Deploying Endpoint Application Rules and ESA Correlation Rules
Note: The information in this topic applies to NetWitness Version 11.3 and later.
The existing IIOCs from NetWitness Endpoint 4.4.0.x are now available as OOTB Endpoint Application rules tagged as Indicators of Compromise, Behaviors of Compromise, Enablers of Compromise, and Analysis.File. Application rules for Endpoint are automatically available on installation of NetWitness 11.3 and later.
For Endpoint risk score, every Application rule must have an ESA rule that generates alerts used for the risk score calculation. A set of OOTB ESA rules are available as Endpoint Rule Bundle. You must specify the Endpoint data sources (Concentrators) and deploy the ESA Rules from the Endpoint Rule Bundle. For more information, see "Deploy Endpoint Risk Scoring Rules on ESA" section in the ESA Configuration Guide.
If the Application rule key value matches with ESA rule then an alert is triggered which is used to compute the risk score and an incident is raised when risk score exceeds the defined threshold limit.
Note: If you are upgrading from an existing Endpoint Log Hybrid to 11.3 or later, you must deploy the Application rules from RSA Live. During deployment, you must specify Endpoint Log Hybrid Log Decoder service. In case of multiple Endpoint servers, select all the Endpoint Log Hybrid Log Decoder services. For more information, see the Live Services Management Guide.
You can view the application rules that are deployed in 
The Endpoint ESA rules generate alerts with the severity; Critical, High, and Medium. You can view the alerts on:
- Risk Details tab - You can view Critical, High and Medium alerts for a host or file on Hosts > Risk Details or Files > Risk Details.
- Respond view : You can view only critical and high severity alerts on NetWitness Respond > Alerts.
Custom Endpoint Rule for Risk Scoring
If you have custom IIOCs in NetWitness Endpoint 4.4.0.x, you need to create these custom Endpoint rules. Once you have created your custom Application rule, you must create the custom ESA Rule for risk score calculation and update the RiskConfig file in MongoDB.
To create a custom Endpoint rule, perform the following tasks:
- Add a custom Application Rule: For more information on creating a custom Application Rule, see Create an Application Rule topic in the Centralized Content Management Guide.
- Add a custom ESA Rule: For more information on creating a custom ESA Rule, see Create an ESA Rule topic in the Centralized Content Management Guide.
- Add the rule to RiskConfig
For more information, see Appendix A: Endpoint Risk Scoring Rules topic in the Centralized Content Management Guide.
ESA Rule Parameters
The following table describes the fields that define an ESA rule.
| Fields | Description |
|---|---|
| id |
The name of the ESA Rule. For example, In Encrypted Directory. |
| key |
The metakey on which an alert would be generated. For example, alert is generated on analysis.file metakey for In Encrypted Directory rule. |
| value |
Specify the value. The value must exactly match with the App rule name. For example, in encrypted directory. |
| title |
The name of the alert. For example, In Encrypted Directory. |
| type |
Specify the type of rule. For custom endpoint rule, the type must be ENDPOINT. |
| enabled |
The status of the rule. Specify true, if the rule should be considered for risk scoring. |
| description |
The description of the rule. |
| severity |
The severity of the rule; critical, high or medium. |
Add the rule to RiskConfig
After you create the custom Application rule and the ESA rule, you must update the RiskConfig in mongoDB.
To update the riskconfig file, perform the following:
- SSH to Admin Server.
-
Create a JavaScript file (For example, in-encrypteddirectory- rule.js) with the custom ESA rule definition in the below format.
db.risk_rule.insertMany(
[ {
"name" : "In Encrypted Directory",
"enabled" : true,
"handler" : "Default",
"entities" : {
},
"metas" : {
"File" : [
{
"meta" : "checksum_src",
"name" : "filename_src",
"weight" : NumberInt(100)
}
],
"Host" : [
{
"meta" : "agent_id",
"name" : "alias_host",
"weight" : NumberInt(100)
}
]
},
"_class" : "com.rsa.asoc.respond.pipeline.risk.rules.AlertScoringRule"
} ]
)
The following table describes the fields that define a rule.
Field Description name The name of the ESA rule. enabled The flag to enable or disable risk scoring. Specify true to enable risk scoring. handler The value of this should be Default. entities The value of this should be empty. metas > Files > meta The metakey for a file for which score should be calculated. metas > Files > name The name of the metakey of the file identity. metas > Files > weight By default the weight value is 100. metas > Host > meta The metakey for a host for which score should be calculated. metas > Host > name >
The name of the metakey of the host identity.
metas > Host > weight By default the weight value is 100. _class
This is used for internal purpose, do not change.
-
Insert the new rule into the riskconfig file on mongoDB using following command:
mongo respond-server --authenticationDatabase admin -u deploy_admin -p <deploy_admin-user-password> in-encrypted-directory-rule.js
-
Confirm if ESA rule is updated successfully in the riskconfig, using following command
mongo respond-server --authenticationDatabase admin -u deploy_admin -p <deploy_admin-user-password> --eval "db.risk_rule.find({ "name": /.*In Encrypted Directory.*/i })"
-
Restart the Respond server for the changes to take effect.
service rsa-nw-respond-server restart
After you create a custom Endpoint rule and update the risk configuration file, whenever an event is generated for the new rule (For example, In Encrypted Directory) an alert will be generated and the risk score is calculated for the host and file.
