NetWitness Community

  • Home
  • Products
    • NetWitness Platform
      • Advisories
      • Documentation
        • Platform Documentation
        • Known Issues
        • Security Fixes
        • Hardware Documentation
        • Threat Content
        • Unified Data Model
        • Videos
      • Downloads
      • Integrations
      • Knowledge Base
    • NetWitness Cloud SIEM
      • Advisories
      • Documentation
      • Knowledge Base
    • NetWitness Detect AI
      • Advisories
      • Documentation
      • Knowledge Base
    • NetWitness Investigator
    • NetWitness Orchestrator
      • Advisories
      • Documentation
      • Knowledge Base
      • Legacy NetWitness Orchestrator
        • Advisories
        • Documentation
  • Community
    • Blog
    • Discussions
    • Events
    • Idea Exchange
  • Support
    • Case Portal
      • Create New Case
      • View My Cases
      • View My Team's Cases
    • Community Support
      • Getting Started
      • News & Announcements
      • Community Support Forum
      • Community Support Articles
    • Product Life Cycle
    • Support Information
    • General Security Advisories
  • Training
    • Blog
    • Certification Program
    • Course Catalog
      • Netwitness XDR
      • EC-Council Training
    • New Product Readiness
    • On-Demand Subscriptions
    • Student Resources
    • Upcoming Events
    • Role-Based Training
  • Technology Partners
  • Trust Center
Sign InRegister Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions
  • NetWitness Community
  • Discussions
  • Alert in NetWitness when ECAT IIOC score goes over a certain number
  • Options
    • Subscribe to RSS Feed
    • Mark Topic as New
    • Mark Topic as Read
    • Float this Topic for Current User
    • Bookmark
    • Subscribe
    • Mute
    • Printer Friendly Page

Alert in NetWitness when ECAT IIOC score goes over a certain number

JeremyKerwin (Valued Contributor)

2017-06-26 08:27 PM

Hi Everyone,

I'm not sure if it's possible, but what I'd like to do is generate an IIOC alert when a machine's score goes over a certain number (in our case it's 100).


I know how to create an alert in NetWitness based on generated meta, what I'd like to know is how to create an IIOC in ECAT to generate that meta if a machine goes over 100.

I could be mistaken and this isn't possible.

Anyone have any ideas and pointers to documentation that may help?

Labels: RSA NetWitness Endpoint, Alerts, Community Thread, Discussion, ECAT, EDR, Endpoint, Forum Thread, NetWitness, netwitness*, NWE, RSA NetWitness Platform
2 REPLIES

MichaelGotham (Beginner)

2017-06-27 05:29 AM

Can you explain the driver for alerting when a machine score goes over 100? I don't think you are going to see much value in that, unless you have a one-off use case for this. It is pretty normal for machines to have a score well over 100 with nothing suspicious at all going on. If you wanted to hit a good breakpoint I would say go to 129, since that will only give you machines with L1 IIOCs. But still you'll find a majority of the machines with that score still have nothing malicious/suspicious.


I would recommend picking high fidelity IIOCs that line up with what you are trying to detect and alerting on those. For example, Unsigned, hidden, appdata\local is a pretty good one to find trojans. The PowerShell ones are all pretty good too.


There was an issue with alerting on IIOCs other than machine category IIOCs in versions prior to 4.3.0.4, so you'll want to upgrade if you haven't already.


Now I'll get off my soapbox and answer your question.

SELECT DISTINCT
    FK_Machines AS [FK_Machines],
    NULL AS [FK_MachineModulePaths]
FROM
    (SELECT
        MI.FK_Machines,
        -- Any Level 0 IIOC hit pins the machine score at 1024; otherwise the
        -- Level 1/2/3 hit counts are capped at 7/15/7 and weighted 128/8/1.
        CASE WHEN MI.IOCLevel0 > 0 THEN 1024
        ELSE
            ((CASE WHEN MI.IOCLevel1 > 7 THEN 7 ELSE MI.IOCLevel1 END) * 128 +
             (CASE WHEN MI.IOCLevel2 > 15 THEN 15 ELSE MI.IOCLevel2 END) * 8 +
             (CASE WHEN MI.IOCLevel3 > 7 THEN 7 ELSE MI.IOCLevel3 END))
        END AS IIOCScore
     FROM
        dbo.MachineIOC AS MI WITH(NOLOCK)
        INNER JOIN dbo.Machines AS MA WITH(NOLOCK) ON MA.PK_Machines = MI.FK_Machines
    ) mytable
WHERE IIOCScore >= 128 --Set Desired IIoC Machine Score here

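The following is an added example, not code from either poster or from NetWitness. It re-implements the machine-score formula from the T-SQL query in the reply above (Level 0 hit pins the score at 1024; otherwise Level 1/2/3 counts capped at 7/15/7 and weighted 128/8/1) over a handful of constructed MachineIOC rows, so the two thresholds discussed in the thread (100 and 128/129) can be compared side by side. The column names, weights and caps are taken from the query; the machine names and hit counts are invented for illustration.

```python
"""Added example: evaluate the ECAT IIOC machine-score formula against
constructed MachineIOC rows and compare alert thresholds."""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class MachineIOC:
    """One row of the MachineIOC-style input: per-level IIOC hit counts for a machine.
    Field names mirror the IOCLevel0..IOCLevel3 columns used in the forum query."""
    machine: str
    level0: int
    level1: int
    level2: int
    level3: int


# Caps and weights copied from the CASE expression in the posted query.
LEVEL1_CAP, LEVEL1_WEIGHT = 7, 128
LEVEL2_CAP, LEVEL2_WEIGHT = 15, 8
LEVEL3_CAP, LEVEL3_WEIGHT = 7, 1
LEVEL0_SCORE = 1024

# Highest score a machine can reach with no Level 0 or Level 1 hit at all:
# 15 * 8 + 7 = 127. Any threshold at or below this can fire on L2/L3 noise alone.
MAX_SCORE_WITHOUT_L1 = LEVEL2_CAP * LEVEL2_WEIGHT + LEVEL3_CAP * LEVEL3_WEIGHT


def iioc_score(row: MachineIOC) -> int:
    """Same arithmetic as the query: a Level 0 hit short-circuits to 1024,
    otherwise capped Level 1/2/3 counts are weighted and summed."""
    if row.level0 > 0:
        return LEVEL0_SCORE
    return (
        min(row.level1, LEVEL1_CAP) * LEVEL1_WEIGHT
        + min(row.level2, LEVEL2_CAP) * LEVEL2_WEIGHT
        + min(row.level3, LEVEL3_CAP) * LEVEL3_WEIGHT
    )


def machines_over(rows: Iterable[MachineIOC], threshold: int) -> List[str]:
    """Equivalent of the query's WHERE IIOCScore >= threshold: machines that would alert."""
    return sorted(r.machine for r in rows if iioc_score(r) >= threshold)


def threshold_requires_l1(threshold: int) -> bool:
    """True when no machine can cross the threshold on Level 2/3 hits alone,
    i.e. every alert is guaranteed to involve at least one Level 0 or Level 1 IIOC."""
    return threshold > MAX_SCORE_WITHOUT_L1


# Constructed sample rows (not real endpoint data).
SAMPLE_ROWS = [
    MachineIOC("ws01", 0, 0, 3, 2),     # 3*8 + 2 = 26: quiet machine
    MachineIOC("ws02", 0, 0, 13, 6),    # 13*8 + 6 = 110: over 100 with only L2/L3 hits
    MachineIOC("ws03", 0, 1, 0, 0),     # 128: a single L1 hit and nothing else
    MachineIOC("ws04", 0, 1, 0, 1),     # 129: L1 hit plus one L3 hit
    MachineIOC("ws05", 1, 0, 0, 0),     # 1024: Level 0 hit pins the score
    MachineIOC("ws06", 0, 0, 40, 20),   # caps apply: 15*8 + 7 = 127, still below 128
]


if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(f"{row.machine}: score={iioc_score(row)}")
    for t in (100, 128, 129):
        print(f"threshold {t:4d} (L1 guaranteed: {threshold_requires_l1(t)}): "
              f"{machines_over(SAMPLE_ROWS, t)}")
```

Running it shows why the reply steers away from 100: ws02 and ws06 cross that threshold with nothing above Level 2, whereas anything at or above 128 can only be reached through a Level 0 or Level 1 IIOC, which is the "good breakpoint" the reply describes.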

JeremyKerwin (Valued Contributor), in response to MichaelGotham

2017-06-28 06:58 PM

100 was just an arbitrary number that we had chosen as a starting point to alert if something had deviated from the norm. If 129 is more appropriate then we'll heed your advice on that one.

We are looking at other IIOCs like unsigned in temp locations, PowerShell etc. This was just the first one to tackle that we thought of as a use case to get alerting properly configured within ECAT/NetWitness.

Thanks.

© 2022 RSA Security LLC or its affiliates. All rights reserved.