Set Up and Verify Default Incident Rules

The User Entity Behavior Analytics default incident rule is available in NetWitness Platform 11.3 and later. It captures user entity behavior grouped by Classifier ID to create incidents from alerts.

The Detect AI default incident rule is available in NetWitness Platform 11.6 and later. It captures the anomalies generated by Detect AI.

The User Behavior incident rule, which captures network user behavior, is available in NetWitness Platform 11.1 and later. This rule uses deployed RSA Live ESA Rules to create incidents from alerts. You can select and deploy the RSA Live ESA Rules that you want to monitor.

The following default incident rules changed slightly for 11.1 and later and now have Source IP Address as the Group By value:

  • High Risk Alerts: Reporting Engine
  • High Risk Alerts: Malware Analysis
  • High Risk Alerts: ESA

The following default incident rule changed slightly for 11.3 and later and now has the Host Name as the Group By value:

  • High Risk Alerts: NetWitness Endpoint*

*If you have NetWitness Endpoint, the High Risk Alerts: NetWitness Endpoint default incident rule captures alerts generated by NetWitness Endpoint with a risk score of High or Critical. To aggregate NetWitness Endpoint alerts based on the File Hash instead of Host Name, create another NetWitness Endpoint Rule using the File Hash as the Group By value. See Create a NetWitness Endpoint Incident Rule using File Hash for step-by-step instructions.

To verify your existing default incident rules with the 11.5 default incident rules, look at the default incident rule tables following these procedures. If you are missing a default incident rule, you can create it manually. Review the default incident rules and adjust them to your environment as required.

Set Up the User Behavior Incident Rule

In order to use the default User Behavior incident rule, you need to deploy the RSA Live ESA Rules that you want to monitor from those listed in the User Behavior incident rule conditions. Complete the following procedures to start aggregating alerts for the User Behavior default incident rule:

  • Deploy the RSA Live ESA Rules
  • Adjust and enable the User Behavior default rule (or create it if you do not have it)

Deploy the RSA Live ESA Rules

  1. Go to netwitness_configureicon_24x21.png (Configure) > Live Content.
  2. In the Resource Types field, select Event Steam Analysis Rule and click Search.
  3. In the Matching Resources list, select the ESA Rules from the following User Behavior table that you are interested in monitoring and deploy them (click Deploy).
  4. Go to netwitness_configureicon_24x21.png (Configure) > ESA Rules > Rules tab, and in the Rule Library Filter drop-down list, select RSA Live ESA Rule.
  5. To add a new ESA rule deployment, in the drop-down list near Deployments, click Add.
    1. In the ESA Services section, add and then select your ESA service.
    2. In the Data Sources section, click Add icon and add a data source to use for the ESA rule deployment.
    3. In the ESA Rules section, click Add icon and in the Deploy ESA Rules dialog, select the ESA Rules that you selected from the User Behavior table, and then click Save.
      The selected ESA rules are listed with a status of Added.
  6. Select the ESA rules that you added from the previous step, and click Deploy Now.
    The status of the selected ESA rules changes to Deployed.
  7. Go to netwitness_configureicon_24x21.png (Configure) > ESA Rules > Services tab.
    In the Deployed Rule Stats for your ESA service, the rules that you added should have a status of enabled, which is indicated by a green circle in the Enable column.

Adjust and Enable the User Behavior Default Rule (or Create It If You Do Not Have It)

If you have the User Behavior default rule, you can adjust it for your environment and enable it. If you do not have the User Behavior default rule, you can create it manually.

(Optional) To create the User Behavior default rule:

  1. Go to netwitness_configureicon_24x21.png (Configure) > Incident Rules.
    The Incident Rules view is displayed. (The following figure shows what the User Behavior rule looks like if it was there.)
    Incident Rules List view
  2. Click Create Rule and in the Incident Rule Details view, create the User Behavior default incident rule using the values in the User Behavior table following this procedure. The conditions as well as the values not listed in the table should be set for your business requirements. For details about various parameters that can be set as criteria for an incident rule, see Incident Rule Details View.

    The following figure shows a portion of the User Behavior default rule details. Notice that there are two groups in this rule.
    User Behavior default rule - Incident Details view showing the two groups
  3. If you are ready to enable your rule, in the Basic Settings section, select Enabled.
  4. Click Save.
    The rule appears in the Incidents Rules list. If you selected Enabled, the rule is enabled and it starts creating incidents depending on the incoming alerts that are matched as per the rule criteria.
  5. Verify the order of your incident rules. For more information, see Verify the Order of Your Incident Rules.

The following table shows the values for the User Behavior default incident rule.

Field

Condition Field

Condition Operator

Value

Name

User Behavior
Description This incident rule captures network user behavior.
Query Mode:

Rule Builder

Note: For information about advanced query mode, see Incident Rule Details View

1st Group:

All of these
Condition: Source is equal to Event Stream Analysis
2nd Group:

Any of these
Conditions: Alert Name is equal to Account Added to Administrators Group and Removed
Alert Name is equal to Account Removals From Protected Groups on Domain Controller
Alert Name is equal to Detects Router Configuration Attempts
Alert Name is equal to Direct Login By A Guest Account
Alert Name is equal to Direct Login to an Administrative Account
Alert Name is equal to Failed Logins Followed By Successful Login Password Change
Alert Name is equal to Insider Threat Mass Audit Clearing
Alert Name is equal to Internal Data Posting to 3rd Party Sites
Alert Name is equal to kbrtgt Account Modified on Domain controller
Alert Name is equal to Lateral Movement Suspected Windows
Alert Name is equal to Logins across Multiple Servers
Alert Name is equal to Logins by Same User to Multiple Servers
Alert Name is equal to Malicious Account Creation Followed by Failed Authorization
Alert Name is equal to Multiple Account Lockouts From Same or Different Users
Alert Name is equal to Multiple Failed Logins Followed By a Successful Login
Alert Name is equal to Multiple Failed Logins from Same User Originating from Different Countries

Alert Name is equal to Multiple Failed Privilege Escalations by Same User
Alert Name is equal to Multiple Intrusion Scan Events from Same User to Unique Destinations

Alert Name is equal to Multiple Login Failures by Administrators to Domain Controller
Alert Name is equal to Multiple Login Failures by Guest to Domain Controller

Alert Name is equal to Multiple Failed Logons from Same Source IP with Unique Usernames
Alert Name is equal to Multiple Successful Logins from Multiple Diff Src to Diff Dest

Alert Name is equal to Multiple Successful Logins from Multiple Diff Src to Same Dest
Alert Name is equal to Privilege Escalation Detected

Alert Name is equal to Privilege Escalation Detected in Unix
Alert Name is equal to Privilege User Account Password Change

Alert Name is equal to Failed Logins Outside Business Hours
Alert Name is equal to DNS Tunneling
Alert Name is equal to User Login Baseline
Group By

Destination User Account
Time Window 1 Hour
Title ${ruleName} for ${groupByValue1}

Set up or Verify a Default Incident Rule

  1. Go to netwitness_configureicon_24x21.png (Configure) > Incident Rules.
    The Incident Rules view is displayed.
    Incident Rules view
  2. Click the link in the Name field of a default incident rule to view the Incident Rule Details view. Set up or verify the default incident rule using the values in the default incident rules tables in this topic. Values not listed in the tables should be set for your business requirements. For details about various parameters that can be set as criteria for an incident rule, see Incident Rule Details View.
  3. When you are ready to enable your rule, in the Basic Settings section, select Enabled.
  4. Click Save.
  5. Verify the order of your incident rules. For more information, see Verify the Order of Your Incident Rules.

Suspected Command & Control Communication By Domain

The following table shows the values for the Suspected Command & Control Communication By Domain default incident rule.

Field

Condition Field

Condition Operator

Value

Name

Suspected Command & Control Communication By Domain
Description This incident rule captures suspected communication with a Command & Control server and groups results by domain.
Group:

All of these
Conditions: Source is equal to Event Stream Analysis
Alert Rule Id is equal to Suspected C&C
Group By

Domain for Suspected C& C
Time Window 7 Days
Title Suspected C&C with ${groupByValue1}
Summary NetWitness Platform detected communications with ${groupByValue1} that may be command and control malware.
1. Evaluate if the domain is legitimate (online radio, news feed, partner, automated testing, etc.).
2. Review the domain registration for suspect information (Registrant country, registrar, no registration data found, etc).
3. If the domain is suspect, go to the Investigation module to locate other activity to or from it.

High Risk Alerts: Malware Analysis

The following table shows the values for the High Risk Alerts: Malware Analysis default incident rule.

Field

Condition Field

Condition Operator

Value

Name

High Risk Alerts: Malware Analysis
Description This incident rule captures alerts generated by the RSA Malware Analysis platform as having a Risk Score of "High" or "Critical".
Group:

All of these
Conditions: Source is equal to Malware Analysis
Risk Score is equal or greater than 50
Group By

Source IP Address
Time Window 1 Hour
Title ${ruleName} for ${groupByValue1}

High Risk Alerts: NetWitness Endpoint

The following table shows the values for the High Risk Alerts: NetWitness Endpoint default incident rule.

Field

Condition Field

Condition Operator

Value

Name

High Risk Alerts: NetWitness Endpoint
Description This incident rule captures alerts generated by the RSA NetWitness Endpoint platform as having a Risk Score of "High" or "Critical".
Group:

All of these
Conditions: Source is equal to NetWitness Endpoint
Risk Score is equal or greater than 50
Group By

Host Name*
Time Window 1 Hour
Title ${ruleName} for ${groupByValue1}

*To aggregate NetWitness Endpoint alerts based on the File Hash, create another NetWitness Endpoint Rule using the File Hash as the Group By value. See Create a NetWitness Endpoint Incident Rule using File Hash for step-by-step instructions.

High Risk Alerts: Reporting Engine

The following table shows the values for the High Risk Alerts: Reporting Engine default incident rule.

Field

Condition Field

Condition Operator

Value

Name

High Risk Alerts: Reporting Engine
Description This incident rule captures alerts generated by the RSA Reporting Engine as having a Risk Score of "High" or "Critical".
Group:

All of these
Conditions: Source is equal to Reporting Engine
Risk Score is equal or greater than 50
Group By

Source IP Address
Time Window 1 Hour
Title ${ruleName} for ${groupByValue1}

High Risk Alerts: ESA

The following table shows the values for the High Risk Alerts: ESA default incident rule.

Field

Condition Field

Condition Operator

Value

Name

High Risk Alerts: ESA
Description This incident rule captures alerts generated by the RSA ESA platform as having a Risk Score of "High" or "Critical".
Group:

All of these
Conditions: Source is equal to Event Stream Analysis
Risk Score is equal or greater than 50
Group By

Source IP Address
Time Window 1 Hour
Title ${ruleName} for ${groupByValue1}

IP Watch List: Activity Detected

The following table shows the values for the IP Watch List: Activity Detected default incident rule.

Field

Condition Field

Condition Operator

Value

Name

IP Watch List: Activity Detected
Description This incident rule captures alerts generated by IP addresses that have been added as "Source IP Address" *and* "Destination IP Address" conditions of the rule. To add additional IP addresses to the watch list, simply add a new Source and Destination IP Address conditional pair.
Group:

Any of these
Conditions: Source IP Address is equal to 1.1.1.1
Destination IP Address

is equal to

1.1.1.1
Source IP Address is equal to 2.2.2.2
Destination IP Address

is equal to

2.2.2.2
Group By

Source IP Address
Time Window

4 Hours
Title ${ruleName}

User Watch List: Activity Detected

The following table shows the values for the User Watch List: Activity Detected default incident rule.

Field

Condition Field

Condition Operator

Value

Name

User Watch List: Activity Detected
Description This incident rule captures alerts generated by network users whose user names have been added as a "Source UserName" condition. To add more than one Username to the watch list, simply add an additional Source Username condition.
Group:

Any of these
Conditions: Source Username is equal to jsmith
Source Username is equal to jdoe
Group By

Source Username
Time Window

4 Hours
Title ${ruleName}

Suspicious Activity Detected: Windows Worm Propagation

The following table shows the values for the Suspicious Activity Detected: Windows Worm Propagation default incident rule.

Field

Condition Field

Condition Operator

Value

Name

Suspicious Activity Detected: Windows Worm Propagation
Description This incident rule captures alerts that are indicative of worm propagation activity on a Microsoft network
1st Group:

All of these
Condition: Source is equal to Event Stream Analysis
2nd Group:

Any of these
Conditions: Alert Name is equal to Windows Worm Activity Detected Logs

Alert Name is equal to Windows Worm Activity Detected Packets
Group By

Source IP Address
Time Window

1 Hour
Title ${ruleName}

Suspicious Activity Detected: Reconnaissance

The following table shows the values for the Suspicious Activity Detected: Reconnaissance default incident rule.

Field

Condition Field

Condition Operator

Value

Name

Suspicious Activity Detected: Reconnaissance
Description This incident rule captures alerts that identify common ICMP host identification techniques (i.e. "ping") accompanied by connection attempts to multiple service ports on a host
1st Group:

All of these
Condition: Source is equal to Event Stream Analysis
2nd Group:

Any of these
Conditions: Alert Name is equal to Port Scan Horizontal Packet

Alert Name is equal to

Port Scan Vertical Packet

Alert Name is equal to Port Scan Horizontal Log
Alert Name is equal to Port Scan Vertical Log
Group By

Source IP Address
Time Window

4 Hours
Title ${ruleName}

Monitoring Failure: Device Not Reporting

The following table shows the values for the Monitoring Failure: Device Not Reporting default incident rule.

Field

Condition Field

Condition Operator

Value

Name

Monitoring Failure: Device Not Reporting
Description This incident rule captures any instance of an alert designed to detect the absence of log traffic from a previously reporting device
Group:

All of these
Conditions: Source is equal to Event Stream Analysis
Alert Name is equal to No logs traffic from device in given time frame
Group By

Source IP Address
Time Window

2 Hours
Title ${ruleName}

Web Threat Detection

The following table shows the values for the Web Threat Detection default incident rule.

Field

Condition Field

Condition Operator

Value

Name

Web Threat Detection
Description This incident rule captures alerts generated by the RSA Web Threat Detection platform.
Group:

All of these
Condition: Source is equal to Web Threat Detection
Group By

Alert Rule Id
Time Window

1 Hour
Title ${ruleName} for ${groupByValue1}

User Entity Behavior Analytics

The following table shows the values for the User Entity Behavior Analytics default incident rule.

Field

Condition Field

Condition Operator

Value

Name

User Entity Behavior Analytics
Description This incident rule captures user entity behavior.
Group:

All of these
Condition: Source is equal to User Entity Behavior Analytics
Group By

UEBA Classifier Id
Time Window

1 Hour
Title ${ruleName} for ${groupByValue1}

Detect AI

The following table shows the values for the Detect AI default incident rule.

Field

Condition Field

Condition Operator

Value

Name

DetectAI
Description This incident rule captures anomalies generated by Detect AI
Group:

All of these
Condition: Source is equal to DetectAI
Group By

UEBA Classifier Id, UEBA Entity Name
Time Window

1 Hour
Title ${ruleName} for ${groupByValue2}

Create a NetWitness Endpoint Incident Rule using File Hash

To aggregate NetWitness Endpoint alerts based on the File Hash, create another NetWitness Endpoint Rule using the File Hash as the Group By value. To do this, clone the default NetWitness Endpoint incident rule and change the Group By value.

  1. Go to netwitness_configureicon_24x21.png (Configure) > Incident Rules.
    The Incident Rules view is displayed.
  2. Select the High Risk Alerts: NetWitness Endpoint default incident rule and click Clone.
    Incident Rules View showing a selected NetWitness Endpoint Rule and the Clone button selected
    You will receive a message that you successfully cloned the selected rule.
  3. Change the Name of the rule to an appropriate name, such as High Risk Alerts: NetWitness Endpoint File Hash.
  4. In the Group By field, remove the previous Group By value and add File MD5 Hash.
    It is important that File MD5 Hash is the only Group By value listed.
    Incident Rule Details view of a cloned NetWitness Endpoint rule showing Group By value File MD5 Hash"
  5. If you are ready to enable your rule, in the Basic Settings section, select Enabled.
  6. Click Save to create the rule.
    The Incident Rules view shows your new rule.
    Part of New Incident Rule showing new name and status
  7. Verify the order of your incident rules. For more information, see Verify the Order of Your Incident Rules.