
Issue with collecting emails from STIX on NetWitness 12.x and above

Issue

When following the article https://community.netwitness.com/t5/netwitness-platform-online/create-a-stix-custom-feed/ta-p/669252, a STIX file containing email addresses has an issue: the email addresses are not collected into the feed.

This can be confirmed with the following steps:

  1. SSH to the Log Decoder on which the custom STIX feed is deployed.
  2. Run the following commands:
    >NwConsole
    >feed dump /etc/netwitness/ng/feeds/ .feed /root/output.txt
  3. The output lists the fields collected from the STIX file. Ideally the email addresses should appear here; with this issue they are missing.


Resolution

Fetching Email Category Using the EmailMessageObj Tag

In order to fetch the email category, you need to use the EmailMessageObj tag. The email structure can include components such as the header, sender (From), subject, and the attachment file. Here are examples of how the STIX XML file should look:

Wrong Format: (the address object sits directly under cybox:Properties, so the feed never picks it up)

</cybox:Keywords>
<cybox:Object id="threatstream:EmailAddress-3267347a-b521-4996-b174-6ea8b866bf0e">
  <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="e-mail">
    <AddressObj:Address_Value>PUT EMAIL ADDRESS HERE</AddressObj:Address_Value>
  </cybox:Properties>


_______________________________________________________________

Correct Format: (Note the additional EmailMessageObj portions wrapping the address)

</cybox:Keywords>
<cybox:Object id="threatstream:EmailAddress-3267347a-b521-4996-b174-6ea8b866bf0e">
  <cybox:Properties xsi:type="EmailMessageObj:EmailMessageObjectType">
    <EmailMessageObj:Header>
      <EmailMessageObj:From category="e-mail">
        <AddressObj:Address_Value>PUT EMAIL ADDRESS HERE</AddressObj:Address_Value>
      </EmailMessageObj:From>
    </EmailMessageObj:Header>
  </cybox:Properties>


To collect the data from email addresses:

  1. The email address value must be placed under Indicator > EmailMessageObj:Header > EmailMessageObj:From > AddressObject.
  2. Only one email address is allowed per indicator's EmailMessageObj. To collect multiple email addresses, put each one in its own indicator with its own EmailMessageObj.
  3. A value in EmailMessageObj:To is ignored.
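
A small checker, added here as an example and not part of the NetWitness article or product, that applies the three rules above to a STIX 1.x file using only Python's standard library: it reports which email addresses sit in the collected position (EmailMessageObj Header > From > Address_Value) and which the feed will ignore. It assumes the standard CybOX 2.x namespace URIs for the prefixes shown, treats any second address under From as ignored (my reading of rule 2), and runs against a constructed sample document embedded inline.

```python
import xml.etree.ElementTree as ET

# Namespace URIs behind the CybOX 2.x prefixes used in the fragments above.
CYBOX = "http://cybox.mitre.org/cybox-2"
EMAIL = "http://cybox.mitre.org/objects#EmailMessageObject-2"
ADDR = "http://cybox.mitre.org/objects#AddressObject-2"
XSI = "http://www.w3.org/2001/XMLSchema-instance"

# Constructed sample (not a real feed): one object in the working layout,
# two in layouts the feed silently drops (bare AddressObj, value under To).
SAMPLE = """<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
  xmlns:cybox="http://cybox.mitre.org/cybox-2"
  xmlns:EmailMessageObj="http://cybox.mitre.org/objects#EmailMessageObject-2"
  xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <cybox:Object id="example:EmailAddress-1">
  <cybox:Properties xsi:type="EmailMessageObj:EmailMessageObjectType">
   <EmailMessageObj:Header><EmailMessageObj:From category="e-mail">
    <AddressObj:Address_Value>sender@example.com</AddressObj:Address_Value>
   </EmailMessageObj:From></EmailMessageObj:Header>
  </cybox:Properties></cybox:Object>
 <cybox:Object id="example:EmailAddress-2">
  <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="e-mail">
   <AddressObj:Address_Value>bare@example.net</AddressObj:Address_Value>
  </cybox:Properties></cybox:Object>
 <cybox:Object id="example:EmailAddress-3">
  <cybox:Properties xsi:type="EmailMessageObj:EmailMessageObjectType">
   <EmailMessageObj:Header><EmailMessageObj:To><EmailMessageObj:Recipient category="e-mail">
    <AddressObj:Address_Value>victim@example.org</AddressObj:Address_Value>
   </EmailMessageObj:Recipient></EmailMessageObj:To></EmailMessageObj:Header>
  </cybox:Properties></cybox:Object>
</stix:STIX_Package>"""

def audit_email_indicators(stix_xml):
    """Split every e-mail address in a STIX 1.x document into those NetWitness
    collects (first Address_Value under EmailMessageObj Header > From) and
    those it ignores (extra From values, anything under To, bare AddressObj)."""
    collected, ignored = [], []
    for props in ET.fromstring(stix_xml).iter(f"{{{CYBOX}}}Properties"):
        xsi_type = props.get(f"{{{XSI}}}type", "")
        if xsi_type.endswith("EmailMessageObjectType"):
            froms = [v.text.strip() for v in props.iterfind(
                f"{{{EMAIL}}}Header/{{{EMAIL}}}From//{{{ADDR}}}Address_Value")]
            collected += froms[:1]  # one address per EmailMessageObj (rule 2)
            ignored += froms[1:]    # extras need their own indicator
            ignored += [v.text.strip() for v in props.iterfind(
                f"{{{EMAIL}}}Header/{{{EMAIL}}}To//{{{ADDR}}}Address_Value")]
        elif xsi_type.endswith("AddressObjectType") and props.get("category") == "e-mail":
            # Address object not wrapped in EmailMessageObj: never reaches the feed.
            ignored += [v.text.strip() for v in props.iterfind(f"{{{ADDR}}}Address_Value")]
    return collected, ignored
```

Run it against a feed file before deploying; any address in the ignored list will be absent from the feed dump output described above.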

For further details on using the subject and attachment fields, refer to the external documentation:
Malicious E-mail Indicator With Attachment | STIX Project Documentation

Note: This link leads to an external document that is not under NetWitness control. Please be aware that the content and location of this document may change, and exercise caution when accessing third-party sites if you have security concerns.




Product Details

NetWitness Product Set: NetWitness Logs & Network
NetWitness Product/Service Type: Contexthub, Log Decoder
NetWitness Version/Condition: 12.x
Platform: CentOS, AlmaLinux

