Context Hub Lists in ESA Rules

Document created by RSA Information Design and Development on Feb 5, 2018. Last modified by RSA Information Design and Development on Jun 18, 2018. Version 21.

For RSA NetWitness Platform 11.1 and later, ESA Rules can use Context Hub (CH) Lists as whitelists and blacklists in their construction and processing. To see details about these rules, see RSA ESA Rules.

This topic discusses the following:

  • Use CH Lists in ESA Rules
  • Out-of-the-box (OOTB) Context Hub lists
  • How to update the OOTB lists
  • How to create a new list
  • How to add a CH list as an enrichment source
  • Example: Create an ESA Rule Builder rule that uses a CH list
  • Example: Existing Live ESA rule that uses a CH list
  • EPL Syntax used in ESA Advanced Rules
  • Known Limitations

Use CH Lists in ESA Rules

As of RSA NetWitness 11.1, Context Hub lists can be used in the processing of ESA Rules.

  1. Configure an existing CH list, or create and configure your own. In either case, the list must be populated with the values you want to match against.
  2. Configure the CH list within ESA by adding it as an enrichment source.
  3. Load the CH list into an ESA rule when you build statements and define the rule.

An advantage of using CH lists in ESA rules is that, from the Respond and Investigate views in NetWitness, you can right-click an item and update a list on the fly: add the selected item to, or remove it from, any of your CH lists, without redeploying the rule.

For details, see the following documentation in the RSA NetWitness Logs & Network 11.x Documentation space on RSA Link:

OOTB Context Hub Lists

The following Context Hub lists are available out of the box in RSA NetWitness 11.1. They are delivered empty: you need to configure the lists by adding entries.

Without this configuration step, rules that use the lists may not deliver the expected results (an empty blacklist can never trigger, and an empty whitelist exempts nothing). You can add entries to the lists manually, or by importing CSV files. For details, see "Configure Lists as a Data source" in the Context Hub Guide.

The following lists are delivered with RSA NetWitness 11.1:

  • User_Whitelist: A list of users that should be excluded from monitoring within rules configured to use it.
  • User_Blacklist: A list of users that should be included for monitoring within rules configured to use it.
  • Admin_Accounts: A list of privileged user accounts that should be included for monitoring within rules configured to use it.
  • Service_Accounts: A list of service accounts that should be included for monitoring within rules configured to use it.
  • Guest_Accounts : A list of guest user accounts that should be included for monitoring within rules configured to use it.
  • Domain_Controllers: A list of domain controllers that should be included for monitoring within rules configured to use it.
  • Host_Whitelist: A list of host names that should be excluded from monitoring within rules configured to use it.
  • Host_Blacklist: A list of host names that should be included for monitoring within rules configured to use it.
  • IP_Whitelist: A list of IP addresses that should be excluded from monitoring within rules configured to use it. Entries must be individual IP addresses; CIDR notation and regular expressions are not supported.
  • IP_Blacklist: A list of IP addresses that should be included for monitoring within rules configured to use it. Entries must be individual IP addresses; CIDR notation and regular expressions are not supported.
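Because the lists are compared by exact string equality and IP lists accept only single addresses, it is worth validating entries before importing them. The following script is an added example (not code from the RSA page or from RSA): it rejects CIDR blocks, regular expressions and host names from an IP list, lower-cases and de-duplicates user or host names, checks that a list name has no spaces, and renders the result as a CSV for the Lists tab import. The one-column CSV layout with a header row named LIST, and all sample inputs, are assumptions made for this example.

```python
"""Prepare Context Hub list entries for CSV import.

Added example, not code from the RSA page. It enforces the constraints the page
states: IP lists hold single addresses (no CIDR, no regular expressions), and
user/host entries should be stored in lower case so that rules using
toLowerCase() match case-insensitively. The one-column CSV layout with a header
row, and the sample inputs, are assumptions/constructed data.
"""
import csv
import io
import ipaddress


def normalize_ip_entries(raw_entries):
    """Return (accepted, rejected): accepted are canonical single IPs, deduplicated."""
    accepted, rejected, seen = [], [], set()
    for item in raw_entries:
        text = item.strip()
        if not text:
            continue
        try:
            # ip_address() rejects CIDR ("10.0.0.0/8"), ranges, regex and host names.
            canonical = str(ipaddress.ip_address(text))
        except ValueError:
            rejected.append(text)
            continue
        if canonical not in seen:
            seen.add(canonical)
            accepted.append(canonical)
    return accepted, rejected


def normalize_name_entries(raw_entries):
    """Return (accepted, rejected): trimmed, lower-cased, deduplicated names.

    Entries containing internal whitespace are rejected: a user or host name
    with a space will never equal a single meta value in an EPL comparison.
    """
    accepted, rejected, seen = [], [], set()
    for item in raw_entries:
        text = item.strip().lower()
        if not text:
            continue
        if any(ch.isspace() for ch in text):
            rejected.append(text)
            continue
        if text not in seen:
            seen.add(text)
            accepted.append(text)
    return accepted, rejected


def valid_list_name(name):
    """A list name must be non-empty and contain no spaces to be usable in an ESA rule."""
    return bool(name) and not any(ch.isspace() for ch in name)


def to_import_csv(column_name, entries):
    """Render entries as a one-column CSV (header row assumed) for the Lists tab import."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow([column_name])
    for entry in entries:
        writer.writerow([entry])
    return buf.getvalue()


# Constructed sample data (not from any real environment).
RAW_IPS = ["10.1.2.3", "10.1.2.3", " 192.168.0.10 ", "10.0.0.0/8",
           r"10\.1\..*", "2001:DB8::1", "dc01.corp.example"]
RAW_USERS = ["JSmith", "jsmith ", "svc backup", "Svc_Backup", "", "Administrator"]

if __name__ == "__main__":
    ips, bad_ips = normalize_ip_entries(RAW_IPS)
    users, bad_users = normalize_name_entries(RAW_USERS)
    print("IP_Whitelist rejected:", bad_ips)
    print(to_import_csv("LIST", ips))
    print("User_Whitelist rejected:", bad_users)
    print(to_import_csv("LIST", users))
    print("Valid list names:", valid_list_name("Vendor_Accounts"), valid_list_name("Vendor Accounts"))
```

Run the script and import the printed CSV through the Lists tab; anything in a rejected list needs a decision (expand a CIDR block into individual addresses, or drop the entry) rather than silent acceptance, since an unmatched entry simply never fires.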

The following table lists the ESA rules that use each of the CH lists. (No OOTB rule in this table uses Service_Accounts or Domain_Controllers.)

User_Whitelist
  • Logins Across Multiple Servers
  • Multiple Account Lockouts from Same or Different Users
  • User Login Baseline
  • Multiple Failed Logins Followed by Successful Login
  • Failed logins Followed By Successful Login and a Password Change
  • Windows Suspicious Admin Activity: Audit log Cleared
  • Windows Suspicious Admin Activity: Firewall Service Stopped
  • Windows Suspicious Admin Activity: Network Share Created
  • Windows Suspicious Admin Activity: Shared Object Accessed
  • User Account Created and Deleted Within an Hour
  • User Added to Admin Group Same User Login OR Same User su sudo
  • Multiple Failed Logins from Multiple Diff Sources to Same Dest
  • Multiple Successful Logins from Multiple Diff Src to Diff Dest
  • User added to administrative group then SIGHUP detected
  • Multiple Successful Logins from Multiple Diff Src to Same Dest
  • Multiple Failed Logins from Multiple Users to Same Destination
  • Multiple Failed Logins from Same User Originating from Different Countries
  • Failed logins Outside Business Hours
  • Insider Threat Mass Audit Clearing

User_Blacklist
  • Direct Login By A Watchlist Account

Admin_Accounts
  • Privilege User Account Password Change
  • Privilege Escalation Detected
  • Suspicious Privileged User Access Activity
  • Multiple Failed Privilege Escalations by the Same User
  • Multiple Login Failures by Administrators to Domain Controller

Guest_Accounts
  • Multiple Login Failures by Guest to Domain Controller

Host_Whitelist
  • Multiple Failed Logins from Multiple Diff Sources to Same Dest
  • Multiple Successful Logins from Multiple Diff Src to Diff Dest
  • Multiple Successful Logins from Multiple Diff Src to Same Dest
  • Multiple Failed Logins from Multiple Users to Same Destination
  • Lateral Movement Suspected Windows

Host_Blacklist
  • krbtgt Account Modified on Domain controller
  • Multiple Login Failures by Administrators to Domain Controller
  • Multiple Login Failures by Guest to Domain Controller

IP_Whitelist
  • Multiple Failed Logins from Multiple Diff Sources to Same Dest
  • Multiple Successful Logins from Multiple Diff Src to Diff Dest
  • Multiple Successful Logins from Multiple Diff Src to Same Dest
  • Multiple Failed Logins from Multiple Users to Same Destination

IP_Blacklist
  • krbtgt Account Modified on Domain controller
  • Multiple Login Failures by Administrators to Domain Controller
  • Multiple Login Failures by Guest to Domain Controller

How to Update a Context Hub List

  1. Go to ADMIN > Services.

    The Services view is displayed.

  2. Select the Context Hub service and click the Actions icon > View > Config.

    The Services Config view of Context Hub is displayed.

  3. Select the Lists tab.

  4. In the Lists tab, select the list that you wish to update.

  5. In the List Values section, use the controls for adding and removing items, and for importing a list:

    • To add an entry: click the Add icon, then enter the new value.
    • To remove an entry: select it, then click the Remove icon.
    • To import a list: click the Import icon, then navigate to a CSV file that contains the entries for your list.
  6. Do either of the following:

    • Click Save to save your changes, or
    • Click anywhere outside the List Values section to discard your changes. A confirmation message asks whether you want to discard them: click Yes to discard, or No to return to the screen with your unsaved changes.

For more information, see the topic "Configure Lists as a Data source" in the Context Hub Configuration Guide in RSA NetWitness Platform space on RSA Link.

How to Create a Context Hub List

Creating a list is very similar to updating an existing list.

  1. Go to ADMIN > Services.
  2. Select the Context Hub service and click the Actions icon > View > Config.
  3. Select the Lists tab.
  4. In the Lists tab, click the Add icon, then enter a name for your list.

    Note: Make sure the name does not contain spaces. If the name of a list contains spaces, it cannot be used in an ESA Rule.

  5. Add values to the list, or import an existing list:

    • To add an entry: click the Add icon, then enter the new value.
    • To import a list: click the Import icon, then navigate to a CSV file that contains the entries for your list.
  6. Click Save to save your new list.

How to Add a Context Hub List as an Enrichment source

If you add a new CH list, you must add it as an enrichment source before you can use it in an ESA rule.

  1. Go to CONFIGURE > ESA Rules.
  2. Select the Settings tab, then Enrichment Sources.

  3. Click the Add icon > Context Hub.

    The Context Hub List dialog box is displayed.

  4. Select a list, add a description, and select the list column to compare against. (This is the column your EPL references, for example LIST.)

  5. Click Save to finish.

For more information, see the topic "Configure Context Hub List as an Enrichment source " in the Alerting with ESA Correlation Rules User Guide in RSA NetWitness Platform space on RSA Link.

Create an ESA Rule that Uses a Context Hub list

  1. Go to CONFIGURE > ESA Rules.
  2. In the Rules tab, click the Add icon > Rule Builder.

    A New Rule tab opens.

  3. In the New Rule tab, enter a name and description.
  4. In the Conditions section, click the Add icon to open the Build a Statement dialog box.
  5. You can add a whitelist, blacklist, or meta condition. This procedure details adding a list, so choose either:

    • Add Whitelist Condition, or
    • Add Blacklist Condition

    In this example, we add a whitelist condition.

    1. Click the Add icon > Add Whitelist Condition.

    2. In the Key column, from the drop-down menu, select a whitelist to use, for example User_Whitelist.

    3. Select a column name from the list, then select an operator and enter the meta key whose value is compared against the list (for example user_dst).

    4. Click Save to save the statement and close the dialog box.
  6. Continue defining the rule until it is complete. For details, see "Add a Rule Builder Rule" in the Alerting Using ESA Guide. Note that the Rule Builder accepts only one whitelist or blacklist condition per rule (see Known Limitations); use an Advanced EPL rule if you need more.

Example of an ESA Rule that Uses a CH list

The Failed Logins Followed By Successful Login Password Change ESA rule uses the User_Whitelist context hub list.

You can view the syntax in RSA NetWitness:

  1. Go to CONFIGURE > ESA Rules.
  2. In the Rules tab, select the Failed Logins Followed By Successful Login Password Change rule and click the Edit icon.

    A tab for editing the rule is displayed.

  3. Scroll down to the bottom of the page and click Show Syntax.

    The Rule Syntax dialog box is displayed.

  4. Look over the syntax to get a sense of the EPL for this rule. When finished, click Close to close the Rule Syntax dialog box.

EPL Syntax for Whitelists and Blacklists

A whitelist ("known good") is a list of event meta values that exempt matching events from alerts.

Whitelist example syntax (the list conditions are the two NOT EXISTS subqueries at the end):

@RSAAlert(oneInSeconds=0, identifiers={"user_dst"})
@UsesEnrichment(name="User_Whitelist")
SELECT * FROM Event (
    medium = 32
    AND ec_activity = 'Logon'
    AND ec_outcome = 'Success'
    AND logon_type IN ('2','10','11','12')
    AND device_class = 'Windows Hosts'
    AND reference_id IN ('4624', '528', '540')
    AND user_dst IS NOT NULL
    AND NOT EXISTS (SELECT * FROM User_Whitelist WHERE (LIST = Event.user_dst.toLowerCase()))
    AND NOT EXISTS (SELECT * FROM User_Whitelist WHERE (LIST = Event.user_dst))
);

A blacklist ("known bad") is a list of event meta values that trigger alerts.

Blacklist example syntax (the list conditions are the two EXISTS subqueries in the OR group at the end):

@RSAAlert(oneInSeconds=0, identifiers={"user_dst"})
@UsesEnrichment(name="User_Blacklist")
SELECT * FROM Event (
    medium = 32
    AND ec_activity = 'Logon'
    AND ec_outcome = 'Success'
    AND logon_type IN ('2','10','11','12')
    AND device_class = 'Windows Hosts'
    AND reference_id IN ('4624', '528', '540')
    AND user_dst IS NOT NULL
    AND (
        EXISTS (SELECT * FROM User_Blacklist WHERE (LIST = Event.user_dst.toLowerCase()))
        OR
        EXISTS (SELECT * FROM User_Blacklist WHERE (LIST = Event.user_dst))
    )
);

If you create your own rules using CH lists, make sure to include the @UsesEnrichment() annotation, as shown in the examples above:

@UsesEnrichment(name="User_Whitelist")

In this example, the User_Whitelist is loaded into the system for this rule. Inside the subquery, LIST is the list column selected when the list was added as an enrichment source, and the comparison against the event meta is an exact, case-sensitive string match.

Note: It is fine to have the same list loaded (that is, named in @UsesEnrichment annotations) in multiple deployed ESA rules. The system only loads each CH list once.

Use the toLowerCase() function to convert the received meta to all lower case:

Event.user_dst.toLowerCase()

In the examples above, the user_dst meta values are converted to lower case before the first comparison, and compared as received in the second. If you create your CH lists so that all entries are in lower case, the first comparison makes the match case-insensitive; the second comparison only ever matches list entries stored in exactly the case the event carries.
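To make the effect of toLowerCase() and of list casing concrete, and to show the multi-valued meta limitation described under Known Limitations, the following added example (not code from the RSA page or from RSA) models the Event() filter and the two list subqueries from the EPL above as Python functions and runs them over constructed logon events. Events are plain dicts keyed by the rule's meta names, and list membership is exact string equality, mirroring LIST = Event.user_dst; the lists and events are constructed for this example.

```python
"""Model of the whitelist/blacklist checks in the EPL above, run over sample events.

Added example, not code from the RSA page or from RSA. Events are plain dicts
keyed by the meta names the rule uses; list membership is exact string equality,
mirroring "LIST = Event.user_dst". The events and lists are constructed.
"""

LOGON_TYPES = {"2", "10", "11", "12"}
REFERENCE_IDS = {"4624", "528", "540"}


def make_event(user_dst, **overrides):
    """Constructed Windows successful-logon event matching the rule's Event() filter."""
    event = {
        "medium": 32,
        "ec_activity": "Logon",
        "ec_outcome": "Success",
        "logon_type": "10",
        "device_class": "Windows Hosts",
        "reference_id": "4624",
        "user_dst": user_dst,
    }
    event.update(overrides)
    return event


def passes_event_filter(ev):
    """The non-list conditions of the Event(...) filter."""
    return (
        ev.get("medium") == 32
        and ev.get("ec_activity") == "Logon"
        and ev.get("ec_outcome") == "Success"
        and ev.get("logon_type") in LOGON_TYPES
        and ev.get("device_class") == "Windows Hosts"
        and ev.get("reference_id") in REFERENCE_IDS
        and ev.get("user_dst") is not None
    )


def in_list(ch_list, value):
    """EXISTS (SELECT * FROM <list> WHERE LIST = value): exact, case-sensitive match.

    Multi-valued meta (modelled here as a Python list) never matches, per the
    page's Known Limitations.
    """
    return isinstance(value, str) and value in ch_list


def lower_meta(value):
    """Event.user_dst.toLowerCase(); non-string (multi-valued) meta is left as is."""
    return value.lower() if isinstance(value, str) else value


def whitelist_rule(ev, user_whitelist):
    """Fire when user_dst matches the list in neither the lower-cased nor the raw comparison."""
    if not passes_event_filter(ev):
        return False
    user = ev["user_dst"]
    return not in_list(user_whitelist, lower_meta(user)) and not in_list(user_whitelist, user)


def blacklist_rule(ev, user_blacklist):
    """Fire when user_dst matches the list in either comparison."""
    if not passes_event_filter(ev):
        return False
    user = ev["user_dst"]
    return in_list(user_blacklist, lower_meta(user)) or in_list(user_blacklist, user)


def run(events, ch_list, rule):
    """Return the user_dst of every event that would raise an alert."""
    return [ev["user_dst"] for ev in events if rule(ev, ch_list)]


# Constructed lists and events.
USER_WHITELIST = {"jsmith", "svc_backup"}        # stored lower-case, as recommended
USER_BLACKLIST_MIXED = {"Mallory"}                # stored mixed-case: never matches "mallory"
SAMPLE_EVENTS = [
    make_event("JSmith"),                         # mixed-case meta, whitelisted via toLowerCase()
    make_event("jsmith"),
    make_event("mallory"),
    make_event("Administrator"),
    make_event(["jsmith", "admin"]),              # multi-valued user_dst: list never matches
    make_event("jsmith", ec_outcome="Failure"),   # fails the Event() filter
]

if __name__ == "__main__":
    print("whitelist alerts:", run(SAMPLE_EVENTS, USER_WHITELIST, whitelist_rule))
    print("blacklist alerts (mixed-case list):",
          run(SAMPLE_EVENTS, USER_BLACKLIST_MIXED, blacklist_rule))
```

Two outcomes are worth noticing: the multi-valued event is not exempted even though jsmith is on the whitelist, so a whitelist cannot be relied on to suppress such events; and a blacklist entry stored as "Mallory" never fires for the event "mallory", because neither the lower-cased nor the raw comparison equals it. Storing list entries in lower case avoids the second problem entirely.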

Known Limitations

Can you use multi-valued meta in the Context Hub list comparison?

No. Context Hub list comparisons do not return matches when the rule is deployed against multi-valued meta.

Can the Context Hub list comparison be case-insensitive?

Not directly: Context Hub lists cannot lower-case their entries before performing the match. To get case-insensitive matching between CH lists and event meta, add the entries to the CH lists in all lower case, and use the toLowerCase() function in your rules so that the meta values are converted to lower case for the comparison.

What are the limitations between the basic Rule Builder and Live / Advanced rules?

The basic Rule Builder can use only a single whitelist or blacklist condition per rule. Advanced (EPL) rules and Live rules can reference as many lists as needed.

What happens when you deploy an 11.1 CH list ESA rule to an ESA service running a version prior to 11.1?

The rule fails to deploy and is disabled, and an error stating that the list cannot be found is written to the log file.
