
Managing 3rd party feeds

Question asked by Tomi Reiman on Aug 7, 2014
Latest reply on Aug 12, 2014 by Sean Koniarz

I have a few questions regarding Live feeds:


1. Is there a best practice for finding out which feed generated which meta, and based on what observation? If one log entry results in meta generated from multiple feeds, it is hard to find what came from where. I'm hoping for built-in functionality in SA to, for example, populate the feed.name meta based on the feed (feed name / file name). At the moment that particular meta does not seem to be used that widely, which is a shame.


2. Linked to the first question is how to filter out certain values that are looked for in 3rd party feeds. I tried adding a .filter file named similarly to the feed which I was quite sure was generating the false positives I wanted to leave out. I tried this in both the /etc/netwitness/ng/ and ../feeds paths, but to no avail. Services were not restarted, but I issued a reload instruction to /decoder/parsers. I understand I could create an application rule to create a meta value describing that particular domain, IP or whatever to be "whitelisted", but I want to cut down on the meta that is currently populated to threat.category etc. based on false positives.


Am I doing something wrong, or did I just presume wrongly about the feed name that is generating the false positives? And if so, we're back at question number 1: how can I find out for sure what is creating what, based on what? I had a hard time finding anything regarding feed filters in the SA documentation.
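To make the two questions above concrete, here is an added example that is not part of the original post and is not RSA Security Analytics code: a small hypothetical model of feed-based meta enrichment in which every generated meta carries the name of the feed that produced it and the indicator that matched, and a per-feed filter list suppresses known false positives before any meta is emitted. The feed names, the `.filter` file format (one indicator per line, `#` comments), the meta keys and the indicators are all constructed for the example; nothing here describes how SA actually implements feeds or filters.

```python
from dataclasses import dataclass, field
from collections import defaultdict


@dataclass
class Feed:
    """One lookup feed. The file name doubles as the provenance label."""
    name: str                 # e.g. "malicious-domains.csv" (hypothetical name)
    index_key: str            # meta key the feed is matched against
    entries: dict             # indicator -> {meta key: value} to populate on a hit
    filters: set = field(default_factory=set)  # indicators suppressed for this feed


@dataclass(frozen=True)
class Meta:
    key: str
    value: str
    feed_name: str            # which feed produced this meta
    indicator: str            # the observed value that matched


def parse_filter_file(text):
    """Parse a constructed, hypothetical '.filter' format: one indicator per
    line, blank lines and '#' comments ignored, matching is case-insensitive."""
    out = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            out.add(line.lower())
    return out


def apply_feeds(session, feeds):
    """Enrich one session (dict of meta key -> value or list of values).
    Each generated meta records the feed name and the matching indicator, and
    a feed.name meta is emitted once per feed hit so provenance is queryable."""
    produced = []
    for feed in feeds:
        observed = session.get(feed.index_key)
        if observed is None:
            continue
        values = observed if isinstance(observed, list) else [observed]
        for v in values:
            v = v.lower()
            if v in feed.filters:            # whitelisted: emit nothing from this feed
                continue
            entry = feed.entries.get(v)
            if not entry:
                continue
            for k, val in entry.items():
                produced.append(Meta(k, val, feed.name, v))
            produced.append(Meta("feed.name", feed.name, feed.name, v))
    return produced


def explain(metas):
    """Group produced meta by (key, value) -> sorted list of (feed, indicator),
    so a value emitted by several feeds, e.g. threat.category=malware, can be
    traced back to each feed and observation that caused it."""
    origins = defaultdict(list)
    for m in metas:
        origins[(m.key, m.value)].append((m.feed_name, m.indicator))
    return {kv: sorted(src) for kv, src in origins.items()}


# Constructed sample data: not real feeds and not real indicators.
DOMAIN_FEED = Feed("malicious-domains.csv", "alias.host",
                   {"bad.example": {"threat.category": "malware",
                                    "threat.source": "domain-feed"}})
IP_FEED = Feed("suspicious-ips.csv", "ip.dst",
               {"203.0.113.5": {"threat.category": "malware",
                                "threat.source": "ip-feed"}})
SESSION = {"alias.host": "BAD.example", "ip.dst": "203.0.113.5"}
FILTER_FILE = "# false positives for malicious-domains.csv\nbad.example\n"


def run(filtered):
    """Return explain() output for SESSION, with the filter file applied to
    DOMAIN_FEED when filtered=True. Used by the demo below."""
    domain_feed = Feed(DOMAIN_FEED.name, DOMAIN_FEED.index_key, DOMAIN_FEED.entries,
                       parse_filter_file(FILTER_FILE) if filtered else set())
    return explain(apply_feeds(SESSION, [domain_feed, IP_FEED]))


if __name__ == "__main__":
    for label, result in (("unfiltered", run(False)), ("filtered", run(True))):
        print(label)
        for (k, v), origins in sorted(result.items()):
            print(f"  {k}={v}  <- {origins}")
```

Without the filter, `threat.category=malware` is attributed to both feeds, each with the indicator that matched; with the filter, the domain feed emits nothing for `bad.example`, so the IP feed is the only remaining origin and no `feed.name=malicious-domains.csv` meta appears. Recording provenance at the moment a feed hit is generated is what makes the false-positive hunt in question 2 tractable: once the origin is known, the filter goes on the right feed.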
