This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Platform Online Documentation
Browse the official NetWitness Platform Online documentation for helpful tutorials, step-by-step instructions, and other valuable resources.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Versions
Collections
All Downloads

Table of Contents

Product Resources

Create an Application Rule

This topic describes the steps to create an application rule. When you create a custom application rule, NetWitness allows you to tag MITRE ATT&CK Tactics and Techniques and for each rule.

IMPORTANT: Both MITRE ATT&CK® and ATT&CK® are registered trademarks of the MITRE Corporation. © 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

To create a new Application Rule

    1. Go to Configure (1).png (CONFIGURE) > Policies.
    2. In the policies panel, click Content.
    3. In the left panel, click Content Library.

The available rules are displayed.

  1. In the application rule panel, click + Create Rule to add an application rule.
  2. In the CreateNew Rule panel, do the following:
    • Enter a unique rule name. If the name of that application rule is the same as an existing rule, an error message is displayed.

    • Enter the rule value. This is the value written to the alert meta. While creating a new rule, the rule value is defaulted with the rule name. However, you can modify the same.

    • Enter the condition for the rule. You can apply two types of conditions for the rule.

      • Normal mode:

        • It gives suggestions for supported metas (ip, host and so on) and operators (“=”, “Not Equal To”, “Contains”, “Exists” and so on).

        • The entered condition will be enclosed in a ‘Pill’. When you enter multiple conditions, the conditions are automatically joined by an ‘AND’ operator. On clicking the ‘AND’ operator, you can toggle between ‘AND’ and ‘OR’ operators.

      • Advanced: You can customize the conditions as a free form text.

    • Select the medium to be applied for the rule.

    • Enter the description for the rule.

    • Select the session data to be applied for the rule.
    • Select the session options to be applied for the rule. The options are listed below:

      • Flag Session with rule name in meta key: Select the meta value for the alert from the drop-down menu. This is mandatory.

      • Forward: This option enables the performance of syslog forwarding when the log matches the rule.

      • Transient: This option prevents the created alert metadata from being written to the disk.

      • Notify: This option enables you to choose the Severity levels for the application rule and utilize the option to trigger alert generation.

        • Low

        • Medium

        • High

        • Critical

      Note: Severity is selected by default as Low.

      • MITRE ATT&CK TACTICS: Lets you select MITRE ATT&CK TACTICS from the list.

        Note: Ensure that you apply at least one MITRE ATT&CK TACTIC for the rule.

        12.4_ccm_mitre_configure_app_rule_new.png

      • MITRE ATT&CK TECHNIQUES: Lets you select MITRE ATT&CK TECHNIQUES from the list.

      • DESCRIPTION: Provide a description for the rule.

    • Click Save to save the new application rule.

    • Click Reset to reset the fields.

    • Click Cancel to cancel the operation.

                                                 Previous Page                                                      Next Page

Labels (2)
0 Likes
Was this article helpful? Yes No
No ratings

On this page

© 2022 RSA Security LLC or its affiliates. All rights reserved.