Skip to content
  • There are no suggestions because the search field is empty.

Manage Custom Feeds

Manage Custom Feeds

The custom feed capability is implemented using the Custom Feed Wizard in NetWitness, allowing you to quickly populate Decoders with custom and identity feeds.

Custom Feed Creation

You can use the Live > Custom Feeds > Setup Feed > Configure a Custom Feed wizard to create and deploy Decoder feeds based on deterministic logic that offers the meta keys specific to the selected Decoders and Log Decoders. Although the wizard guides you through the process to create both on-demand and recurring feeds, you should understand the form and content of a feed file when you create a feed.

Feed file names in RSA NetWitness are in the form .feed. To create a feed, NetWitness requires a feed data file in .csv or .xml (for STIX) format and a feed definition file in .xml format, which describes the structure of a feed data file. The Configure a Custom Feed wizard can create the feed definition file based on a feed data file, or based on a feed data file and the corresponding feed definition file.

The files that you use to create an on-demand feed must be stored on your local file system. The files used to create a recurring feed must be stored at an accessible URL, whence NetWitness can fetch the most current version of the file for each recurrence. After a NetWitness feed is created, you can download the feed to your local file system, edit the feed files, and edit the NetWitness feed to use the updated feed files.

Sample Feed Definition FileSample Feed Definition File

This is an example of a feed definition file named dynamic_dns.xml, which NetWitness creates based on your entries in the Feed wizards. It defines the structure of the feed data file named dynamic_dns.csv.

Note: The feed file path should be .csv regardless of the Feed Type (Default or STIX).

Copy

Sample Feed Definition File

<?xml version="1.0" encoding="utf-8"?>
<FDF xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="feed-definitions.xsd">
<FlatFileFeed name="Dynamic DNS Domain Feed"
path="dynamic_dns.csv"
separator=","
comment="#"
version="1">

<MetaCallback
name="alias.host"
valuetype="Text"
apptype="0"
truncdomain="true"/>

<LanguageKeys>
<LanguageKey name="threat.source" valuetype="Text" />
<LanguageKey name="threat.category" valuetype="Text" />
<LanguageKey name="threat.desc" valuetype="Text" />
</LanguageKeys>

<Fields>
<Field index="1" type="index" key="alias.host" />
<Field index="4" type="value" key="threat.desc" />
<Field index="2" type="value" key="threat.source" />
<Field index="3" type="value" key="threat.category" />
</Fields>

</FlatFileFeed>
</FDF>

Feed Definition Equivalents for Custom Feed Wizard Parameters

The NetWitness Feeds wizard provide options to define the structure of the data feed file. These correspond directly to attributes in the feed definition (.xml) file.

Next steps