From NetWitness Platform 12.3 or later, Administrators can create an alert rule from the Investigate > Events page for any suspicious activity. You can create rules with a flexible query that covers a wide set of events and system information from your network, including suspected breach activities and misconfigured servers. Once the rule is applied to a matched policy with services (Decoders), it generates alerts whenever a match occurs and helps analysts with further investigation.

Workflow

As you identify specific activities (user’s accounts, IP addresses, and domains, etc) that indicate a threat, you can create an application rule for the specified meta value that can alert you when the behavior is detected. Once the alert rule is created, the rule will be applied to matching policies with services (Decoders) managed by CCM. The rule begins to monitor the incoming data stream for any new matches in real-time. If any condition is matched for the specified meta value, an alert is generated on the Respond page, and you can drill down into each alert to view specific policy violations and take necessary action.

IMPORTANT: The Create Future Alert option will be enabled for users only if the Decoder services are managed by Policy-based Centralized Content Management and the user has the investigate-server.alert.manage permission enabled.

Prerequisites

  • A query must be added before creating an alert rule.

  • By default, only administrators are allowed to create alert rules. To enable access for analysts, they must contact their administrators.

Note: An administrator must enable investigate-server.alert.manage permission and source-server.centralpolicy.manage permission on the source server and rules.manage permission on the core devices to allow analysts to create the application rules.
For more information, see the "Role Permissions" topic in the System Security and User Management Guide.

Note:
- You cannot create an alert rule with a free-format query or text query.
- You cannot create an alert rule using invalid queries.
- To ensure your rules raise alerts efficiently and do not overload your Alerts list on the Respond page or cause system performance issues, NetWitness recommends you not to create a generic application rule. For example, ip.src exists

To create an Alert rule

  1. Log in to the NetWitness Platform.

  2. Go to Investigate > Events.

  3. Create a query that consists of one or more filters that contain a meta key, operator, and optional value. For example, (device.class = 'router') AND (event.cat.name = 'network.denied connections')

    Note: If the rule’s query condition is not defined in the search bar, the Create Future Alert option will be disabled.

  4. Click 3Dots.png > Create Future Alert.

    The Create Future Alert dialog is displayed.

    12.4_Future_alert_mitre_0124.png

  5. Specify a descriptive Name to identify the alert or leave the default name that is automatically populated using the format Query Based App Rule.

    It is helpful in finding a rule created by analysts among many rules.

    Note: The same name is applied to the application rule, and the rule name must be unique.

  6. Select a specific policy for the application rule from the drop-down list.

    IMPORTANT: If the policy has no associated groups, services, or services not managed by CCM, then no policy will be available. In such cases, you must contact your administrators.

    Note:
    - The rule that generates this alert is added to a list of existing rules available in the Content Policies library.
    - The application rule will be applied to the services that match the policy criteria and will be shown on the UI. This information helps you to identify for how many services the application rule is applied.

  7. Select the severity for the alert to be generated from the drop-down menu. The options are listed below:

    • Low

    • Medium

    • High

    • Critical

      Note: Severity is selected by default as Low.

  8. Select the tactics from the MITRE ATT&CK Tactics drop-down list. After selecting the tactics, you will be presented with the option to choose the appropriate techniques.

  9. Select the techniques from the MITRE ATT&CK Techniques drop-down list.

  10. Click Create.

    The message is displayed that the rule is created successfully.

  11. From the Success message, you can click the hyperlink “click here” to navigate to the policies page where the rule is applied.

Note: If you want to modify the same rule properties. Contact your administrators.