Set Up and Verify Default Incident Rules
The User Entity Behavior Analytics default incident rule is available in NetWitness 11.3 and later. It captures user entity behavior grouped by Classifier ID to create incidents from alerts.
The Detect AI default incident rule is available in NetWitness 11.6 and later. It captures the anomalies generated by Detect AI.
The User Behavior incident rule, which captures network user behavior, is available in NetWitness 11.1 and later. This rule uses deployed RSA Live ESA Rules to create incidents from alerts. You can select and deploy the RSA Live ESA Rules that you want to monitor.
The following default incident rules changed slightly for 11.1 and later and now have Source IP Address as the Group By value:
- High Risk Alerts: Reporting Engine
- High Risk Alerts: Malware Analysis
- High Risk Alerts: ESA
The following default incident rule changed slightly for 11.3 and later and now has the Host Name as the Group By value:
- High Risk Alerts: NetWitness Endpoint*
*If you have NetWitness Endpoint, the High Risk Alerts: NetWitness Endpoint default incident rule captures alerts generated by NetWitness Endpoint with a risk score of High or Critical. To aggregate NetWitness Endpoint alerts based on the File Hash instead of Host Name, create another NetWitness Endpoint Rule using the File Hash as the Group By value. See Create a NetWitness Endpoint Incident Rule using File Hash for step-by-step instructions.
To verify your existing default incident rules against the 11.5 default incident rules, compare them with the default incident rule tables that follow these procedures. If a default incident rule is missing, you can create it manually. Review the default incident rules and adjust them to your environment as required.
Set Up the User Behavior Incident Rule
In order to use the default User Behavior incident rule, you need to deploy the RSA Live ESA Rules that you want to monitor from those listed in the User Behavior incident rule conditions. Complete the following procedures to start aggregating alerts for the User Behavior default incident rule:
- Deploy the RSA Live ESA Rules
- Adjust and enable the User Behavior default rule (or create it if you do not have it)
Deploy the RSA Live ESA Rules
- Go to (Configure) > Live Content.
- In the Resource Types field, select Event Stream Analysis Rule and click Search.
- In the Matching Resources list, select the ESA Rules from the following User Behavior table that you are interested in monitoring and deploy them (click Deploy).
- Go to (Configure) > ESA Rules > Rules tab, and in the Rule Library Filter drop-down list, select RSA Live ESA Rule.
- To add a new ESA rule deployment, in the drop-down list near Deployments, click Add.
- In the ESA Services section, add and then select your ESA service.
- In the Data Sources section, add a data source to use for the ESA rule deployment.
- In the ESA Rules section, open the Deploy ESA Rules dialog, select the ESA Rules that you selected from the User Behavior table, and then click Save.
The selected ESA rules are listed with a status of Added.
- Select the ESA rules that you added in the previous step, and click Deploy Now.
The status of the selected ESA rules changes to Deployed.
- Go to (Configure) > ESA Rules > Services tab.
In the Deployed Rule Stats for your ESA service, the rules that you added should have a status of enabled, indicated by a green circle in the Enable column.
Adjust and Enable the User Behavior Default Rule (or Create It If You Do Not Have It)
If you have the User Behavior default rule, you can adjust it for your environment and enable it. If you do not have the User Behavior default rule, you can create it manually.
(Optional) To create the User Behavior default rule:
- Go to (Configure) > Incident Rules.
The Incident Rules view is displayed. (The following figure shows what the User Behavior rule looks like when it is present.)
- Click Create Rule and, in the Incident Rule Details view, create the User Behavior default incident rule using the values in the User Behavior table following this procedure. Set the conditions, and any values not listed in the table, according to your business requirements. For details about the parameters that can be set as criteria for an incident rule, see Incident Rule Details View.
The following figure shows a portion of the User Behavior default rule details. Notice that there are two groups in this rule: the first requires the alert Source to be Event Stream Analysis, and the second matches any one of the listed Alert Names.
- If you are ready to enable your rule, in the Basic Settings section, select Enabled.
- Click Save.
The rule appears in the Incident Rules list. If you selected Enabled, the rule is enabled and starts creating incidents from incoming alerts that match the rule criteria.
- Verify the order of your incident rules. For more information, see Verify the Order of Your Incident Rules.
The following table shows the values for the User Behavior default incident rule.
| Field | Condition Field | Condition Operator | Value |
|---|---|---|---|
| Name | | | User Behavior |
| Description | | | This incident rule captures network user behavior. |
| Query Mode | | | Rule Builder (for information about advanced query mode, see Incident Rule Details View) |
| 1st Group | | | All of these |
| Condition | Source | is equal to | Event Stream Analysis |
| 2nd Group | | | Any of these |
| Conditions | Alert Name | is equal to | Account Added to Administrators Group and Removed |
| | Alert Name | is equal to | Account Removals From Protected Groups on Domain Controller |
| | Alert Name | is equal to | Detects Router Configuration Attempts |
| | Alert Name | is equal to | Direct Login By A Guest Account |
| | Alert Name | is equal to | Direct Login to an Administrative Account |
| | Alert Name | is equal to | Failed Logins Followed By Successful Login Password Change |
| | Alert Name | is equal to | Insider Threat Mass Audit Clearing |
| | Alert Name | is equal to | Internal Data Posting to 3rd Party Sites |
| | Alert Name | is equal to | kbrtgt Account Modified on Domain controller |
| | Alert Name | is equal to | Lateral Movement Suspected Windows |
| | Alert Name | is equal to | Logins across Multiple Servers |
| | Alert Name | is equal to | Logins by Same User to Multiple Servers |
| | Alert Name | is equal to | Malicious Account Creation Followed by Failed Authorization |
| | Alert Name | is equal to | Multiple Account Lockouts From Same or Different Users |
| | Alert Name | is equal to | Multiple Failed Logins Followed By a Successful Login |
| | Alert Name | is equal to | Multiple Failed Logins from Same User Originating from Different Countries |
| | Alert Name | is equal to | Multiple Failed Privilege Escalations by Same User |
| | Alert Name | is equal to | Multiple Intrusion Scan Events from Same User to Unique Destinations |
| | Alert Name | is equal to | Multiple Login Failures by Administrators to Domain Controller |
| | Alert Name | is equal to | Multiple Login Failures by Guest to Domain Controller |
| | Alert Name | is equal to | Multiple Failed Logons from Same Source IP with Unique Usernames |
| | Alert Name | is equal to | Multiple Successful Logins from Multiple Diff Src to Diff Dest |
| | Alert Name | is equal to | Multiple Successful Logins from Multiple Diff Src to Same Dest |
| | Alert Name | is equal to | Privilege Escalation Detected |
| | Alert Name | is equal to | Privilege Escalation Detected in Unix |
| | Alert Name | is equal to | Privilege User Account Password Change |
| | Alert Name | is equal to | Failed Logins Outside Business Hours |
| | Alert Name | is equal to | DNS Tunneling |
| | Alert Name | is equal to | User Login Baseline |
| Group By | | | Destination User Account |
| Time Window | | | 1 Hour |
| Title | | | ${ruleName} for ${groupByValue1} |
Set up or Verify a Default Incident Rule
- Go to (Configure) > Incident Rules.
The Incident Rules view is displayed.
- Click the link in the Name field of a default incident rule to open the Incident Rule Details view. Set up or verify the default incident rule using the values in the default incident rule tables in this topic. Set values not listed in the tables according to your business requirements. For details about the parameters that can be set as criteria for an incident rule, see Incident Rule Details View.
- When you are ready to enable your rule, in the Basic Settings section, select Enabled.
- Click Save.
- Verify the order of your incident rules. For more information, see Verify the Order of Your Incident Rules.
Suspected Command & Control Communication By Domain
The following table shows the values for the Suspected Command & Control Communication By Domain default incident rule.
| Field | Condition Field | Condition Operator | Value |
|---|---|---|---|
| Name | | | Suspected Command & Control Communication By Domain |
| Description | | | This incident rule captures suspected communication with a Command & Control server and groups results by domain. |
| Group | | | All of these |
| Conditions | Source | is equal to | Event Stream Analysis |
| | Alert Rule Id | is equal to | Suspected C&C |
| Group By | | | Domain for Suspected C&C |
| Time Window | | | 7 Days |
| Title | | | Suspected C&C with ${groupByValue1} |
| Summary | | | NetWitness Platform detected communications with ${groupByValue1} that may be command and control malware. 1. Evaluate if the domain is legitimate (online radio, news feed, partner, automated testing, etc.). 2. Review the domain registration for suspect information (registrant country, registrar, no registration data found, etc.). 3. If the domain is suspect, go to the Investigation module to locate other activity to or from it. |
High Risk Alerts: Malware Analysis
The following table shows the values for the High Risk Alerts: Malware Analysis default incident rule.
| Field | Condition Field | Condition Operator | Value |
|---|---|---|---|
| Name | | | High Risk Alerts: Malware Analysis |
| Description | | | This incident rule captures alerts generated by the NetWitness Malware Analysis platform as having a Risk Score of "High" or "Critical". |
| Group | | | All of these |
| Conditions | Source | is equal to | Malware Analysis |
| | Risk Score | is equal or greater than | 50 |
| Group By | | | Source IP Address |
| Time Window | | | 1 Hour |
| Title | | | ${ruleName} for ${groupByValue1} |
High Risk Alerts: NetWitness Endpoint
The following table shows the values for the High Risk Alerts: NetWitness Endpoint default incident rule.
| Field | Condition Field | Condition Operator | Value |
|---|---|---|---|
| Name | | | High Risk Alerts: NetWitness Endpoint |
| Description | | | This incident rule captures alerts generated by the NetWitness Endpoint platform as having a Risk Score of "High" or "Critical". |
| Group | | | All of these |
| Conditions | Source | is equal to | NetWitness Endpoint |
| | Risk Score | is equal or greater than | 50 |
| Group By | | | Host Name* |
| Time Window | | | 1 Hour |
| Title | | | ${ruleName} for ${groupByValue1} |
*To aggregate NetWitness Endpoint alerts based on the File Hash, create another NetWitness Endpoint Rule using the File Hash as the Group By value. See Create a NetWitness Endpoint Incident Rule using File Hash for step-by-step instructions.
High Risk Alerts: Reporting Engine
The following table shows the values for the High Risk Alerts: Reporting Engine default incident rule.
| Field | Condition Field | Condition Operator | Value |
|---|---|---|---|
| Name | | | High Risk Alerts: Reporting Engine |
| Description | | | This incident rule captures alerts generated by the NetWitness Reporting Engine as having a Risk Score of "High" or "Critical". |
| Group | | | All of these |
| Conditions | Source | is equal to | Reporting Engine |
| | Risk Score | is equal or greater than | 50 |
| Group By | | | Source IP Address |
| Time Window | | | 1 Hour |
| Title | | | ${ruleName} for ${groupByValue1} |
High Risk Alerts: ESA
The following table shows the values for the High Risk Alerts: ESA default incident rule.
| Field | Condition Field | Condition Operator | Value |
|---|---|---|---|
| Name | | | High Risk Alerts: ESA |
| Description | | | This incident rule captures alerts generated by the NetWitness ESA platform as having a Risk Score of "High" or "Critical". |
| Group | | | All of these |
| Conditions | Source | is equal to | Event Stream Analysis |
| | Risk Score | is equal or greater than | 50 |
| Group By | | | Source IP Address |
| Time Window | | | 1 Hour |
| Title | | | ${ruleName} for ${groupByValue1} |
IP Watch List: Activity Detected
The following table shows the values for the IP Watch List: Activity Detected default incident rule. The addresses 1.1.1.1 and 2.2.2.2 are placeholders; replace them with the addresses you actually want to watch before you enable the rule.
| Field | Condition Field | Condition Operator | Value |
|---|---|---|---|
| Name | | | IP Watch List: Activity Detected |
| Description | | | This incident rule captures alerts generated by IP addresses that have been added as "Source IP Address" *and* "Destination IP Address" conditions of the rule. To add additional IP addresses to the watch list, simply add a new Source and Destination IP Address conditional pair. |
| Group | | | Any of these |
| Conditions | Source IP Address | is equal to | 1.1.1.1 |
| | Destination IP Address | is equal to | 1.1.1.1 |
| | Source IP Address | is equal to | 2.2.2.2 |
| | Destination IP Address | is equal to | 2.2.2.2 |
| Group By | | | Source IP Address |
| Time Window | | | 4 Hours |
| Title | | | ${ruleName} |
User Watch List: Activity Detected
The following table shows the values for the User Watch List: Activity Detected default incident rule. The user names jsmith and jdoe are placeholders; replace them with the accounts you actually want to watch before you enable the rule.
| Field | Condition Field | Condition Operator | Value |
|---|---|---|---|
| Name | | | User Watch List: Activity Detected |
| Description | | | This incident rule captures alerts generated by network users whose user names have been added as a "Source Username" condition. To add more than one Username to the watch list, simply add an additional Source Username condition. |
| Group | | | Any of these |
| Conditions | Source Username | is equal to | jsmith |
| | Source Username | is equal to | jdoe |
| Group By | | | Source Username |
| Time Window | | | 4 Hours |
| Title | | | ${ruleName} |
Suspicious Activity Detected: Windows Worm Propagation
The following table shows the values for the Suspicious Activity Detected: Windows Worm Propagation default incident rule.
| Field | Condition Field | Condition Operator | Value |
|---|---|---|---|
| Name | | | Suspicious Activity Detected: Windows Worm Propagation |
| Description | | | This incident rule captures alerts that are indicative of worm propagation activity on a Microsoft network. |
| 1st Group | | | All of these |
| Condition | Source | is equal to | Event Stream Analysis |
| 2nd Group | | | Any of these |
| Conditions | Alert Name | is equal to | Windows Worm Activity Detected Logs |
| | Alert Name | is equal to | Windows Worm Activity Detected Packets |
| Group By | | | Source IP Address |
| Time Window | | | 1 Hour |
| Title | | | ${ruleName} |
Suspicious Activity Detected: Reconnaissance
The following table shows the values for the Suspicious Activity Detected: Reconnaissance default incident rule.
| Field | Condition Field | Condition Operator | Value |
|---|---|---|---|
| Name | | | Suspicious Activity Detected: Reconnaissance |
| Description | | | This incident rule captures alerts that identify common ICMP host identification techniques (i.e., "ping") accompanied by connection attempts to multiple service ports on a host. |
| 1st Group | | | All of these |
| Condition | Source | is equal to | Event Stream Analysis |
| 2nd Group | | | Any of these |
| Conditions | Alert Name | is equal to | Port Scan Horizontal Packet |
| | Alert Name | is equal to | Port Scan Vertical Packet |
| | Alert Name | is equal to | Port Scan Horizontal Log |
| | Alert Name | is equal to | Port Scan Vertical Log |
| Group By | | | Source IP Address |
| Time Window | | | 4 Hours |
| Title | | | ${ruleName} |
Monitoring Failure: Device Not Reporting
The following table shows the values for the Monitoring Failure: Device Not Reporting default incident rule.
| Field | Condition Field | Condition Operator | Value |
|---|---|---|---|
| Name | | | Monitoring Failure: Device Not Reporting |
| Description | | | This incident rule captures any instance of an alert designed to detect the absence of log traffic from a previously reporting device. |
| Group | | | All of these |
| Conditions | Source | is equal to | Event Stream Analysis |
| | Alert Name | is equal to | No logs traffic from device in given time frame |
| Group By | | | Source IP Address |
| Time Window | | | 2 Hours |
| Title | | | ${ruleName} |
Web Threat Detection
The following table shows the values for the Web Threat Detection default incident rule.
| Field | Condition Field | Condition Operator | Value |
|---|---|---|---|
| Name | | | Web Threat Detection |
| Description | | | This incident rule captures alerts generated by the NetWitness Web Threat Detection platform. |
| Group | | | All of these |
| Condition | Source | is equal to | Web Threat Detection |
| Group By | | | Alert Rule Id |
| Time Window | | | 1 Hour |
| Title | | | ${ruleName} for ${groupByValue1} |
User Entity Behavior Analytics
The following table shows the values for the User Entity Behavior Analytics default incident rule.
| Field | Condition Field | Condition Operator | Value |
|---|---|---|---|
| Name | | | User Entity Behavior Analytics |
| Description | | | This incident rule captures user entity behavior. |
| Group | | | All of these |
| Condition | Source | is equal to | User Entity Behavior Analytics |
| Group By | | | UEBA Classifier Id |
| Time Window | | | 1 Hour |
| Title | | | ${ruleName} for ${groupByValue1} |
Detect AI
The following table shows the values for the Detect AI default incident rule. Because the rule has two Group By values, the title uses ${groupByValue2}, which resolves to the UEBA Entity Name.
| Field | Condition Field | Condition Operator | Value |
|---|---|---|---|
| Name | | | DetectAI |
| Description | | | This incident rule captures anomalies generated by Detect AI. |
| Group | | | All of these |
| Condition | Source | is equal to | DetectAI |
| Group By | | | UEBA Classifier Id, UEBA Entity Name |
| Time Window | | | 1 Hour |
| Title | | | ${ruleName} for ${groupByValue2} |
Create a NetWitness Endpoint Incident Rule using File Hash
To aggregate NetWitness Endpoint alerts based on the File Hash, create another NetWitness Endpoint Rule using the File Hash as the Group By value. To do this, clone the default NetWitness Endpoint incident rule and change the Group By value.
- Go to (Configure) > Incident Rules.
The Incident Rules view is displayed.
- Select the High Risk Alerts: NetWitness Endpoint default incident rule and click Clone.
A message confirms that you successfully cloned the selected rule.
- Change the Name of the rule to an appropriate name, such as High Risk Alerts: NetWitness Endpoint File Hash.
- In the Group By field, remove the previous Group By value and add File MD5 Hash.
It is important that File MD5 Hash is the only Group By value listed.
- If you are ready to enable your rule, in the Basic Settings section, select Enabled.
- Click Save to create the rule.
The Incident Rules view shows your new rule.
- Verify the order of your incident rules. For more information, see Verify the Order of Your Incident Rules.
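The tables in this topic describe each rule declaratively, which makes it easy to misjudge how a Group By choice or a time window changes the incidents you get. The following Python is an added example, not NetWitness code, that models the rule semantics shown in the tables: condition groups combined with All of these / Any of these (every group of a rule must hold), the operators "is equal to" and "is equal or greater than", Group By on one or two alert fields, a time window, and the ${ruleName} / ${groupByValue1} / ${groupByValue2} title template. It transcribes four rules from this page (High Risk Alerts: NetWitness Endpoint, its File Hash clone, a two-condition subset of User Behavior, and Detect AI) and runs them over constructed sample alerts. Two things are assumptions, not facts from this page: alerts are represented as dicts keyed by the field names the tables use, and an incident stays open for the length of the time window counted from its first alert.

```python
"""Added example (not NetWitness code): a small evaluator for incident rules shaped like the tables.

Assumptions: alerts are dicts keyed by the field names used in the tables, and an incident
stays open for rule["time_window"] measured from its first alert; how NetWitness itself
slices the window is not specified on this page.
"""
from datetime import datetime, timedelta
from string import Template

OPERATORS = {
    "is equal to": lambda actual, expected: actual == expected,
    "is equal or greater than": lambda actual, expected: actual is not None and actual >= expected,
}

def group_matches(group, alert):
    """group = (mode, [(field, operator, value), ...]); mode is All of these / Any of these."""
    mode, conditions = group
    results = [OPERATORS[op](alert.get(field), value) for field, op, value in conditions]
    return all(results) if mode == "All of these" else any(results)

def rule_matches(rule, alert):
    """Every group of the rule must hold: the 1st and 2nd groups in the tables are ANDed."""
    return all(group_matches(g, alert) for g in rule["groups"])

def aggregate(rule, alerts):
    """Fold matching alerts into incidents keyed by the Group By values, one window at a time."""
    incidents, open_by_key = [], {}
    for alert in sorted(alerts, key=lambda a: a["time"]):
        if not rule_matches(rule, alert):
            continue
        key = tuple(alert.get(f) for f in rule["group_by"])
        current = open_by_key.get(key)
        if current is None or alert["time"] - current["opened"] > rule["time_window"]:
            subs = {"ruleName": rule["name"]}
            subs.update({f"groupByValue{i}": v for i, v in enumerate(key, start=1)})
            current = {"title": Template(rule["title"]).safe_substitute(subs),
                       "key": key, "opened": alert["time"], "alerts": []}
            incidents.append(current)
            open_by_key[key] = current
        current["alerts"].append(alert["id"])
    return incidents

# Rules transcribed from the tables on this page.
HIGH_RISK_ENDPOINT = {
    "name": "High Risk Alerts: NetWitness Endpoint",
    "groups": [("All of these", [("Source", "is equal to", "NetWitness Endpoint"),
                                 ("Risk Score", "is equal or greater than", 50)])],
    "group_by": ["Host Name"], "time_window": timedelta(hours=1),
    "title": "${ruleName} for ${groupByValue1}",
}
# The clone from "Create a NetWitness Endpoint Incident Rule using File Hash".
ENDPOINT_BY_HASH = dict(HIGH_RISK_ENDPOINT, name="High Risk Alerts: NetWitness Endpoint File Hash",
                        group_by=["File MD5 Hash"])
USER_BEHAVIOR = {  # two of the 29 Alert Names, to keep the example short
    "name": "User Behavior",
    "groups": [("All of these", [("Source", "is equal to", "Event Stream Analysis")]),
               ("Any of these", [("Alert Name", "is equal to", "Direct Login By A Guest Account"),
                                 ("Alert Name", "is equal to", "Privilege Escalation Detected")])],
    "group_by": ["Destination User Account"], "time_window": timedelta(hours=1),
    "title": "${ruleName} for ${groupByValue1}",
}
DETECT_AI = {
    "name": "DetectAI",
    "groups": [("All of these", [("Source", "is equal to", "DetectAI")])],
    "group_by": ["UEBA Classifier Id", "UEBA Entity Name"], "time_window": timedelta(hours=1),
    "title": "${ruleName} for ${groupByValue2}",
}

T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_ALERTS = [  # constructed sample alerts, not real NetWitness output
    {"id": 1, "time": T0, "Source": "NetWitness Endpoint", "Risk Score": 90,
     "Host Name": "WS-101", "File MD5 Hash": "aaaa"},
    {"id": 2, "time": T0 + timedelta(minutes=10), "Source": "NetWitness Endpoint", "Risk Score": 55,
     "Host Name": "WS-101", "File MD5 Hash": "bbbb"},
    {"id": 3, "time": T0 + timedelta(minutes=20), "Source": "NetWitness Endpoint", "Risk Score": 70,
     "Host Name": "WS-202", "File MD5 Hash": "aaaa"},
    {"id": 4, "time": T0 + timedelta(minutes=30), "Source": "NetWitness Endpoint", "Risk Score": 30,
     "Host Name": "WS-101", "File MD5 Hash": "aaaa"},      # below the 50 threshold: ignored
    {"id": 5, "time": T0 + timedelta(hours=2), "Source": "NetWitness Endpoint", "Risk Score": 95,
     "Host Name": "WS-101", "File MD5 Hash": "aaaa"},      # outside the 1 Hour window: new incident
    {"id": 6, "time": T0, "Source": "Event Stream Analysis", "Alert Name": "Privilege Escalation Detected",
     "Destination User Account": "svc-backup"},
    {"id": 7, "time": T0, "Source": "Reporting Engine", "Alert Name": "Privilege Escalation Detected",
     "Destination User Account": "svc-backup"},            # 2nd group matches but 1st group fails
    {"id": 8, "time": T0, "Source": "DetectAI", "UEBA Classifier Id": "abnormal_logon_time",
     "UEBA Entity Name": "jdoe"},
]

def run_examples():
    """Returns {rule name: [(incident title, member alert ids), ...]} for the sample alerts."""
    return {r["name"]: [(i["title"], i["alerts"]) for i in aggregate(r, SAMPLE_ALERTS)]
            for r in (HIGH_RISK_ENDPOINT, ENDPOINT_BY_HASH, USER_BEHAVIOR, DETECT_AI)}

if __name__ == "__main__":
    for name, incidents in run_examples().items():
        print(name, incidents)
```

Running it shows the points the tables only imply: alert 4 (Risk Score 30) never reaches an incident; alerts 1 and 2 fold into one incident for WS-101 while alert 5, two hours later, opens a second incident with the same title; the File Hash clone regroups the same alerts so that alerts 1 and 3 (same hash, different hosts) land together; alert 7 is dropped because its Source fails the first group even though its Alert Name satisfies the second; and the Detect AI title is built from the second Group By value.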