2016-12-06 03:58 PM
I am trying to find the rule logic for the rules that are populated under the Alert.id Meta Key on the Investigation Pane. I found some of them under the Application Rule tab on the decoder but not all of the ones I am looking for. Is there a way I can get to that information through the UI, or do I need to ssh into one of the appliances? Or is there a reference online where I can search for the rule logic?
2016-12-06 04:56 PM
alert.id is an internal metakey used by application rules, feeds and parsers. A single metavalue in alert.id is then processed by 3 feeds (alertids_info.feed, alertids_suspicious.feed, & alertids_warning). These feeds populate multiple metakey values from any match, to keys like risk.info, risk.suspicious, risk.warning, threat.source, threat.category, etc.
So to answer your question, there is not just a set of rules that write to this key; parsers and other feeds also write to this key. (Note: you can look at the "Parsers Configuration" section of a Packet Decoder and expand the parsers to see which ones write to the alert.id key.)
2016-12-07 08:56 AM
So, for example, I am looking at the alert id nw32765, trying to figure out what logic was used to fire this alert. There are several of these under the Application Rules tab under the decoder, but not this particular one. Also, what if I wanted to change the name of the meta value to be more descriptive?
2016-12-07 01:28 PM
As I said, that alert.id is not meant for use in customer rules; they are for expanding one value to multiple keys from the alerted feeds. They have already been converted to a "human readable form" by the feeds. Please IGNORE alert.id; in fact, hide the key.
If you really want to know what nw32765 is, drill on it. Then look at the number of sessions for that key, and look at information in the following keys, for a value that has the EXACT same number of sessions:
risk.info
risk.suspicious
risk.warning
threat.source
threat.category
If you have loaded the "hunting pack" from RSA Live, the above keys are deprecated and are replaced by new keys:
Session Analysis (analysis.session)
Service Analysis (analysis.service)
File Analysis (analysis.file)
Investigation Category (inv.category)
Investigation Context (inv.context)
FYI - nw32765 is in risk.info "http1.1 without referer header"
"risk.info" is not an "alert"; it's just information used to aid in finding specific types of traffic.
FWIW: RSA is working on moving away from the "nwxxxx" values and will be replacing them with more descriptive names in a future release.
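The "exact same number of sessions" check from the reply above, written out as an added Python example (it is not code from the original thread or from RSA, and it does not talk to a NetWitness appliance). It runs over a constructed set of sessions, assumes each session's meta is modelled as key -> list of values, and compares both the deprecated risk.*/threat.* keys and the hunting-pack keys. It also adds a stricter same-session-set check, because a matching session count alone can be a coincidence; the constructed data includes one such coincidental match.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample sessions (not real NetWitness data). The nw32765 ->
# "http1.1 without referer header" pairing is the one named in the thread;
# nw00000 and the "constructed-*" values are placeholders.
SESSIONS: List[Dict[str, object]] = [
    {"session.id": 1, "alert.id": ["nw32765"],
     "risk.info": ["http1.1 without referer header"]},
    {"session.id": 2, "alert.id": ["nw32765", "nw00000"],
     "risk.info": ["http1.1 without referer header", "constructed-info-value"],
     "risk.suspicious": ["constructed-suspicious-value"]},
    {"session.id": 3, "alert.id": ["nw32765"],
     "risk.info": ["http1.1 without referer header"],
     "threat.category": ["constructed-category"]},
    {"session.id": 4, "alert.id": ["nw00000"],
     "risk.info": ["constructed-info-value"],
     "threat.category": ["constructed-category"]},
    {"session.id": 5, "alert.id": [],
     "threat.category": ["constructed-category"]},
]

# Keys listed in the thread: the older feed-populated keys and the
# hunting-pack replacements.
DEPRECATED_KEYS = ["risk.info", "risk.suspicious", "risk.warning",
                   "threat.source", "threat.category"]
HUNTING_PACK_KEYS = ["analysis.session", "analysis.service", "analysis.file",
                     "inv.category", "inv.context"]


def sessions_with(sessions: List[Dict[str, object]], key: str, value: str) -> Set[int]:
    """Return the set of session ids whose meta key contains the value."""
    return {s["session.id"] for s in sessions if value in s.get(key, [])}


def distinct_values(sessions: List[Dict[str, object]], key: str) -> List[str]:
    """All values seen under a meta key across the sessions, sorted."""
    seen: Set[str] = set()
    for s in sessions:
        seen.update(s.get(key, []))
    return sorted(seen)


def candidates_by_count(sessions: List[Dict[str, object]], alert_value: str,
                        keys: List[str]) -> List[Tuple[str, str]]:
    """The thread's method: values under the given keys whose session count
    equals the session count of the alert.id value."""
    n = len(sessions_with(sessions, "alert.id", alert_value))
    hits = []
    for key in keys:
        for v in distinct_values(sessions, key):
            if len(sessions_with(sessions, key, v)) == n:
                hits.append((key, v))
    return hits


def candidates_by_overlap(sessions: List[Dict[str, object]], alert_value: str,
                          keys: List[str]) -> List[Tuple[str, str]]:
    """Stricter variant: the value must occur in exactly the same sessions
    as the alert.id value, not merely in the same number of sessions."""
    target = sessions_with(sessions, "alert.id", alert_value)
    hits = []
    for key in keys:
        for v in distinct_values(sessions, key):
            if sessions_with(sessions, key, v) == target:
                hits.append((key, v))
    return hits


if __name__ == "__main__":
    print("count match:", candidates_by_count(SESSIONS, "nw32765", DEPRECATED_KEYS))
    print("same sessions:", candidates_by_overlap(SESSIONS, "nw32765", DEPRECATED_KEYS))
    print("hunting pack keys:", candidates_by_overlap(SESSIONS, "nw32765", HUNTING_PACK_KEYS))
```

On the constructed data the count-only check returns both the risk.info value and "constructed-category" (three sessions each), while the same-session check keeps only the risk.info value; in practice the drill-down in Investigation gives you the session sets directly, so the stricter comparison is the one worth doing when two values tie on count.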