Configure Risk Scoring Settings for Automated Incident Creation

Note: The information in this topic applies to NetWitness Version 11.3 and later.

Endpoint Risk Scoring Settings only apply to NetWitness Endpoint.

In addition to automatically creating incidents with predefined rules and rules that you define, NetWitness Respond automatically creates risk scoring incidents for suspicious files and hosts when defined risk score thresholds are crossed. In the background, it monitors the following types of alerts and calculates risk scores for each file and host:

  • Critical and High priority alerts from NetWitness Respond
  • Medium priority Endpoint alerts from ESA

NetWitness Respond calculates risk score using a combination of the number of distinct alerts and the severity of alerts associated with the file or host. A higher risk score indicates more of these types of alerts. When the calculated risk score exceeds the specified threshold, NetWitness Respond does one of the following during the specified time window, such as 1 day:

  • Creates a risk scoring alert and uses it to create a risk scoring incident
  • Adds risk scoring alerts along with associated events to the same incident

For more information on configuring NetWitness Endpoint, see the NetWitness Endpoint Configuration Guide. Go to the NetWitness All Versions Documents page and find NetWitness Platform guides to troubleshoot issues.

To configure the Endpoint Risk Scoring Settings:

You should leave the Endpoint Risk Scoring Settings at the default values. However, if you are getting too many risk scoring alerts and incidents created, increase the risk score threshold to a higher value. Also, if you are getting too many incidents created for the same hosts or files, increase the time window to add more alerts to the same risk scoring incidents. If you are not seeing many risk scoring incidents, you can either decrease the risk scoring thresholds for hosts and files or decrease the incident time windows.

  1. Go to (Configure) > Incident Rules.
    The Incident Rules view is displayed.
  2. Click the arrow in front of ENDPOINT RISK SCORING SETTINGS to expand the Endpoint Risk Scoring Settings section.
  3. In the Endpoint Risk Scoring Settings section, adjust the settings as follows:
    1. Create Alerts and Incidents for Files:
      • Select Enabled to automatically create risk scoring alerts and incidents for suspicious files. When calculated file risk scores go above the file risk score threshold, it triggers the creation of risk scoring alerts and incidents.
      • Select Disabled to stop automatically creating risk scoring alerts and incidents. If you disable it, incidents are not created for suspicious files where risk scores are high.
    2. File Risk Score Threshold: The File Risk Score Threshold is the risk score level used to trigger alert and incident creation. The File Risk Score Threshold range is from 0-100. For example, if the File Risk Score Threshold is 80 and the calculated risk score of a suspicious Openme.rar file is 81, which is over the Risk Score Threshold of 80, NetWitness Respond creates a risk scoring alert and incident or adds a risk scoring alert to an existing incident depending on the file incident time window.
      • If you are seeing too many alerts and incidents, increase the risk score threshold.
      • If you are not seeing many alerts and incidents, decrease the risk score threshold.
    3. File Incident Time Window: The File Incident Time Window is the period of time to wait before creating another incident. The file incident time window range is from 1-24 (hours or days). For example, the suspicious Openme.rar file has a calculated risk score of 81 and a file time window of 1 day. A risk scoring alert and incident are created for the Openme.rar file. During the time window, any similar risk scoring alerts with the same name created for the Openme.rar file are added to the same incident. At the end of the time window (day 1), if the calculated risk score of the file is still over the file risk score threshold and a change occurs with the risk score, another risk scoring alert and incident are created, and any new risk scoring alerts associated with the file are added to the new incident until the next time window (day 3).
      • If you are seeing too many alerts and incidents, increase the incident time window.
      • If you are not seeing many alerts and incidents, decrease the incident time window.
    4. Create Alerts and Incidents for Hosts:
      • Select Enabled to automatically create risk scoring alerts and incidents for suspicious hosts. When calculated host risk scores go above the host risk score threshold, it triggers the creation of risk scoring alerts and incidents.
      • Select Disabled to stop automatically creating risk scoring alerts and incidents when calculated host risk scores go above the host risk score threshold. If you disable it, incidents are not created for suspicious hosts where risk scores are high.
    5. Host Risk Score Threshold: The Host Risk Score Threshold is the risk score level used to trigger alert and incident creation. The host risk score threshold range is from 0-100. For example, if the Host Risk Score Threshold is 80 and the calculated risk score of a suspicious host IP address is 81, which is over the Risk Score Threshold of 80, NetWitness Respond creates a risk scoring alert and incident or adds a risk scoring alert to an existing incident depending on the host incident time window.
      • If you are seeing too many alerts and incidents, increase the risk score threshold.
      • If you are not seeing many alerts and incidents, decrease the risk score threshold.
    6. Host Incident Time Window: The Host Incident Time Window is the period of time to wait before creating another incident. The host incident time window range is from 1-24 (hours or days). For example, the suspicious host has a calculated risk score of 81 and a Host Time Window of 1 day. During the time window, any similar risk scoring alerts with the same name created for the suspicious host are added to the same incident. At the end of the time window (day 1), if the calculated risk score of the host is still over the host risk score threshold and a change occurs with the risk score, another risk scoring alert and incident are created. Any new risk scoring alerts associated with that suspicious host are added to that incident until the next time window.
      • If you are seeing too many risk scoring alerts and incidents, increase the incident time window.
      • If you are not seeing many risk scoring alerts and incidents, decrease the incident time window.
  4. Click Save.
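The threshold and time window behaviour described in steps 2 through 6 above, as an added Python model that is not NetWitness code: it shows how the same stream of scored alerts yields more or fewer incidents as the threshold and window are tuned. The alert scores and timestamps are constructed sample values, and NetWitness's own risk score calculation is not reproduced.

```python
# Added example (not NetWitness code): models how the risk score threshold and
# incident time window decide whether a risk scoring alert opens a new incident
# or joins an open one. Scores and timestamps below are constructed samples.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class RiskAlert:
    entity: str      # file name or host, e.g. "Openme.rar"
    score: int       # calculated risk score, 0-100
    when: datetime   # time the score was calculated

@dataclass
class Incident:
    entity: str
    opened: datetime
    alerts: list = field(default_factory=list)

def group_into_incidents(alerts, threshold, window):
    """Group alerts into incidents: a score must go above the threshold
    (strictly greater); same-entity alerts inside an open incident's time
    window join it, the first one after the window elapses opens a new one."""
    incidents, open_by_entity = [], {}
    for alert in sorted(alerts, key=lambda a: a.when):
        if alert.score <= threshold:
            continue  # not above threshold: no alert, no incident
        current = open_by_entity.get(alert.entity)
        if current is None or alert.when - current.opened >= window:
            current = Incident(alert.entity, alert.when, [alert])
            incidents.append(current)
            open_by_entity[alert.entity] = current
        else:
            current.alerts.append(alert)
    return incidents

# Constructed sample: one file scored four times across a day and a half.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_FILE_ALERTS = [
    RiskAlert("Openme.rar", 81, T0),
    RiskAlert("Openme.rar", 85, T0 + timedelta(hours=6)),
    RiskAlert("Openme.rar", 79, T0 + timedelta(hours=12)),  # under threshold
    RiskAlert("Openme.rar", 90, T0 + timedelta(hours=30)),  # next day
]

def incident_sizes(threshold, window_hours, alerts=SAMPLE_FILE_ALERTS):
    """Alerts per incident for a threshold / time window pair, in order."""
    window = timedelta(hours=window_hours)
    return [len(i.alerts) for i in group_into_incidents(alerts, threshold, window)]
```

Run the model once per entity type with that type's threshold and window, since the file and host settings are independent; with the defaults from the page's example (threshold 80, 1-day window) the sample yields two incidents, and widening the window to 2 days folds the day-2 alert into the first.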