Endpoint Config: Deploy Endpoint Application Rules and ESA Correlation Rules

Document created by RSA Information Design and Development on Apr 11, 2019. Last modified by RSA Information Design and Development on Apr 11, 2019.

Note: The information in this topic applies to RSA NetWitness® Platform Version 11.3 and later.

The existing IIOCs from NetWitness Endpoint 4.4.0.x are now available as OOTB Endpoint Application rules tagged as Indicators of Compromise, Behaviors of Compromise, Enablers of Compromise, and Analysis.File. Application rules for Endpoint are automatically available on installation of NetWitness Platform 11.3.

For Endpoint risk score, every Application rule must have an ESA rule that generates alerts used for the risk score calculation. A set of OOTB ESA rules are available as Endpoint Rule Bundle. You must specify the Endpoint data sources (Concentrators) and deploy the ESA Rules from the Endpoint Rule Bundle. For more information, see "Deploy Endpoint Risk Scoring Rules on ESA" section in the ESA Configuration Guide.

When the key and value of a triggered Application rule match an ESA rule, an alert is generated. That alert is used to compute the risk score, and an incident is raised when the risk score exceeds the defined threshold.

Note: If you are upgrading an existing Endpoint Log Hybrid to 11.3, you must deploy the Application rules from RSA Live. During deployment, you must specify the Endpoint Log Hybrid Log Decoder service. In case of multiple Endpoint servers, select all the Endpoint Log Hybrid Log Decoder services. For more information, see the Live Services Management Guide.

You can view the application rules that are deployed in Admin > Endpoint Log Hybrid - Log Decoder > Config > App Rules, and the application rules that were triggered in Investigate > Navigate > Endpoint Log Hybrid - Concentrator > App rules.

The Endpoint ESA rules generate alerts with the severity Critical, High, or Medium. You can view the alerts on:

  • Risk Details tab: You can view Critical, High, and Medium alerts for a host or file on Investigate > Hosts > Risk Details or Investigate > Files > Risk Details.
  • Respond view: You can view only Critical and High severity alerts on NetWitness Respond > Alerts.

Custom Endpoint Rule for Risk Scoring

If you have custom IIOCs in NetWitness Endpoint 4.4.0.x, you need to create these custom Endpoint rules. Once you have created your custom Application rule, you must create the custom ESA Rule for risk score calculation and update the RiskConfig file in MongoDB.

To create a custom Endpoint rule, perform the following:

  1. Add a custom Application rule
  2. Add a custom ESA rule
  3. Update the risk configuration file

1. Add a custom Application Rule

To add a custom application rule:

  1. Complete steps 1-11 in the "Configure Application Rules" topic of the Decoder and Log Decoder Configuration Guide.

    Note: You must be familiar with the metakeys tagged as Indicators of Compromise, Behaviors of Compromise, Enablers of Compromise, and Analysis.File, on which an alert will be generated. In the In Encrypted Directory example, the alert is generated on the Analysis.File metakey.

    Following is an example of an Application Rule created for the In Encrypted Directory alert.

    [Screenshot: Application Rule for the In Encrypted Directory alert]


  2. After a custom application rule is added successfully, select the newly created rule (For example, In Encrypted Directory alert) and click Apply.

    In case of multiple Endpoint servers, you must create this custom Application rule on every Endpoint Log Hybrid Log Decoder service.

2. Add a custom ESA Rule

To add a custom ESA rule, perform the following.

  1. SSH to the Admin Server.

  2. Create a new JSON file (for example, in-encrypted-directory.json) with the custom ESA rule definition in the following format.

    {
      "id": "In Encrypted Directory",
      "key": "analysis.file",
      "value": "in encrypted directory",
      "title": "In Encrypted Directory",
      "type": "ENDPOINT",
      "enabled": true,
      "description": "End Point rule for In Encrypted Directory",
      "severity": "MEDIUM"
    }

    The following table describes the fields that define a rule.

    Field        Description
    id           The name of the ESA rule. For example, In Encrypted Directory.
    key          The metakey on which an alert is generated. For example, the alert is generated on the analysis.file metakey for the In Encrypted Directory rule.
    value        The value, which must exactly match the App rule name. For example, in encrypted directory.
    title        The name of the alert. For example, In Encrypted Directory.
    type         The type of rule. For a custom Endpoint rule, the type must be ENDPOINT.
    enabled      The status of the rule. Specify true if the rule should be considered for risk scoring.
    description  The description of the rule.
    severity     The severity of the rule: critical, high, or medium.

  3. To enter the shell mode of nw-shell, execute the following command:
    nw-shell

  4. Connect to the ESA correlation-server using the following command:
    connect --service correlation-server

  5. Log in to the ESA correlation-server using the following command:
    login

    Note: You must provide the Administrator username and password.

  6. Navigate to the API xpath using the following command:
    cd correlation/keyvalue/settings/set

  7. Execute the API using the following command:
    invoke --file <absolute-path-to-rule-definition-file>

    Note: You must specify the absolute path to the rule definition file. For example, invoke --file /root/rule.json

3. Add the rule to RiskConfig

After you create the custom Application rule and the ESA rule, you must update the RiskConfig in MongoDB.

To update the riskconfig file, perform the following:

  1. SSH to Admin Server.
  2. Create a JavaScript file (for example, in-encrypted-directory-rule.js) with the risk rule definition for the custom ESA rule in the following format.

    db.risk_rule.insertMany(
    [ {
        "name" : "In Encrypted Directory",
        "enabled" : true,
        "handler" : "Default",
        "entities" : {
        },
        "metas" : {
            "File" : [
                {
                    "meta" : "checksum_src",
                    "name" : "filename_src",
                    "weight" : NumberInt(100)
                }
            ],
            "Host" : [
                {
                    "meta" : "agent_id",
                    "name" : "alias_host",
                    "weight" : NumberInt(100)
                }
            ]
        },
        "_class" : "com.rsa.asoc.respond.pipeline.risk.rules.AlertScoringRule"
    } ]
    )

    The following table describes the fields that define a rule.

    Field                   Description
    name                    The name of the ESA rule.
    enabled                 The flag to enable or disable risk scoring. Specify true to enable risk scoring.
    handler                 The value must be Default.
    entities                The value must be empty.
    metas > File > meta     The metakey for a file for which the score should be calculated.
    metas > File > name     The name of the metakey of the file identity.
    metas > File > weight   By default, the weight value is 100.
    metas > Host > meta     The metakey for a host for which the score should be calculated.
    metas > Host > name     The name of the metakey of the host identity.
    metas > Host > weight   By default, the weight value is 100.
    _class                  Used internally; do not change.

  3. Insert the new rule into the riskconfig on MongoDB using the following command:

    mongo respond-server --authenticationDatabase admin -u deploy_admin -p <deploy_admin-user-password> in-encrypted-directory-rule.js

  4. Confirm that the ESA rule was added to the riskconfig using the following command:

    mongo respond-server --authenticationDatabase admin -u deploy_admin -p <deploy_admin-user-password> --eval 'db.risk_rule.find({ "name": /.*In Encrypted Directory.*/i })'

  5. Restart the Respond server for the changes to take effect.

    service rsa-nw-respond-server restart

After you create a custom Endpoint rule and update the risk configuration file, whenever an event is generated for the new rule (For example, In Encrypted Directory) an alert will be generated and the risk score is calculated for the host and file.
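The three definitions above (Application rule, ESA rule JSON, risk_rule document) only feed the risk score when their names, type, severity and enabled flags agree. As an added consistency check that is not part of the RSA documentation, the following Python builds the ESA rule and the matching risk_rule entry from one app rule, renders the mongo script, and reports any mismatch against the field rules in the two tables. The key names ioc, boc and eoc are assumed here; analysis.file is the page's own example.

```python
import json
import re

SEVERITIES = {"CRITICAL", "HIGH", "MEDIUM"}
# Alerting metakeys by category: analysis.file is the page's example;
# ioc, boc and eoc are assumed to be the IOC/BOC/EOC keys.
ALERT_KEYS = {"ioc", "boc", "eoc", "analysis.file"}
RISK_CLASS = "com.rsa.asoc.respond.pipeline.risk.rules.AlertScoringRule"


def build_esa_rule(title, app_rule_value, key, severity):
    """ESA correlation-server definition; 'value' must equal the app rule name."""
    return {"id": title, "key": key, "value": app_rule_value, "title": title,
            "type": "ENDPOINT", "enabled": True,
            "description": f"End Point rule for {title}",
            "severity": severity.upper()}


def build_risk_rule(esa_rule, weight=100):
    """respond-server risk_rule document whose name matches the ESA rule id."""
    return {"name": esa_rule["id"], "enabled": True, "handler": "Default",
            "entities": {},
            "metas": {"File": [{"meta": "checksum_src", "name": "filename_src",
                                "weight": weight}],
                      "Host": [{"meta": "agent_id", "name": "alias_host",
                                "weight": weight}]},
            "_class": RISK_CLASS}


def risk_rule_js(risk_rule):
    """Render the mongo shell script; weights become NumberInt() as on the page."""
    body = json.dumps(risk_rule, indent=2)
    body = re.sub(r'("weight": )(\d+)', r"\1NumberInt(\2)", body)
    return f"db.risk_rule.insertMany(\n[ {body} ]\n)\n"


def validate(app_rule_value, esa_rule, risk_rule):
    """Return the consistency problems; an empty list means the chain is sound."""
    problems = []
    if esa_rule.get("type") != "ENDPOINT":
        problems.append("ESA rule type must be ENDPOINT")
    if esa_rule.get("severity") not in SEVERITIES:
        problems.append("severity must be CRITICAL, HIGH or MEDIUM")
    if esa_rule.get("key") not in ALERT_KEYS:
        problems.append(f"key {esa_rule.get('key')!r} is not an alerting metakey")
    if esa_rule.get("value") != app_rule_value:
        problems.append("ESA rule value must exactly match the app rule name")
    if risk_rule.get("name") != esa_rule.get("id"):
        problems.append("risk_rule name must match the ESA rule id")
    if not (esa_rule.get("enabled") and risk_rule.get("enabled")):
        problems.append("a disabled rule never contributes to the risk score")
    return problems
```

Write the output of risk_rule_js to the .js file used in step 3 of "Add the rule to RiskConfig", and run validate before deploying to catch a renamed App rule or a lowercase severity early.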
