Hi,
I am going through a huge amount of Data Leak matches in RSA NetWitness Security Analytics, but each of them so far is a false positive.
For example, how can I filter for "cc.number exists and match traffic flow is outbound?"
Or for customer matches as well.
Thanks
Do you have the "Traffic_Flow" parser and the "Traffic_Flow_Options" file deployed to your decoders from RSA Live?
Once deployed:
<key description="Network Name" level="IndexValues" name="netname" format="Text" valueMax="10000"/>
<key description="Traffic Flow Direction" level="IndexValues" name="direction" format="Text" valueMax="10000"/>
In the "Network Name" (netname) key, you will see values like "private.src" & "private.dst"; whatever names you put on the networks will show up with .src and .dst entries. Any networks NOT defined will show up as "external.src" & "external.dst".
In the "Traffic Flow Direction" (direction) key, you will get three entries: "inbound", "outbound" & "lateral".
Inbound = Unknown Source Network to Known Destination Network
Outbound = Known Source Network to Unknown Destination Network
Lateral = Known Source Network to Known Destination Network
For partner nets, if you name them "partner", then you could add application rules for those directions:
internal-partner netname='internal.src' && netname='partner.dst' alert=direction
partner-internal netname='partner.src' && netname='internal.dst' alert=direction
The partner nets would show up in the direction key as both "lateral" & "internal-partner" or "partner-internal".
Now you can use the direction key for tuning your rules and alerts
Hope this helps
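The following is an added illustration of the netname/direction logic described in the reply, written for this page and not RSA's Traffic_Flow Lua parser or the Traffic_Flow_Options file format. It models the rules the reply states (known/unknown source and destination produce inbound, outbound or lateral; the two application rules add "internal-partner" and "partner-internal" on top of "lateral") and then applies the filter the question asks for, cc.number exists with direction = outbound, over a few constructed sessions. The network names, CIDR ranges, session records and the assumption that an unknown-to-unknown session gets no direction value are all mine, not from the page.

```python
"""Model of the Traffic_Flow direction logic described in the reply.

Added example: not RSA's parser. NETWORKS, SESSIONS and the handling of
unknown->unknown traffic are assumptions made for illustration.
"""
import ipaddress

# Constructed network definitions: name -> CIDR ranges. The real
# Traffic_Flow_Options file has its own syntax, which is not reproduced here.
NETWORKS = {
    "internal": ["10.0.0.0/8", "192.168.0.0/16"],
    "partner": ["203.0.113.0/24"],
}

# The two application rules from the reply: (alert value, src netname, dst netname)
APP_RULES = [
    ("internal-partner", "internal.src", "partner.dst"),
    ("partner-internal", "partner.src", "internal.dst"),
]


def network_name(ip):
    """Return the defined network name for ip, or 'external' when undefined."""
    addr = ipaddress.ip_address(ip)
    for name, cidrs in NETWORKS.items():
        if any(addr in ipaddress.ip_network(cidr) for cidr in cidrs):
            return name
    return "external"


def traffic_flow(src_ip, dst_ip):
    """Return the netname and direction meta a session would carry."""
    src = network_name(src_ip)
    dst = network_name(dst_ip)
    netname = [f"{src}.src", f"{dst}.dst"]
    known_src = src != "external"
    known_dst = dst != "external"
    direction = []
    if not known_src and known_dst:
        direction.append("inbound")    # unknown source -> known destination
    elif known_src and not known_dst:
        direction.append("outbound")   # known source -> unknown destination
    elif known_src and known_dst:
        direction.append("lateral")    # known source -> known destination
    # Assumption: unknown -> unknown produces no direction value at all.
    # Application rules add their alert value alongside "lateral".
    for alert, want_src, want_dst in APP_RULES:
        if want_src in netname and want_dst in netname:
            direction.append(alert)
    return {"netname": netname, "direction": direction}


def is_outbound_leak(session):
    """The filter from the question: cc.number exists and direction is outbound."""
    return "cc.number" in session and "outbound" in session["direction"]


# Constructed sessions; 4111111111111111 is the well-known Visa test number.
SESSIONS = [
    # internal -> internal: lateral, typical false positive (e.g. file share)
    {"ip.src": "10.1.2.3", "ip.dst": "10.5.5.5", "cc.number": "4111111111111111"},
    # internal -> external: outbound, the case worth looking at
    {"ip.src": "10.1.2.3", "ip.dst": "198.51.100.7", "cc.number": "4111111111111111"},
    # external -> internal: inbound, card number arriving, not leaving
    {"ip.src": "198.51.100.7", "ip.dst": "10.1.2.3", "cc.number": "4111111111111111"},
    # internal -> external but no cc.number meta: not a match
    {"ip.src": "10.1.2.3", "ip.dst": "198.51.100.7"},
]


def enrich(session):
    """Attach netname and direction meta, as the parser would on the decoder."""
    meta = dict(session)
    meta.update(traffic_flow(session["ip.src"], session["ip.dst"]))
    return meta


def triage(sessions):
    """Return only the sessions that survive the outbound cc.number filter."""
    return [s for s in map(enrich, sessions) if is_outbound_leak(s)]


if __name__ == "__main__":
    for hit in triage(SESSIONS):
        print(hit["ip.src"], "->", hit["ip.dst"], hit["direction"])
```

Of the four constructed sessions only the internal-to-external one survives, which is the effect of pairing the existing cc.number match with direction = 'outbound' (in the same rule syntax as the application rules above, the condition would read cc.number exists && direction = 'outbound'). The internal-to-partner case shows why a partner session carries both "lateral" and "internal-partner": the direction test and the application rule each add their own value to the key.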