Deploying Endpoint Application Rules and ESA Correlation Rules
Note: The information in this topic applies to NetWitness Version 11.3 and later.
The existing IIOCs from NetWitness Endpoint 4.4.0.x are now available as OOTB Endpoint Application rules tagged as Indicators of Compromise, Behaviors of Compromise, Enablers of Compromise, and Analysis.File. Application rules for Endpoint are automatically available on installation of NetWitness 11.3 and later.
For Endpoint risk scoring, every Application rule must have a corresponding ESA rule that generates the alerts used in the risk score calculation. A set of OOTB ESA rules is available as the Endpoint Rule Bundle. You must specify the Endpoint data sources (Concentrators) and deploy the ESA rules from the Endpoint Rule Bundle. For more information, see the "Deploy Endpoint Risk Scoring Rules on ESA" section in the ESA Configuration Guide.
If the meta key and value set by an Application rule match an ESA rule, an alert is triggered. The alert is used to compute the risk score, and an incident is raised when the risk score exceeds the defined threshold.
Note: If you are upgrading an existing Endpoint Log Hybrid to 11.3 or later, you must deploy the Application rules from RSA Live. During deployment, you must specify the Endpoint Log Hybrid Log Decoder service; if you have multiple Endpoint servers, select all the Endpoint Log Hybrid Log Decoder services. For more information, see the Live Services Management Guide.
Manage Application Rules
After upgrading to 12.2 from 12.0 or older versions, you can manage Application rules in (Admin) > Services > Endpoint Log Hybrid - Log Decoder > Config > App Rules. Optionally, you can enable CCM to manage Application rules after upgrading to 12.2. For more information, see Centralized Content Management Guide.
If you fresh-install 12.2, you can manage Application rules only in (CONFIGURE) > Policies > Content > Groups. For more information, see https://community.netwitness.com/t5/netwitness-platform-online/about-groups/ta-p/685725.
You can view the Application rules that are deployed in (Admin) > Services > Endpoint Log Hybrid - Log Decoder > Config > App Rules, and the Application rules that were triggered in Investigate > Navigate > Endpoint Log Hybrid - Concentrator > App rules.
The Endpoint ESA rules generate alerts with the severities Critical, High, and Medium. You can view the alerts in:
- Risk Details tab: Critical, High, and Medium alerts for a host or file, on Hosts > Risk Details or Files > Risk Details.
- Respond view: only Critical and High severity alerts, on NetWitness Respond > Alerts.
Manage ESA Deployments and Data Sources
ESA deployments are automatically migrated to policies and groups after upgrading to 12.2 or fresh-installing 12.2. Each deployment is converted into a policy and a group, and becomes available to manage only after the Correlation servers are upgraded to the 12.2.x.x version. In 12.1 and later versions, you can manage the ESA deployments and Data Sources only through Centralized Content Management. Go to (CONFIGURE) > Policies > Content > Event Stream Analysis to manage the ESA deployments and Data Sources. Refer to the following figure.
You can manage the ESA rules only in the ESA Rules page. Refer to the following figure.
Plan the upgrade so that the Correlation servers are upgraded immediately after the Admin Server. The deployments are not accessible until the corresponding Correlation servers are upgraded, although the Correlation servers continue to process alerts and events in the meantime. You must upgrade the ESA hosts immediately after upgrading the Admin Server.
For more information on Centralized Content Management and managing the deployments, see Centralized Content Management Guide.
Custom Endpoint Rule for Risk Scoring
If you have custom IIOCs in NetWitness Endpoint 4.4.0.x, you need to recreate them as custom Endpoint rules. Once you have created your custom Application rule, you must create the corresponding custom ESA rule for risk score calculation and update the RiskConfig file in MongoDB.
To create a custom Endpoint rule, perform the following tasks:
- Add a custom Application Rule: For more information on creating a custom Application Rule, see Create an Application Rule topic in the Centralized Content Management Guide.
- Add a custom ESA Rule: For more information on creating a custom ESA Rule, see Create an ESA Rule topic in the Centralized Content Management Guide.
- Add the rule to RiskConfig
For more information, see Appendix A: Endpoint Risk Scoring Rules topic in the Centralized Content Management Guide.
ESA Rule Parameters
The following table describes the fields that define an ESA rule.
Field | Description
---|---
id | The name of the ESA rule. For example, In Encrypted Directory.
key | The meta key on which the alert is generated. For example, the alert for the In Encrypted Directory rule is generated on the analysis.file meta key.
value | The value to match. The value must exactly match the App rule name. For example, in encrypted directory.
title | The name of the alert. For example, In Encrypted Directory.
type | The type of rule. For a custom endpoint rule, the type must be ENDPOINT.
enabled | The status of the rule. Specify true if the rule should be considered for risk scoring.
description | The description of the rule.
severity | The severity of the rule: critical, high or medium.
Add the rule to RiskConfig
After you create the custom Application rule and the ESA rule, you must update the RiskConfig in MongoDB.
To update the riskconfig file, perform the following:
- SSH to the Admin Server.
- Create a JavaScript file (for example, in-encrypted-directory-rule.js) with the custom ESA rule definition in the following format:
```javascript
db.risk_rule.insertMany(
  [ {
    "name" : "In Encrypted Directory",
    "enabled" : true,
    "handler" : "Default",
    "entities" : {
    },
    "metas" : {
      "File" : [
        {
          "meta" : "checksum_src",
          "name" : "filename_src",
          "weight" : NumberInt(100)
        }
      ],
      "Host" : [
        {
          "meta" : "agent_id",
          "name" : "alias_host",
          "weight" : NumberInt(100)
        }
      ]
    },
    "_class" : "com.rsa.asoc.respond.pipeline.risk.rules.AlertScoringRule"
  } ]
)
```
The following table describes the fields that define a rule.
Field | Description
---|---
name | The name of the ESA rule.
enabled | The flag to enable or disable risk scoring. Specify true to enable risk scoring.
handler | The value must be Default.
entities | The value must be empty.
metas > File > meta | The meta key for a file for which the score should be calculated.
metas > File > name | The name of the meta key of the file identity.
metas > File > weight | By default, the weight value is 100.
metas > Host > meta | The meta key for a host for which the score should be calculated.
metas > Host > name | The name of the meta key of the host identity.
metas > Host > weight | By default, the weight value is 100.
_class | Used for internal purposes; do not change.
- Insert the new rule into the riskconfig on MongoDB using the following command:
```shell
mongo respond-server --authenticationDatabase admin -u deploy_admin -p <deploy_admin-user-password> in-encrypted-directory-rule.js
```
- Confirm that the ESA rule was added to the riskconfig using the following command (the query is passed in single quotes so that the shell does not split it at the inner double quotes):
```shell
mongo respond-server --authenticationDatabase admin -u deploy_admin -p <deploy_admin-user-password> --eval 'db.risk_rule.find({ "name": /.*In Encrypted Directory.*/i })'
```
- Restart the Respond server for the changes to take effect:
```shell
service rsa-nw-respond-server restart
```
After you create a custom Endpoint rule and update the risk configuration file, whenever an event is generated for the new rule (for example, In Encrypted Directory), an alert is generated and the risk score is calculated for the host and file.
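The ESA Rule Parameters table and the RiskConfig procedure above describe several constraints that are easy to get wrong when a rule is typed by hand: the ESA rule value must exactly match the Application rule name, the riskconfig name must be the ESA rule name, handler must be Default, entities must be empty, and each weight is an integer written as NumberInt(). The following Python script is an added example, not NetWitness code. It checks a constructed ESA rule definition and a constructed riskconfig document against those constraints, includes a simplified model of the key/value match that triggers an alert (rule_fires is an assumption about that match, not the ESA engine's logic), and renders the document as the insertMany script in the format shown above. The function names, the sample rule, and the sample event are all constructed for this example.

```python
"""Added example (not NetWitness code): pre-insert consistency checks for a custom
Endpoint risk-scoring rule, based on the ESA Rule Parameters and RiskConfig tables."""
import json
import re

SEVERITIES = {"critical", "high", "medium"}
# The _class value exactly as it appears in the insertMany script on this page.
RISK_RULE_CLASS = "com.rsa.asoc.respond.pipeline.risk.rules.AlertScoringRule"

# Constructed sample: the Application rule name this custom rule keys on.
APP_RULE_NAME = "in encrypted directory"

# Constructed sample ESA rule definition (fields from the ESA Rule Parameters table).
ESA_RULE = {
    "id": "In Encrypted Directory",
    "key": "analysis.file",
    "value": "in encrypted directory",
    "title": "In Encrypted Directory",
    "type": "ENDPOINT",
    "enabled": True,
    "description": "Constructed example: file sits in an encrypted directory",
    "severity": "high",
}

# Constructed sample riskconfig document, same shape as the insertMany body above.
RISK_RULE = {
    "name": "In Encrypted Directory",
    "enabled": True,
    "handler": "Default",
    "entities": {},
    "metas": {
        "File": [{"meta": "checksum_src", "name": "filename_src", "weight": 100}],
        "Host": [{"meta": "agent_id", "name": "alias_host", "weight": 100}],
    },
    "_class": RISK_RULE_CLASS,
}


def check_esa_rule(rule, app_rule_name):
    """Return the list of problems with an ESA rule definition (empty list = consistent)."""
    problems = []
    for field in ("id", "key", "value", "title", "type", "enabled", "description", "severity"):
        if field not in rule:
            problems.append("missing field: " + field)
    if rule.get("type") != "ENDPOINT":
        problems.append("type must be ENDPOINT for a custom endpoint rule")
    if not isinstance(rule.get("enabled"), bool):
        problems.append("enabled must be true or false")
    if str(rule.get("severity", "")).lower() not in SEVERITIES:
        problems.append("severity must be critical, high or medium")
    # The page requires an exact match, so no case folding or trimming is applied here.
    if rule.get("value") != app_rule_name:
        problems.append("value %r does not exactly match App rule name %r"
                        % (rule.get("value"), app_rule_name))
    return problems


def check_risk_rule(doc, esa_rule_name):
    """Return the list of problems with a riskconfig document (empty list = consistent)."""
    problems = []
    if doc.get("name") != esa_rule_name:
        problems.append("name must be the ESA rule name %r" % esa_rule_name)
    if not isinstance(doc.get("enabled"), bool):
        problems.append("enabled must be true or false")
    if doc.get("handler") != "Default":
        problems.append("handler must be Default")
    if doc.get("entities") != {}:
        problems.append("entities must be empty")
    if doc.get("_class") != RISK_RULE_CLASS:
        problems.append("_class is internal and must not be changed")
    metas = doc.get("metas") or {}
    for entity in ("File", "Host"):
        entries = metas.get(entity)
        if not entries:
            problems.append("metas.%s is missing" % entity)
            continue
        for entry in entries:
            for key in ("meta", "name", "weight"):
                if key not in entry:
                    problems.append("metas.%s entry is missing %s" % (entity, key))
            # weight is written as NumberInt() in the script, so it must be a plain integer
            weight = entry.get("weight")
            if not isinstance(weight, int) or isinstance(weight, bool):
                problems.append("metas.%s weight must be an integer" % entity)
    return problems


def rule_fires(rule, event_metas):
    """Simplified model (an assumption, not the ESA engine's logic) of the match the page
    describes: the rule fires when the event carries the rule's value under the rule's key."""
    return bool(rule.get("enabled")) and rule.get("value") in event_metas.get(rule.get("key"), [])


def render_insert_js(doc):
    """Render the document as the db.risk_rule.insertMany(...) script shown above, wrapping
    weights in NumberInt() so the legacy mongo shell stores them as 32-bit integers."""
    body = json.dumps([doc], indent=2)
    body = re.sub(r'("weight": )(\d+)', r"\1NumberInt(\2)", body)
    return "db.risk_rule.insertMany(\n%s\n)\n" % body


if __name__ == "__main__":
    print("ESA rule problems:", check_esa_rule(ESA_RULE, APP_RULE_NAME))
    print("riskconfig problems:", check_risk_rule(RISK_RULE, ESA_RULE["id"]))
    print(render_insert_js(RISK_RULE))
```

Run the script against your own rule definitions before executing the mongo insert; an empty problem list from both checks means the two definitions agree with each other and with the field rules in the tables above, and the rendered script can be saved as the JavaScript file used in the insert step.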