This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Web URL Request Alerting

MyronEstibeiro
Beginner
Beginner

‎2017-01-17 01:38 AM

Hi, I have the squid logs being indexed by the log concentrator, and assigned to the 'url' meta correctly, via a custom parser. I now need to create an alert based on threat feed and notify on the event of a detection of a url requested, which is present in the threat list/feed. Can someone please guide me how to enable this?

0 Likes
3 REPLIES 3

KEVINDIENST
Beginner
Beginner

‎2017-01-17 06:35 PM

As is usual for all things, it depends. Having more information will be helpful. 

 

  1. Do you have an ESA system?
  2. How frequently are these threat feeds going to be updated?
  3. Is the threat feed available in .csv format for inclusion in a NetWitness feed?

 

At first glance I'd setup a feed with my blacklist/threat feed against the url metakey and then have it alert to a custom metakey you use (i.e. squid.alert) and then have your reporting engine or ESA system just look at any events where squid.alert exists. 

 

Obviously this could be much more complicated, you could add more comparisons at the log decoder level, at the ESA level, etc. 

 

Please provide more context, as much as possible would be great. 

 

Thanks,

0 Likes

MyronEstibeiro
Beginner
Beginner
In response to KEVINDIENST

‎2017-01-18 12:56 AM

Hi Kevin, thanks for the details. I do have an ESA setup  in the environment. I have the feed planned to be updated automatically (if feasible) or manually (once a week). I have the threat feed available in a .csv format. I have never setup use cases that utilize threat feeds, so this one is fairly new. Any further steps or docs would help me immensely, and I appreciate your help. Thanks!

0 Likes

KEVINDIENST
Beginner
Beginner
In response to MyronEstibeiro

‎2017-01-18 03:39 PM

I'd take a look at the feed documentation first. 

Decoder: Create a Custom Feed 

 

104CCFDefineColFilled_600x493.png

 

In this screenshot example you're CSV will populate data into column 2 threat.source based of the index in column 1. In the callback metakey it is "action". 

 

So whenever an action is found matching column 1 in the .csv feed, it'll populate those additional columns as threat.source, threat.category, etc. 

 

Once you've deployed that feed to your decoders, then I'd suggest attempting to define an ESA rule based off it. 

Add a Rule Builder Rule - RSA Security Analytics Documentation 

The parent document has a ton of info on ESA. 

Alerting Using ESA 

 

Example screenshot below. 

pastedImage_4.png

pastedImage_5.png

pastedImage_6.png

In the screenshot above I set the value of the meta in threat_category to "very bad malware". Something I'd expect in the feed in column 2 we setup earlier. 

 

Then whenever the data is processed from the decoder, the feed will add the metakey, then when ESA processes it, it'll alert. 

 

This method is useful for using the threat feed data in the platform for other use cases (investigations, reporting, etc) and reduces the load on ESA by pushing the logic down to the decoders.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.