This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Whitelist false positive in Endpoint ESA Rules

JeremyKerwin
Valued Contributor
Valued Contributor

‎2021-02-15 11:26 PM

We have a poorly coding internal application that keeps triggering the Endpoint ESA rule 'unsigned outbound from temp directory'

 

What would be the best way to whitelist this so it doesn't keep showing up in alerts in the respond module?

Labels:
0 Likes
2 REPLIES 2

JoshRandall
Valued Contributor Valued Contributor
Valued Contributor

‎2021-02-16 03:06 PM

Jeremy Kerwin

Your easiest and best option will be to adjust the companion App Rule that is the source of that ESA rule:

pastedImage_1.png

 

..and add the additional syntax to filter out your internal application.

 

You can figure out this additional syntax by looking at the endpoint events triggering that app rule by querying for it in NetWitness:

(device.type = 'nwendpoint') AND (boc = 'outbound from unsigned temporary directory')‍‍‍‍

 

...and picking out the meta keys and values that will identify that specific application (checksum.src is probably a good one).

 

You would then add that as a != filter in the app rule:

pastedImage_4.png

 

The more specific and precise you can be to positively identify that application, the better.


Mr. Mongo

YounisKhan
Occasional Contributor
Occasional Contributor

‎2021-05-27 02:26 AM

I have gone through same problem, what I did

File which is unsigned , marked it as whitelisted

then I updated the APP rule and add one mode condition as below

 

context.src != 'file.whitelisted' && ......

 

 

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.