I know that in a Log Decoder Service, the log processing sequence is like:
Parsers --> Rules --> Feeds
but, I need to create an App Rule to generate meta based on other meta generated by a custom feed.
The use case is as follows:
I got a user.src and search that username in a custom feed. The feed enriches that meta with a new one: user.src.name. I want to generate an alert meta when in a log I got user.src but not user.src.name.
I believe feeds are applied before App Rules. Feeds should be applied right after the parsing stage, so you're able to refer to meta generated by them in App Rules. Note that App Rules are run in top-down fashion, like a firewall rule chain, so app rules can even refer to other app rules as long as they're placed below them in-order.
Could be just as simple as
user.src exists && user.src.name !exists
You might want to add some additional context in there such as
medium=32 <-- logs only
device.type = xxxx <-- focus on one or n device types this should focus on
The common order of operations was Parsers, Feeds, then App rules. However, it's really about tokens.
I've had parsers look for tokens that would only be created by app rules.
Anyways...just wanted to clarify.
Chris is correct on the order of operations, but as a note, ANY new meta generated (by app rule or parser or feed) will cause a re-processing of the feeds. So if you generate a meta-value in an application rule or another feed, that could affect any other feeds (feeds using that meta-key as an index value); then those feeds will re-process and generate any meta values if the feed gets a hit, which could then cause other feed(s) to process, etc.
Feeds are triggered by matching against meta in a particular key or keys it is configured to look at.
App rules are made by combining 1 or more pieces of meta and calling it some other new piece of meta. They usually operate at the end of the session. If you took a close look at the meta in a session, note the order in which it is presented. That is the order in which the meta was generated as well. In many cases, app rules are toward the bottom.
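As an added, constructed model of the processing order described in the replies above (parser meta, then feeds, then app rules run top-down, with feeds re-evaluated whenever new meta appears), not code from the thread or from NetWitness itself: the feed contents, the `user.dept` key and the rule name are hypothetical, and the app rule encodes the suggested `user.src exists && user.src.name !exists` with the `medium=32` context.

```python
# Constructed sample feeds (hypothetical content, not real NetWitness feed files).
# Each feed is indexed on one meta key and, on a hit, adds the listed meta.
USER_FEED = {"index_key": "user.src",
             "rows": {"jdoe": {"user.src.name": "John Doe"}}}
# Second feed indexed on meta that only the first feed produces: this is the
# cascade described in the thread (new meta re-triggers other feeds).
DEPT_FEED = {"index_key": "user.src.name",
             "rows": {"John Doe": {"user.dept": "Finance"}}}  # hypothetical key
FEEDS = (USER_FEED, DEPT_FEED)

# App rule for the thread's use case, with the suggested logs-only context:
#   medium=32 && user.src exists && user.src.name !exists
def rule_user_without_feed_hit(meta):
    return (meta.get("medium") == 32
            and "user.src" in meta
            and "user.src.name" not in meta)

# Rules are evaluated top-down; a match adds the rule name as alert meta.
APP_RULES = [("user_without_feed_hit", rule_user_without_feed_hit)]

def apply_feeds(meta, feeds):
    """Run every feed once; return True if any feed added new meta."""
    added = False
    for feed in feeds:
        value = meta.get(feed["index_key"])
        if value is None:
            continue
        for key, val in feed["rows"].get(value, {}).items():
            if key not in meta:          # never overwrite existing meta
                meta[key] = val
                added = True
    return added

def process_session(parsed_meta, feeds=FEEDS, rules=APP_RULES):
    """Parser meta -> feeds (re-run until stable) -> app rules top-down.
    Meta created by an app rule re-triggers the feeds, as the thread notes."""
    meta = dict(parsed_meta)
    while apply_feeds(meta, feeds):
        pass
    for alert_name, predicate in rules:
        if predicate(meta):
            meta.setdefault("alert", []).append(alert_name)
            while apply_feeds(meta, feeds):
                pass
    return meta

if __name__ == "__main__":
    print(process_session({"medium": 32, "user.src": "jdoe"}))     # feed hit
    print(process_session({"medium": 32, "user.src": "nobody"}))   # alert fires
```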