Respond Config: Step 3. Enable and Create Incident Rules for Alerts

Document created by RSA Information Design and Development on Sep 13, 2017. Last modified by RSA Information Design and Development on Jan 30, 2020.
 

NetWitness Respond incident rules contain criteria to automate the process of creating incidents from alerts. Alerts that meet the rule criteria are grouped together to form an incident. Analysts use these incidents to locate indicators of compromise. Instead of creating an incident for a particular set of alerts and adding the alerts to that incident manually, you can save time by using incident rules to create incidents from alerts for you.

NetWitness Platform provides predefined incident rules that you can use and you can also create your own rules based on your business requirements.

To create incidents automatically, you need to enable at least one incident rule.

When you have two or more incident rules enabled, the order of the rules becomes very important. The highest priority rules are at the top of the Incident Rules list. The highest priority rule has the number 1 in the Order field. The next highest priority rule is number 2 in the Order field, and so on. Alerts can only be part of one incident. If an alert matches more than one rule in the Incident Rule list, it is only evaluated using the highest priority rule that it matches.

NetWitness Platform has 13 predefined incident rules that you can use. To set up your incident rules, you can do any of the following:

  • Enable predefined incident rules
  • Add new rules
  • Clone rules
  • Edit existing rules
  • Export and import rules

The User Entity Behavior Analytics incident rule is available in 11.3 and later. It captures user entity behavior grouped by Classifier ID to create incidents from alerts. The User Behavior default incident rule is available in NetWitness Platform 11.1 and later. It captures network user behavior and uses deployed RSA Live ESA Rules to create incidents from alerts.

You can select and deploy the RSA Live ESA Rules that you want to monitor. For more information, see Deploy the RSA Live ESA Rules.

Some predefined (default) incident rules changed slightly in 11.1 and later. To verify your existing default incident rules with the 11.4 default incident rules, see Set Up and Verify Default Incident Rules.

This topic contains the following procedures:

Enable Incident Rules

To create incidents automatically, you need to enable at least one incident rule. Predefined (default) incident rules or rules that you create must be enabled before they start creating incidents.

To enable one or more incident rules:

Note: Enabling one or more incident rules from the Incident Rules view is only available in NetWitness Platform version 11.4 and later.

This is the easiest way to enable rules. Use this method after you have made the necessary adjustments to the rules and you just want to quickly enable them.

  1. Go to Configure > Incident Rules.
    The Incident Rules view is displayed.
  2. Select one or more incident rules and click Enable.
    Incident Rules view with two rules selected after clicking Enable
  3. Click OK to verify that you want to enable the selected rules.
    Enable dialog

    In the Incident Rules view, the Enabled column changes from a red square (Disabled) to a green triangle (Enabled).
    Incident Rules view showing the enabled rules
  4. Verify the order of your incident rules.

Note: To disable incident rules, follow the above procedure but select the Disable button instead of the Enable button.

To enable an incident rule from within the incident rule details:

You can enable rules from within the incident rule details when you save your rule adjustments.

  1. Go to Configure > Incident Rules.
    The Incident Rules view is displayed.
    Incident Rules view with Name field selected
  2. Click the link in the Name column for the rule that you want to enable.
    The Incident Rule Details view is displayed for the selected rule.
    Incident Details view showing the Enabled checkbox
  3. Adjust the parameters and conditions of your rule as required. For details about various parameters that can be set as criteria for an incident rule, see Incident Rule Details View.
  4. In the Basic Settings section, select the Enabled checkbox.
  5. Click Save to enable the rule.
    Notice that the Enabled column changes from a red square (Disabled) to a green triangle (Enabled).

    Incident Rules view showing enabled rule
  6. Verify the order of your incident rules.

Note: To disable an incident rule in the Incident Rule Details view, follow the above procedure but clear the Enabled checkbox instead of selecting it.

Create an Incident Rule

  1. Go to Configure > Incident Rules.

    The Incident Rules view is displayed.
    Incident Rules view

  2. To add a new rule, click Create Rule.

    The Incident Rule Details view is displayed.
    Incident Rule Details View

  3. Enter the parameters and conditions of your rule. All rules need to have at least one condition. For details about parameters that can be set as criteria for an incident rule, see Incident Rule Details View.

    The following figure shows a rule example.
    Incident Rule Example - User Entity Behavior Analytics

  4. If you are ready to enable your rule, in the Basic Settings section, select Enabled.
  5. Click Save.

    The rule appears in the Incident Rules list. If you selected Enabled, the rule is enabled and it starts creating incidents from incoming alerts that match the selected criteria.

  6. Verify the order of your incident rules.

Verify the Order of Your Incident Rules

NetWitness Respond evaluates incoming alerts against the incident rules in the order that you define. If alerts match the first rule listed, then that rule creates an incident. If alerts match the second rule listed and those alerts did not match the first rule, then the second rule creates an incident. If alerts match the third rule listed and those alerts did not match the first or second rule listed, then the third rule creates an incident, and so on.

To change the order of the rules, use the drag pads in front of the rules to move them up and down in the list.

The rule order determines which rule takes effect if the criteria for multiple rules match the same alert. If multiple rules match an alert, only the rule with the highest priority creates an incident.
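The first-match evaluation described above, modelled as an added example (this is not NetWitness code, and the rule names, condition fields and alert fields are constructed for illustration): each alert lands in the incident of the highest-priority enabled rule it matches, and reversing the list changes which rule claims it.

```python
from collections import defaultdict

# Rules are listed in Order-column priority: index 0 is Order 1.
# Names, condition fields and alert fields below are constructed for
# this example and are not NetWitness rule definitions.
RULES = [
    {"name": "UEBA high severity", "enabled": True,
     "conditions": [("source", "UEBA"), ("severity", "high")]},
    {"name": "UEBA any", "enabled": True,
     "conditions": [("source", "UEBA")]},
    {"name": "ESA alerts", "enabled": False,   # disabled rules never match
     "conditions": [("source", "ESA")]},
]

ALERTS = [  # constructed sample alerts
    {"id": "a1", "source": "UEBA", "severity": "high"},
    {"id": "a2", "source": "UEBA", "severity": "low"},
    {"id": "a3", "source": "ESA", "severity": "high"},
]

def rule_matches(rule, alert):
    """All conditions of the rule must hold for the alert."""
    return all(alert.get(field) == value for field, value in rule["conditions"])

def group_alerts(rules, alerts):
    """Assign each alert to the highest-priority enabled rule it matches.

    Returns ({rule name: [alert ids]}, [unmatched alert ids]). An alert
    that matches several rules is counted only under the first one, which
    is why the order of the rules list matters.
    """
    incidents = defaultdict(list)
    unmatched = []
    for alert in alerts:
        for rule in rules:
            if rule["enabled"] and rule_matches(rule, alert):
                incidents[rule["name"]].append(alert["id"])
                break
        else:
            unmatched.append(alert["id"])
    return dict(incidents), unmatched

if __name__ == "__main__":
    print(group_alerts(RULES, ALERTS))
    # With "UEBA any" above "UEBA high severity", the broad rule claims a1 too.
    print(group_alerts(RULES[::-1], ALERTS))
```

Note that a3 stays unmatched in both orders because the only rule that fits it is disabled, which is the situation a newly imported (disabled) rule is in until you enable it.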

Clone an Incident Rule

It is often easier to duplicate an existing rule that is similar to a rule that you want to create and adjust it accordingly.

  1. Go to Configure > Incident Rules.
    The Incident Rules view is displayed.
  2. Select the rule that you would like to copy and click Clone.
  3. Adjust the parameters and conditions of your rule as required. All rules need to have at least one condition.
  4. If you are ready to enable your rule, in the Basic Settings section, select Enabled.
  5. Click Save to create the rule.
  6. Verify the order of your incident rules.

Edit an Incident Rule

  1. Go to Configure > Incident Rules and click the link in the Name column for the rule that you want to update.
    The Incident Rule Details view is displayed.
  2. Adjust the parameters and conditions of your rule as required. All rules need to have at least one condition.
  3. If you are ready to enable your rule, in the Basic Settings section, select Enabled.
  4. Click Save to update the rule.
  5. Verify the order of your incident rules.

Export Incident Rules

Note: Exporting and importing incident rules from the Incident Rules view is only available in NetWitness Platform version 11.4 and later.

Exporting incident rules enables you to share incident rules with other NetWitness Servers on the same release version. The exported incident rules file is a ZIP file that contains two JSON files: one file contains the incident rules and the other file contains the incident rule schema. You cannot export Advanced incident rules; the export function only allows incident rules created using Rule Builder.

  1. Go to Configure > Incident Rules.
    The Incident Rules view is displayed.
  2. Select the rules that you would like to export and click Export.
    Incident Rules view showing successful export

    The exported incident rules file is a ZIP file in the format <random ID>-incident_rules_export.json.zip, which contains two mandatory JSON files:
    • aggregation_rule_schema.json contains the incident rule schema.
    • <random ID>-incident_rules_export.json contains the incident rules.

    Note: You cannot export Advanced rules.

    You can import this ZIP file on another NetWitness Server on the same release version.

    If the export is not successful and you receive only a .json file (for example, failure.json) instead of a ZIP file, refresh your browser and try again. This can happen if someone else changed the incident rules at the same time. You also receive an error if you attempt to export an Advanced incident rule, which is not allowed.

    Incident Rules view showing export failure

Import Incident Rules

Note: Exporting and importing incident rules from the Incident Rules view is only available in NetWitness Platform version 11.4 and later.

You can import an incident rules ZIP file from NetWitness Servers on the same release version. The incident rules ZIP file must be in the original exported format <random ID>-incident_rules_export.json.zip and contain two mandatory JSON files:

  • aggregation_rule_schema.json contains the incident rule schema.
  • <random ID>-incident_rules_export.json contains the incident rules.

The import fails if the ZIP file contains additional files or folders. To edit the incident rules ZIP file, see Edit the Incident Rules Export ZIP File.
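A pre-import check for the export archive layout described in the Export and Import sections, as an added example (not NetWitness code): it verifies that the archive is a real ZIP with exactly the two documented top-level JSON files and no extra files or folders, and flags a bare .json such as failure.json. The helper `build_zip`, the random ID "ab12cd" and the archive contents are constructed for the example.

```python
import io
import json
import zipfile

SCHEMA_NAME = "aggregation_rule_schema.json"
RULES_SUFFIX = "-incident_rules_export.json"

def validate_export_zip(data: bytes) -> list:
    """Return a list of problems; empty means the archive matches the documented
    layout: exactly two top-level JSON files and nothing else."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a ZIP archive (a bare .json such as failure.json means the export failed)"]
    problems, names = [], zf.namelist()
    nested = [n for n in names if "/" in n]  # folders, or files inside folders
    if nested:
        problems.append(f"archive contains folders: {nested}")
    if SCHEMA_NAME not in names:
        problems.append(f"missing {SCHEMA_NAME}")
    rules_files = [n for n in names if n.endswith(RULES_SUFFIX) and "/" not in n]
    if len(rules_files) != 1:
        problems.append(f"expected exactly one *{RULES_SUFFIX}, found {rules_files}")
    extra = [n for n in names if n not in (SCHEMA_NAME, *rules_files, *nested)]
    if extra:
        problems.append(f"unexpected extra files: {extra}")
    for name in set(names) - set(nested):
        try:
            json.loads(zf.read(name))  # both mandatory files must be valid JSON
        except ValueError:
            problems.append(f"{name} is not valid JSON")
    return problems

def build_zip(entries: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; used only for constructed test data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed sample archives; the random ID "ab12cd" is made up.
RULES_NAME = "ab12cd-incident_rules_export.json"
GOOD_ZIP = build_zip({SCHEMA_NAME: b'{"type": "object"}', RULES_NAME: b'[{"name": "Example"}]'})
BAD_ZIP = build_zip({SCHEMA_NAME: b"{}", RULES_NAME: b"[]", "notes/readme.txt": b"not allowed"})
```

Run `validate_export_zip(open(path, "rb").read())` on a downloaded archive before importing it; an empty list means the layout is as documented, which does not by itself guarantee the rules are valid for the target release.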

To import incident rules:

  1. Go to Configure > Incident Rules.
    The Incident Rules view is displayed.
  2. Click Import and select the incident rules ZIP file to import.
    If the import is successful, a successful import notification is displayed, and the imported incident rules are disabled and shown at the bottom of the incident rules list. The Rule Created column shows the date and time of the import.

    Incident Rules view showing successful import
