This topic discusses the changes in RSA Content based on the NetWitness Endpoint being integrated with the RSA NetWitness Platform in version 11.3.
For RSA NetWitness Platform 11.3, a new content pack is being delivered, the Endpoint Content bundle. Additionally, new Endpoint content is being delivered out-of-the-box with 11.3:
Endpoint Content bundle:
- Approximately 400 application rules
- File Category Lua parser
- Investigation feed
- Endpoint Reports
OOTB Content delivered with NetWitness 11.3:
- ESA Endpoint Risk Scoring Rule bundle
- Risk Score Configuration
- Incident Rule
- Reputation Service
Note: You can download an Endpoint Meta spreadsheet from the following RSA Link blog post: https://community.rsa.com/community/internal/netwitness/blog/2018/09/20/understanding-netwitness-endpoint-data-part-3
Live Content Pack
In Live, select the drop-down menu for Medium, and select endpoint to search for Endpoint specific content. You can also deploy the Endpoint bundle to get all of the Endpoint content at once.
Live Services Feedback
RSA recommends that you enable the File Reputation option, which performs the following tasks:
- Analyzes file hash information (by Reversing Labs)
- Returns meta for the file (malicious, suspicious, known, known good, unknown)
- Malicious and suspicious files influence the risk score
Go to ADMIN > System > Live Services, and scroll down the page to see the Additional Live Services options.
Make sure the Endpoint Server is forwarding alerts to a capturing Log Decoder. For details, see the "Configuring Metadata Forwarding" topic in the NetWitness Endpoint Configuration Guide.
Once matched, the rule will alert to one of four hunting keys: boc, ioc, eoc, or analysis.file.
The Investigation feed enriches the events with risk level and MITRE ATT&CK classification on match to an application rule. UEBA queries the meta for use in the models. Go to the INVESTIGATE > Navigate view to see the meta.
File Category Lua Parser
The file category Lua parser enriches the events with file category classification:
Combination of standard directory path location + filename
- Reconnaissance tool
- Windows process
- Scripting engine
- Office application
- UEBA queries the meta for use in the models
Once you add the Endpoint Concentrator as a Data Source, and deploy the Endpoint Risk Scoring Rule Bundle, ESA begins forwarding alerts as follows:
- Medium, High and Critical alerts forwarded to the Risk Score Service (configurable)
- High and Critical to Respond
To change severity (Low, Medium, High, Critical), you need to use nw-shell. For details, see the NetWitness Shell User Guide.
Risk scores are used across the RSA NetWitness Platform.
NetWitness creates risk scoring incidents for suspicious files and hosts when defined risk score thresholds are crossed. In the background, it calculates risk scores for each file and host:
- Critical and High priority alerts from NetWitness Respond
- Medium priority Endpoint alerts from ESA
NetWitness Respond calculates risk score using a combination of the number of distinct alerts and the severity of alerts associated with the file or host.
Risk Score: Files and Hosts
You can view global file risk scores across hosts.
You can also view risk scores on your hosts.
If you reset the risk score, you will delete all related alerts, and set the score to zero.
Risk Score: Reputation Service
Files can be blacklisted, graylisted, or whitelisted.
- Blacklisted or reputation service reported files will increase the risk score
Application rules match with high severity
- Blacklisted File
- Writes Blacklisted File
- Runs Blacklisted File
- Malicious File
- Writes Malicious File
- Runs Malicious File
Application rules match with medium severity:
- Suspicious File
- Writes Suspicious File
- Runs Suspicious File
- Marking a file as graylisted will not affect the risk score
Application rules match with default of low severity and so are not, by default, included in the calculation:
- Graylisted File
- Writes Graylisted File
- Runs Graylisted File
- Marking a file as whitelisted will remove the related alerts and adjust the score.
- Some files cannot be whitelisted, such as important OS processes, scripting engines and tools commonly used during attacks.
For more details on changing file status, see the "Change File Status" topic in the NetWitness Endpoint User Guide.
Alerts are related to risk scores:
- Each alert can have an entity mapping to a host or filename for risk score calculation
- Only alerts of Critical, High or Medium severity are used for risk-score mapping
- Only Critical and High alerts are visible within the Respond workflow
Reports have been updated and expanded for 11.3:
- Endpoint Scan Data Host Report
- Endpoint Scan Data File and Process Outliers
- Endpoint Scan Data Autorun and Scheduled Task
- Endpoint Network Activity
- Endpoint Machine Summary
The 11.1 and 11.2 reports have been relabeled to include the version (11.1 or 11.2) at the beginning of the report name. Similarly, the 11.3 Rules have the 11.3 label at the beginning of their name.
The MITRE ATT&CK Framework is useful for classifying attacker tactics and techniques. It describes action from Initial Access through Exfiltration and Command and Control. It can be used to describe the types of attacker techniques can be detected.
MITRE's ATT&CK Navigator is a web application to visualize all three ATT&CK matrices:
- ATT&CK for Enterprise, hosted here: https://mitre.github.io/attack-navigator/enterprise.
- ATT&CK Mobile Profile, hosted here: https://mitre.github.io/attack-navigator/mobile/.
ATT&CK Navigator stores information in JSON files, where each JSON file is a layer containing multiple techniques which can be opened in the Navigator web interface. The JSON contains content in STIX 2.0 format which can be fetched from a TAXII 2.0 server of your own choice. For example, we can fetch ATT&CK content from MITRE's TAXII 2.0 server through APIs.
Application rules have been tagged according to this framework, and they can be viewed within INVESTIGATE > Navigate meta keys:
- Investigation Category = Tactic
- Investigation Context = Technique
- Used within the UEBA models
Custom Endpoint Content
The process for adding custom Endpoint content is as follows:
- Add the app rule on the Log Decoder
- Create a custom feed to add risk level and MITRE ATT&CK tags
- Add the rule to ESA Endpoint Risk Scoring Rule Bundle
- Extend the Risk Score configuration
For a detailed walk through of how to create a custom Endpoint ESA alert which can be consumed for Risk score calculation of Hosts and Files, please see the following blog post on RSA Link: Custom Endpoint Content for Risk Scoring in version 11.3.