Feed wizard can create the feed based on a feed data file, or based on a feed data file and corresponding feed definition file.

After completing this procedure, you will have created a custom feed.

The feed data file (.csv or STIX (.xml)) and optionally the feed definition file (.xml) must be available on the local file system for an on-demand custom feed. For a recurring custom feed, the files must be available at a URL that is accessible to the NetWitness Platform server.

Note: Any feeds that are created in 11.2 release or prior will be automatically pushed to Context Hub as Lists. The lists can be looked up in the context lookup panel of the Respond and Investigate pages. If Context Hub is not configured or the service is down, then the feeds will be pushed to Context Hub the next time the server is available.

To create a custom feed:

  1. Go to CONFIGURE > CUSTOM FEEDS.

    The Custom Feeds view is displayed.

    An example of the Feeds view

  2. In the toolbar, click .

    The Setup Feed dialog is displayed.

    An example of the Setup Feed dialog

  3. To select the feed type, click Custom Feed and Next.

    The Configure a Custom Feed wizard is displayed, with the Define Feed form open.

    An example of the Configure a Custom Feed Dialog

  4. To define a feed based on a .csv formatted feed data file, select CSV in the Feed Type field.

  5. To define an on-demand feed task that executes once, select Adhoc in the Feed Task Type field and do one of the following:

    1. (Conditional) To define a feed based on a .csv formatted feed data file, type the feed Name.
    2. Select the checkbox Upload As CSV File Feed, if required.
    3. Select a .csv content File from the local file system, and click Next.
    4. (Conditional) To define a feed based on an XML feed file, select Advanced Options.

      The Advanced Options are displayed:

    5. Select an XML feed file from the local file system, choose the Separator (default is comma), and specify the Comment characters used in the feed data file (default is #), and click Next.
    6. The Select Services form is displayed. This is an example of the form for a feed based on a feed data file with no feed definition file. If you are defining a feed based on a feed definition file, the Define Columns tab is not needed.

      Select Services view of Configure a Custom Feed dialog

  6. To define a recurring feed task that executes repeatedly at specified intervals, during a specified date range, do the following:

    1. Select Recurring in the Feed Task Type field.

      The Define Feed dialog includes the fields for a recurring feed.

    2. In the URL field, enter the URL where the feed data file is located, for example, http://<hostname>/<feeddatafile>.csv, and click Verify.

      NetWitness Platform verifies the location where the file is stored, so that NetWitness Platform can check for the latest file automatically before each recurrence.

    3. (Optional) If the URL has restricted access and requires authentication using your username and password, select Authenticated.

      NetWitness Platform provides your user name and password for authentication to the URL.

    4. If you want the NetWitness Platform server to access the Feed URL through a proxy, select Use Proxy. For more information on configuring a proxy, see the Configure Proxy for NetWitness Platform topic in the System Configuration Guide. By default, the Use Proxy checkbox is not selected.
    5. To define the interval for recurrence, do one of the following:

      • Specify the number of minutes, hours, or days between recurrences of the feed.
      • Specify recurrence every week, and select the days of the week.
    6. To define the date range for the execution of the feed to recur, specify the Start Date and time and the End Date and time.

      An example of defining the date range

  7. (Conditional) If you want to define a feed based on an XML feed file:

    • Type the feed Name and select Advanced Options.

      The Advanced Options fields are displayed.

    • Select an XML feed file from the local file system, choose the Separator (default is comma), specify the Comment characters used in the feed data file (default is #) and click Next.

      The Select Services dialog is displayed.

      An example of the Select Services form

  8. To identify services on which to deploy the feed, do one of the following:

    1. Select one or more Decoders and Log Decoders, and click Next.
    2. Click the Groups tab and select a group. Click Next.

      The Define Columns dialog is displayed.

  9. To map columns in the Define Columns form:

    1. Define the Index type: IP, IP Range, or Non IP, and select the index column.
    2. (Conditional) If the index type is IP or IP Range and the IP address is in CIDR notation, select CIDR.
    3. (Conditional) If the index type is Non IP, additional settings are displayed. Select the service type and Callback Keys, and optionally select the Truncate Domain option.

      An example of the Define Columns form

    4. Select the language key to apply to the data in each column from the drop-down list. The meta displayed in the drop-down list is based on the meta available for the service define values. You can also add other meta based on advanced expertise.

      Select language key

      Note: When a custom feed gets converted into a Context Hub list, you must map at least one meta key with one or more meta types by mapping a column header with a meta. However, you can add or edit the entity mapping of a list by clicking in the Lists tab. For more information, see the Context Hub Configuration Guide.

    5. Click Next.

      The Review dialog is displayed.

      An example of the Review form

  10. Anytime before you click Finish, you can:

    • Click Cancel to close the wizard without saving your feed definition.
    • Click Reset to clear the data in the wizard.
    • Click Next to display the next form (if not viewing the last form).
    • Click Prev to display the previous form (if not viewing the first form).
  11. Review the feed information, and if correct, click Finish.
  12. Upon successful creation of the feed definition file, the Create Feed wizard closes, the feed and corresponding token file are listed in the Feed grid, and a progress bar tracks completion. You can expand or collapse the entry to see how many services are included, and which services were successful.

Note: When you create a feed and no entity mapping is done, as in the case of custom metas, those columns in the List will not have entity mappings in Context Hub. You have to manually map the entities from the List page.

MetaCallback Feeds using CIDR Index Range for IPv4 and IPv6

This section describes how to use CIDR index ranges for IPv4 and IPv6 in custom MetaCallback feeds. As with other custom feeds, you must create a feed data file in .csv format, and a feed definition file in .xml format.

Note: Using MetaCallback feeds with CIDR index ranges is supported only through the Advanced Configuration wizard or the REST interface.

The following example shows the contents of both a .csv file and an .xml file for a MetaCallback feed using CIDR index ranges for IPv4 or IPv6.

.csv file:

    192.168.0.0/24, Sydney
    192.168.1.0/24, Melbourne

.xml file:

    <?xml version="1.0" encoding="UTF-8"?>
    <FDF xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="feed-definitions.xsd">
      <FlatFileFeed name="ip_test" path="ip_test.csv" separator="," comment="#">
        <MetaCallback name="DstIP" valuetype="IPv4" apptype="0" truncdomain="false">
          <Meta name="ip.dst"/>
        </MetaCallback>
        <LanguageKeys>
          <LanguageKey name="alert" valuetype="Text" />
        </LanguageKeys>
        <Fields>
          <Field index="1" type="index" range="cidr"/>
          <Field index="2" type="value" key="alert" />
        </Fields>
      </FlatFileFeed>
    </FDF>

Note: To configure a CIDR index range for feeds with single or multiple MetaCallbacks of value type IPv4 or IPv6, the field of type index MUST contain a range attribute with range="cidr". Also, configuring "cidr" index ranges for feeds with MetaCallbacks of multiple different value types is not supported.
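
The two rules in the note above can be checked before a feed pair is uploaded. The following pre-upload lint is an added example, not RSA code: the function name lint_cidr_feed and the sample strings are constructed here, and it assumes a one-character separator and a 1-based Field index as in the ip_test example.

```python
import csv
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample inputs mirroring the ip_test feed shown above.
SAMPLE_CSV = "# constructed sample\n192.168.0.0/24, Sydney\n192.168.1.0/24, Melbourne\n"
SAMPLE_FDF = """<FDF>
 <FlatFileFeed name="ip_test" path="ip_test.csv" separator="," comment="#">
  <MetaCallback name="DstIP" valuetype="IPv4" apptype="0" truncdomain="false">
   <Meta name="ip.dst"/>
  </MetaCallback>
  <LanguageKeys><LanguageKey name="alert" valuetype="Text"/></LanguageKeys>
  <Fields>
   <Field index="1" type="index" range="cidr"/>
   <Field index="2" type="value" key="alert"/>
  </Fields>
 </FlatFileFeed>
</FDF>"""

def lint_cidr_feed(fdf_xml, csv_text):
    """Return a list of problems; an empty list means the pair is consistent."""
    feed = ET.fromstring(fdf_xml).find("FlatFileFeed")
    sep, comment = feed.get("separator", ","), feed.get("comment", "#")
    # Rule from the note: all MetaCallbacks share one value type (IPv4 or IPv6).
    types = {cb.get("valuetype", "") for cb in feed.iter("MetaCallback")}
    if len(types) != 1 or not types <= {"IPv4", "IPv6"}:
        return [f"MetaCallbacks need one IPv4 or IPv6 valuetype, got {sorted(types)}"]
    version = 4 if types == {"IPv4"} else 6
    # Rule from the note: the field of type index MUST carry range="cidr".
    index = [f for f in feed.iter("Field") if f.get("type") == "index"]
    if len(index) != 1 or index[0].get("range") != "cidr":
        return ['the Field of type "index" must carry range="cidr"']
    col = int(index[0].get("index")) - 1  # assumed 1-based, as in the example
    problems = []
    for lineno, line in enumerate(csv_text.splitlines(), 1):
        if not line.strip() or line.lstrip()[0] in comment:
            continue  # skip blank lines and comment lines
        row = next(csv.reader([line], delimiter=sep))
        try:
            # strict=True also rejects host bits; a choice made by this example.
            net = ipaddress.ip_network(row[col].strip(), strict=True)
        except (ValueError, IndexError) as exc:
            problems.append(f"line {lineno}: bad index value ({exc})")
            continue
        if net.version != version:
            problems.append(f"line {lineno}: {net} is not IPv{version}")
    return problems

if __name__ == "__main__":
    print(lint_cidr_feed(SAMPLE_FDF, SAMPLE_CSV) or "feed pair is consistent")
```
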
