Respond Config: Incident Rules View

Document created by RSA Information Design and Development on Mar 2, 2018. Last modified by RSA Information Design and Development on May 15, 2019. Version 6.

The Incident Rules view enables you to manage the automated incident creation process. NetWitness Respond creates incidents in two ways:

  • Incident Rules: NetWitness Platform provides preconfigured rules that you can adjust for your environment. You can also create your own rules.
  • Risk Scoring: (Endpoint Risk Scoring Settings are available in NetWitness Platform version 11.3 and later and only apply to NetWitness Endpoint.) NetWitness Respond uses these settings to automatically create risk scoring incidents for suspicious files and hosts that cross the defined risk score thresholds. If you get too many or too few risk scoring incidents, you can adjust these thresholds.

Note: The information in this topic applies to RSA NetWitness® Platform 11.1 and later.

What do you want to do?

Role: Analyst, Content Expert, SOC Manager
I want to: Create or edit an incident rule.
Show me how: Step 3. Enable and Create Incident Rules for Alerts

Role: Analyst, Content Expert, SOC Manager
I want to: Configure the threshold that creates risk scoring alerts and incidents, to adjust the number of alerts and incidents created, or turn off the creation of risk scoring alerts and incidents. (Endpoint Risk Scoring Settings only apply to NetWitness Endpoint.)
Show me how: Configure Risk Scoring Settings for Automated Incident Creation

Role: Incident Responders, Analysts, Content Experts, SOC Manager
I want to: View the results of my incident rule (View Detected Threats).
Show me how: See "Responding to Incidents" in the NetWitness Respond User Guide.

Quick Look

  1. To access the Incident Rules view, go to CONFIGURE > Incident Rules.
     [Figure: Incident Rules list]
     The Incident Rules view has two sections, one for each type of automated incident creation:
     • Endpoint Risk Scoring Settings
     • Incident Rules
  2. To view the Endpoint Risk Scoring Settings section, click the arrow in front of Endpoint Risk Scoring Settings.
     [Figure: Incident Rules view with the Endpoint Risk Scoring Settings section highlighted]

Endpoint Risk Scoring Settings

Note: Endpoint Risk Scoring Settings are available in NetWitness Platform version 11.3 and later and only apply to NetWitness Endpoint. NetWitness Respond uses these settings to automatically create risk scoring incidents for suspicious files and hosts that cross the defined risk score thresholds.

The Endpoint Risk Scoring Settings enable you to configure the thresholds used to automatically create risk scoring alerts and incidents. When the calculated risk score of a suspicious file or host exceeds the specified threshold, a risk scoring alert and incident are created. RSA recommends that you keep the thresholds at the default values, but you may need to adjust them if you get too many or too few alerts and incidents.

For more information on configuring NetWitness Endpoint, see the NetWitness Endpoint Configuration Guide.

[Figure: Endpoint Risk Scoring Settings section]

The following table describes the fields in the Endpoint Risk Scoring Settings.

Create Alerts and Incidents for Files
    Select Enabled to automatically create risk scoring alerts and incidents for suspicious files. When a calculated file risk score goes above the file risk score threshold, a risk scoring alert and incident are created.
    Select Disabled to stop automatically creating risk scoring alerts and incidents.
    This option is enabled by default.

File Risk Score Threshold
    The File Risk Score Threshold is the risk score level used to trigger alert and incident creation. The file risk score threshold range is from 0-100. NetWitness Respond calculates the risk score from a combination of the number of distinct alerts and the severity of the alerts associated with the file or host. A higher risk score indicates more of these types of alerts.
    For example, if the file risk score threshold is 80, any calculated file risk score over 80 creates a risk scoring alert and incident, or adds a risk scoring alert to an existing incident, depending on the file incident time window.

File Incident Time Window
    The File Incident Time Window is the period of time to wait before creating another incident. The file incident time window range is from 1-24 (hours or days). For example, if an openme.rar file containing suspicious code accumulates enough associated endpoint alerts to reach a risk score of 81, which is over the file risk score threshold of 80, a risk scoring alert and incident are created automatically; further risk scoring alerts for that file within the 1 day time window are added to the same incident rather than creating another one.

Create Alerts and Incidents for Hosts
    Select Enabled to automatically create risk scoring alerts and incidents for suspicious hosts. When a calculated host risk score goes above the host risk score threshold, a risk scoring alert and incident are created.
    Select Disabled to stop automatically creating risk scoring alerts and incidents.
    This option is enabled by default.

Host Risk Score Threshold
    The Host Risk Score Threshold is the risk score level used to trigger alert and incident creation. The host risk score threshold range is from 0-100. NetWitness Respond calculates the risk score from a combination of the number of distinct alerts and the severity of the alerts associated with the file or host. A higher risk score indicates more of these types of alerts.
    For example, if the host risk score threshold is 80, any calculated host risk score over 80 creates a risk scoring alert and incident, or adds a risk scoring alert to an existing incident, depending on the host incident time window.

Host Incident Time Window
    The Host Incident Time Window is the period of time to wait before creating another incident. The host incident time window range is from 1-24 (hours or days). For example, if a suspicious host accumulates enough associated endpoint alerts to reach a risk score of 81, which is over the host risk score threshold of 80, a risk scoring alert and incident are created automatically; further risk scoring alerts for that host within the 1 day time window are added to the same incident rather than creating another one.
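The threshold-and-time-window behaviour described in the table above can be followed end to end in code. The following Python model is an added illustration written for this page, not NetWitness code: it assumes a strict "over the threshold" comparison (a score equal to the threshold does not trigger) and measures the incident time window from the moment the previous incident for the same file or host was opened. The file names, host name, scores and timestamps are constructed; the class and function names are the author's own.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class RiskScoringSettings:
    """One set of Endpoint Risk Scoring Settings (the file set or the host set)."""
    enabled: bool = True
    threshold: int = 80                          # risk score threshold, range 0-100
    time_window: timedelta = timedelta(days=1)   # incident time window, 1-24 hours or days

    def __post_init__(self) -> None:
        if not 0 <= self.threshold <= 100:
            raise ValueError("risk score threshold must be in the range 0-100")
        if not timedelta(hours=1) <= self.time_window <= timedelta(days=24):
            raise ValueError("incident time window must be between 1 hour and 24 days")


@dataclass
class RiskAlert:
    subject: str            # file name or host name the calculated score belongs to
    score: int              # calculated risk score, 0-100
    observed_at: datetime


@dataclass
class Incident:
    incident_id: int
    subject: str
    opened_at: datetime
    alerts: list = field(default_factory=list)


class RiskScoringIncidentCreator:
    """Assumed model (not the product's implementation): a score over the
    threshold opens a new incident for the file or host, unless an incident for
    that subject was opened inside the time window, in which case the new risk
    scoring alert is added to that incident instead."""

    def __init__(self, settings: RiskScoringSettings) -> None:
        self.settings = settings
        self.incidents: list = []
        self._latest: dict = {}        # subject -> most recently opened Incident

    def process(self, alert: RiskAlert) -> Optional[str]:
        """Return 'created', 'added', or None when no risk scoring alert results."""
        if not self.settings.enabled:
            return None
        # "over 80" is read as strictly greater: a score equal to the threshold does not trigger
        if alert.score <= self.settings.threshold:
            return None
        current = self._latest.get(alert.subject)
        if current is not None and alert.observed_at - current.opened_at < self.settings.time_window:
            current.alerts.append(alert)
            return "added"
        incident = Incident(len(self.incidents) + 1, alert.subject, alert.observed_at, [alert])
        self.incidents.append(incident)
        self._latest[alert.subject] = incident
        return "created"


def run_file_example():
    """Constructed timeline around the openme.rar example (threshold 80, 1-day window)."""
    creator = RiskScoringIncidentCreator(RiskScoringSettings(threshold=80, time_window=timedelta(days=1)))
    t0 = datetime(2019, 5, 15, 9, 0)
    timeline = [
        RiskAlert("openme.rar", 81, t0),                         # over 80: incident 1 created
        RiskAlert("openme.rar", 85, t0 + timedelta(hours=6)),    # inside the window: added to incident 1
        RiskAlert("openme.rar", 80, t0 + timedelta(hours=8)),    # equal to the threshold: nothing
        RiskAlert("report.pdf", 90, t0 + timedelta(hours=9)),    # different file: incident 2 created
        RiskAlert("openme.rar", 90, t0 + timedelta(hours=25)),   # window elapsed: incident 3 created
    ]
    actions = [creator.process(alert) for alert in timeline]
    return actions, len(creator.incidents)


def disabled_creates_nothing() -> bool:
    """With the setting Disabled, even a score of 100 raises no alert or incident."""
    creator = RiskScoringIncidentCreator(RiskScoringSettings(enabled=False))
    return creator.process(RiskAlert("host-01", 100, datetime(2019, 5, 15))) is None


if __name__ == "__main__":
    print(run_file_example())   # (['created', 'added', None, 'created', 'created'], 3)
```

Lowering the threshold or shortening the time window in `RiskScoringSettings` and re-running the timeline shows directly how each setting changes the number of incidents an analyst would receive, which is the tuning decision the table describes.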

Incident Rules

The Incident Rules section enables you to create and manage incident rules for automating the incident creation process. NetWitness Platform provides preconfigured rules. You can add to and adjust these rules for your own environment.

The Incident Rules section consists of a list and a series of buttons. The following table describes the columns in the Incident Rules list.

Move Up and Down icon
    Enables you to change the priority order of the rules. Use the drag pad (Drag pad icon) in front of a rule to move it up and down in the list.

Select
    Enables you to select a rule in order to take an action, such as Clone or Delete.

Order
    Shows the order in which the rule is placed. The rule order determines which rule takes effect if the criteria for multiple rules match the same alert. If multiple rules match an alert, only the rule with the highest priority creates an incident.
    NetWitness Respond evaluates incoming alerts against the incident rules in the order that you define. If alerts match the first rule listed, that rule creates an incident. If alerts match the second rule listed and did not match the first rule, the second rule creates an incident. If alerts match the third rule listed and did not match the first or second rule, the third rule creates an incident, and so on.

Enabled
    Shows whether the rule is enabled or not. The Enabled icon specifies that the rule is enabled. The Not Enabled icon specifies that the rule is not enabled.

Name
    Displays the name of the rule as a hyperlink. If you click the link, it opens the Rule Details view, where you can edit the rule.

Description
    Displays the description of the rule.

Last Matched
    Displays the time when an alert was last successfully matched with the rule. This value is reset once a week.

Matched Alerts
    Displays the number of matched alerts. This value is reset once a week. To change the setting, see Set Counter for Matched Alerts and Incidents.

Incidents
    Displays the number of incidents created by the rule. This value is reset once a week. To change the setting, see Set Counter for Matched Alerts and Incidents.
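The first-match evaluation described under Order, and the effect of dragging a rule to a new position, as an added Python illustration that is not NetWitness code. The rule names, their criteria and the sample alerts are constructed; the lambda criteria are a stand-in for a rule's actual match conditions, and the disabled rule shows that a rule which is not enabled never takes effect even when its criteria would match.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class IncidentRule:
    order: int                           # position in the list; 1 is evaluated first
    name: str
    enabled: bool
    matches: Callable[[dict], bool]      # stand-in for the rule's match criteria (assumption)


def evaluate_alert(rules: list, alert: dict) -> Optional[str]:
    """Return the name of the rule that takes effect for this alert, or None.

    Rules are tried in list order; rules that are not enabled are skipped; the
    first enabled rule whose criteria match wins, so rules further down the
    list never see the alert.
    """
    for rule in sorted(rules, key=lambda r: r.order):
        if rule.enabled and rule.matches(alert):
            return rule.name
    return None


def move_rule(rules: list, name: str, new_order: int) -> list:
    """Return a renumbered copy of the list with `name` dragged to position `new_order`."""
    ordered = sorted(rules, key=lambda r: r.order)
    rule = next(r for r in ordered if r.name == name)
    ordered.remove(rule)
    ordered.insert(new_order - 1, rule)
    return [IncidentRule(i + 1, r.name, r.enabled, r.matches) for i, r in enumerate(ordered)]


def run_example():
    # Constructed rules; names and criteria are illustrative, not the preconfigured rules.
    rules = [
        IncidentRule(1, "Critical severity alerts", True, lambda a: a["severity"] >= 9),
        IncidentRule(2, "Endpoint alerts", True, lambda a: a["source"] == "Endpoint"),
        IncidentRule(3, "DNS anomalies", False, lambda a: a["type"] == "dns"),   # not enabled
        IncidentRule(4, "Catch-all", True, lambda a: True),
    ]
    # Constructed alerts; only the fields the criteria look at are present.
    alerts = [
        {"source": "Endpoint", "severity": 9, "type": "process"},   # matches rules 1 and 2
        {"source": "Endpoint", "severity": 5, "type": "process"},   # matches rule 2 only
        {"source": "ESA", "severity": 3, "type": "dns"},            # rule 3 would match but is disabled
    ]
    before = [evaluate_alert(rules, a) for a in alerts]
    matched_alerts = Counter(before)      # what the Matched Alerts column would count per rule
    # Drag "Endpoint alerts" to the top of the list (the Move Up and Down icon in the UI)
    reordered = move_rule(rules, "Endpoint alerts", 1)
    after = [evaluate_alert(reordered, a) for a in alerts]
    return before, after, matched_alerts


if __name__ == "__main__":
    before, after, counts = run_example()
    print(before)   # ['Critical severity alerts', 'Endpoint alerts', 'Catch-all']
    print(after)    # ['Endpoint alerts', 'Endpoint alerts', 'Catch-all']
```

The first pass shows the alert that matches two rules being claimed by the higher-priority one, and the alert whose only specific match is a disabled rule falling through to the catch-all; the second pass shows that moving a rule up changes which rule creates the incident without touching any rule's criteria.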

Incident Rules Actions

The following table shows the operations that can be performed on the Incident Rules list.

Create Rule button
    Allows you to add a new rule.

Delete button
    Allows you to delete a rule.

Clone button
    Allows you to duplicate a rule.

Name hyperlink
    Allows you to edit a rule.