ATD: Troubleshooting Automated Threat Detection

Document created by RSA Information Design and Development on Sep 13, 2017. Last modified by RSA Information Design and Development on Apr 10, 2019. Version 7.

NetWitness Platform Automated Threat Detection is an analytics engine that examines your HTTP data. It also makes use of other components, such as the Whois and Context Hub services, which can add complexity to your installation. This topic provides suggestions to help you find issues if your Automated Threat Detection deployment does not provide the results that you expect.

Possible Issues

                                      
ProblemPossible CausesSolutions

Problem: I'm seeing too many alerts (false positives).

Possible causes: Several.

Solutions:

One possible cause is that the Whois Lookup service is failing or is not configured. The Whois lookup is helpful in determining whether a URL is valid, and if the connection fails or is not properly configured, it can result in false positives. See "Configure Whois Lookup Service" in the ESA Configuration Guide.

You may need to whitelist URLs. Sometimes the legitimate behavior for a URL triggers an alert. One way to prevent this from occurring is to add the URL to the whitelist. See "Add an Entity to a Whitelist" in the NetWitness Respond User Guide.

Problem: I'm not seeing any alerts.

Possible cause: The ESA host requires a "warm-up" period when you deploy an ESA Analytics Module Mapping for Automated Threat Detection.

Solution: When you deploy an ESA analytics module mapping for Automated Threat Detection, there is a "warm-up" period, during which no alerts are viewable. Each module type has a default warm-up period and you need to wait until the warm-up period is complete. For more information, see "Mapping ESA Data Sources to Analytics Modules" in the ESA Configuration Guide.

Problem: I'm seeing performance issues (more resource usage or a drop in throughput).

Possible causes: Several.

Solution: If you are having performance issues on an ESA host that is running both Automated Threat Detection (ESA Analytics) and ESA rules, follow the troubleshooting steps for rules. For these troubleshooting steps, see "Troubleshoot ESA" in the Alerting with ESA Correlation Rules User Guide.

Problem: In NetWitness Platform 11.3, the Respond Event List does not show the Command and Control (C2) enrichment information for HTTP packet alerts in Suspected C&C Incidents.

Possible cause: In version 11.3, the C2 enrichment information is shown in the Alert Details view rather than in the Respond Event List.

Solution: View the C2 enrichment information for the Suspected C&C incidents in the corresponding alerts in the Alert Details view.

  1. Go to RESPOND > Incidents, look for a Suspected C&C incident, and note the incident ID.
  2. Go to RESPOND > Alerts and, in the Filters panel, select the following to locate an alert in the Alerts list with the incident ID noted above:
    1. In the Alert Names section, select http-packet.
    2. In the Part of Incident section, select Yes.

    If you are still not able to locate an alert in the Alerts list with the incident ID noted above, try narrowing your alerts list further using the time range of the incident.

  3. In the Alerts list, click the http-packet link in the NAME field of the alert associated with the incident ID.
    The Event Details view shows the C2 enrichment information.
