Decoder: Use Custom Feeds

Document created by RSA Information Design and Development on Sep 13, 2017. Last modified by RSA Information Design and Development on Oct 11, 2017.
Version 6
 

The NetWitness Suite Custom Feed wizard allows creation and deployment of custom Decoder feeds based on deterministic logic, offering the meta keys available on the selected Decoders and Log Decoders. Although the wizard guides users through the process of creating both on-demand and recurring feeds, it is helpful to understand the form and content of a feed file when you create a feed.

Feed filenames in RSA NetWitness Suite are in the form <filename>.feed. To create a feed, NetWitness Suite requires a feed data file in .csv or .xml format and a feed definition file in .xml format, which describes the structure of the feed data file. The Custom Feed wizard can generate the feed definition file from your wizard entries for a feed data file, or you can supply a feed data file together with a corresponding feed definition file that you wrote yourself.

The files that you use to create an on-demand feed must be stored on your local file system. The files used to create a recurring feed must be stored at an accessible URL, from which NetWitness Suite fetches the most current version of the file for each recurrence. After a NetWitness Suite feed is created, you can download the feed to your local file system, edit the feed files, and then edit the NetWitness Suite feed to use the updated feed files.

Sample Feed Definition File

This is an example of a feed definition file named dynamic_dns.xml, which NetWitness Suite creates based on your entries in the Custom Feed wizard. It defines the structure of the feed data file named dynamic_dns.csv.

Note: The feed file path should be .csv regardless of the Feed Type (Default or STIX).

<?xml version="1.0" encoding="utf-8"?>
<FDF xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="feed-definitions.xsd">
    <FlatFileFeed name="Dynamic DNS Domain Feed"
            path="dynamic_dns.csv"
            separator=","
            comment="#"
            version="1">
        <MetaCallback
                name="alias.host"
                valuetype="Text"
                apptype="0"
                truncdomain="true"/>
        <LanguageKeys>
            <LanguageKey name="threat.source" valuetype="Text" />
            <LanguageKey name="threat.category" valuetype="Text" />
            <LanguageKey name="threat.desc" valuetype="Text" />
        </LanguageKeys>
        <Fields>
            <Field index="1" type="index" key="alias.host" />
            <Field index="4" type="value" key="threat.desc" />
            <Field index="2" type="value" key="threat.source" />
            <Field index="3" type="value" key="threat.category" />
        </Fields>
    </FlatFileFeed>
</FDF>

Feed Definition Equivalents for Custom Feed Wizard Parameters

The NetWitness Suite Custom Feed wizard provides options to define the structure of the data feed file. These correspond directly to attributes in the feed definition (.xml) file.

Each entry below names the NetWitness Suite parameter (with the wizard tab on which it appears), followed by its feed definition file equivalent.

(Define Feed tab) Feed Type
Select Default to define a feed based on a .csv-formatted feed data file, or STIX to define a feed based on a STIX-formatted .xml file.

(Define Feed tab) Feed Task Type
Select Adhoc to create an on-demand feed, or Recurring to create a feed whose .csv or .xml file you keep up to date at a location accessible to NetWitness Suite, so that NetWitness Suite downloads the file at regular intervals and pushes it to the downstream devices.

(Define Feed tab) Name
The custom feed name. It corresponds to the FlatFileFeed name attribute in the feed definition file. For example, Dynamic DNS Test Feed.

Note: You can use special characters to define the name of the custom feed.

(Define Feed tab) File / Browse
The name of the feed data file. It corresponds to the FlatFileFeed path attribute in the feed definition file. For example, dynamic_dns.csv.

(Advanced Options tab) XML Feed File
The name of the feed definition file. For example, dynamic_dns.xml.

(Advanced Options tab) Separator
The character used to separate fields in the feed data file. It corresponds to the FlatFileFeed separator attribute in the feed definition file. For example, a comma.

(Advanced Options tab) Comment
The character used to identify a comment line in the feed data file. It corresponds to the FlatFileFeed comment attribute in the feed definition file. For example, #.

(Define Columns tab, Define Index) Type
The type of lookup value in the index position of the feed data file.
IP means that each row in the feed data file contains an IP address in the lookup value position. The IP value is in dotted-decimal format (for example, 10.5.187.42).
IP Range means that each row in the feed data file contains a range of IP addresses in the lookup value position. The IP range is in CIDR format (for example, 192.168.2.0/24).
Non IP means that each row in the feed data file contains a metadata value other than an IP address in the lookup value position. The Service Type, Truncate Domain, and Callback Keys fields become active for a Non IP index.

(Define Columns tab, Define Index) CIDR
Specifies that the IP value in the lookup position is in CIDR format. The CIDR attribute sets the IP address format in the field to Classless Inter-Domain Routing (CIDR) notation.

(Define Columns tab, Define Index) Service Type
For a Non IP index, the integer service type used to filter meta lookups. It corresponds to the MetaCallback apptype attribute in the feed definition file. A value of 0 indicates no filtering by service type.

(Define Columns tab, Define Index) Truncate Domain
For a Non IP index whose meta values contain domain names (for example, hostnames), the system can strip off the host-specific element of the value. Truncate Domain corresponds to the MetaCallback truncdomain attribute. If the value is www.example.com, it is truncated to example.com. A value of False selects no truncation, and True selects truncation.

(Define Columns tab, Define Index) Callback Keys
For a Non IP index, the meta keys to match on instead of ip.src/ip.dst (the defaults for the IP index type), selectable from the drop-down list. The Callback Key corresponds to the MetaCallback name attribute, and the index column of the .csv file must contain data that can match the chosen meta key. For example, if the username meta key is chosen, the index column of the .csv file must be populated with user names to be matched.

(Define Columns tab, Define Index) Index Column
Identifies the column in the feed data file that provides the lookup value for the row. Each position in each row of the feed data file is identified by a Field index attribute in the feed definition file. A field with an index of 1 is the first entry in a row, the second field has an index of 2, the third field has an index of 3, and so on.

(Define Values tab) Key
The name of the LanguageKey, as defined in the feed definition file, for which meta is created from this row of the feed data file. It corresponds to the Field key attribute in the feed definition file. A key applies only to a field whose type is set to value. The feed definition file lists LanguageKeys taken from index.xml, or a summary name when Source Name and Destination Name are used. For example, reputation is a summary name for reputation.src and reputation.dst. This value is referenced by the Field key attribute.

Sample Files for a MetaCallback Feed Using CIDR Index Range for IPv4 and IPv6

These sample files demonstrate how to use CIDR index ranges for IPv4 and IPv6 in custom MetaCallback feeds. As with other custom feeds, you must create a feed data file in .csv format and a feed definition file in .xml format.

Note: Using MetaCallback feeds with CIDR index ranges is supported only through the Advanced Configuration wizard or the REST interface.

The following example shows the contents of both a .csv file and an .xml file for a MetaCallback feed using CIDR index ranges for IPv4 or IPv6.

.csv file:

192.168.0.0/24, Sydney
192.168.1.0/24, Melbourne

.xml file:

<?xml version="1.0" encoding="UTF-8"?>
<FDF xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="feed-definitions.xsd">
    <FlatFileFeed name="ip_test" path="ip_test.csv" separator="," comment="#">
        <MetaCallback name="DstIP" valuetype="IPv4" apptype="0" truncdomain="false">
            <Meta name="ip.dst"/>
        </MetaCallback>
        <LanguageKeys>
            <LanguageKey name="alert" valuetype="Text" />
        </LanguageKeys>
        <Fields>
            <Field index="1" type="index" range="cidr"/>
            <Field index="2" type="value" key="alert" />
        </Fields>
    </FlatFileFeed>
</FDF>

Note: To configure a CIDR index range for feeds with single or multiple MetaCallbacks of value type IPv4 or IPv6, the field of type index MUST contain a range attribute with range="cidr". Also, configuring "cidr" index ranges for feeds with MetaCallbacks of multiple different value types is not supported.
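The following is an added example, not RSA's code and not part of the NetWitness Suite product, that ties together the feed definition structure described above (FlatFileFeed, MetaCallback, LanguageKeys and Field entries, the truncdomain behaviour) and the CIDR index range sample: it parses a feed definition file, loads the matching feed data file using the definition's separator and comment settings, and resolves sample session meta values against the resulting table, so you can sanity-check a feed offline before uploading it. The two feeds it uses are the page's own dynamic_dns and ip_test definitions, re-entered inline with constructed data rows. Assumptions that go beyond what the page states: whitespace around a field is trimmed; truncdomain keeps the last two DNS labels; the callback meta keys are the <Meta> children of MetaCallback when present and the MetaCallback name otherwise (as in the two samples); apptype (service type) filtering is not modelled.

```python
"""Added example (not RSA's code): an offline checker for a NetWitness-style custom feed.
It parses the feed definition (.xml, FDF), loads the data file (.csv) as the definition
prescribes and resolves sample meta values, covering truncdomain and range="cidr"."""
import csv
import ipaddress
import xml.etree.ElementTree as ET

# Constructed samples: the dynamic_dns definition from the page (plus a data row) and the CIDR feed.
DYNAMIC_DNS_XML = """<FDF xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <FlatFileFeed name="Dynamic DNS Domain Feed" path="dynamic_dns.csv" separator="," comment="#" version="1">
    <MetaCallback name="alias.host" valuetype="Text" apptype="0" truncdomain="true"/>
    <LanguageKeys><LanguageKey name="threat.source" valuetype="Text"/>
      <LanguageKey name="threat.category" valuetype="Text"/><LanguageKey name="threat.desc" valuetype="Text"/></LanguageKeys>
    <Fields><Field index="1" type="index" key="alias.host"/><Field index="4" type="value" key="threat.desc"/>
      <Field index="2" type="value" key="threat.source"/><Field index="3" type="value" key="threat.category"/></Fields>
  </FlatFileFeed></FDF>"""
DYNAMIC_DNS_CSV = "# domain,source,category,description\ndyndns.example,OSINT,dynamic-dns,Free dynamic DNS provider\n"
CIDR_XML = """<FDF xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <FlatFileFeed name="ip_test" path="ip_test.csv" separator="," comment="#">
    <MetaCallback name="DstIP" valuetype="IPv4" apptype="0" truncdomain="false"><Meta name="ip.dst"/></MetaCallback>
    <LanguageKeys><LanguageKey name="alert" valuetype="Text"/></LanguageKeys>
    <Fields><Field index="1" type="index" range="cidr"/><Field index="2" type="value" key="alert"/></Fields>
  </FlatFileFeed></FDF>"""
CIDR_CSV = "192.168.0.0/24, Sydney\n192.168.1.0/24, Melbourne\n"

def parse_definition(xml_text):
    """Pull the attributes a loader needs out of the FlatFileFeed element."""
    feed = ET.fromstring(xml_text.encode("utf-8")).find("FlatFileFeed")
    callback = feed.find("MetaCallback")
    fields = feed.find("Fields").findall("Field")
    index_fields = [f for f in fields if f.get("type") == "index"]
    if len(index_fields) != 1:
        raise ValueError("definition needs exactly one Field of type index")
    values = [(int(f.get("index")), f.get("key")) for f in fields if f.get("type") == "value"]
    declared = {k.get("name") for k in feed.find("LanguageKeys")}
    undeclared = [key for _, key in values if key not in declared]
    if undeclared:
        raise ValueError(f"value Field keys missing from LanguageKeys: {undeclared}")
    return {
        "separator": feed.get("separator", ","), "comment": feed.get("comment", "#"),
        # callback keys: <Meta> children if present, else the MetaCallback name (as in the page's two samples)
        "callback_keys": [m.get("name") for m in callback.findall("Meta")] or [callback.get("name")],
        "valuetype": callback.get("valuetype"),
        "truncdomain": callback.get("truncdomain", "false").lower() == "true",
        "index_col": int(index_fields[0].get("index")),
        "cidr": index_fields[0].get("range") == "cidr",
        "values": values,
    }

def load_rows(definition, csv_text):
    """Split the data file with the definition's separator/comment and map columns to keys."""
    lines = [ln for ln in csv_text.splitlines() if ln.strip() and not ln.lstrip().startswith(definition["comment"])]
    needed = max([definition["index_col"]] + [i for i, _ in definition["values"]])
    rows = []
    for n, cells in enumerate(csv.reader(lines, delimiter=definition["separator"]), 1):
        cells = [c.strip() for c in cells]  # assumption: whitespace around a field is not significant
        if len(cells) < needed:
            raise ValueError(f"row {n}: {len(cells)} fields, but the definition references column {needed}")
        lookup = cells[definition["index_col"] - 1]
        if "/" in lookup and definition["valuetype"] in ("IPv4", "IPv6") and not definition["cidr"]:
            raise ValueError(f'row {n}: CIDR value {lookup!r} but the index Field lacks range="cidr"')
        rows.append((lookup, {key: cells[i - 1] for i, key in definition["values"]}))
    return rows

def truncate_domain(host):
    """truncdomain="true": www.example.com -> example.com. Assumption: keep the last
    two labels; the page does not say how multi-label suffixes like co.uk are handled."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class FeedLookup:
    """In-memory stand-in for the table a Decoder builds from a loaded feed."""
    def __init__(self, definition, rows):
        self.d = definition
        if definition["cidr"]:
            self.networks = [(ipaddress.ip_network(k, strict=False), meta) for k, meta in rows]
        else:
            self.exact = {k.lower(): meta for k, meta in rows}

    def match(self, meta_key, value):
        """Return the meta the feed would add for one session meta value, or None."""
        if meta_key not in self.d["callback_keys"]:
            return None  # apptype (service type) filtering is not modelled here
        if self.d["cidr"]:
            addr = ipaddress.ip_address(value)
            wanted = {"IPv4": 4, "IPv6": 6}.get(self.d["valuetype"])
            if wanted and addr.version != wanted:
                return None  # a valuetype="IPv4" callback never matches an IPv6 address
            return next((meta for net, meta in self.networks if addr in net), None)
        if self.d["truncdomain"]:
            value = truncate_domain(value)
        return self.exact.get(value.lower())

def build(xml_text, csv_text):
    definition = parse_definition(xml_text)
    return FeedLookup(definition, load_rows(definition, csv_text))

if __name__ == "__main__":
    print(build(DYNAMIC_DNS_XML, DYNAMIC_DNS_CSV).match("alias.host", "c2.dyndns.example"))
    print(build(CIDR_XML, CIDR_CSV).match("ip.dst", "192.168.1.77"))
```

Two checks in the loader correspond to failure modes the page calls out: a row with fewer columns than the highest Field index referenced is rejected rather than silently producing empty meta, and a CIDR-looking lookup value in an IPv4/IPv6 MetaCallback feed whose index Field lacks range="cidr" is rejected, matching the note above. The IPv6 guard in match shows why mixing value types in one CIDR feed is not meaningful: a callback declared as IPv4 simply never sees an IPv6 address as a hit.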
