Skip to content
  • There are no suggestions because the search field is empty.

NetWitness Hunting Guide - Page 9

NetWitness Hunting Guide - Continued

Appendix: Hunting Content Pack Meta Keys

These are the entries in the index-concentrator.xml file that make up the IR content pack meta keys in version 10.6.2 and higher. If you are running a version prior to this, manually add the following entries to index-concentrator-custom.xml.

Note: Additionally, you must follow steps described in The Traffic Flow Lua Parser topic on RSA Link in order for the netname meta key to work properly on logdecoder.

To add entries to the Custom Index File:

  1. Depending on your version:

    • For Security Analytics 10.x: In the Security Analytics menu, select Administration > Services.
    • For NetWitness 11.x: In the NetWitness UI, go to ADMIN > Services.
  2. Select a Concentrator and select View > Config.
  3. Open the Files tab.

  4. Select index-concentrator-custom.xml and add the following lines:

  5. Log out of NetWitness, then log in again. You must do this before you can view the custom keys you added in Investigation.

BACK