
Respond Config: Set Up and Verify Default Incident Rules

Document created by RSA Information Design and Development Employee on Mar 27, 2018. Last modified by RSA Information Design and Development Employee on Sep 2, 2020.
Version 8

The User Entity Behavior Analytics default incident rule is available in NetWitness Platform 11.3 and later. It captures user entity behavior grouped by Classifier ID to create incidents from alerts.

The User Behavior incident rule, which captures network user behavior, is available in NetWitness Platform 11.1 and later. This rule uses deployed RSA Live ESA Rules to create incidents from alerts. You can select and deploy the RSA Live ESA Rules that you want to monitor.

The following default incident rules changed slightly for 11.1 and later and now have Source IP Address as the Group By value:

  • High Risk Alerts: Reporting Engine
  • High Risk Alerts: Malware Analysis
  • High Risk Alerts: ESA

The following default incident rule changed slightly for 11.3 and later and now has the Host Name as the Group By value:

  • High Risk Alerts: NetWitness Endpoint*

*If you have NetWitness Endpoint, the High Risk Alerts: NetWitness Endpoint default incident rule captures alerts generated by NetWitness Endpoint with a risk score of High or Critical. To aggregate NetWitness Endpoint alerts based on the File Hash instead of Host Name, create another NetWitness Endpoint Rule using the File Hash as the Group By value. See Create a NetWitness Endpoint Incident Rule using File Hash for step-by-step instructions.

To verify your existing default incident rules against the 11.5 default incident rules, compare them with the default incident rule tables that follow these procedures. If a default incident rule is missing, you can create it manually. Review the default incident rules and adjust them to your environment as required.

Set Up the User Behavior Incident Rule

In order to use the default User Behavior incident rule, you need to deploy the RSA Live ESA Rules that you want to monitor from those listed in the User Behavior incident rule conditions. Complete the following procedures to start aggregating alerts for the User Behavior default incident rule:

  • Deploy the RSA Live ESA Rules
  • Adjust and enable the User Behavior default rule (or create it if you do not have it)

Deploy the RSA Live ESA Rules

  1. Go to (Configure) > Live Content.
  2. In the Resource Types field, select Event Stream Analysis Rule and click Search.
  3. In the Matching Resources list, select the ESA Rules from the following User Behavior table that you are interested in monitoring and deploy them (click Deploy).
  4. Go to (Configure) > ESA Rules > Rules tab, and in the Rule Library Filter drop-down list, select RSA Live ESA Rule.
  5. To add a new ESA rule deployment, in the drop-down list near Deployments, click Add.
    1. In the ESA Services section, add and then select your ESA service.
    2. In the Data Sources section, click the Add icon and add a data source to use for the ESA rule deployment.
    3. In the ESA Rules section, click the Add icon and, in the Deploy ESA Rules dialog, select the ESA Rules that you chose from the User Behavior table, and then click Save.
      The selected ESA rules are listed with a status of Added.
  6. Select the ESA rules that you added in the previous step, and click Deploy Now.
    The status of the selected ESA rules changes to Deployed.
  7. Go to (Configure) > ESA Rules > Services tab.
    In the Deployed Rule Stats for your ESA service, the rules that you added should have a status of enabled, indicated by a green circle in the Enable column.

Adjust and Enable the User Behavior Default Rule (or Create It If You Do Not Have It)

If you have the User Behavior default rule, you can adjust it for your environment and enable it. If you do not have the User Behavior default rule, you can create it manually.

(Optional) To create the User Behavior default rule:

  1. Go to (Configure) > Incident Rules.
    The Incident Rules view is displayed. (The following figure shows what the User Behavior rule looks like when it is present.)
    (Figure: Incident Rules List view)
  2. Click Create Rule and, in the Incident Rule Details view, create the User Behavior default incident rule using the values in the User Behavior table following this procedure. The conditions, as well as the values not listed in the table, should be set for your business requirements. For details about the parameters that can be set as criteria for an incident rule, see Incident Rule Details View.

    The following figure shows a portion of the User Behavior default rule details. Notice that there are two groups in this rule.
    (Figure: User Behavior default rule, Incident Details view showing the two groups)
  3. If you are ready to enable your rule, in the Basic Settings section, select Enabled.
  4. Click Save.
    The rule appears in the Incident Rules list. If you selected Enabled, the rule is enabled and starts creating incidents from incoming alerts that match the rule criteria.
  5. Verify the order of your incident rules. For more information, see Verify the Order of Your Incident Rules.

User Behavior

The following table shows the values for the User Behavior default incident rule.

                                                                                                                                                                                                                                                   
Field

Condition Field

Condition Operator

Value

Name 

 

User Behavior
Description  This incident rule captures network user behavior.
Query Mode:

 

 

Rule Builder

Note: For information about advanced query mode, see Incident Rule Details View

1st Group: 

 

All of these
Condition:Sourceis equal toEvent Stream Analysis
2nd Group:

 

 

Any of these
Conditions:Alert Nameis equal toAccount Added to Administrators Group and Removed
 Alert Nameis equal toAccount Removals From Protected Groups on Domain Controller
 Alert Nameis equal toDetects Router Configuration Attempts
 Alert Nameis equal toDirect Login By A Guest Account
 Alert Nameis equal toDirect Login to an Administrative Account
 Alert Nameis equal toFailed Logins Followed By Successful Login Password Change
 Alert Nameis equal toInsider Threat Mass Audit Clearing
 Alert Nameis equal toInternal Data Posting to 3rd Party Sites
 Alert Nameis equal tokbrtgt Account Modified on Domain controller
 Alert Nameis equal toLateral Movement Suspected Windows
 Alert Nameis equal toLogins across Multiple Servers
 Alert Nameis equal toLogins by Same User to Multiple Servers
 Alert Nameis equal toMalicious Account Creation Followed by Failed Authorization
 Alert Nameis equal toMultiple Account Lockouts From Same or Different Users
 Alert Nameis equal toMultiple Failed Logins Followed By a Successful Login
 Alert Nameis equal toMultiple Failed Logins from Same User Originating from Different Countries

 

Alert Nameis equal toMultiple Failed Privilege Escalations by Same User
 Alert Nameis equal toMultiple Intrusion Scan Events from Same User to Unique Destinations

 

Alert Nameis equal toMultiple Login Failures by Administrators to Domain Controller
 Alert Nameis equal toMultiple Login Failures by Guest to Domain Controller

 

Alert Nameis equal toMultiple Failed Logons from Same Source IP with Unique Usernames
 Alert Nameis equal toMultiple Successful Logins from Multiple Diff Src to Diff Dest

 

Alert Nameis equal toMultiple Successful Logins from Multiple Diff Src to Same Dest
 Alert Nameis equal toPrivilege Escalation Detected

 

Alert Nameis equal toPrivilege Escalation Detected in Unix
 Alert Nameis equal toPrivilege User Account Password Change

 

Alert Nameis equal toFailed Logins Outside Business Hours
 Alert Nameis equal toDNS Tunneling
 Alert Nameis equal toUser Login Baseline
Group By

 

 

Destination User Account
Time Window   1 Hour
Title  ${ruleName} for ${groupByValue1}

Set up or Verify a Default Incident Rule

  1. Go to (Configure) > Incident Rules.
    The Incident Rules view is displayed.
    (Figure: Incident Rules view)
  2. Click the link in the Name field of a default incident rule to view the Incident Rule Details view. Set up or verify the default incident rule using the values in the default incident rules tables in this topic. Values not listed in the tables should be set for your business requirements. For details about various parameters that can be set as criteria for an incident rule, see Incident Rule Details View.
  3. When you are ready to enable your rule, in the Basic Settings section, select Enabled.
  4. Click Save.
  5. Verify the order of your incident rules. For more information, see Verify the Order of Your Incident Rules.

Suspected Command & Control Communication By Domain

The following table shows the values for the Suspected Command & Control Communication By Domain default incident rule.

                                                                     
Field

Condition Field

Condition Operator

Value

Name 

 

Suspected Command & Control Communication By Domain
Description  This incident rule captures suspected communication with a Command & Control server and groups results by domain.
Group: 

 

All of these
Conditions:Sourceis equal toEvent Stream Analysis
 Alert Rule Idis equal toSuspected C&C
Group By

 

 

Domain for Suspected C& C
Time Window   7 Days
Title  Suspected C&C with ${groupByValue1}
Summary  NetWitness Platform detected communications with ${groupByValue1} that may be command and control malware.
1. Evaluate if the domain is legitimate (online radio, news feed, partner, automated testing, etc.).
2. Review the domain registration for suspect information (Registrant country, registrar, no registration data found, etc).
3. If the domain is suspect, go to the Investigation module to locate other activity to or from it.

High Risk Alerts: Malware Analysis

The following table shows the values for the High Risk Alerts: Malware Analysis default incident rule.

                                                               
Field

Condition Field

Condition Operator

Value

Name 

 

High Risk Alerts: Malware Analysis
Description  This incident rule captures alerts generated by the RSA Malware Analysis platform as having a Risk Score of "High" or "Critical".
Group: 

 

All of these
Conditions:Sourceis equal toMalware Analysis
 Risk Scoreis equal or greater than50
Group By

 

 

Source IP Address
Time Window   1 Hour
Title  ${ruleName} for ${groupByValue1}

 

High Risk Alerts: NetWitness Endpoint

The following table shows the values for the High Risk Alerts: NetWitness Endpoint default incident rule.

                                                               
Field

Condition Field

Condition Operator

Value

Name 

 

High Risk Alerts: NetWitness Endpoint
Description  This incident rule captures alerts generated by the RSA NetWitness Endpoint platform as having a Risk Score of "High" or "Critical".
Group: 

 

All of these
Conditions:Sourceis equal toNetWitness Endpoint
 Risk Scoreis equal or greater than50
Group By

 

 

Host Name*
Time Window   1 Hour
Title  ${ruleName} for ${groupByValue1}

*To aggregate NetWitness Endpoint alerts based on the File Hash, create another NetWitness Endpoint Rule using the File Hash as the Group By value. See Create a NetWitness Endpoint Incident Rule using File Hash for step-by-step instructions.

High Risk Alerts: Reporting Engine

The following table shows the values for the High Risk Alerts: Reporting Engine default incident rule.

                                                               
Field

Condition Field

Condition Operator

Value

Name 

 

High Risk Alerts: Reporting Engine
Description  This incident rule captures alerts generated by the RSA Reporting Engine as having a Risk Score of "High" or "Critical".
Group: 

 

All of these
Conditions:Sourceis equal toReporting Engine
 Risk Scoreis equal or greater than50
Group By

 

 

Source IP Address
Time Window   1 Hour
Title  ${ruleName} for ${groupByValue1}

 

High Risk Alerts: ESA

The following table shows the values for the High Risk Alerts: ESA default incident rule.

                                                               
Field

Condition Field

Condition Operator

Value

Name 

 

High Risk Alerts: ESA
Description  This incident rule captures alerts generated by the RSA ESA platform as having a Risk Score of "High" or "Critical".
Group: 

 

All of these
Conditions:Sourceis equal toEvent Stream Analysis
 Risk Scoreis equal or greater than50
Group By

 

 

Source IP Address
Time Window   1 Hour
Title  ${ruleName} for ${groupByValue1}

 

IP Watch List: Activity Detected

The following table shows the values for the IP Watch List: Activity Detected default incident rule.

                                                                           
Field

Condition Field

Condition Operator

Value

Name 

 

IP Watch List: Activity Detected
Description  This incident rule captures alerts generated by IP addresses that have been added as "Source IP Address" *and* "Destination IP Address" conditions of the rule. To add additional IP addresses to the watch list, simply add a new Source and Destination IP Address conditional pair.
Group: 

 

Any of these
Conditions:Source IP Addressis equal to1.1.1.1
 Destination IP Address

is equal to

1.1.1.1
 Source IP Addressis equal to2.2.2.2
 Destination IP Address

is equal to

2.2.2.2
Group By

 

 

Source IP Address
Time Window

 

 

4 Hours
Title  ${ruleName}
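The rule tables above all describe one mechanism: an alert is accepted when its condition groups match ("All of these" or "Any of these", with a 1st and 2nd group both having to match), accepted alerts are bucketed by the Group By value for the length of the Time Window, and the Title template is filled from ${ruleName} and ${groupByValue1}. The following Python model is an added example written for this page; it is not NetWitness code and says nothing about how the product implements rules internally. It transcribes the User Behavior (alert-name list cut to a subset), High Risk Alerts: NetWitness Endpoint and IP Watch List: Activity Detected rules, plus the File MD5 Hash clone described later on this page, and runs them over a handful of constructed alerts so you can see how the Group By choice (Host Name versus File MD5 Hash) changes what lands in one incident. Assumed, because the page does not state them: the alert dictionary keys reuse the table's Condition Field names, a second group is ANDed with the first, and the Time Window is measured from the alert that opened the incident.

```python
"""Toy model of a Respond incident rule; added example, not NetWitness code."""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from string import Template

# Operators that appear in the default-rule tables, mapped to predicates (assumption).
OPERATORS = {
    "is equal to": lambda actual, expected: actual == expected,
    "is equal or greater than": lambda actual, expected: actual is not None and actual >= expected,
}

@dataclass
class Condition:
    field: str        # the table's "Condition Field"; also the key used in the alert dict
    operator: str
    value: object

    def matches(self, alert: dict) -> bool:
        return OPERATORS[self.operator](alert.get(self.field), self.value)

@dataclass
class Group:
    mode: str         # "All of these" or "Any of these"
    conditions: list

    def matches(self, alert: dict) -> bool:
        hits = [c.matches(alert) for c in self.conditions]
        return all(hits) if self.mode == "All of these" else any(hits)

@dataclass
class IncidentRule:
    name: str
    groups: list      # where a rule has a 1st and 2nd group, both must match (assumption)
    group_by: str
    time_window: timedelta
    title: str

    def matches(self, alert: dict) -> bool:
        return all(g.matches(alert) for g in self.groups)

def aggregate(rule: IncidentRule, alerts: list) -> list:
    """One incident per Group By value; alerts join it while inside Time Window of its first alert."""
    incidents, open_by_key = [], {}
    for alert in sorted(alerts, key=lambda a: a["timestamp"]):
        if not rule.matches(alert):
            continue
        key = alert.get(rule.group_by)
        idx = open_by_key.get(key)
        if idx is not None and alert["timestamp"] - incidents[idx]["opened"] <= rule.time_window:
            incidents[idx]["alerts"].append(alert)
            continue
        title = Template(rule.title).safe_substitute(ruleName=rule.name, groupByValue1=key)
        incidents.append({"title": title, "group_by_value": key, "opened": alert["timestamp"], "alerts": [alert]})
        open_by_key[key] = len(incidents) - 1
    return incidents

# Rule definitions transcribed from the tables (User Behavior alert-name list cut to a subset).
USER_BEHAVIOR = IncidentRule(
    "User Behavior",
    [Group("All of these", [Condition("Source", "is equal to", "Event Stream Analysis")]),
     Group("Any of these", [Condition("Alert Name", "is equal to", n) for n in (
         "Direct Login By A Guest Account", "Multiple Failed Logins Followed By a Successful Login",
         "DNS Tunneling", "Privilege Escalation Detected")])],
    "Destination User Account", timedelta(hours=1), "${ruleName} for ${groupByValue1}")
NW_ENDPOINT = IncidentRule(
    "High Risk Alerts: NetWitness Endpoint",
    [Group("All of these", [Condition("Source", "is equal to", "NetWitness Endpoint"),
                            Condition("Risk Score", "is equal or greater than", 50)])],
    "Host Name", timedelta(hours=1), "${ruleName} for ${groupByValue1}")
# The clone described under "Create a NetWitness Endpoint Incident Rule using File Hash".
NW_ENDPOINT_BY_HASH = replace(NW_ENDPOINT, name="High Risk Alerts: NetWitness Endpoint File Hash",
                              group_by="File MD5 Hash")
IP_WATCH_LIST = IncidentRule(
    "IP Watch List: Activity Detected",
    [Group("Any of these", [Condition(f, "is equal to", ip) for ip in ("1.1.1.1", "2.2.2.2")
                            for f in ("Source IP Address", "Destination IP Address")])],
    "Source IP Address", timedelta(hours=4), "${ruleName}")

# Constructed sample alerts, not real data; the first argument is minutes after T0.
T0 = datetime(2020, 9, 2, 9, 0)
HASH = "0123456789abcdef0123456789abcdef"   # placeholder MD5, not a real indicator
def _alert(minutes: int, **fields) -> dict:
    return {"timestamp": T0 + timedelta(minutes=minutes), **fields}
SAMPLE_ALERTS = [
    _alert(0, **{"Source": "Event Stream Analysis", "Alert Name": "Direct Login By A Guest Account",
                 "Destination User Account": "svc-backup"}),
    _alert(5, **{"Source": "Malware Analysis", "Risk Score": 90, "Source IP Address": "10.0.0.5"}),
    _alert(10, **{"Source": "Event Stream Analysis", "Alert Name": "DNS Tunneling", "Destination User Account": "jdoe",
                  "Source IP Address": "10.0.0.9", "Destination IP Address": "2.2.2.2"}),
    _alert(20, **{"Source": "Event Stream Analysis", "Destination User Account": "svc-backup",
                  "Alert Name": "Multiple Failed Logins Followed By a Successful Login"}),
    _alert(30, **{"Source": "NetWitness Endpoint", "Risk Score": 80, "Host Name": "ws-042", "File MD5 Hash": HASH}),
    _alert(45, **{"Source": "NetWitness Endpoint", "Risk Score": 90, "Host Name": "ws-077", "File MD5 Hash": HASH}),
    _alert(180, **{"Source": "Event Stream Analysis", "Alert Name": "Direct Login By A Guest Account",
                   "Destination User Account": "svc-backup"}),   # 3 h later: outside the 1-hour window
]

def summarize(rule: IncidentRule, alerts: list = SAMPLE_ALERTS) -> list:
    """(title, number of alerts) for each incident, in the order the incidents were opened."""
    return [(i["title"], len(i["alerts"])) for i in aggregate(rule, alerts)]
```

Calling summarize(USER_BEHAVIOR) yields two separate svc-backup incidents, because the third guest-login alert arrives three hours after the first and the window is one hour; summarize(NW_ENDPOINT) opens one incident per host, while summarize(NW_ENDPOINT_BY_HASH) folds the same two endpoint alerts into a single incident keyed on the shared hash. The Malware Analysis alert matches none of the three rules, since every rule's first group pins the Source.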


User Watch List: Activity Detected

The following table shows the values for the User Watch List: Activity Detected default incident rule.

                                                               
Field

Condition Field

Condition Operator

Value

Name 

 

User Watch List: Activity Detected
Description  This incident rule captures alerts generated by network users whose user names have been added as a "Source UserName" condition. To add more than one Username to the watch list, simply add an additional Source Username condition.
Group: 

 

Any of these
Conditions:Source Usernameis equal tojsmith
 Source Usernameis equal tojdoe
Group By

 

 

Source Username
Time Window

 

 

4 Hours
Title  ${ruleName}

 

Suspicious Activity Detected: Windows Worm Propagation

The following table shows the values for the Suspicious Activity Detected: Windows Worm Propagation default incident rule.

                                                                           
Field

Condition Field

Condition Operator

Value

Name 

 

Suspicious Activity Detected: Windows Worm Propagation
Description  This incident rule captures alerts that are indicative of worm propagation activity on a Microsoft network
1st Group: 

 

All of these
Condition:Sourceis equal toEvent Stream Analysis
2nd Group: 

 

Any of these
Conditions:Alert Nameis equal toWindows Worm Activity Detected Logs

 

Alert Nameis equal toWindows Worm Activity Detected Packets
Group By

 

 

Source IP Address
Time Window

 

 

1 Hour
Title  ${ruleName}

 

Suspicious Activity Detected: Reconnaissance

The following table shows the values for the Suspicious Activity Detected: Reconnaissance default incident rule.

                                                                                       
Field

Condition Field

Condition Operator

Value

Name 

 

Suspicious Activity Detected: Reconnaissance
Description  This incident rule captures alerts that identify common ICMP host identification techniques (i.e. "ping") accompanied by connection attempts to multiple service ports on a host
1st Group: 

 

All of these
Condition:Sourceis equal toEvent Stream Analysis
2nd Group: 

 

Any of these
Conditions:Alert Nameis equal toPort Scan Horizontal Packet

 

Alert Nameis equal to

Port Scan Vertical Packet

 Alert Nameis equal toPort Scan Horizontal Log
 Alert Nameis equal toPort Scan Vertical Log
Group By

 

 

Source IP Address
Time Window

 

 

4 Hours
Title  ${ruleName}

 

Monitoring Failure: Device Not Reporting

The following table shows the values for the Monitoring Failure: Device Not Reporting default incident rule.

                                                               
Field

Condition Field

Condition Operator

Value

Name 

 

Monitoring Failure: Device Not Reporting
Description  This incident rule captures any instance of an alert designed to detect the absence of log traffic from a previously reporting device
Group: 

 

All of these
Conditions:Sourceis equal toEvent Stream Analysis
 Alert Nameis equal toNo logs traffic from device in given time frame
Group By

 

 

Source IP Address
Time Window

 

 

2 Hours
Title  ${ruleName}

 

Web Threat Detection

The following table shows the values for the Web Threat Detection default incident rule.

                                                         
Field

Condition Field

Condition Operator

Value

Name 

 

Web Threat Detection
Description  This incident rule captures alerts generated by the RSA Web Threat Detection platform.
Group: 

 

All of these
Condition:Sourceis equal toWeb Threat Detection
Group By

 

 

Alert Rule Id
Time Window

 

 

1 Hour
Title  ${ruleName} for ${groupByValue1}

 

User Entity Behavior Analytics

The following table shows the values for the User Entity Behavior Analytics default incident rule.

                                                         
Field

Condition Field

Condition Operator

Value

Name 

 

User Entity Behavior Analytics
Description  This incident rule captures user entity behavior.
Group: 

 

All of these
Condition:Sourceis equal toUser Entity Behavior Analytics
Group By

 

 

UEBA Classifier Id
Time Window

 

 

1 Hour
Title  ${ruleName} for ${groupByValue1}

Create a NetWitness Endpoint Incident Rule using File Hash

To aggregate NetWitness Endpoint alerts based on the File Hash, create another NetWitness Endpoint Rule using the File Hash as the Group By value. To do this, clone the default NetWitness Endpoint incident rule and change the Group By value.

  1. Go to (Configure) > Incident Rules.
    The Incident Rules view is displayed.
  2. Select the High Risk Alerts: NetWitness Endpoint default incident rule and click Clone.
    (Figure: Incident Rules view showing a selected NetWitness Endpoint rule and the Clone button)
    A message confirms that you successfully cloned the selected rule.
  3. Change the Name of the rule to an appropriate name, such as High Risk Alerts: NetWitness Endpoint File Hash.
  4. In the Group By field, remove the previous Group By value and add File MD5 Hash.
    It is important that File MD5 Hash is the only Group By value listed.
    (Figure: Incident Rule Details view of a cloned NetWitness Endpoint rule showing the Group By value File MD5 Hash)
  5. If you are ready to enable your rule, in the Basic Settings section, select Enabled.
  6. Click Save to create the rule.
    The Incident Rules view shows your new rule.
    (Figure: Part of the new incident rule showing the new name and status)
  7. Verify the order of your incident rules. For more information, see Verify the Order of Your Incident Rules.
