Deploy Endpoint Risk Scoring Rules on ESA

Endpoint Risk Scoring Rules only apply to NetWitness Endpoint.

The ESA Correlation service processes and deploys endpoint risk scoring rules. These rules generate alerts that are used in risk scoring calculations to identify suspicious files and hosts. To turn on Risk Scoring for NetWitness Endpoint, you must deploy endpoint risk scoring rules on ESA. An Endpoint Risk Scoring Rules Bundle comes with NetWitness along with the sample ESA rules. The Endpoint Risk Scoring Bundle contains approximately 400 rules. You add this rule bundle to an ESA Rule Deployment in the same way that you would add any ESA rule. However, you must specify endpoint data sources (Concentrators) during ESA Rule Deployment.

For complete information on configuring NetWitness Endpoint, see the NetWitness Endpoint Configuration Guide. For more information about ESA rule deployments, see "Deploy Rules to Run on ESA" in the Alerting with ESA Correlation Rules User Guide.

Go to the NetWitness All Versions Documents page and find NetWitness Platform guides to troubleshoot issues.

Important Considerations when Deploying the Endpoint Risk Scoring Rules Bundle

  • If you add the Endpoint Risk Scoring Bundle to an ESA rule deployment, the deployment should have data sources with endpoint data.
  • An ESA rule deployment can have only one ESA Correlation service. You can, however, use the same ESA Correlation service in multiple deployments.
  • If you have two ESA Correlation services with the same endpoint data sources, deploy the Endpoint Risk Scoring Rules Bundle on only one of them.
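The three considerations above are easy to violate once several ESA rule deployments share Concentrators. The following Python script is an added example, not part of the NetWitness product or its documentation: it runs the same three checks over a hand-built inventory of planned deployments (the deployment, service and Concentrator names are placeholders) and reports a finding for a bundle deployed without endpoint data sources, a deployment with more than one ESA Correlation service, or the bundle deployed on two different ESA Correlation services that share endpoint data sources.

```python
"""Consistency checks for planned ESA rule deployments that carry the
Endpoint Risk Scoring Rules Bundle.

Hypothetical planning script, not a NetWitness API: the inventory below is
constructed by hand from what an administrator reads off the
(Configure) > Policies page.
"""
from dataclasses import dataclass, field
from itertools import combinations

ENDPOINT_BUNDLE = "Endpoint Risk Scoring Rules Bundle"


@dataclass
class DataSource:
    name: str        # Concentrator name (placeholder values below)
    endpoint: bool   # True if the Concentrator carries NetWitness Endpoint data


@dataclass
class Deployment:
    name: str
    correlation_services: list          # ESA Correlation service names
    data_sources: list                  # DataSource entries
    bundles: list = field(default_factory=list)

    def endpoint_sources(self):
        return {ds.name for ds in self.data_sources if ds.endpoint}

    def has_endpoint_bundle(self):
        return ENDPOINT_BUNDLE in self.bundles


def check_deployments(deployments):
    """Return a list of findings (strings); an empty list means consistent."""
    findings = []
    for d in deployments:
        # A deployment can have only one ESA Correlation service.
        if len(d.correlation_services) != 1:
            findings.append(f"{d.name}: must have exactly one ESA Correlation service")
        # The bundle needs endpoint data to score anything.
        if d.has_endpoint_bundle() and not d.endpoint_sources():
            findings.append(f"{d.name}: endpoint bundle deployed without endpoint data sources")
    # Two different ESA Correlation services with the same endpoint data
    # sources should carry the bundle on only one of them.
    bundled = [d for d in deployments if d.has_endpoint_bundle()]
    for a, b in combinations(bundled, 2):
        same_service = set(a.correlation_services) & set(b.correlation_services)
        shared = a.endpoint_sources() & b.endpoint_sources()
        if not same_service and shared:
            findings.append(
                f"{a.name} and {b.name}: endpoint bundle deployed on two ESA Correlation "
                f"services that share endpoint data sources {sorted(shared)}"
            )
    return findings


# Constructed sample inventory; every name is a placeholder.
SAMPLE_DEPLOYMENTS = [
    Deployment("EDR-Primary", ["esa-correlation-1"],
               [DataSource("concentrator-endpoint-a", True)],
               [ENDPOINT_BUNDLE]),
    Deployment("EDR-Secondary", ["esa-correlation-2"],
               [DataSource("concentrator-endpoint-a", True),
                DataSource("concentrator-packets", False)],
               [ENDPOINT_BUNDLE]),
    Deployment("Net-Only", ["esa-correlation-2"],
               [DataSource("concentrator-packets", False)],
               [ENDPOINT_BUNDLE]),
]

if __name__ == "__main__":
    for line in check_deployments(SAMPLE_DEPLOYMENTS):
        print("FINDING:", line)
```

Against the sample inventory the script reports two findings: Net-Only carries the bundle with no endpoint Concentrator, and EDR-Primary and EDR-Secondary put the bundle on two different ESA Correlation services that both read concentrator-endpoint-a. EDR-Secondary and Net-Only sharing esa-correlation-2 is not a finding, since one ESA Correlation service may serve several deployments.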

Deploy the Endpoint Risk Scoring Rules Bundle on ESA

Caution: Before you deploy the Endpoint risk scoring rules, update your meta keys. See Update Your ESA Rules for the Required Multi-Value and Single-Value Meta Keys.

When you deploy the Endpoint Risk Scoring Rules Bundle in an ESA rule deployment, the ESA Correlation service gathers endpoint data in your network and runs endpoint risk scoring rules against the data. The goal is to capture events that match rule criteria, then generate alerts for the captured events.

The following procedure shows how to create an ESA rule deployment with the Endpoint Risk Scoring Rules Bundle and deploy it. If you already have an ESA rule deployment with endpoint data sources, you can add the Endpoint Risk Scoring Rules Bundle to the existing deployment.

The following figure shows the Endpoint Risk Scoring Bundle available on the (Configure) > Policies > Content Library > Event Stream Analysis Rule page.

[Figure: Endpoint Risk Scoring Bundle listed on the Event Stream Analysis Rule page]

To create and deploy an ESA rule deployment with the Endpoint Risk Scoring Bundle

  1. Go to (Configure) > Policies.
  2. Add the endpoint data sources. For more information, see Add an ESA Datasource.
  3. Create a deployment with the Endpoint Risk Scoring Bundle. For more information, see Create a Deployment.
    You can now view information and statistics on the (Configure) > ESA Rules > Services tab. See View the Status of the Endpoint Risk Scoring Rules Deployment.

Change the Endpoint Risk Scoring Rule Bundle in a Deployment

You cannot edit or duplicate the Endpoint Risk Scoring Rules Bundle. After the bundle is deployed, you can enable and disable individual rules within the bundle. See Disable or Enable Individual Endpoint Risk Scoring Rules.

When you make changes to the ESA Rule Deployment containing the Endpoint Risk Scoring Rules Bundle, such as changing the endpoint data sources or changing compression levels, you must redeploy it for the changes to take effect. To redeploy, click the Deploy Now button for that deployment.

Caution: Deleting an ESA Rule Deployment with an Endpoint Risk Scoring Rule Bundle stops the Risk Scoring alerts that are used in risk scoring calculations to identify suspicious files and hosts.

For more information about changing ESA rule deployments, see "Additional ESA Rule Deployment Procedures" in the Alerting with ESA Correlation Rules User Guide.

View the Status of the Endpoint Risk Scoring Rules Deployment

  1. Go to the ESA Rules Services tab ((Configure) > ESA Rules > Services).
  2. In the options panel on the left, select your ESA Correlation service.
    Your deployment name shows on a tab to the right, for example, Endpoint Risk Scoring Rules. If you see multiple tabs on the right, select the tab for your endpoint risk scoring rules deployment.
  3. In the Engine Stats, Rules Stats and Alert Status sections, look at the statistics related to the deployment, such as Rules Enabled, Rules Disabled, and Events Matched, which show the total numbers for the deployment.
  4. In the Deployed Rules Stats section, look at the following details for each Endpoint Risk Scoring Rule:
    • Enable: Indicates the enabled status. A green circle icon indicates that the rule is enabled. A white circle icon indicates that the rule is disabled.
    • Name: Shows the name of the rule.
    • Rule Type: Endpoint indicates a rule from the Endpoint Risk Scoring Bundle and Esper indicates Esper-specific rules, such as Rule Builder and Advanced EPL rules.
    • Last Detected: Shows the last time an alert was triggered for the rule.
    • Events Matched: Shows the total number of events that matched the rule.

Disable or Enable Individual Endpoint Risk Scoring Rules

  1. Go to the ESA Rules Services tab ((Configure) > ESA Rules > Services).
  2. In the options panel on the left, select your ESA Correlation service.
    Your deployment name shows on a tab to the right, for example, Endpoint Risk Scoring Rules. If you see multiple tabs on the right, select the tab for your endpoint risk scoring rules deployment.
  3. In the Deployed Rules Stats section, do one of the following:
    • To enable rules, select the rules that you want to enable in the rules list and click the Enable button above the list.
      The selected rules are enabled and a message shows that the rules enabled successfully.
    • To disable rules, select the rules that you want to disable in the rules list and click the Disable button above the list.
      The selected rules are disabled and a message shows that the rules disabled successfully.