For RSA NetWitness Platform 11.1 and later, ESA Rules can use Context Hub (CH) Lists as whitelists and blacklists in their construction and processing. To see details about these rules, see RSA ESA Rules.
This topic discusses the following:
- Use CH Lists in ESA Rules
- OOTB Context Hub Lists
- How to Update a Context Hub List
- How to Create a Context Hub List
- How to Add a Context Hub List as an Enrichment source
- Create an ESA Rule that Uses a Context Hub list
- Example of an ESA Rule that Uses a CH list
- EPL Syntax for Whitelists and Blacklists
- Known Limitations
Use CH Lists in ESA Rules
As of RSA NetWitness 11.1, Context Hub lists can be used in the processing of ESA Rules.
- Configure an existing CH list, or create and configure your own. In either case, the work is the same: add the list of values that the rule will match against, either to an existing CH list or to a list you create.
- Configure the CH List within ESA by adding it as an Enrichment source.
- Load the CH list into an ESA Rule when you build statements and define the rule.
An advantage of using CH lists in ESA rules is that you can update a list on the fly from the Respond and Investigate screens in NetWitness: right-click an item and add it to, or remove it from, any of your CH lists.
For details, see the following documentation in the RSA NetWitness Logs & Network 11.x Documentation space on RSA Link:
- Investigate: the "Manage Context Hub Lists and List Values" topic in the NetWitness Investigate User Guide
- Respond: "Context Lookup Panel" or "Investigate the Incident" topics in the NetWitness Respond User Guide
OOTB Context Hub Lists
The following Context Hub lists are available out of the box in RSA NetWitness 11.1. They are delivered empty: users need to configure the lists by adding entries.
Without this configuration step, the rules may not deliver results. You can add entries to the lists manually, or through import of CSV files. For details, see Configure Lists as a Data source in the Context Hub Guide.
The following lists are delivered with RSA NetWitness 11.1:
- User_Whitelist: A list of users that should be excluded from monitoring within rules configured to use it.
- User_Blacklist: A list of users that should be included for monitoring within rules configured to use it.
- Admin_Accounts: A list of privileged user accounts that should be included for monitoring within rules configured to use it.
- Service_Accounts: A list of service accounts that should be included for monitoring within rules configured to use it.
- Guest_Accounts: A list of guest user accounts that should be included for monitoring within rules configured to use it.
- Domain_Controllers: A list of domain controllers that should be included for monitoring within rules configured to use it.
- Host_Whitelist: A list of host names that should be excluded from monitoring within rules configured to use it.
- Host_Blacklist: A list of host names that should be included for monitoring within rules configured to use it.
- IP_Whitelist: A list of IP addresses that should be excluded from monitoring within rules configured to use it. CIDR notation and regular expressions may not be used.
- IP_Blacklist: A list of IP addresses that should be included for monitoring within rules configured to use it. CIDR notation and regular expressions may not be used.
The following table lists the rules that use each of the CH Lists.
CH List Name | ESA Rules that Use the List
---|---
User_Whitelist | 
User_Blacklist | Direct Login By A Watchlist Account
Admin_Accounts | Privilege User Account Password Change; Privilege Escalation Detected; Suspicious Privileged User Access Activity; Multiple Failed Privilege Escalations by the Same User; Multiple Login Failures by Administrators to Domain Controller
Guest_Accounts | Multiple Login Failures by Guest to Domain Controller
Host_Whitelist | Multiple Failed Logins from Multiple Diff Sources to Same Dest; Multiple Successful Logins from Multiple Diff Src to Diff Dest; Multiple Successful Logins from Multiple Diff Src to Same Dest; Multiple Failed Logins from Multiple Users to Same Destination; Lateral Movement Suspected Windows
Host_Blacklist | krbtgt Account Modified on Domain Controller; Multiple Login Failures by Administrators to Domain Controller; Multiple Login Failures by Guest to Domain Controller
IP_Whitelist | Multiple Failed Logins from Multiple Diff Sources to Same Dest; Multiple Successful Logins from Multiple Diff Src to Diff Dest; Multiple Successful Logins from Multiple Diff Src to Same Dest; Multiple Failed Logins from Multiple Users to Same Destination
IP_Blacklist | krbtgt Account Modified on Domain Controller; Multiple Login Failures by Administrators to Domain Controller; Multiple Login Failures by Guest to Domain Controller
How to Update a Context Hub List
1. Go to ADMIN > Services. The Services view is displayed.
2. Select the Context Hub service and open View > Config. The Services Config view of Context Hub is displayed.
3. Select the Lists tab.
4. In the Lists tab, select the list that you wish to update.
5. In the List Values section, use the controls for adding and removing items, or for importing a list:
   - To add an entry: click the add button, then enter a new value.
   - To remove an entry: select it, then click the remove button.
   - To import a list: click the import button, then navigate to a CSV file that contains the entries for your list.
6. Do either of the following:
   - Click Save to save your changes, or
   - Click anywhere outside the List Values section to discard your changes. A confirmation message asks whether you are sure you want to discard your changes: click Yes to discard them, or No to return to the screen with your unsaved changes.
For more information, see the topic "Configure Lists as a Data Source" in the Context Hub Configuration Guide in the RSA NetWitness Platform space on RSA Link.
How to Create a Context Hub List
Creating a list is very similar to updating an existing list.
1. Go to ADMIN > Services.
2. Select the Context Hub service and open View > Config.
3. Select the Lists tab.
4. In the Lists tab, click the add button, then enter a name for your list.
   Note: Make sure the name does not contain spaces. If the name of a list contains spaces, it cannot be used in an ESA Rule.
5. Add values to the list, or import an existing list:
   - To add an entry: click the add button, then enter a new value.
   - To import a list: click the import button, then navigate to a CSV file that contains the entries for your list.
6. Click Save to save your new list.
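Before importing a CSV through the Lists tab, it helps to check the entries against the constraints stated above. The following is an added example, not RSA code: it rejects a list name containing spaces, rejects CIDR and wildcard forms for IP_Whitelist/IP_Blacklist entries, and lower-cases user and host entries so that a rule's toLowerCase() comparison matches. The one-value-per-row CSV layout is an assumption.

```python
"""Prepare entries for import into a Context Hub list (added example, not RSA code).

Enforces three constraints from the page: no spaces in the list name, no CIDR or
regular expressions in IP list entries, and lower-case user/host entries so the
rule's toLowerCase() comparison matches. One value per CSV row is an assumption.
"""
import csv
import io
import ipaddress


def validate_list_name(name: str) -> bool:
    """A CH list usable from ESA rules needs a non-empty name with no spaces."""
    return bool(name) and " " not in name


def prepare_entries(raw_values, kind: str):
    """Return (accepted, rejected); kind is 'ip', 'user' or 'host'."""
    accepted, rejected, seen = [], [], set()
    for value in raw_values:
        value = value.strip()
        if not value:
            continue
        if kind == "ip":
            try:
                # ip_address() refuses CIDR ("10.0.0.0/24") and wildcard or
                # regex forms ("10.0.0.*"), which CH IP lists cannot take.
                value = str(ipaddress.ip_address(value))
            except ValueError:
                rejected.append(value)
                continue
        else:
            value = value.lower()  # matches the rule's toLowerCase() comparison
        if value not in seen:  # drop duplicates after normalisation
            seen.add(value)
            accepted.append(value)
    return accepted, rejected


def to_csv(entries) -> str:
    """One value per row: the layout assumed for the Lists tab import."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for entry in entries:
        writer.writerow([entry])
    return buf.getvalue()
```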
How to Add a Context Hub List as an Enrichment Source
If you add a new CH list, you need to add it as an enrichment source before you can use it in an ESA Rule.
1. Go to CONFIGURE > ESA Rules.
2. Select the Settings tab, then Enrichment Sources.
3. Click the add button and select Context Hub. The Context Hub List dialog box is displayed.
4. Select a list, add a description, and select a column.
5. Click Save to finish.
For more information, see the topic "Configure Context Hub List as an Enrichment Source" in the Alerting with ESA Correlation Rules User Guide in the RSA NetWitness Platform space on RSA Link.
Create an ESA Rule that Uses a Context Hub List
1. Go to CONFIGURE > ESA Rules.
2. In the Rules tab, click the add button and select Rule Builder. A New Rule tab opens.
3. In the New Rule tab, enter a name and description.
4. In the Conditions section, click the add button to open the Build a Statement dialog box.
5. You can add a whitelist, blacklist, or meta condition. This procedure details adding a list, so choose either Add Whitelist Condition or Add Blacklist Condition. In this example, we add a whitelist condition: click the add button and select Add Whitelist Condition.
6. In the Key column, from the drop-down menu, select a whitelist to use, for example User_Whitelist.
7. Select a column name from the list, then select an operator and enter the meta value for the corresponding value field.
8. Click Save to save the statement and close the dialog box.
9. Continue defining the rule until it is complete. For details, see "Add a Rule Builder Rule" in the Alerting Using ESA Guide.
Example of an ESA Rule that Uses a CH List
The Failed Logins Followed By Successful Login Password Change ESA rule uses the User_Whitelist Context Hub list.
You can view the syntax in RSA NetWitness:
1. Go to CONFIGURE > ESA Rules.
2. In the Rules tab, select the Failed Logins Followed By Successful Login Password Change rule and click the edit button. A tab for editing the rule is displayed.
3. Scroll down to the bottom of the page and click Show Syntax. The Rule Syntax dialog box is displayed.
4. Look over the syntax to get a sense of the EPL for this rule. When finished, click Close to close the Rule Syntax dialog box.
EPL Syntax for Whitelists and Blacklists
A whitelist ("known good") is a list of event meta values to exempt from alerts.
Whitelist example syntax (the whitelist-specific lines are the @UsesEnrichment annotation and the two NOT EXISTS subqueries against User_Whitelist):
```
@RSAAlert(oneInSeconds=0, identifiers={"user_dst"})
@UsesEnrichment(name="User_Whitelist")
SELECT * FROM
Event (
    medium = 32
    AND ec_activity = 'Logon'
    AND ec_outcome = 'Success'
    AND logon_type IN ('2','10','11','12')
    AND device_class = 'Windows Hosts'
    AND reference_id IN ('4624', '528', '540')
    AND user_dst IS NOT NULL
    AND NOT EXISTS (SELECT * FROM User_Whitelist WHERE (LIST = Event.user_dst.toLowerCase()))
    AND NOT EXISTS (SELECT * FROM User_Whitelist WHERE (LIST = Event.user_dst))
);
```
A blacklist ("known bad") is a list of event meta values used to trigger alerts.
Blacklist example syntax (the blacklist-specific lines are the @UsesEnrichment annotation and the two EXISTS subqueries against User_Blacklist):
```
@RSAAlert(oneInSeconds=0, identifiers={"user_dst"})
@UsesEnrichment(name="User_Blacklist")
SELECT * FROM
Event (
    medium = 32
    AND ec_activity = 'Logon'
    AND ec_outcome = 'Success'
    AND logon_type IN ('2','10','11','12')
    AND device_class = 'Windows Hosts'
    AND reference_id IN ('4624', '528', '540')
    AND user_dst IS NOT NULL
    AND (
        EXISTS (SELECT * FROM User_Blacklist WHERE (LIST = Event.user_dst.toLowerCase()))
        OR EXISTS (SELECT * FROM User_Blacklist WHERE (LIST = Event.user_dst))
    )
);
```
If you create your own rules using CH lists, make sure to include the UsesEnrichment() annotation, as shown in the examples above:
```
@UsesEnrichment(name="User_Whitelist")
```
In this example, the User_Whitelist is loaded into the system for this rule.
Note: It is fine to have the same list loaded (that is, named in UsesEnrichment statements) in multiple deployed ESA Rules. The system only loads each CH list once.
Use the toLowerCase() function to convert the received meta value to all lowercase:
```
Event.user_dst.toLowerCase()
```
In the examples above, the user_dst meta values are converted to lowercase before the comparison. If you have created your CH lists so that all entries are also in lowercase, the comparison is effectively case-insensitive.
Known Limitations
Can the Context Hub lists comparison be case-insensitive?
To get case-insensitive matching between CH lists and event meta, add the users to the CH lists in all lowercase. Context Hub lists cannot lowercase their entries before performing the match. In addition, use the toLowerCase() function in your rules, so that the meta values are converted to lowercase for the comparison.
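The following is an added example (plain Python, not RSA code or EPL) that models the whitelist and blacklist subqueries from the EPL syntax section above together with the case-sensitivity limitation just described. It replays the rule's predicate over constructed Windows logon events and shows that toLowerCase() on the meta value only helps when the list entries themselves are stored in lowercase. The event dictionaries and account names are constructed for the example.

```python
"""Model of how the page's whitelist/blacklist EPL consults a CH list.

Added example, not RSA code: imitates NOT EXISTS / EXISTS over
`LIST = Event.user_dst.toLowerCase()` and `LIST = Event.user_dst`
on constructed logon events to show the case-sensitivity caveat.
"""

# Filter shared by both EPL examples on the page.
LOGON_TYPES = {"2", "10", "11", "12"}
REFERENCE_IDS = {"4624", "528", "540"}

def base_filter(ev: dict) -> bool:
    """Successful interactive/remote Windows logons with a user_dst value."""
    return (ev.get("medium") == 32
            and ev.get("ec_activity") == "Logon"
            and ev.get("ec_outcome") == "Success"
            and ev.get("logon_type") in LOGON_TYPES
            and ev.get("device_class") == "Windows Hosts"
            and ev.get("reference_id") in REFERENCE_IDS
            and ev.get("user_dst") is not None)

def in_list(ch_list: set, user_dst: str) -> bool:
    """EXISTS(LIST = user_dst.toLowerCase()) OR EXISTS(LIST = user_dst).
    Entries are compared exactly as stored: Context Hub never lower-cases them.
    The whitelist's two NOT EXISTS clauses ANDed together are `not in_list`."""
    return user_dst.lower() in ch_list or user_dst in ch_list

def whitelist_rule(events, user_whitelist: set) -> list:
    """Alert on every qualifying logon whose user_dst is NOT on the list."""
    return [e for e in events if base_filter(e) and not in_list(user_whitelist, e["user_dst"])]

def blacklist_rule(events, user_blacklist: set) -> list:
    """Alert only on qualifying logons whose user_dst IS on the list."""
    return [e for e in events if base_filter(e) and in_list(user_blacklist, e["user_dst"])]

def logon(user: str, logon_type: str = "10", reference_id: str = "4624") -> dict:
    """Constructed sample event using the meta key names from the page's EPL."""
    return {"medium": 32, "ec_activity": "Logon", "ec_outcome": "Success",
            "logon_type": logon_type, "device_class": "Windows Hosts",
            "reference_id": reference_id, "user_dst": user}

# Constructed events: one account in three spellings, a second account,
# and a network (type 3) logon that the base filter drops.
EVENTS = [logon("svc_backup"), logon("SVC_BACKUP"), logon("Svc_Backup"),
          logon("jsmith"), logon("jsmith", logon_type="3")]
```

With the list entry stored as `svc_backup`, all three spellings are exempted by the whitelist rule; with it stored as `Svc_Backup`, only the exact-case event is exempted and the other two spellings still alert.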
What are the limitations between Basic Rule Builder and Live / Advanced Rules?
The basic Rule Builder can use only a single whitelist or blacklist within a rule.
What happens when you deploy an 11.1 CH List ESA rule to a version prior to 11.1?
The rule fails to deploy and is disabled, and an error stating that the list cannot be found is written to the log file.