Deploying Endpoint Application Rules and ESA Correlation Rules

Note: The information in this topic applies to NetWitness Version 11.3 and later.

The existing IIOCs from NetWitness Endpoint 4.4.0.x are now available as OOTB Endpoint Application rules tagged as Indicators of Compromise, Behaviors of Compromise, Enablers of Compromise, and Analysis.File. Application rules for Endpoint are automatically available on installation of NetWitness 11.3 and later.

For Endpoint risk score, every Application rule must have an ESA rule that generates alerts used for the risk score calculation. A set of OOTB ESA rules are available as Endpoint Rule Bundle. You must specify the Endpoint data sources (Concentrators) and deploy the ESA Rules from the Endpoint Rule Bundle. For more information, see "Deploy Endpoint Risk Scoring Rules on ESA" section in the ESA Configuration Guide.

If the Application rule key value matches with ESA rule then an alert is triggered which is used to compute the risk score and an incident is raised when risk score exceeds the defined threshold limit.

Note: If you are upgrading from an existing Endpoint Log Hybrid to 11.3 or later, you must deploy the Application rules from RSA Live. During deployment, you must specify Endpoint Log Hybrid Log Decoder service. In case of multiple Endpoint servers, select all the Endpoint Log Hybrid Log Decoder services. For more information, see the Live Services Management Guide.

You can view the application rules that are deployed in netwitness_adminicon_25x22.png (Admin) >Services > Endpoint Log Hybrid - Log Decoder > Config > App Rules and application rules that were triggered in Investigate > Navigate> Endpoint Log Hybrid - Concentrator > App rules.

The Endpoint ESA rules generate alerts with the severity; Critical, High, and Medium. You can view the alerts on:

  • Risk Details tab - You can view Critical, High and Medium alerts for a host or file on Hosts > Risk Details or Files > Risk Details.
  • Respond view : You can view only critical and high severity alerts on NetWitness Respond > Alerts.

Custom Endpoint Rule for Risk Scoring

If you have custom IIOCs in NetWitness Endpoint 4.4.0.x, you need to create these custom Endpoint rules. Once you have created your custom Application rule, you must create the custom ESA Rule for risk score calculation and update the RiskConfig file in MongoDB.

To create a custom Endpoint rule, perform the following tasks:

  1. Add a custom Application Rule: For more information on creating a custom Application Rule, see Create an Application Rule topic in the Live Services Management Guide.
  2. Add a custom ESA Rule: For more information on creating a custom ESA Rule, see Create an ESA Rule topic in the Live Services Management Guide.
  3. Add the rule to RiskConfig

ESA Rule Parameters

The following table describes the fields that define an ESA rule.

Fields Description
id

The name of the ESA Rule. For example, In Encrypted Directory.

key

The metakey on which an alert would be generated.

For example, alert is generated on analysis.file metakey for In Encrypted Directory rule.

value

Specify the value. The value must exactly match with the App rule name. For example, in encrypted directory.

title

The name of the alert. For example, In Encrypted Directory.

type

Specify the type of rule. For custom endpoint rule, the type must be ENDPOINT.

enabled

The status of the rule. Specify true, if the rule should be considered for risk scoring.

description

The description of the rule.

severity

The severity of the rule; critical, high or medium.

Add the rule to RiskConfig

After you create the custom Application rule and the ESA rule, you must update the RiskConfig in mongoDB.

To update the riskconfig file, perform the following:

  1. SSH to Admin Server.
  2. Create a JavaScript file (For example, in-encrypteddirectory- rule.js) with the custom ESA rule definition in the below format.

    db.risk_rule.insertMany(

    [ {

    "name" : "In Encrypted Directory",

    "enabled" : true,

    "handler" : "Default",

    "entities" : {

    },

    "metas" : {

    "File" : [

    {

    "meta" : "checksum_src",

    "name" : "filename_src",

    "weight" : NumberInt(100)

    }

    ],

    "Host" : [

    {

    "meta" : "agent_id",

    "name" : "alias_host",

    "weight" : NumberInt(100)

    }

    ]

    },

    "_class" : "com.rsa.asoc.respond.pipeline.risk.rules.AlertScoringRule"

    } ]

    )

    The following table describes the fields that define a rule.

    Field Description
    name The name of the ESA rule.
    enabled The flag to enable or disable risk scoring. Specify true to enable risk scoring.
    handler The value of this should be Default.
    entities The value of this should be empty.
    metas > Files > meta The metakey for a file for which score should be calculated.
    metas > Files > name The name of the metakey of the file identity.
    metas > Files > weight By default the weight value is 100.
    metas > Host > meta The metakey for a host for which score should be calculated.

    metas > Host > name >

    The name of the metakey of the host identity.

    metas > Host > weight By default the weight value is 100.

    _class

    This is used for internal purpose, do not change.

  3. Insert the new rule into the riskconfig file on mongoDB using following command:

    mongo respond-server --authenticationDatabase admin -u deploy_admin -p <deploy_admin-user-password> in-encrypted-directory-rule.js

  4. Confirm if ESA rule is updated successfully in the riskconfig, using following command

    mongo respond-server --authenticationDatabase admin -u deploy_admin -p <deploy_admin-user-password> --eval "db.risk_rule.find({ "name": /.*In Encrypted Directory.*/i })"

  5. Restart the Respond server for the changes to take effect.

    service rsa-nw-respond-server restart

After you create a custom Endpoint rule and update the risk configuration file, whenever an event is generated for the new rule (For example, In Encrypted Directory) an alert will be generated and the risk score is calculated for the host and file.