The Whitelist Alert feature allows you to whitelist the unwanted and recurring non-suspicious Endpoint alerts triggered in the Respond > Alerts view.
With this feature, you can select entities such as File, User, and Host and define the Whitelist condition to avoid triggering unwanted alerts for the required entities. Administrators can permanently delete the existing alerts matched with the Whitelist condition by enabling the Config in the Services > Respond Server > Explore view.
Note: By default, the Config is disabled in the Services > Respond Server > Explore view (the alert-cleanup-enabled parameter is set to false). To enable the config, you must set the alert-cleanup-enabled parameter to true in Services > Respond Server > Explore view. Refer to the following figures.
Note:
- When you enable the config, the existing alerts matched with the Whitelist condition continue to exist for a period of time before they are permanently deleted. Once deleted, the alerts for the selected entities cannot be recovered.
- You can select only one alert at a time for whitelisting.
Note: NetWitness 12.5 extended the Whitelist feature to Event Stream Analysis and NetWitness Core. Now, you can whitelist unwanted and recurring non-suspicious alerts for these services.
To whitelist an Endpoint alert
- Go to Respond > Alerts.
  The Alerts view is displayed.
- Select an alert and click More Actions > Whitelist Alert.
- Enter the name of the Whitelist and select the required entities.
  Note: The entities displayed depend on the entities present on the selected Endpoint Alert. You must select at least one of the entities to apply to the Whitelist.
- Specify the reason for whitelisting in the Comments section.
- Click Whitelist.
  The Confirm Whitelist confirmation dialog is displayed.
- Click Confirm Whitelist.
Meta Keys Supported
The following table shows the meta keys supported for Endpoint alert whitelisting:

Elements | Meta Keys
---|---
Source | user.src
Target | user.dst
Filename | filename, filename.src, filename.dst
Hostname | alias.host, host.dst, host.src, device.host
To whitelist an Event Stream Analysis alert
- Go to Respond > Alerts.
- Select the Event Stream Analysis Alert and click More Actions > Whitelist Alert.
- Enter the name of the Whitelist and select the required entities.
  Note: The entities displayed depend on the entities present on the selected Endpoint Alert. You must select at least one of the entities to apply to the Whitelist.
  Note: In an Event Stream Analysis Alert, you have the option to select either “Match All Events” or “Match Any Events”. Selecting “Match All Events” whitelists the alert only if the selected entities are present across all the events of that alert. Selecting “Match Any Events” whitelists the alert if the selected entities are present in any of the events of that alert.
- Specify the reason for whitelisting in the Comments section.
- Click Whitelist.
  The Confirm Alert Whitelisting confirmation dialog is displayed.
- Click Confirm Whitelist.
Meta Keys Supported
The following table shows the meta keys supported for Endpoint alert whitelisting:

Elements | Meta Keys
---|---
IP | alias.ip, ip.src, ip.dst, forward.ip, device.ip
Port | tcp_srcport, udp_srcport, tcp_dstport, udp_dstport
Filename | filename, filename.src, filename.dst
Action | action
Hostname | alias.host, host.dst, host.src, device.host
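The “Match All Events” / “Match Any Events” behaviour described in the Event Stream Analysis procedure above, and the way one entity can be satisfied by any of several meta keys listed in the two Meta Keys Supported tables, can be modelled in a few lines. The following Python is an added illustrative example written for this page; it is not NetWitness code and does not claim to be the product's matching engine. It assumes a simplified alert shape (an alert dict holding an `id` and a list of event dicts keyed by meta key, with values that may be scalars or lists), case-insensitive comparison on the string form of values, and the hypothetical functions `alert_is_whitelisted` and `apply_whitelist`. It also shows what the alert-cleanup-enabled config changes: matched alerts are counted either way, but are only returned for deletion when cleanup is enabled.

```python
"""Illustrative model of whitelist-condition evaluation (added example, not NetWitness code).

Assumed alert shape: {"id": str, "events": [ {meta_key: value_or_list, ...}, ... ]}.
"""
from typing import Dict, List, Tuple

# Meta keys per entity for Event Stream Analysis alerts (from the ESA table on this page).
ESA_META_KEYS: Dict[str, List[str]] = {
    "IP": ["alias.ip", "ip.src", "ip.dst", "forward.ip", "device.ip"],
    "Port": ["tcp_srcport", "udp_srcport", "tcp_dstport", "udp_dstport"],
    "Filename": ["filename", "filename.src", "filename.dst"],
    "Action": ["action"],
    "Hostname": ["alias.host", "host.dst", "host.src", "device.host"],
}

# Meta keys per entity for Endpoint alerts (from the Endpoint table on this page).
ENDPOINT_META_KEYS: Dict[str, List[str]] = {
    "Source": ["user.src"],
    "Target": ["user.dst"],
    "Filename": ["filename", "filename.src", "filename.dst"],
    "Hostname": ["alias.host", "host.dst", "host.src", "device.host"],
}


def entity_present(event: dict, entity: str, value: str,
                   meta_keys: Dict[str, List[str]]) -> bool:
    """True if any meta key mapped to `entity` carries `value` in this event.

    Meta is multi-valued in practice, so a value may be a scalar or a list.
    Comparison is case-insensitive on the string form (an assumption of this model).
    """
    for key in meta_keys.get(entity, []):
        raw = event.get(key)
        if raw is None:
            continue
        values = raw if isinstance(raw, (list, tuple, set)) else [raw]
        if any(str(v).lower() == str(value).lower() for v in values):
            return True
    return False


def event_matches(event: dict, condition: Dict[str, str],
                  meta_keys: Dict[str, List[str]]) -> bool:
    """An event matches when every selected entity/value pair is present in it."""
    return all(entity_present(event, ent, val, meta_keys) for ent, val in condition.items())


def alert_is_whitelisted(alert: dict, condition: Dict[str, str], mode: str = "any",
                         meta_keys: Dict[str, List[str]] = ESA_META_KEYS) -> bool:
    """Apply a whitelist condition to a (possibly multi-event) alert.

    mode="all" mirrors "Match All Events": every event must carry the entities.
    mode="any" mirrors "Match Any Events": one matching event is enough.
    An empty condition never whitelists (the page requires at least one entity).
    """
    events = alert.get("events", [])
    if not condition or not events:
        return False
    hits = [event_matches(e, condition, meta_keys) for e in events]
    if mode == "all":
        return all(hits)
    if mode == "any":
        return any(hits)
    raise ValueError(f"unknown mode: {mode!r}")


def apply_whitelist(alerts: List[dict], condition: Dict[str, str], mode: str,
                    cleanup_enabled: bool,
                    meta_keys: Dict[str, List[str]] = ESA_META_KEYS) -> Tuple[int, List[str]]:
    """Return (number of matched alerts, ids that would be permanently deleted).

    The count is what the Alerts Whitelisted column reports; existing matched
    alerts are only removed when the alert-cleanup-enabled config is true.
    """
    matched = [a["id"] for a in alerts if alert_is_whitelisted(a, condition, mode, meta_keys)]
    return len(matched), (matched if cleanup_enabled else [])


# Constructed sample alerts for demonstration (not real data).
SAMPLE_ALERTS: List[dict] = [
    {"id": "a1", "events": [
        {"ip.src": "10.0.0.5", "ip.dst": "203.0.113.10", "tcp_dstport": 443, "alias.host": ["WIN34"]},
        {"ip.src": "10.0.0.5", "ip.dst": "203.0.113.10", "tcp_dstport": 443, "device.host": "win34"},
        {"ip.src": "10.0.0.7", "ip.dst": "198.51.100.2", "tcp_dstport": 443},
    ]},
    {"id": "a2", "events": [
        {"ip.src": "10.0.0.9", "udp_dstport": 53, "filename": "cmd.exe"},
    ]},
]

if __name__ == "__main__":
    cond = {"Hostname": "win34"}
    print("any:", alert_is_whitelisted(SAMPLE_ALERTS[0], cond, "any"))
    print("all:", alert_is_whitelisted(SAMPLE_ALERTS[0], cond, "all"))
    print("cleanup off:", apply_whitelist(SAMPLE_ALERTS, {"Port": "443"}, "any", False))
    print("cleanup on: ", apply_whitelist(SAMPLE_ALERTS, {"Port": "443"}, "any", True))
```

For an Endpoint alert, pass `meta_keys=ENDPOINT_META_KEYS` so that a Source or Target entity resolves to user.src or user.dst. The difference between the two modes shows up on alert a1 above: a Hostname condition of win34 matches under “Match Any Events” because two of its three events carry the host, but not under “Match All Events” because the third event has no host meta at all.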
To whitelist a NetWitness Core alert
- Go to Respond > Alerts.
- Select the NetWitness Core Alert and click More Actions > Whitelist Alert.
- Enter the name of the Whitelist and select the required entities.
  The entities displayed depend on the entities present on the selected NetWitness Core Alert. You must select at least one of the entities to apply to the Whitelist.
- Specify the reason for whitelisting in the Comments section.
- Click Whitelist.
  The Confirm Alert Whitelisting confirmation dialog is displayed.
- Click Confirm Whitelist.
Use Case: Unwanted Endpoint Alerts Triggering in the Respond service
John, an analyst, logs in to the NetWitness Platform XDR and clicks Respond > Alerts. While investigating the alerts in the Respond Alerts view, John notices that a few alerts displayed in the UI are not suspicious. John selects a non-suspicious alert and clicks the Whitelist Alert tab under More Actions in the toolbar. Once the Alert Whitelisting confirmation window is displayed, John performs the following:
- Enters the name of the Whitelist.
- Selects the entities File, Host and User to stop triggering new matching alerts for the particular file xxxx.exe and the host Windows.
- Specifies the reason for whitelisting the alert in the Comments section and clicks Whitelist.
- Once the Confirm Whitelist confirmation window is displayed, clicks Confirm Whitelist.
After whitelisting the selected alert, John selects another non-suspicious alert in the Respond Alerts view for whitelisting. This time, John enables the config in the Services > Respond Server > Explore view to permanently delete the existing alerts matched with the Whitelist condition. Later, John selects the entities User, Host, and File in the Alert Whitelisting confirmation window to stop triggering the new matching alerts for the selected entities.
Note: Upon enabling the config and then whitelisting the alert for the selected entities User, Host, and File, John finds that the risk score of the entities File and Host is affected. This is due to the permanent deletion of the existing alerts matched with the Whitelist condition after enabling the config.
Note: You can whitelist Event Stream Analysis and NetWitness Core alerts in the same way.
Whitelists List View
The Whitelists List view displays the list of all the Endpoint, ESA, NetWitness Core, and Insight Whitelists with the Whitelist Rule Name, Alert Name, Alert Type, Summary, Alerts Whitelisted, and the Created Date associated with the respective Whitelisted Alerts. The view consists of a Filters panel, Whitelists List, and the Whitelist Overview.
Whitelists List
The Whitelists List displays all the Whitelists in the NetWitness Platform. You can filter this list to view only the Whitelists of interest.
The following table describes the columns in the Whitelists List.
Columns | Description
---|---
Whitelist Name | Displays the name of the Whitelist you provided during the whitelisting of the selected alert.
Alert Name | Displays the rule name associated with the whitelisted alert.
Alert Type | Displays the alert type: ESA, Endpoint, or NetWitness Core.
Summary | Displays the details of the entities selected during the whitelisting of the selected alert. For example: File name: cmd.exe, Host name: win34.
Alerts Whitelisted | Displays the number of alerts suppressed after the creation of the Whitelist.
Created Date | Displays the Whitelist creation date and time.
Filters Panel
You can filter the Whitelists based on the following parameters.
- Time Range
- Whitelist Rule Name
- Alert Name
- Alert Type
- Summary
- Created By
Click Reset to remove the filters applied.
The following table lists all the fields displayed in the Whitelists List view Filters panel.
Fields | Description
---|---
Time Range | Allows you to select the required time duration and view the Whitelists created in the selected time duration. Note: Turn on the Custom Date Range toggle to select a custom date range of your choice.
Whitelist Rule Name | Allows you to enter the name of the required Whitelist.
Alert Name | Allows you to enter the name of the rule associated with the Whitelists created.
Alert Type | Allows you to select the alert type: ESA, Endpoint, NetWitness Core, or Insights.
Summary | Allows you to enter the complete value or a part of the value associated with the required Whitelist. For example: cmd.exe, win34, or analyst1.
Created By | Allows you to filter the Whitelists on the basis of the user who created them.
Whitelist Overview
You can click on any whitelisted alert to view the overview on the right panel. All the selected entities will be displayed in the overview panel.
Delete the Whitelists
You can delete a Whitelist to start receiving new matching alerts for its selected entities in the Respond > Alerts view again. Once you delete the selected Whitelist, only new matching alerts are triggered for the selected entities; the previously whitelisted alerts are not restored.
To delete the Whitelists
- Go to Respond > Whitelists.
  The Whitelists view is displayed.
- Select the Whitelist and click Delete.
  The confirmation window is displayed.
- Click Delete Whitelist.
  The Whitelist is deleted.
Note:
- When you delete the Whitelists, only the new matching alerts are triggered. The whitelisted old alerts cannot be recovered for the selected entities.
- Analysts must have one of the following permissions to view the Whitelists tab in the Respond view:
  - respond-server.alert.delete
  - respond-server.alert.read
  - respond-server.alert.manage
  - respond-server.alertrule.manage
  - respond-server.alertrule.read
- Analysts must have the respond-server.alert.read permission to view the whitelists in the Respond > Whitelists view and the respond-server.alert.manage permission to delete the Whitelists.
Toolbar Actions
The table below lists the toolbar actions available in the Whitelists List view.
Option | Description
---|---
Filter | Select this option to access the Filters panel and filter the required Whitelists.
Delete | Select this option to delete the selected Whitelist.