Step 3. Enable and Create Incident Rules for Alerts
NetWitness Respond incident rules contain criteria to automate the process of creating incidents from alerts. Alerts that meet the rule criteria are grouped together to form an incident. Analysts use these incidents to locate indicators of compromise. Instead of creating an incident for a particular set of alerts and adding the alerts to that incident manually, you can save time by using incident rules to create incidents from alerts for you.
NetWitness provides predefined incident rules that you can use and you can also create your own rules based on your business requirements.
To create incidents automatically, you need to enable at least one incident rule.
When you have two or more incident rules enabled, the order of the rules becomes very important. The highest priority rules are at the top of the Incident Rules list. The highest priority rule has the number 1 in the Order field. The next highest priority rule is number 2 in the Order field, and so on. Alerts can only be part of one incident. If an alert matches more than one rule in the Incident Rule list, it is only evaluated using the highest priority rule that it matches.
In 11.6.1, the Incident rule execution pattern is modified such that the alert aggregation queries refer to the lastRun parameter of the incident rule. So, now multiple incident rules (positioned as per the priority in the order field) in the Incident rules list match the same alert name.
For example,
- INC-rule 1 is at the 4th position in the order field that is associated with the conditions alert.name equal to test and source equal to ESA.
-
INC-rule 2 is at the 24th position in the order field that is associated with the condition source equal to ESA.
Before 11.6.1 upgrade, the INC-rule 1 matched the alert name test. On upgrade, the INC-rule 2 at the 24th position in the order field matches the alert name test as the source is ESA.
To address this scenario, configure each incident rule to have unique conditions. Make sure the conditions in the lower priority incident rules are not duplicate of the conditions in the highest priority rules.
NetWitness has 13 predefined incident rules that you can use. To set up your incident rules, you can do any of the following:
- Enable predefined incident rules
- Add new rules
- Clone rules
- Edit existing rules
- Export and import rules
The Detect AI default incident rule is available in NetWitness 11.6 and later. It captures the network user behavior and uses the deployed RSA Live ESA Rules to create incidents from alerts.
The User Entity Behavior Analytics incident rule is available in 11.3 and later. It captures user entity behavior grouped by Classifier ID to create incidents from alerts. The User Behavior default incident rule is available in NetWitness 11.1 and later. It captures network user behavior and uses deployed RSA Live ESA Rules to create incidents from alerts.
You can select and deploy the RSA Live ESA Rules that you want to monitor. For more information, see Deploy the RSA Live ESA Rules.
To configure the default incident rules or verify your existing default incident rules with the 11.5 default incident rules, see Set Up and Verify Default Incident Rules.
This topic contains the following procedures:
- Enable Incident Rules
- Create an Incident Rule
- Verify the Order of Your Incident Rules
- Clone an Incident Rule
- Edit an Incident Rule
- Export Incident Rules
- Import Incident Rules
Enable Incident RulesEnable Incident Rules
To create incidents automatically, you need to enable at least one incident rule. Predefined (default) incident rules or rules that you create must be enabled before they start creating incidents.
To enable one or more incident rules:
Note: Enabling one or more incident rules from the Incident Rules view is only available in NetWitness version 11.4 and later.
This is the easiest way to enable rules. Use this method after you have made the necessary adjustments to the rules and you just want to quickly enable them.
- Go to (Configure) > Incident Rules.
The Incident Rules view is displayed. - Select one or more incident rules and click Enable.
- Click OK to verify that you want to enable the selected rules.
In the Incident Rules view, the Enabled column changes from a red square (Disabled) to a green triangle (Enabled). - Verify the order of your incident rules.
Note: To disable incident rules, follow the above procedure but select the Disable button instead of the Enable button.
To enable an incident rule from within the incident rule details:
You can enable rules from within the incident rule details when you save your rule adjustments.
- Go to (Configure) > Incident Rules.
The Incident Rules view is displayed. - Click the link in the Name column for the rule that you want to enable.
The Incident Rule Details view is displayed for the selected rule. - Adjust the parameters and conditions of your rule as required. For details about various parameters that can be set as criteria for an incident rule, see Incident Rule Details View. To adjust the default rules, see Set Up and Verify Default Incident Rules.
- In the Basic Settings section, select the Enabled checkbox.
- Click Save to enable the rule.
Notice that the Enabled column changes from a red square (Disabled) to a green triangle (Enabled). - Verify the order of your incident rules.
Note: To disable an incident rule in the Incident Rule Details view, follow the above procedure but clear the Enabled checkbox instead of selecting it.
Create an Incident RuleCreate an Incident Rule
-
Go to (Configure) > Incident Rules.
The Incident Rules view is displayed.
-
To add a new rule, click Create Rule.
The Incident Rule Details view is displayed.
-
Enter the parameters and conditions of your rule. All rules need to have at least one condition. For details about parameters that can be set as criteria for an incident rule, see Incident Rule Details View.
Note: Escaping of the special characters is required only when you select the operators contains, begins with, ends with, and matches regex while defining the incident rule condition with special characters. It is not required when you select the operators is equal to, is not equal to, in, and not in while defining the incident rule condition with special characters.
The following is the list of special characters to be escaped.
~, `, @, #, $, %, ^, &, *, (), _, -, +, =, {}, [], |, \, :, ;, ", ', <>, ?, ,, ., / - If you are ready to enable your rule, in the Basic Settings section, select Enabled.
-
Click Save.
The rule appears in the Incidents Rules list. If you selected Enabled, the rule is enabled and it starts creating incidents depending on the incoming alerts that match the selected criteria.
- Verify the order of your incident rules.
Verify the Order of Your Incident RulesVerify the Order of Your Incident Rules
NetWitness Respond evaluates incoming alerts against the incident rules in the order that you define. If alerts match the first rule listed, then that rule creates an incident. If alerts match the second rule listed and those alerts did not match the first rule, then the second rule creates an incident. If alerts match the third rule listed and those alerts did not match the first or second rule listed, then the third rule creates an incident, and so on.
To change the order of the rules, use the drag pads () in front of the rules to move them up and down in the list.
The rule order determines which rule takes effect if the criteria for multiple rules match the same alert. If multiple rules match an alert, only the rule with the highest priority creates an incident.
Clone an Incident RuleClone an Incident Rule
It is often easier to duplicate an existing rule that is similar to a rule that you want to create and adjust it accordingly.
- Go to (Configure) > Incident Rules.
The Incident Rules view is displayed. - Select the rule that you would like to copy and click Clone.
- Adjust the parameters and conditions of your rule as required. All rules need to have at least one condition.
- If you are ready to enable your rule, in the Basic Settings section, select Enabled.
- Click Save to create the rule.
- Verify the order of your incident rules.
Edit an Incident RuleEdit an Incident Rule
- Go to (Configure) > Incident Rules and click the link in the Name column for the rule that you want to update.
The Incident Rule Details view is displayed. - Adjust the parameters and conditions of your rule as required. All rules need to have at least one condition.
Note: Escaping of the special characters is required only when you select the operators contains, begins with, ends with, and matches regex while defining the incident rule condition with special characters. It is not required when you select the operators is equal to, is not equal to, in, and not in while defining the incident rule condition with special characters.
The following is the list of special characters to be escaped.
~, `, @, #, $, %, ^, &, *, (), _, -, +, =, {}, [], |, \, :, ;, ", ', <>, ?, ,, ., /
- If you are ready to enable your rule, in the Basic Settings section, select Enabled.
- Click Save to update the rule.
- Verify the order of your incident rules.
See Also:
- For details about parameters that can be set as criteria for an incident rule, see Incident Rule Details View.
- For details on the parameter and field descriptions in the Incident Rules list, see Incident Rules View.
Export Incident RulesExport Incident Rules
Note: Exporting and importing incident rules from the Incident Rules view is only available in NetWitness version 11.4 and later.
Exporting incident rules enables you to share incident rules with other NetWitness Servers on the same release version. The exported incident rules file is a ZIP file that contains two JSON files: one file contains the incident rules and the other file contains the incident rule schema. You cannot export Advanced incident rules; the export function only allows incident rules created using Rule Builder.
- Go to (Configure) > Incident Rules.
The Incident Rules view is displayed. - Select the rules that you would like to export and click Export.
The exported incident rules file is a ZIP file in the format <random ID>-incident_rules_export.json.zip, which contains two mandatory JSON files:- aggregation_rule_schema.json contains the incident rule schema.
- <random ID>-incident_rules_export.json contains the incident rules.
Note: You cannot export Advanced rules.
You can import this ZIP file on another NetWitness Server on the same release version.
If for some reason the export is not successful, and you receive only a .JSON file, for example, failure.json, refresh your browser and try again. This could happen if someone made an adjustment to the incident rules at the same time. You can also receive an error if you attempt to export an Advanced incident rule, which is not allowed.
Import Incident RulesImport Incident Rules
Note: Exporting and importing incident rules from the Incident Rules view is only available in NetWitness version 11.4 and later.
You can import an incident rules ZIP file from NetWitness Servers on the same release version. The incident rules ZIP file must be in the original exported format <random ID>-incident_rules_export.json.zip and contain two mandatory JSON files:
- aggregation_rule_schema.json contains the incident rule schema.
- <random ID>-incident_rules_export.json contains the incident rules.
The import fails if the ZIP file contains additional files or folders. To edit the incident rules ZIP file, see Edit the Incident Rules Export ZIP File.
To import incident rules:
- Go to (Configure) > Incident Rules.
The Incident Rules view is displayed. - Click Import and select the incident rules ZIP file to import.
If the import is successful, a successful import notification is displayed, and the imported incident rules are disabled and shown at the bottom of the incident rules list. The Rule Created column shows the date and time of the import.
See Also:
- For details about parameters that can be set as criteria for an incident rule, see Incident Rule Details View.
- For details on the parameter and field descriptions in the Incident Rules list, see Incident Rules View.