Alerting: Configure Automated Threat Detection

Document created by RSA Information Design and Development on Apr 22, 2016
Version 1

This topic tells administrators and analysts how to configure and work with Automated Threat Detection. 

This procedure provides the steps needed to configure Automated Threat Detection on your ESA. Before you enable it, note that an ESA can host several components at once, including Automated Threat Detection, ESA rules, and the Context Hub, and each of them consumes resources. Consider sizing before enabling this feature on your ESA.

Prerequisites

You must have configured a Decoder for HTTP packet data. 

You must have configured an HTTP Lua or Flex parser.

For best results, enable the Context Hub service. This allows you to create a whitelist of domains that are excluded from scoring.

Procedure: Configuring Automated Threat Detection

This procedure provides the steps needed to configure Automated Threat Detection. 

The basic steps required are:

  1. Configure Whois settings. The Whois service provides accurate registration data about the domains that your hosts connect to. To ensure effective scoring, it is important that you configure the Whois service settings.
  2. Create a whitelist (optional) using the Context Hub service. A whitelist ensures that commonly accessed websites are excluded from Automated Threat Detection scoring.
  3. Enable Automated Threat Detection for your specified ESA. You need to enable it on each ESA where you want the service to run.
  4. Allow 24 hours for warm-up, and then enable the C2 rule in the Incident Manager. The scoring algorithm takes approximately 24 hours to warm up after Automated Threat Detection is enabled; after that, enable the C2 rule in the Incident Manager.

Step 1: Configure the Whois Service Settings for your ESA

You configure settings to allow your ESA to connect to the Whois service. This allows your ESA service to obtain detailed information about the domain that triggers the Automated Threat Detection score. 

  1. From Administration > Services, select your ESA service and then select the Actions menu > View > Explore.
  2. In the Explorer, click Service > Whois > whoisClient.
  3. Configure the following settings. Only the first two parameters (whoisUserId and whoisPassword) require modification; RSA recommends the default settings for the other parameters. Parameters marked as requiring an ESA restart do not take effect until the ESA service is restarted.

whoisUserId

Required:  Enter the authentication credential for the RSA Whois Server. This is the same as your RSA Live User ID. If you have not configured an RSA Live account, you will need to do so. 

The default value is "whois".

whoisPassword

Required: Enter the authentication credential for the RSA Whois Server. This is the same as your RSA Live password. If you have not configured an RSA Live account, you will need to do so. 

The default value is null.

whoisUrl

Optional: Enter the URL to obtain Whois data from the RSA Whois Service. Note that the trailing slash ('/') is required. Otherwise, requests will fail.

 The default value is: "https://cms.netwitness.com/whois/query/"

whoisAuthUrl

Optional: Enter the URL to obtain authentication tokens from the RSA Whois Service.

The default value is: "https://cms.netwitness.com/authlive/authenticate/WHOIS"

whoisAuthTokenLifespanSeconds 

Optional: Enter the time, in seconds, after which an authentication token should be renewed.

The default value is 3300. 


whoisHttpsProxy

Optional: If outbound HTTPS requests require a proxy, set this to the same proxy value that is configured for the RSA Live service. Use this parameter only when insecureConnection is set to true.

The default value is false.

(Requires an ESA restart to take effect.)

insecureConnection

Optional: Set this parameter to true to make the HTTP requests to the RSA Whois Service ignore SSL certificate validation.

Note: If the RSA Whois Service is accessed via a proxy, this parameter should be set to true.

Caution: With insecureConnection set to true, the ESA no longer verifies the identity of the server it sends your RSA Live credentials and domain queries to, so anything on the path (including a TLS-intercepting proxy) could read or alter that traffic. Enable it only when the proxy actually breaks certificate validation, and make sure the proxy itself is one you control.

The default value is false.

(Requires an ESA restart to take effect.)

allowedRequests

Optional: Enter how many queries you want to allow before you start throttling the Whois service. This parameter works with allowedRequestsIntervalSeconds, where you set the interval for queries. For example, if you set allowedRequests to 100 and allowedRequestsIntervalSeconds to 60, you are allowed 100 requests in any 60 second interval.

The default value is 100.

(Requires an ESA restart to take effect.)

allowedRequestsIntervalSeconds

Optional: If you set the allowedRequests parameter, you also need to configure this setting to determine the interval, in seconds. Tune this value for your environment.

The default setting is 60 seconds.

(Requires an ESA restart to take effect.)

queueMaxSize

Optional: Specify the maximum size of the queue of domains whose information will be requested from the RSA Whois Service.

The default is 100,000.

cacheMaxSize

Optional: Specify the maximum number of cached Whois entries. Once this limit is reached, the least recently used entry will be removed to accommodate a new entry.

The default is 50,000.

(Requires an ESA restart to take effect.)

refreshIntervalSeconds

Optional: Specify the number of seconds for the refresh interval.  If requested Whois information is found in the cache, and the cache entry has been there for more than the specified number of seconds, the entry is removed from the cache and the domain returned to the queue to be looked up. (The cache entry is returned for the request that identified it as stale.)

The default setting is  2,592,000 seconds (30 days).

waitForHTTPRequest

Optional: When true, the ESA waits for the Whois service to respond before it finishes running the EPL (Event Processing Language) rule for an event. This ensures that the Whois data is always included in the results, but it can hurt performance because the ESA pauses for up to 30 seconds waiting for the Whois service response.

When false and the response is slow, the ESA completes the analysis for the event without the Whois data, and calculates the score without it.

The default setting is true.
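To make the interaction between allowedRequests, allowedRequestsIntervalSeconds, queueMaxSize, cacheMaxSize, refreshIntervalSeconds and waitForHTTPRequest concrete, here is an added Python model of the lookup path the table describes. It is an illustration written for this page, not RSA's whoisClient code: the parameter names are the table's, while the class, its method names, the in-memory resolver that stands in for the HTTPS call, and the sample domains are assumptions. Running it shows which events are scored with Whois data, which are scored without it because the rate limit was hit, and when a stale cache entry is handed back and the domain re-queued.

```python
from collections import OrderedDict, deque


class WhoisClientModel:
    """In-memory model (not RSA's implementation) of the ESA Whois client's
    queue, LRU cache, refresh and throttling behaviour."""

    def __init__(self, allowedRequests=100, allowedRequestsIntervalSeconds=60,
                 queueMaxSize=100_000, cacheMaxSize=50_000,
                 refreshIntervalSeconds=2_592_000, waitForHTTPRequest=True,
                 resolver=None):
        self.allowed = allowedRequests
        self.interval = allowedRequestsIntervalSeconds
        self.queue_max = queueMaxSize
        self.cache_max = cacheMaxSize
        self.refresh = refreshIntervalSeconds
        self.wait = waitForHTTPRequest
        # Assumed stand-in for the remote service: returns a constructed record.
        self.resolver = resolver or (lambda d: {"domain": d, "registrar": "example-registrar"})
        self.cache = OrderedDict()   # domain -> (record, fetched_at); order = LRU order
        self.queue = deque()         # domains waiting for a background lookup
        self.sent = deque()          # timestamps of requests in the current window
        self.dropped = 0             # lookups discarded because the queue was full

    def _throttled(self, now):
        # Sliding window: at most allowedRequests requests per interval.
        while self.sent and now - self.sent[0] >= self.interval:
            self.sent.popleft()
        return len(self.sent) >= self.allowed

    def _enqueue(self, domain):
        if domain in self.queue:
            return
        if len(self.queue) >= self.queue_max:
            self.dropped += 1            # queueMaxSize reached: the lookup is lost
            return
        self.queue.append(domain)

    def _store(self, domain, record, now):
        self.cache[domain] = (record, now)
        self.cache.move_to_end(domain)
        while len(self.cache) > self.cache_max:
            self.cache.popitem(last=False)   # evict the least recently used entry

    def _fetch(self, domain, now):
        self.sent.append(now)
        record = self.resolver(domain)
        self._store(domain, record, now)
        return record

    def lookup(self, domain, now):
        """Return the record the EPL rule sees for this event, or None if the
        event has to be scored without Whois data."""
        if domain in self.cache:
            record, fetched_at = self.cache[domain]
            self.cache.move_to_end(domain)
            if now - fetched_at > self.refresh:
                # Stale: this event still gets the old record; the domain is
                # dropped from the cache and queued for a fresh lookup.
                del self.cache[domain]
                self._enqueue(domain)
            return record
        if self.wait and not self._throttled(now):
            return self._fetch(domain, now)      # waitForHTTPRequest=true: block for the answer
        self._enqueue(domain)                    # throttled, or waitForHTTPRequest=false
        return None

    def drain(self, now):
        """Background worker: service queued domains as the rate limit allows."""
        done = 0
        while self.queue and not self._throttled(now):
            self._fetch(self.queue.popleft(), now)
            done += 1
        return done


def demo():
    """Walk through the scenarios on constructed input; returns what each lookup yielded."""
    m = WhoisClientModel(allowedRequests=2, allowedRequestsIntervalSeconds=60,
                         cacheMaxSize=2, refreshIntervalSeconds=3600)
    out = {}
    out["a_first"] = m.lookup("a.example", now=0) is not None    # miss, fetched synchronously
    out["b_first"] = m.lookup("b.example", now=1) is not None    # second request in the window
    out["c_throttled"] = m.lookup("c.example", now=2)            # window full: None, queued
    out["a_hit"] = m.lookup("a.example", now=10)["domain"]       # served from cache
    out["drained"] = m.drain(now=70)                             # window expired: c fetched, b evicted
    out["b_evicted"] = "b.example" not in m.cache
    out["a_stale"] = m.lookup("a.example", now=4000)["domain"]   # past refresh: returned, then re-queued
    out["queued_after_stale"] = list(m.queue)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point to take from the model when tuning: with waitForHTTPRequest left at true, a burst of new domains beyond allowedRequests per allowedRequestsIntervalSeconds is scored without Whois data rather than delayed, and a cacheMaxSize that is small relative to the number of distinct domains in your HTTP traffic turns into repeated lookups of the same domains.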

Step 2: Create a Domains Whitelist (Optional)

Note: This step is optional: if you use the Incident Manager to manage these incidents, you can also create a whitelist by closing an incident as false-positive.  

This procedure is used with Automated Threat Detection to ensure that certain domains do not trigger a threat score. Sometimes a domain that you access regularly triggers an Automated Threat Detection score. For example, a weather service might show beaconing behavior similar to command-and-control communication and so trigger an unwarranted score. This is called a false positive. To prevent a false positive for a specific domain, add the domain to a whitelist. Most domains do not need to be whitelisted because the solution only alerts on highly suspicious behavior. The domains you may want to whitelist are legitimate automated services that few hosts connect to.

 

Note: You can have only one Context Hub service instance enabled in your Security Analytics deployment. If the Context Hub service is running on a different ESA, you need to configure this ESA to connect to the ESA that runs the Context Hub service. For instructions, see "Configure an ESA to Connect to the Context Hub on Another ESA" in the Event Stream Analysis Configuration Guide.

  1. From the Context Hub service, you can create a list and add domains manually, or you can upload a .CSV file containing a list of domains. 
    1. From Administration > Services, select the Context Hub service, then select the Actions menu > View > Config.
    2. Select the Lists tab to open the lists for editing. 
    3. In the left pane, click the add icon to create a list. Enter a name for the list, and then add domains manually by clicking the add icon in the right pane.

Caution: The whitelist must be named Whitelisted Domains. Otherwise, the Context Hub will not be able to process the list as a whitelist. 

    4. Or, to import a .CSV file, click the import icon, and in the Import File dialog box, navigate to the .CSV file. Note that the file must be named Whitelisted Domains. Choose from the following delimiters: Comma, LF (Line Feed), and CR (Carriage Return), depending on how you have separated the values in your file. Then click Upload.
  2. From the Context Hub service, you can also modify an existing whitelist to add or remove a domain.  
    1. The Lists pane displays your existing domain whitelist.
    2. Click Whitelisted Domains. The values for the whitelist display in the right pane. 
    3. To add a domain, click the add icon and enter the domain name.
    4. To remove a domain, select the domain and click the delete icon.
    5. To import a .CSV file, click the import icon, and in the Import File dialog box, navigate to the .CSV file. Choose from the following delimiters: Comma, LF (Line Feed), and CR (Carriage Return), depending on how you have separated the values in your file. Then click Upload.

Note: It is important to configure a whitelist before enabling Automated Threat Detection to ensure domains are whitelisted before threat scoring has begun. 
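Before uploading, it is worth normalising the list: entries copied from proxy logs or browser history often arrive as full URLs, with ports, mixed case or trailing dots, while the whitelist is a list of domain names. The following Python script is an added example, not RSA tooling. It reduces each entry to a bare hostname, rejects wildcards and IP addresses (a whitelist entry is a domain, and an over-broad entry silently blinds the detection for everything it covers), de-duplicates, and writes the result with one of the three delimiters the Import File dialog accepts. The sample entries are constructed, and the normalisation rules are the author's assumptions about what the Context Hub list should contain, not documented Context Hub behaviour.

```python
import re
from urllib.parse import urlsplit

# The three delimiters the Import File dialog offers.
DELIMITERS = {"Comma": ",", "LF": "\n", "CR": "\r"}

# One DNS label: 1-63 letters, digits or hyphens, not starting or ending with a hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize(entry):
    """Reduce a URL or host string to a bare lower-case hostname.
    Returns None for blanks, comments, wildcards, IP literals and anything
    that is not a syntactically valid multi-label domain name."""
    s = entry.strip()
    if not s or s.startswith("#"):
        return None
    if "://" not in s:
        s = "//" + s                       # let urlsplit treat a bare host as the netloc
    try:
        host = urlsplit(s).hostname        # drops scheme, userinfo, port, path; lower-cases
    except ValueError:
        return None
    if not host:
        return None
    host = host.rstrip(".")                # trailing dot from DNS-style FQDNs
    labels = host.split(".")
    if len(labels) < 2 or host.replace(".", "").isdigit():
        return None                        # single label, or an IPv4 literal
    if not all(LABEL_RE.match(label) for label in labels):
        return None                        # wildcards, IPv6, stray characters
    return host


def build_whitelist(entries, delimiter="LF"):
    """Return (text, rejected): the delimiter-joined list ready for upload, and
    the entries that were dropped so an analyst can review them by hand."""
    kept, seen, rejected = [], set(), []
    for entry in entries:
        stripped = entry.strip()
        host = normalize(entry)
        if host is None:
            if stripped and not stripped.startswith("#"):
                rejected.append(stripped)
            continue
        if host not in seen:
            seen.add(host)
            kept.append(host)
    return DELIMITERS[delimiter].join(kept), rejected


def write_whitelist(path, entries, delimiter="LF"):
    """Write the list for the Import File dialog; binary mode keeps a CR delimiter intact."""
    text, rejected = build_whitelist(entries, delimiter)
    with open(path, "wb") as fh:
        fh.write(text.encode("ascii"))
    return rejected


# Constructed sample input, as it might be pasted from a proxy log; not real data.
SAMPLE = [
    "# internal automated services that poll on a fixed interval",
    "https://weather.example.com/api/v1/current",
    "Weather.Example.COM",
    "time.example.net:123",
    "*.example.org",
    "10.0.0.5",
    "updates.example.org.",
    "",
]

if __name__ == "__main__":
    text, rejected = build_whitelist(SAMPLE, "LF")
    print(text)
    print("rejected:", rejected)
```

Review the rejected entries rather than discarding them: a wildcard usually means someone wanted to cover many hosts under one domain, and the right answer is to list the specific beaconing hosts, not to widen the exclusion.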

Step 3: Enable Automated Threat Detection

  1. From Administration > Services, select your ESA service and then select the Actions menu > View > Config. 
  2. Click the Advanced tab, select Enable Automated Threat Detection, and click Apply.

Automated Threat Detection is now enabled on your selected ESA. 

Step 4: Enable the C2 Detection Rule on the Incident Manager

  1. From Incidents > Configure, select Aggregation Rules.
  2. Select the Suspected Command & Control Communication by Domain rule and double-click to open it. 
  3. Click Enabled, and click Save.

The rule displays a green Enabled button once it is enabled.

Result

Once you have enabled Automated Threat Detection, your ESA will begin to perform analytics on the HTTP traffic. You can view detailed information for each incident in the Incident Management queue. 

Next Steps

After you have enabled the rule, monitor the Incident Manager to see if the rule is triggered. If the rule is triggered, follow the steps in the following section to investigate the domain associated with the triggered rule. 

Work with Automated Threat Detection Results
