Content Library Tab
The (CONFIGURE) > Policies view contains two tabs: Configuration and Content.
The CONTENT tab has Content Library, Policies, Groups and Services on the left panel.
Below is an example of the Content > Content Library tab:
The following list describes the numbered areas of the Content Library tab.

1. By default, 50 contents are displayed per page. To go to the next page, click the next page icon. To go to the last page, click the last page icon.
2. Toolbar
3. Rule List Pane, with the following columns:
   - Rule Name - Name of the rule.
   - Rule Value - The rule value.
   - Medium - Medium through which the rule is created.
   - Last Updated - Time when the rule was last updated.
   - Policies - Policies to which the rule is applied.
   You can also sort on any column. When you mouse over a column header, a sort icon is displayed; click the icon to sort by that column.
Create New Rule dialog:
Below is an example of the Create New Rule dialog:
The table describes the information and options in the Create New Rule dialog:

| Field | Description |
| --- | --- |
| Rule Name | Name of the new rule. The name must be unique. |
| Rule Value | The rule value. When you create a new rule, the rule value defaults to the rule name, but you can modify it. |
| Condition | Condition for the new rule. Conditions can be entered in two modes. Normal mode suggests supported metas (ip, host and so on) and operators ("=", "Not Equal To", "Contains", "Exists" and so on); each entered condition is enclosed in a pill, and multiple conditions are joined automatically by an AND operator, which you can click to toggle between AND and OR. Advanced mode lets you write the conditions as free-form text. |
| Medium | Medium through which the rule is created. For a network rule, the medium is set to Packet by default and cannot be edited. |
| MITRE ATT&CK Tactics | Tactics associated with the rule, for example Credential Access. For more information on MITRE ATT&CK Tactics, see the Use MITRE ATT&CK Framework topic in the NetWitness Respond User Guide for 12.4. |
| MITRE ATT&CK Techniques | Techniques associated with the rule, for example OS Credential Dumping. For more information on MITRE ATT&CK Techniques, see the Use MITRE ATT&CK Framework topic in the NetWitness Respond User Guide for 12.4. |
| Description | The description of the new rule. |
| Session Data | Session data handling for the new rule. Indicates whether rule processing should stop, keep, filter or truncate when the session data is running. |
| Session Options | Session options for the new rule. Indicates whether the session option should be alert, forward or transient. |
| Flag session with rule name in meta key | Conditions for which the alert should be turned on. |
| Save | Saves the settings and closes the Create New Rule dialog. |
| Cancel | Cancels the operation. |
Clone Rule dialog:
Below is an example of the Clone Rule dialog.
The table describes the information and options in the Clone Rule dialog:

| Field | Description |
| --- | --- |
| Rule Name | Name of the cloned rule. The name must be unique. |
| Rule Value | The rule value written to the alert meta. |
| Condition | Condition for the cloned rule. Conditions can be entered in two modes. Normal mode suggests supported metas (ip, host and so on) and operators ("=", "Not Equal To", "Contains", "Exists" and so on); each entered condition is enclosed in a pill, and multiple conditions are joined automatically by an AND operator, which you can click to toggle between AND and OR. Advanced mode lets you write the conditions as free-form text. |
| Medium | Medium through which the rule is created. For a network rule, the medium is set to Packet by default and cannot be edited. |
| MITRE ATT&CK Tactics | Tactics associated with the rule, for example Credential Access. For more information on MITRE ATT&CK Tactics, see the Use MITRE ATT&CK Framework topic in the NetWitness Respond User Guide for 12.4. |
| MITRE ATT&CK Techniques | Techniques associated with the rule, for example OS Credential Dumping. For more information on MITRE ATT&CK Techniques, see the Use MITRE ATT&CK Framework topic in the NetWitness Respond User Guide for 12.4. |
| Description | The description of the cloned rule. |
| Session Data | Session data handling for the cloned rule. Indicates whether rule processing should stop, keep, filter or truncate when the session data is running. |
| Session Options | Session options for the cloned rule. Indicates whether the session option should be alert, forward or transient. |
| Flag session with rule name in meta key | Conditions for which the alert should be turned on. |
| Clone | Clones the rule and closes the Clone Rule dialog. |
| Cancel | Cancels the operation. |
Edit Rule dialog:
Below is an example of the Edit Rule dialog:
The table describes the information and options in the Edit Rule dialog:

| Field | Description |
| --- | --- |
| Rule Name | Name of the rule. The name must be unique. |
| Rule Value | The rule value. |
| Condition | Condition for the rule. Conditions can be entered in two modes. Normal mode suggests supported metas (ip, host and so on) and operators ("=", "Not Equal To", "Contains", "Exists" and so on); each entered condition is enclosed in a pill, and multiple conditions are joined automatically by an AND operator, which you can click to toggle between AND and OR. Advanced mode lets you write the conditions as free-form text. |
| Medium | Medium through which the rule is created. For a network rule, the medium is set to Packet by default and cannot be edited. |
| MITRE ATT&CK Tactics | Tactics associated with the rule, for example Credential Access. For more information on MITRE ATT&CK Tactics, see the Use MITRE ATT&CK Framework topic in the NetWitness Respond User Guide for 12.4. |
| MITRE ATT&CK Techniques | Techniques associated with the rule, for example OS Credential Dumping. For more information on MITRE ATT&CK Techniques, see the Use MITRE ATT&CK Framework topic in the NetWitness Respond User Guide for 12.4. |
| Description | The description of the rule. |
| Session Data | Session data handling for the rule. Indicates whether rule processing should stop, keep, filter or truncate when the session data is running. |
| Session Options | Session options for the rule. Indicates whether the session option should be alert, forward or transient. |
| Flag session with rule name in meta key | Conditions for which the alert should be turned on. |
| Save | Saves the settings and closes the Edit Rule dialog. |
| Reset | Resets the fields. |
| Cancel | Cancels the operation. |
Search Pattern Rule tab
Following is an example of the Content > Content Library > More > Search Pattern Rule tab:

1. Toolbar
   - Create Rule - Allows you to create a search pattern rule.
   - Clone Rule - Allows you to clone a search pattern rule. For more information, see Manage Search Pattern Rules.
   - Delete - Allows you to delete a search pattern rule. For more information, see Manage Search Pattern Rules.
2. Rule List Pane, with the following columns:
   - Name - Name of the search pattern rule.
   - Keywords - Displays the keywords associated with each search pattern rule.
   - Ports - Displays the ports associated with each search pattern rule.
   - Last Updated - Time when the rule was last updated.
   - Policies - Policies to which the rule is applied.
   You can also sort on any column. When you mouse over a column header, a sort icon is displayed; click the icon to sort by that column.
Create New Rule dialog for Search Pattern Rule:
Below is an example of the Create New Rule dialog for Search Pattern Rule:

| Field | Description |
| --- | --- |
| Search Pattern Name | Name of the new rule. The name must be unique. |
| Keywords | Allows you to add one or more keywords. Keywords are matched as exact strings only; regular expressions (regex) are not supported. Use semicolons (;) to separate multiple keywords, for example CreditCard;VISA;US. |
| Service Port | Allows you to add one or more ports. Use semicolons (;) to separate multiple port numbers, for example 20;21;23. The port numbers must be between 1 and 65535. |
| Save | Saves the settings and closes the Create New Rule dialog. |
| Cancel | Cancels the operation. |
| Reset | Resets the fields. |
Clone Rule dialog for Search Pattern Rule:
Below is an example of the Clone Rule dialog.

| Field | Description |
| --- | --- |
| Search Pattern Name | Name of the cloned rule. The name must be unique. |
| Keywords | Allows you to add one or more keywords. Keywords are matched as exact strings only; regular expressions (regex) are not supported. Use semicolons (;) to separate multiple keywords, for example CreditCard;VISA;US. |
| Service Port | Allows you to add one or more ports. Use semicolons (;) to separate multiple port numbers, for example 20;21;23. The port numbers must be between 1 and 65535. |
| Clone | Clones the rule and closes the Clone Rule dialog. |
| Cancel | Cancels the operation. |
Edit Rule dialog for Search Pattern Rule:
Below is an example of the Edit Rule dialog.

| Field | Description |
| --- | --- |
| Search Pattern Name | Name of the rule. The name must be unique. |
| Keywords | Allows you to add one or more keywords. Keywords are matched as exact strings only; regular expressions (regex) are not supported. Use semicolons (;) to separate multiple keywords, for example CreditCard;VISA;US. |
| Service Port | Allows you to add one or more ports. Use semicolons (;) to separate multiple port numbers, for example 20;21;23. The port numbers must be between 1 and 65535. |
| Save | Saves the settings and closes the Edit Rule dialog. |
| Cancel | Cancels the operation. |
| Reset | Resets the fields. |
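The Keywords and Service Port fields described in the three Search Pattern Rule dialogs above share one input format. The following validator is an added example, not NetWitness code; it assumes that ';' separates entries, that keywords are matched as literal case-sensitive substrings of the session payload (no regex), that ports must lie in 1 to 65535, and that an empty port list means any port.

```python
"""Validator for the Search Pattern Rule inputs, added as an example; not NetWitness code.
Assumptions: ';' separates entries, keywords match as literal case-sensitive substrings
(no regex), ports lie in 1..65535, and an empty port list means any port."""
from collections import namedtuple
from typing import List, Optional

PORT_MIN, PORT_MAX = 1, 65535
SearchPatternRule = namedtuple("SearchPatternRule", "name keywords ports")

def parse_keywords(text: str) -> List[str]:
    # Semicolon-separated; blank entries (for example a trailing ';') are dropped.
    keywords = [k.strip() for k in text.split(";") if k.strip()]
    if not keywords:
        raise ValueError("at least one keyword is required")
    return keywords

def parse_ports(text: str) -> List[int]:
    # Each entry must be an integer in PORT_MIN..PORT_MAX, as the dialog requires.
    ports = []
    for item in (p.strip() for p in text.split(";")):
        if not item:
            continue
        if not item.isdigit():
            raise ValueError(f"port {item!r} is not a number")
        port = int(item)
        if not PORT_MIN <= port <= PORT_MAX:
            raise ValueError(f"port {port} is outside {PORT_MIN}-{PORT_MAX}")
        ports.append(port)
    return ports

def port_text_error(text: str) -> Optional[str]:
    # The validation message for a Service Port entry, or None when it is valid.
    try:
        parse_ports(text)
        return None
    except ValueError as exc:
        return str(exc)

def build_rule(name: str, keyword_text: str, port_text: str) -> SearchPatternRule:
    if not name.strip():
        raise ValueError("search pattern name is required")
    return SearchPatternRule(name.strip(), parse_keywords(keyword_text), parse_ports(port_text))

def rule_matches(rule: SearchPatternRule, port: int, payload: str) -> bool:
    # Literal substring test: a keyword such as 'VISA.*' matches only that exact text,
    # because regular expressions are not supported (case-sensitive by assumption).
    if rule.ports and port not in rule.ports:
        return False
    return any(keyword in payload for keyword in rule.keywords)
```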
GeoIp tab
Following is an example of the Content > Content Library > More > GeoIp tab:

1. Toolbar
2. Rule List Pane, with the following columns:
   - Name - Name of the GeoIp file.
   - Version - Displays the latest version of the GeoIp file.
   - Size - Displays the size of the GeoIp file.
   - Last Updated - Time when the GeoIp file was last updated.
   You can also sort on any column. When you mouse over a column header, a sort icon is displayed; click the icon to sort by that column.

For more information on importing GeoIp files to the Content Library page, see Import GeoIp Data.