Respond Config: Set Up and Verify Default Incident Rules

Document created by RSA Information Design and Development on Mar 27, 2018. Last modified by RSA Information Design and Development on Sep 11, 2018.
Version 2

The User Behavior incident rule, which captures network user behavior, was introduced in NetWitness Platform 11.1. This rule uses deployed RSA Live ESA Rules to create incidents from alerts. You can select and deploy the RSA Live ESA Rules that you want to monitor.
The following default incident rules changed slightly for 11.1 and later and now have Source IP Address as the Group By value:

  • High Risk Alerts: Reporting Engine
  • High Risk Alerts: Malware Analysis
  • High Risk Alerts: NetWitness Endpoint*
  • High Risk Alerts: ESA

*To aggregate NetWitness Endpoint alerts based on the Detector IP Address, create another NetWitness Endpoint Rule using the Detector IP Address as the Group By value. See Create a NetWitness Endpoint Incident Rule using Detector IP for step-by-step instructions.

To verify your existing default incident rules against the 11.2 default incident rules, compare them with the default incident rule tables that follow these procedures.

Set up the User Behavior Incident Rule

In order to use the default User Behavior incident rule, you need to deploy the RSA Live ESA Rules that you want to monitor from those listed in the User Behavior incident rule conditions. Complete the following procedures to start aggregating alerts for the User Behavior default incident rule:

  • Deploy the RSA Live ESA Rules
  • Adjust and enable the User Behavior default rule (or create it if you do not have it)

Deploy the RSA Live ESA Rules

  1. Go to CONFIGURE > Live Content.
  2. In the Resource Types field, select Event Stream Analysis Rule and click Search.
  3. In the Matching Resources list, select the ESA Rules from the following User Behavior table that you are interested in monitoring and deploy them (click Deploy).
  4. Go to CONFIGURE > ESA Rules > Rules tab, and in the Rule Library Filter drop-down list, select RSA Live ESA Rule.
  5. To add a new Deployment, in the drop-down list near DEPLOYMENTS, click Add.
    1. In the ESA Services section, add and then select your ESA service.
    2. In the ESA Rules section, click the Add icon and in the Deploy ESA Rules dialog, select the ESA Rules that you selected from the User Behavior table, and then click Save.
      The selected ESA rules are listed with a status of Added.
  6. Select the ESA rules that you added from the previous step, and click Deploy Now.
    The status of the selected ESA rules changes to Deployed.
  7. Go to CONFIGURE > ESA Rules > Services tab.
    In the Deployed Rule Stats for your ESA service, the rules that you added should have a status of enabled, which is indicated by a green circle in the Enable column.

Adjust and Enable the User Behavior Default Rule (or Create It If You Do Not Have It)

If you have the User Behavior default rule, you can adjust it for your environment and enable it. If you do not have the User Behavior default rule, you can create it manually.

(Optional) To create the User Behavior default rule:

  1. Go to CONFIGURE > Incident Rules.
    The Incident Rules List view is displayed.
    Incident Rules List view
  2. Click Create Rule and in the Incident Rule Details view, create the User Behavior default incident rule using the values in the User Behavior table following this procedure. Values not listed in the table should be set for your business requirements. For details about various parameters that can be set as criteria for an incident rule, see Incident Rule Details View.

    The following figure shows a portion of the User Behavior default rule details. Notice that there are two groups in this rule.
    User Behavior default rule - Incident Details view showing the two groups
  3. If you are ready to enable your rule, in the Basic Settings section, select Enabled.
  4. Click Save.
    The rule appears in the Incident Rules list. If you selected Enabled, the rule is enabled and starts creating incidents from incoming alerts that match the rule criteria.
  5. Verify the order of your incident rules. For more information, see Verify the Order of your Incident Rules.

User Behavior

The following table shows the values for the User Behavior default incident rule.

Name: User Behavior
Description: This incident rule captures network user behavior.
1st Group (All of these):
    Source                  is equal to               Event Stream Analysis
2nd Group (Any of these):
    Alert Name              is equal to               Account Added to Administrators Group and Removed
    Alert Name              is equal to               Account Removals From Protected Groups on Domain Controller
    Alert Name              is equal to               Detects Router Configuration Attempts
    Alert Name              is equal to               Direct Login By A Guest Account
    Alert Name              is equal to               Direct Login to an Administrative Account
    Alert Name              is equal to               Failed Logins Followed By Successful Login Password Change
    Alert Name              is equal to               Insider Threat Mass Audit Clearing
    Alert Name              is equal to               Internal Data Posting to 3rd Party Sites
    Alert Name              is equal to               kbrtgt Account Modified on Domain controller
    Alert Name              is equal to               Lateral Movement Suspected Windows
    Alert Name              is equal to               Logins across Multiple Servers
    Alert Name              is equal to               Logins by Same User to Multiple Servers
    Alert Name              is equal to               Malicious Account Creation Followed by Failed Authorization
    Alert Name              is equal to               Multiple Account Lockouts From Same or Different Users
    Alert Name              is equal to               Multiple Failed Logins Followed By a Successful Login
    Alert Name              is equal to               Multiple Failed Logins from Same User Originating from Different Countries
    Alert Name              is equal to               Multiple Failed Privilege Escalations by Same User
    Alert Name              is equal to               Multiple Intrusion Scan Events from Same User to Unique Destinations
    Alert Name              is equal to               Multiple Login Failures by Administrators to Domain Controller
    Alert Name              is equal to               Multiple Login Failures by Guest to Domain Controller
    Alert Name              is equal to               Multiple Failed Logons from Same Source IP with Unique Usernames
    Alert Name              is equal to               Multiple Successful Logins from Multiple Diff Src to Diff Dest
    Alert Name              is equal to               Multiple Successful Logins from Multiple Diff Src to Same Dest
    Alert Name              is equal to               Privilege Escalation Detected
    Alert Name              is equal to               Privilege Escalation Detected in Unix
    Alert Name              is equal to               Privilege User Account Password Change
    Alert Name              is equal to               Failed Logins Outside Business Hours
    Alert Name              is equal to               DNS Tunneling
    Alert Name              is equal to               User Login Baseline
Group By: Destination User Account
Time Window: 1 Hour
Title: ${ruleName} for ${groupByValue1}

Set up or Verify a Default Incident Rule

  1. Go to CONFIGURE > Incident Rules.
    The Incident Rules List view is displayed.
    Incident Rules List view
  2. Click the link in the Name field of a default incident rule to view the Incident Rule Details view. Set up or verify the default incident rule using the values in the default incident rules tables in this topic. Values not listed in the tables should be set for your business requirements. For details about various parameters that can be set as criteria for an incident rule, see Incident Rule Details View.
  3. When you are ready to enable your rule, in the Basic Settings section, select Enabled.
  4. Click Save.
  5. Verify the order of your incident rules. For more information, see Verify the Order of your Incident Rules.

Suspected Command & Control Communication By Domain

The following table shows the values for the Command & Control Communication By Domain default incident rule.

Name: Command & Control Communication By Domain
Description: This incident rule captures suspected communication with a Command & Control server and groups results by domain.
Group (All of these):
    Source                  is equal to               Event Stream Analysis
    Alert Rule Id           is equal to               Suspected C&C
Group By: Domain for Suspected C&C
Time Window: 7 Days
Title: Suspected C&C with ${groupByValue1}
Summary: NetWitness Platform detected communications with ${groupByValue1} that may be command and control malware.
    1. Evaluate if the domain is legitimate (online radio, news feed, partner, automated testing, etc.).
    2. Review the domain registration for suspect information (Registrant country, registrar, no registration data found, etc.).
    3. If the domain is suspect, go to the Investigation module to locate other activity to or from it.

High Risk Alerts: Malware Analysis

The following table shows the values for the High Risk Alerts: Malware Analysis default incident rule.

Name: High Risk Alerts: Malware Analysis
Description: This incident rule captures alerts generated by the RSA Malware Analysis platform as having a Risk Score of "High" or "Critical".
Group (All of these):
    Source                  is equal to               Malware Analysis
    Risk Score              is equal or greater than  50
Group By: Source IP Address
Time Window: 1 Hour
Title: ${ruleName} for ${groupByValue1}

High Risk Alerts: NetWitness Endpoint

The following table shows the values for the High Risk Alerts: NetWitness Endpoint default incident rule.

Name: High Risk Alerts: NetWitness Endpoint
Description: This incident rule captures alerts generated by the RSA NetWitness Endpoint platform as having a Risk Score of "High" or "Critical".
Group (All of these):
    Source                  is equal to               NetWitness Endpoint
    Risk Score              is equal or greater than  50
Group By: Source IP Address*
Time Window: 1 Hour
Title: ${ruleName} for ${groupByValue1}

*To aggregate NetWitness Endpoint alerts based on the Detector IP Address, create another NetWitness Endpoint Rule using the Detector IP Address as the Group By value. See Create a NetWitness Endpoint Incident Rule using Detector IP for step-by-step instructions.

High Risk Alerts: Reporting Engine

The following table shows the values for the High Risk Alerts: Reporting Engine default incident rule.

Name: High Risk Alerts: Reporting Engine
Description: This incident rule captures alerts generated by the RSA Reporting Engine as having a Risk Score of "High" or "Critical".
Group (All of these):
    Source                  is equal to               Reporting Engine
    Risk Score              is equal or greater than  50
Group By: Source IP Address
Time Window: 1 Hour
Title: ${ruleName} for ${groupByValue1}

High Risk Alerts: ESA

The following table shows the values for the High Risk Alerts: ESA default incident rule.

Name: High Risk Alerts: ESA
Description: This incident rule captures alerts generated by the RSA ESA platform as having a Risk Score of "High" or "Critical".
Group (All of these):
    Source                  is equal to               Event Stream Analysis
    Risk Score              is equal or greater than  50
Group By: Source IP Address
Time Window: 1 Hour
Title: ${ruleName} for ${groupByValue1}

IP Watch List: Activity Detected

The following table shows the values for the IP Watch List: Activity Detected default incident rule.

Name: IP Watch List: Activity Detected
Description: This incident rule captures alerts generated by IP addresses that have been added as "Source IP Address" *and* "Destination IP Address" conditions of the rule. To add additional IP addresses to the watch list, simply add a new Source and Destination IP Address conditional pair.
Group (Any of these):
    Source IP Address       is equal to               1.1.1.1
    Destination IP Address  is equal to               1.1.1.1
    Source IP Address       is equal to               2.2.2.2
    Destination IP Address  is equal to               2.2.2.2
Group By: Source IP Address
Time Window: 4 Hours
Title: ${ruleName}

User Watch List: Activity Detected

The following table shows the values for the User Watch List: Activity Detected default incident rule.

Name: User Watch List: Activity Detected
Description: This incident rule captures alerts generated by network users whose user names have been added as a "Source UserName" condition. To add more than one Username to the watch list, simply add an additional Source Username condition.
Group (Any of these):
    Source Username         is equal to               jsmith
    Source Username         is equal to               jdoe
Group By: Source Username
Time Window: 4 Hours
Title: ${ruleName}

Suspicious Activity Detected: Windows Worm Propagation

The following table shows the values for the Suspicious Activity Detected: Windows Worm Propagation default incident rule.

Name: Suspicious Activity Detected: Windows Worm Propagation
Description: This incident rule captures alerts that are indicative of worm propagation activity on a Microsoft network.
1st Group (All of these):
    Source                  is equal to               Event Stream Analysis
2nd Group (Any of these):
    Alert Name              is equal to               Windows Worm Activity Detected Logs
    Alert Name              is equal to               Windows Worm Activity Detected Logs
Group By: Source IP Address
Time Window: 1 Hour
Title: ${ruleName}

Suspicious Activity Detected: Reconnaissance

The following table shows the values for the Suspicious Activity Detected: Reconnaissance default incident rule.

Name: Suspicious Activity Detected: Reconnaissance
Description: This incident rule captures alerts that identify common ICMP host identification techniques (i.e. "ping") accompanied by connection attempts to multiple service ports on a host.
1st Group (All of these):
    Source                  is equal to               Event Stream Analysis
2nd Group (Any of these):
    Alert Name              is equal to               Port Scan Horizontal Packet
    Alert Name              is equal to               Port Scan Vertical Packet
    Alert Name              is equal to               Port Scan Horizontal Log
    Alert Name              is equal to               Port Scan Vertical Log
Group By: Source IP Address
Time Window: 4 Hours
Title: ${ruleName}

Monitoring Failure: Device Not Reporting

The following table shows the values for the Monitoring Failure: Device Not Reporting default incident rule.

Name: Monitoring Failure: Device Not Reporting
Description: This incident rule captures any instance of an alert designed to detect the absence of log traffic from a previously reporting device.
Group (All of these):
    Source                  is equal to               Event Stream Analysis
    Alert Name              is equal to               No logs traffic from device in given time frame
Group By: Source IP Address
Time Window: 2 Hours
Title: ${ruleName}

Web Threat Detection

The following table shows the values for the Web Threat Detection default incident rule.

Name: Web Threat Detection
Description: This incident rule captures alerts generated by the RSA Web Threat Detection platform.
Group (All of these):
    Source                  is equal to               Web Threat Detection
Group By: Alert Rule Id
Time Window: 1 Hour
Title: ${ruleName} for ${groupByValue1}
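The tables above define each rule as condition groups (All of these / Any of these), a Group By field, a Time Window and a Title template. The following added example, which is not RSA's code, models how such a rule turns matching alerts into incidents, using the User Behavior rule abridged to three of its Alert Name values; the alert field names, the time-window semantics and the sample alerts are assumptions constructed for the example.

```python
# Added example (not RSA's code) modelling how an incident rule from the tables
# above turns matching alerts into incidents. Group logic, Group By, Time Window
# and Title template follow the tables; alert field names, the window rule (new
# incident once an alert is over Time Window past the group's first) and sample alerts are assumptions.
from datetime import datetime, timedelta
from string import Template

OPERATORS = {
    "is equal to": lambda actual, expected: actual == expected,
    "is equal or greater than": lambda actual, expected: actual is not None and actual >= expected,
}

def group_matches(alert, mode, conditions):
    # mode is "All of these" (AND) or "Any of these" (OR) over (field, operator, value) tuples
    results = [OPERATORS[op](alert.get(field), value) for field, op, value in conditions]
    return all(results) if mode == "All of these" else any(results)

def rule_matches(alert, rule):
    # every group must hold, so a two-group rule means "1st Group AND 2nd Group"
    return all(group_matches(alert, mode, conds) for mode, conds in rule["groups"])

def aggregate(alerts, rule):
    """Group matching alerts by the Group By field into incidents, one per Time Window."""
    incidents, open_by_key = [], {}
    for alert in sorted(alerts, key=lambda a: a["timestamp"]):
        key = alert.get(rule["group_by"])
        if key is None or not rule_matches(alert, rule):
            continue
        inc = open_by_key.get(key)
        if inc is None or alert["timestamp"] - inc["opened"] > rule["time_window"]:
            title = Template(rule["title"]).safe_substitute(ruleName=rule["name"], groupByValue1=key)
            inc = open_by_key[key] = {"title": title, "opened": alert["timestamp"], "alerts": []}
            incidents.append(inc)
        inc["alerts"].append(alert)
    return incidents

# the User Behavior default rule, abridged to three of its Alert Name values
USER_BEHAVIOR = {
    "name": "User Behavior",
    "groups": [("All of these", [("Source", "is equal to", "Event Stream Analysis")]),
               ("Any of these", [("Alert Name", "is equal to", n) for n in (
                   "Direct Login By A Guest Account", "Privilege Escalation Detected", "DNS Tunneling")])],
    "group_by": "Destination User Account",
    "time_window": timedelta(hours=1),
    "title": "${ruleName} for ${groupByValue1}",
}

def sample_alert(minutes, source, name):  # constructed sample alert for account svc-backup
    return {"timestamp": datetime(2018, 9, 11, 10, 0) + timedelta(minutes=minutes),
            "Source": source, "Alert Name": name, "Destination User Account": "svc-backup"}

SAMPLE_ALERTS = [sample_alert(0, "Event Stream Analysis", "Direct Login By A Guest Account"),
                 sample_alert(5, "Malware Analysis", "DNS Tunneling"),  # 1st Group fails: wrong Source
                 sample_alert(20, "Event Stream Analysis", "Privilege Escalation Detected"),
                 sample_alert(90, "Event Stream Analysis", "DNS Tunneling")]  # past 1 Hour: new incident
```

Running `aggregate(SAMPLE_ALERTS, USER_BEHAVIOR)` yields two incidents titled "User Behavior for svc-backup": the first holds the two alerts inside the 1 Hour window, the second holds the later DNS Tunneling alert, and the Malware Analysis alert is excluded because the 1st Group requires Source equal to Event Stream Analysis.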

Create a NetWitness Endpoint Incident Rule using Detector IP

To aggregate NetWitness Endpoint alerts based on the Detector IP Address, create another NetWitness Endpoint Rule using the Detector IP Address as the Group By value. To do this, you clone the default NetWitness Endpoint incident rule and change the Group By IP address.

  1. Go to CONFIGURE > Incident Rules.
    The Incident Rules List view is displayed.
  2. Select the High Risk Alerts: NetWitness Endpoint default incident rule and click Clone.
    Incident List View showing a selected NetWitness Endpoint Rule and the Clone button
    You will receive a message that you successfully cloned the selected rule.
  3. Change the Name of the rule to an appropriate name, such as High Risk Alerts: NetWitness Endpoint Detector IP.
  4. In the Group By field, remove Source IP Address and add Detector IP Address.
    It is important that Detector IP Address is the only Group By value listed.
    Incident Rule Details view of a cloned NetWitness Endpoint rule showing Group By value "Detector IP Address"
  5. If you are ready to enable your rule, in the Basic Settings section, select Enabled.
  6. Click Save to create the rule.
    The Incident Rules list view shows your new rule.
    Part of New Incident Rule showing new name and status
  7. Verify the order of your incident rules. For more information, see Verify the Order of your Incident Rules.