How to identify which feed is generating particular meta data in RSA Security Analytics
Issue
Tasks
Follow the instructions in this article to find out which feeds on the Log Decoder are generating a particular meta key.
Resolution
All of the commands below need to be run on the Log Decoder via an SSH session.
If "SSL trustmode" is enabled on the Log Decoder service, issue the command below:
NwConsole -c login localhost:56004 admin
If "SSL trustmode" is not enabled on the Log Decoder service, issue the command below:
NwConsole -c login localhost:50004 admin
Variables:
Replace the admin password (Password123! in the example below) with the admin password of your Log Decoder service.
Replace the meta key (threat.desc in the example below) with the meta key you are investigating.
Example for the "threat.desc" meta key:
[root@LDecoder ~]# NwConsole -c login localhost:50002 admin Password123! -c /decoder/parsers/feeds ls depth=2 | egrep "(feed.meta)" | grep "threat.desc" | awk -F\/ '{print $5}'
MaliciousUAString.feed
dynamic_dns.feed
nwconst_apt_attachments.feed
nwconst_apt_domain.feed
nwconst_apt_ip.feed
nwconst_c2_domains.feed
nwconst_c2_ips.feed
nwconst_exploit_domains.feed
nwconst_exploit_ips.feed
nwconst_insider_domain.feed
nwconst_insider_ip.feed
nwconst_reputation_ips.feed
nwconst_socks_proxies_ip_recent.feed
nwconst_socks_user_ip_recent.feed
nwconst_vpn_entry_domain_recent.feed
nwconst_vpn_entry_ip_recent.feed
nwconst_vpn_exit_domain_recent.feed
nwconst_vpn_exit_ip_recent.feed
nwhijacked.feed
nwidefthreatindicators_domain.feed
nwmalwaredomainlist.feed
nwmalwaredomains.feed
nwmalwareiplist.feed
nwrsa_third_party_ioc_domain.feed
nwrsa_third_party_ioc_ip.feed
nwrsafraudactiondomain.feed
nwrsafraudactionip.feed
nwspamhaus_drop_list_ip.feed
nwspamhaus_edrop_list_ip.feed
nwspyeyedomains.feed
nwspyeyetracker.feed
nwsriattacker.feed
nwtor_exit_nodes_ip_recent.feed
nwtor_nodes_ip_recent.feed
nwzeusdomains.feed
nwzeustracker.feed
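The pipeline above relies on grep "threat.desc", where the unescaped dot is a wildcard and the match is a substring match, so it also reports feeds writing, for example, threat.description. The script below is an added example (not from the RSA article) that reads the output of the same NwConsole query and matches the meta key as a whole comma-separated token; the listing format it parses is an assumption modelled on the article's awk field 5 extraction, and the sample listing is constructed.

```sh
#!/bin/sh
# Added example, not part of the RSA article. Reads the output of the
# article's NwConsole query on stdin and prints the feeds whose feed.meta
# lists the requested meta key. The listing format below is an ASSUMPTION
# modelled on the article's awk (-F/ '{print $5}'), i.e. lines of the form
#   /decoder/parsers/feeds/<name>.feed/feed.meta = "key1,key2,..."
# Check it against a live "ls depth=2" before relying on it.

# Constructed sample standing in for real Log Decoder output.
SAMPLE_LISTING='/decoder/parsers/feeds/nwzeusdomains.feed/feed.meta = "threat.desc,threat.category"
/decoder/parsers/feeds/nwzeusdomains.feed/feed.type = "dynamic"
/decoder/parsers/feeds/dynamic_dns.feed/feed.meta = "threat.description"
/decoder/parsers/feeds/MaliciousUAString.feed/feed.meta = "threat.desc"
/decoder/parsers/feeds/nwhijacked.feed/feed.meta = "threat.source,threat_desc"'

# feeds_for_meta KEY: one feed name per line for every feed.meta entry that
# contains KEY as a whole comma-separated token. A plain grep "threat.desc"
# treats "." as a wildcard and matches substrings, so it would also report
# the feeds writing threat.description and threat_desc above; this does not.
feeds_for_meta() {
    awk -F/ -v key="$1" '
        /\/feed\.meta *=/ {
            name = $5                      # 5th "/"-separated field is the feed
            value = $0
            sub(/^[^=]*= *"?/, "", value)  # keep only the quoted value ...
            sub(/" *$/, "", value)         # ... without its quotes
            n = split(value, keys, / *, */)
            for (i = 1; i <= n; i++)
                if (keys[i] == key) { print name; break }
        }'
}

# Stand-alone demonstration on the constructed sample. Against a real
# Log Decoder, pipe the article's query into the function instead:
#   NwConsole -c login localhost:50004 admin "$PASSWORD" \
#       -c /decoder/parsers/feeds ls depth=2 | feeds_for_meta threat.desc
printf '%s\n' "$SAMPLE_LISTING" | feeds_for_meta threat.desc
```

Note that the admin password passed on the command line ends up in the shell history and is visible in the process list on the Log Decoder while NwConsole runs.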
Product Details
RSA Product Set: Security Analytics, NetWitness Logs & Packets
RSA Product/Service Type: Log Decoder
RSA Version/Condition: 10.4.x,10.5.x,10.6.x