Decoder: Services Config View - Feeds Tab

Document created by RSA Information Design and Development Employee on Sep 13, 2017Last modified by RSA Information Design and Development Employee on Apr 23, 2020
Version 21Show Document
  • Comment0
  • View in full screen mode
 

Feeds and parsers are Lua programs loaded and compiled when either processing capture files in NetWitness Investigate or capturing data with Decoders. Most commonly, they are used for static meta extraction and service identification.

Note: Pre-11.0 versions of NetWitness used FLEXPARSE programs in addition to Lua programs; Flexparsers are deprecated in NetWitness Platform 11.0. Unless otherwise stated, any reference to Decoders applies to Log Decoders as well.

NetWitness Platform uses feeds to create metadata based on externally defined meta values. A feed is a list of data that is compared to sessions as they are captured or processed. For each match, additional metadata is created. This data can identify and classify malicious IPs or incorporate additional information such as department and location based on internal network assignments. Some examples of feeds include threat feeds to identify BOTNets, DHCP mappings, or even active directory information such as physical location or logical department.

Feeds can be added, removed, and updated while a Decoder is running without affecting capture. The Feeds tab (Admin > Services > select a Decoder or Log Decoder service and click The actions drop-down menu > View > Config > Feeds tab) provides a user interface for managing feeds on Decoders.

What do you want to do?

                       
User RoleI want to...Documentation
Administratorconfigure feedsConfigure Parsers and Feeds
Administratorenable and disable parsersEnable and Disable Parsers and Log Parsers

Related Topics

Quick Look

This is an example of the Feeds tab.

This is the Feeds tab for a Log Decoder.

             
1Feeds Tab Toolbar - Provides options to work with feeds in the grid
2Feed List - Lists all feeds that are currently deployed on the Decoder

Feeds Tab Toolbar

                   
FeatureDescription
The Feed Upload icon Displays the Upload Feeds dialog.
The delete icon Deletes the selected feeds.

Feeds List

The Feeds list provides a listing of all currently deployed feeds for the Decoder.

                     
ColumnDescription
Name The name of the feed or the feed file.
Live Indicates if the feed originated from Live. Possible values are Yes, No, or N/A.
  • Yes = Installed through Live
  • No = Installed through NetWitness Platform
  • N/A = The feed has no attributes file created by NetWitness Platform to track the installation date. The feed may have been installed manually, not through NetWitness Platform or Live Services. Manually installed feeds still function properly.
Date Installed The date the feed was pushed to the service.

You are here
Table of Contents > Decoder and Log Decoder References > Services Config View - Feeds Tab

Attachments

    Outcomes

      Visibility: RSA NetWitness Platform Online Documentation169 Views
      Last modified on Apr 23, 2020 3:14 PM
      Ratings: