Incident Rules ViewIncident Rules View
The Incident Rules view enables you to manage the automated incident creation process. NetWitness Respond creates incidents in two ways:
- Incident Rules: NetWitness provides preconfigured rules that you can adjust for your environment. You can also create your own rules.
- Risk Scoring: (Endpoint Risk Scoring Settings are available in NetWitness version 11.3 and later and only apply to NetWitness Endpoint.) NetWitness Respond uses these settings to automatically create risk scoring incidents for suspicious files and hosts that cross the defined risk score thresholds. If you get too many or too few risk scoring incidents, you can adjust these thresholds.
Note: The information in this topic applies to NetWitness 11.1 and later.
What do you want to do?What do you want to do?
| Role | I want to ... | Show me how |
|---|---|---|
| Analyst, Content Expert, SOC Manager | Create, edit, enable, export, or import an incident rule. | Step 3. Enable and Create Incident Rules for Alerts |
| Analyst, Content Expert, SOC Manager | Configure the threshold that creates risk scoring alerts and incidents to adjust the amount of alerts and incidents created. Turn off the creation of risk scoring alerts and incidents. Endpoint Risk Scoring Settings only apply to NetWitness Endpoint. |
Configure Risk Scoring Settings for Automated Incident Creation |
| Incident Responders, Analysts, Content Experts, SOC Manager | View the results of my incident rule (View Detected Threats). | See "Responding to Incidents" in the NetWitness Respond User Guide. |
Go to the NetWitness All Versions Documents page and find NetWitness Platform guides to troubleshoot issues.
Related TopicsRelated Topics
Quick LookQuick Look
- To access the Incident Rules view, go to
(Configure) > Incident Rules.
The Incident Rules view has two sections, one for each type of automated incident creation: - Endpoint Risk Scoring Settings
- Incident Rules
- To view the Endpoint Risk Scoring Settings section, click the arrow in front of Endpoint Risk Scoring Settings.
Endpoint Risk Scoring SettingsEndpoint Risk Scoring Settings
Note: Endpoint Risk Scoring Settings are available in NetWitness version 11.3 and later and only apply to NetWitness Endpoint. NetWitness Respond uses these settings to automatically create risk scoring incidents for suspicious files and hosts that cross the defined risk score thresholds.
The Endpoint Risk Scoring Settings enable you to configure the thresholds used to automatically create risk scoring alerts and incidents. When calculated risk scores for suspicious files and hosts exceed the specified thresholds, it triggers the creation of risk scoring alerts and incidents. NetWitness recommends that you keep the thresholds at the default values, but you may need to adjust these settings if you get too many or too few alerts and incidents.
For more information on configuring NetWitness Endpoint, see the NetWitnesss Endpoint Configuration Guide. Go to the NetWitness All Versions Documents page and find NetWitness Platform guides to troubleshoot issues.
The following table describes the fields in the Endpoint Risk Scoring Settings.
| Field / Button |
Description |
|---|---|
|
Create Alerts and Incidents for Files |
Select Enabled to automatically create risk scoring alerts and incidents for suspicious files. When calculated file risk scores go above the file risk score threshold, it triggers the creation of risk scoring alerts and incidents. Select Disabled to stop automatically creating risk scoring alerts and incidents. This option is enabled by default. |
|
File Risk Score Threshold |
The File Risk Score Threshold is the risk score level used to trigger alert and incident creation. The file risk score threshold range is from 0-100. NetWitness Respond calculates risk score using a combination of the number of distinct alerts and the severity of alerts associated with the file or host. A higher risk score indicates more of these types of alerts. For example, if the file risk score threshold is 80, any calculated file risk score over 80 creates a risk scoring alert and incident or adds a risk scoring alert to an existing incident depending on the file incident time window. |
| File Incident Time Window | The File Incident Time Window is the period of time to wait before creating another incident. The file incident time window range is from 1-24 (hours or days). For example, an openme.rar file containing suspicious code with enough associated endpoint alerts to get a risk score of 81, which is over the file risk score threshold of 80, automatically creates a risk scoring alert and incident or adds a related risk scoring alert to the same incident within a 1 day time window. |
| Create Alerts and Incidents for Hosts |
Select Enabled to automatically create risk scoring alerts and incidents for suspicious hosts. When calculated host risk scores go above the host risk score threshold, it triggers the creation of risk scoring alerts and incidents. Select Disabled to stop automatically creating risk scoring alerts and incidents. This option is enabled by default. |
| Host Risk Score Threshold | The Host Risk Score Threshold is the risk score level used to trigger alert and incident creation. The host risk score threshold range is from 0-100. NetWitness Respond calculates risk score using a combination of the number of distinct alerts and the severity of alerts associated with the file or host. A higher risk score indicates more of these types of alerts. For example, if the host risk score threshold is 80, any calculated host risk score over 80 creates a risk scoring alert and incident or adds a risk scoring alert to an existing incident depending on the host incident time window. |
| Host Incident Time Window | The Host Incident Time Window is the period of time to wait before creating another incident. The host incident time window range is from 1-24 (hours or days). For example, a suspicious host with enough associated endpoint alerts to get a risk score of 81, which is over the host risk score threshold of 80, automatically creates a risk scoring alert and incident or adds a related risk scoring alert to the same incident within a 1 day time window. |
Incident RulesIncident Rules
The Incident Rules section enables you to create and manage incident rules for automating the incident creation process. NetWitness provides preconfigured rules. You can add to and adjust these rules for your own environment.
The Incident Rules section consists of a list and series of buttons. The following table describes the columns in the Incident Rules list.
| Column | Description |
|---|---|
|
|
Enables you to change the priority order of the rules. Use the drag pad ( |
|
|
Enables you to select one or more rules in order to take an action, such as Enable or Export. You can select all rules by selecting the checkbox in the column header. You can only select one rule for the Clone or Delete actions. |
|
Order |
Shows the order in which the rule is placed. The rule order determines which rule takes effect if the criteria for multiple rules match the same alert. If multiple rules match an alert, only the rule with the highest priority creates an incident. NetWitness Respond evaluates incoming alerts against the incident rules in the order that you define. If alerts match the first rule listed, then that rule creates an incident. If alerts match the second rule listed and those alerts did not match the first rule, then the second rule creates an incident. If alerts match the third rule listed and those alerts did not match the first or second rule listed, then the third rule creates an incident, and so on. |
| Enabled | Shows whether the rule is enabled or not. The  specifies that the rule is enabled. The  specifies that the rule is not enabled. |
| Name | Displays the name of the rule with a hyperlink. If you click the link, it opens the Rule Details view, where you can edit the rule. |
| Description | Displays the description of the rule. |
| Last Matched | Displays the time when an alert was successfully matched with the rule. This value is reset once a week. |
| Matched Alerts | Displays the number of matched alerts. This value is reset once a week. To change the setting, see Set a Counter for Matched Alerts and Incidents. |
| Incidents | Displays the number of incidents created by the rule. This value is reset once a week. To change the setting, see the Set a Counter for Matched Alerts and Incidents. |
| Rule Created | Shows the date and time that the incident rule was created or imported. |
| Rule Last Updated | Shows the date and time that the incident rule was last updated. |
Incident Rules ActionsIncident Rules Actions
The following table shows the operations that can be performed on the Incident Rules list.
| Action |
Description |
|---|---|
| Create Rule button | Allows you to add a new incident rule. |
| Export button | (This option is available in NetWitness 11.4 and later.) Allows you to export one or more incident rules. This enables you to share incident rules with other NetWitness Servers on the same release version. The exported incident rules file is a ZIP file that contains two JSON files: one file contains the incident rules and the other file contains the incident rule schema. You cannot export Advanced incident rules; the export function only allows incident rules created using Rule Builder. |
| Import button | (This option is available in NetWitness 11.4 and later.) Allows you to import an incident rules ZIP file. This enables you to share incident rules with other NetWitness Servers on the same release version. |
| Enable button | (This option is available in NetWitness 11.4 and later.) Allows you to enable one or more rules from the incident rules list. You can also enable a rule in the Incident Rule Details view by selecting the Enabled checkbox in the Basic Settings section and then saving the rule. |
| Disable button | (This option is available in NetWitness 11.4 and later.) Allows you to disable one or more rules from the incident rules list. You can also disable a rule in the Incident Rule Details view by clearing the Enabled checkbox in the Basic Settings section and then saving the rule. |
| Clone button | Allows you to duplicate one incident rule at a time. |
| Delete button | Allows you to delete one incident rule at a time. |
| Name hyperlink | Allows you to edit an incident rule. |
