The Whitelist Alert feature allows you to whitelist the unwanted and recurring non-suspicious Endpoint alerts triggered in the Respond > Alerts view. With this feature, you can select entities such as File, User, and Host and define the Whitelist condition to avoid triggering unwanted alerts for the required entities. Administrators can permanently delete the existing alerts matched with the Whitelist condition by enabling the Config in the Services > Respond Server > Explore view.
Note: By default, the Config is disabled in the Services > Respond Server > Explore view (the alert-cleanup-enabled parameter is set to false). To enable the config, you must set the alert-cleanup-enabled parameter to true in Services > Respond Server > Explore view. Refer to the following figures.
- When you enable the config, the existing alerts matched with the Whitelist condition still continue to exist over a period of time before they are permanently deleted. Once deleted, the alerts cannot be reversed to the selected entities.
- You can select only one alert at a time for whitelisting.
To whitelist an Endpoint alert
Go to Respond > Alerts.
The Alerts view is displayed.
Select an alert and click More Actions > Whitelist Alert.
Enter the name of the Whitelist and select the required entities.
Specify the reason for whitelisting in the Comments section.
The Confirm Whitelist confirmation dialog is displayed.
Click Confirm Whitelist.
Use Case: Unwanted Endpoint Alerts Triggering in the Respond service
John, an analyst, logs in to the NetWitness Platform XDR and clicks Respond > Alerts. While investigating the alerts in the Respond Alerts view, John notices that a few alerts displayed in the UI are not suspicious. Analyst selects a non-suspicious alert and clicks the Whitelist Alert tab under More Actions in the toolbar. Once the Alert Whitelisting confirmation window is displayed, John performs the following:
Enters the name of the Whitelist.
Selects the entities File and Host to stop triggering the new matching alerts for the particular file xxxx.smp and the host Windows.
Specifies the reason for whitelisting the alert in the Comments section and clicks Whitelist.
Once the Confirm Whitelist confirmation window is displayed, John clicks Confirm Whitelist.
After whitelisting the selected alert, John selects another non-suspicious alert in the Respond Alerts view for whitelisting. This time, John enables the config in the Services > Respond Server > Explore view to permanently delete the existing alerts matched with the Whitelist condition. Later, John selects the entities User, Host, and File in the Alert Whitelisting confirmation window to stop triggering the new matching alerts for the selected entities.
Note: Upon enabling the config and then whitelisting the alert for the selected entities User, Host, and File, John finds that the risk score of the entities File and Host is affected. This is due to the permanent deletion of the existing alerts matched with the Whitelist condition after enabling the config.
Delete the Whitelists
You can delete the Whitelists to start receiving the new matched alerts for the selected entities in the Respond > Alerts view. Once you delete the selected Whitelist, the new matching alerts are triggered only for the selected entities.
To delete the Whitelists
Go to Respond > Whitelists.
The Whitelists view is displayed.
Select the Whitelist and click Delete.
The confirmation window is displayed.
Click Delete Whitelist.
The Whitelist is deleted.
- When you delete the Whitelists, only the new matching alerts are triggered. The whitelisted old alerts cannot be recovered for the selected entities.
- Analysts must have one of the following permissions to view the Whitelists tab in the Respond view:
- Analysts must have the respond-server.alert.read permission to view the whitelists in Respond > Whitelists view and respond-server.alert.manage permission to delete the Whitelists.
The table below lists the toolbar actions available in the Whitelists List view.
|Select this option and access the Filters panel to filter the required Whitelists.|
|Select this option to delete the selected Whitelist.|
Whitelists List View
The Whitelists List view displays the list of all the Endpoint Whitelists with the Rule Name, Creation Date, and the Summary associated with the respective Whitelisted Endpoint Alerts. The view consists of a Filters panel and the Whitelists List.
The Whitelists List displays all the Endpoint Whitelists in the NetWitness Platform XDR. You can filter this list to view only the Whitelists of interest.
The following table describes the columns in the Whitelists List.
|Whitelist Name||Displays the name of the Whitelist you provided during the whitelisting of the selected alert.|
Displays the rule name associated with the whitelisted alert.
|Summary||Displays the details of the entities selected during the whitelisting of the selected alert. For Example: File name: cmd.exe, Host name: win34.|
Displays the comment added during the whitelisting of the selected alert.
|Created Date||Displays the Whitelist creation date and time.|
Displays the name of the user who created the Whitelist.
|Alerts Matched||Displays the number of new matching alerts that are not triggered for the selected entities in the Respond > Alerts view after whitelisting the selected alert.|
You can filter the Whitelists based on the following parameters.
User who created the Whitelists
Summary associated with the Whitelists
The following table lists all the fields displayed in the Whitelists List view Filters panel.
Allows you to select the required time duration and view the Whitelists created in the time duration selected.
Note: Turn On the Custom Date Range Toggle to select a custom date range of your choice.
|Whitelist Name||Allows you to enter the name of required Whitelist.|
|Rule Name||Allows you to enter the name of the rule associated with the Whitelists created.|
|Summary||Allows you to enter the complete value or a part of the value of the entities associated with the required Whitelist. For example: cmd.exe or win34 or analyst1.|
Allows you to filter the Whitelists on the basis of the user who created them.
Click Reset to remove the filters applied.