Respond Config: Step 3. Enable and Create Incident Rules for Alerts

Document created by RSA Information Design and Development on Sep 13, 2017. Last modified by RSA Information Design and Development on Mar 27, 2018.
Version 12

NetWitness Respond incident rules contain various criteria to automate the process of creating incidents from alerts. Alerts that meet the rule criteria are grouped together to form an incident. Analysts use these incidents to locate indicators of compromise. Instead of creating an incident for a particular set of alerts and adding the alerts to that incident manually, you can save time by using incident rules to create incidents from alerts for you.

NetWitness Suite provides predefined incident rules that you can use and you can also create your own rules based on your business requirements.

To create incidents automatically, you need to enable at least one incident rule.

When you have two or more incident rules enabled, the order of the rules becomes very important. The highest priority rules are at the top of the Incident Rules List. The highest priority rule has the number 1 in the Order field. The next highest priority rule is number 2 in the Order field, and so on. Alerts can only be part of one incident. If an alert matches more than one rule in the Incident Rule list, it is only evaluated using the highest priority rule that it matches.

NetWitness Suite has 12 predefined incident rules that you can use. To set up your incident rules, you can do any of the following:

  • Enable predefined incident rules
  • Add new rules
  • Clone rules
  • Edit existing rules

The User Behavior default incident rule is available in NetWitness Suite 11.1 and later. It captures network user behavior and uses deployed RSA Live ESA Rules to create incidents from alerts. You can select and deploy the RSA Live ESA Rules that you want to monitor. For more information, see Deploy the RSA Live ESA Rules.

Some predefined (default) incident rules changed slightly in 11.1. To verify your existing default incident rules with the 11.1 default incident rules, see Set Up and Verify Default Incident Rules.

Enable an Incident Rule

To create incidents automatically, you need to enable at least one incident rule. Predefined (default) incident rules or rules that you create must be enabled before they start creating incidents.

  1. Go to CONFIGURE > Incident Rules.
    The Incident Rules List view is displayed. The example below shows the 12 default incident rules.
    Incident Rules List view with Name field selected
  2. Click the link in the Name column for the rule that you want to enable.
    The Incident Rule Details view is displayed for the selected rule.
    Incident Details view showing the Enabled checkbox
  3. Adjust the parameters and conditions of your rule as required. For details about various parameters that can be set as criteria for an incident rule, see Incident Rule Details View.
  4. In the Basic Settings section, select Enabled.
  5. Click Save to enable the rule.
    Notice that the Enabled column changes from the red square Disabled icon to the green triangle Enabled icon.
    Incident Rules List view showing enabled rule
  6. Verify the order of your incident rules.

Create an Incident Rule

  1. Go to CONFIGURE > Incident Rules.

    The Incident Rules List view is displayed.
    Incident Rules List view

  2. To add a new rule, click Create Rule.

    The Incident Rule Details view is displayed.
    Incident Rule Details View

  3. Enter the parameters and conditions of your rule. All rules need to have at least one condition. For details about various parameters that can be set as criteria for an incident rule, see Incident Rule Details View.

    The following figure shows a rule example.
    Incident Rule Example

  4. If you are ready to enable your rule, in the Basic Settings section, select Enabled.
  5. Click Save.

    The rule appears in the Incident Rules list. If you selected Enabled, the rule is enabled immediately and starts creating incidents from incoming alerts that match its criteria.

  6. Verify the order of your incident rules.

Verify the Order of your Incident Rules

To change the order of the rules, use the drag pads in front of the rules to move them up and down in the list.
The rule order determines which rule takes effect when the criteria of multiple rules match the same alert. If two rules match an alert, only the rule with the highest priority (the lower Order number) is evaluated, and the alert is placed in that rule's incident.
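The first-match behavior described above, as an added example in Python (not NetWitness code): rules sit in a list in Order-field priority, each alert is claimed by the first enabled rule whose condition it meets, and swapping two rules changes which incident an alert lands in. The alert fields, rule names and conditions are constructed for the illustration and are not RSA's predefined rules.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# An alert is modelled as a flat dict of fields. The field names used below
# (alert_id, source, name, risk_score) are constructed for this example.
Alert = Dict[str, object]


@dataclass
class IncidentRule:
    name: str
    enabled: bool
    # One callable stands in for the rule's conditions; every rule must have
    # at least one condition, as the procedure above requires.
    condition: Callable[[Alert], bool]


@dataclass
class Incident:
    rule_name: str
    alerts: List[Alert] = field(default_factory=list)


def first_matching_rule(alert: Alert, ordered_rules: List[IncidentRule]) -> Optional[IncidentRule]:
    """Return the highest-priority enabled rule whose condition the alert meets.

    List position is the Order field: index 0 is Order 1. Evaluation stops at
    the first match, so lower-priority rules never see the alert.
    """
    for rule in ordered_rules:
        if rule.enabled and rule.condition(alert):
            return rule
    return None


def group_alerts(alerts: List[Alert], ordered_rules: List[IncidentRule]) -> Dict[str, Incident]:
    """Group alerts into one incident per claiming rule; an alert joins at most one."""
    incidents: Dict[str, Incident] = {}
    for alert in alerts:
        rule = first_matching_rule(alert, ordered_rules)
        if rule is None:
            continue  # no enabled rule matched: the alert stays ungrouped
        incidents.setdefault(rule.name, Incident(rule.name)).alerts.append(alert)
    return incidents


def assignments(alerts: List[Alert], ordered_rules: List[IncidentRule]) -> Dict[str, Optional[str]]:
    """Map each alert_id to the name of the rule that claimed it (None if unmatched)."""
    result: Dict[str, Optional[str]] = {str(a["alert_id"]): None for a in alerts}
    for incident in group_alerts(alerts, ordered_rules).values():
        for a in incident.alerts:
            result[str(a["alert_id"])] = incident.rule_name
    return result


# Constructed sample rules: a specific one, a broad one, and a disabled catch-all.
C2_RULE = IncidentRule(
    name="Suspected C2 Beaconing",
    enabled=True,
    condition=lambda a: a["source"] == "ESA" and "beacon" in str(a["name"]).lower(),
)
HIGH_RISK_RULE = IncidentRule(
    name="High Risk Alerts",
    enabled=True,
    condition=lambda a: int(a["risk_score"]) >= 90,
)
DISABLED_RULE = IncidentRule(
    name="Disabled Catch-All",
    enabled=False,
    condition=lambda a: True,  # would match everything, but is not enabled
)

# Constructed sample alerts. a1 satisfies both enabled rules.
SAMPLE_ALERTS: List[Alert] = [
    {"alert_id": "a1", "source": "ESA", "name": "Periodic Beacon to Rare Domain", "risk_score": 95},
    {"alert_id": "a2", "source": "Malware Analysis", "name": "Suspicious PE Download", "risk_score": 92},
    {"alert_id": "a3", "source": "ESA", "name": "Failed Logins Burst", "risk_score": 40},
]

# Order 1 = specific rule, Order 2 = broad rule: a1 goes to the specific incident.
SPECIFIC_FIRST = [C2_RULE, HIGH_RISK_RULE, DISABLED_RULE]
# Swapped: the broad rule claims a1 and the specific rule never sees it.
BROAD_FIRST = [HIGH_RISK_RULE, C2_RULE, DISABLED_RULE]

if __name__ == "__main__":
    for label, order in (("specific first", SPECIFIC_FIRST), ("broad first", BROAD_FIRST)):
        print(label, assignments(SAMPLE_ALERTS, order))
```

The practical lesson is the one the procedure steps keep repeating: after enabling or creating a rule, verify the order. A broad rule placed above a specific one silently absorbs the alerts the specific rule was written to single out, and a disabled rule contributes nothing regardless of its position.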

Clone an Incident Rule

It is often easier to duplicate an existing rule that is similar to a rule that you want to create and adjust it accordingly.

  1. Go to CONFIGURE > Incident Rules.
    The Incident Rules List view is displayed.
  2. Select the rule that you would like to copy and click Clone.
  3. Adjust the parameters and conditions of your rule as required. All rules need to have at least one condition.
  4. If you are ready to enable your rule, in the Basic Settings section, select Enabled.
  5. Click Save to update the rule.
  6. Verify the order of your incident rules.

Edit an Incident Rule

  1. Go to CONFIGURE > Incident Rules and click the link in the Name column for the rule that you want to update.
    The Incident Rule Details view is displayed.
  2. Adjust the parameters and conditions of your rule as required. All rules need to have at least one condition.
  3. If you are ready to enable your rule, in the Basic Settings section, select Enabled.
  4. Click Save to update the rule.
  5. Verify the order of your incident rules.
