
NetWitness Respond Configuration Guide
for Version 11.1
Copyright © 1994-2018 Dell Inc. or its subsidiaries. All Rights Reserved.

Contact Information
RSA Link at https://community.rsa.com contains a knowledgebase that answers common
questions and provides solutions to known problems, product documentation, community
discussions, and case management.

Trademarks
For a list of RSA trademarks, go to www.emc.com/legal/emc-corporation-trademarks.htm#rsa.

License Agreement
This software and the associated documentation are proprietary and confidential to Dell, are
furnished under license, and may be used and copied only in accordance with the terms of such
license and with the inclusion of the copyright notice below. This software and the
documentation, and any copies thereof, may not be provided or otherwise made available to any
other person.
No title to or ownership of the software or documentation or any intellectual property rights
thereto is hereby transferred. Any unauthorized use or reproduction of this software and the
documentation may be subject to civil and/or criminal liability.
This software is subject to change without notice and should not be construed as a commitment
by Dell.

Third-Party Licenses
This product may include software developed by parties other than RSA. The text of the license
agreements applicable to third-party software in this product may be viewed on the product
documentation page on RSA Link. By using this product, a user of this product agrees to be fully
bound by terms of the license agreements.

Note on Encryption Technologies


This product may contain encryption technology. Many countries prohibit or restrict the use,
import, or export of encryption technologies, and current use, import, and export regulations
should be followed when using, importing or exporting this product.

Distribution
Dell believes the information in this publication is accurate as of its publication date. The
information is subject to change without notice.
September 2018
Contents

About this Document 5


NetWitness Respond Configuration Overview 5

Configuring NetWitness Respond 7


Step 1. Configure Alert Sources to Display Alerts in Respond View 8
Prerequisites 8
Configure Reporting Engine to Display Alerts Triggered by Reporting Engine in Respond View 8
Configure Malware Analytics to View Alerts Triggered by Malware Analytics in Respond view 8
Configure NetWitness Endpoint to View Alerts Triggered by NetWitness Endpoint in Respond View 9
Configure NetWitness Endpoint to Display NetWitness Endpoint Alerts 9
Step 2. Assign Respond View Permissions 12
Respond-server 13
Incidents 14
Integration-server 15
Respond Role Permission Examples 16
Step 3. Enable and Create Incident Rules for Alerts 17
Enable an Incident Rule 17
Create an Incident Rule 19
Verify the Order of your Incident Rules 22
Clone an Incident Rule 22
Edit an Incident Rule 22

Additional Procedures for Respond Configuration 24


Set Up and Verify Default Incident Rules 25
Set up the User Behavior Incident Rule 25
Set up or Verify a Default Incident Rule 32
Configure Respond Email Notification Settings 42
Set a Retention Period for Alerts and Incidents 44
Prerequisites 44
Procedure 44
Result 45
Obfuscate Private Data 46
Prerequisites 46
Procedure 46
Manage Incidents in NetWitness SecOps Manager 48
Prerequisites 48
Procedure 48
Set Counter for Matched Alerts and Incidents 50
Configure a Database for the Respond Server Service 52
Prerequisites 52
Procedure 52

NetWitness Respond Configuration Reference 55


Configure View 55
Incident Rules List View 56
What do you want to do? 56
Related Topics 56
Incident Rules List View 56
Incident Rule Details View 59
What do you want to do? 59
Related Topics 59
Incident Rule Details View 59
Group By Meta Key Mappings 64
Respond Notification Settings View 66
What do you want to do? 66
Related Topics 66
Respond Notification Settings 66
Aggregation Rules Tab 69
What do you want to do? 69
Related Topics 69
Aggregation Rules 69
New Rule Tab 72
What do you want to do? 72
Related Topics 72
New Rule 72


About this Document


This guide provides an overview of NetWitness Respond, detailed instructions on how to
configure NetWitness Respond in your network, additional procedures that are used at other
times, and reference materials that describe the user interface for configuring NetWitness
Respond in your network.

Topics
• NetWitness Respond Configuration Overview
• Configuring NetWitness Respond
• Additional Procedures for Respond Configuration
• NetWitness Respond Configuration Reference

NetWitness Respond Configuration Overview


RSA NetWitness® Suite NetWitness Respond consumes Alert data from various sources via the
Message Bus and displays these alerts on the NetWitness Suite user interface. The Respond
Server service allows you to group the alerts logically and start a NetWitness Respond workflow
to investigate and remediate the security issues raised.
The Respond Server service consumes alerts from the message bus and normalizes the data to a
common format (while retaining the original data) to enable simpler rule processing. It
periodically runs rules to aggregate multiple alerts into an incident and set some attributes of the
Incident (for example, severity, category, and so on). The incidents are persisted into MongoDb
by the Respond Server service. Incidents are also posted onto the message bus for consumption
by other systems (for example, Archer integration).

Note: NetWitness Respond requires an ESA primary server that contains the MongoDb.
Alerts, Incidents, and Task records are persisted into this MongoDb by the Respond Server.


The following diagram illustrates the high level flow of alerts.

You have to configure various sources from which the alerts are collected and aggregated by the
Respond Server service.


Configuring NetWitness Respond


This topic provides the high-level tasks required to configure the Respond Server service. The
administrator needs to complete the steps in the sequence provided.

Topics
• Step 1. Configure Alert Sources to Display Alerts in Respond View
• Step 2. Assign Respond View Permissions
• Step 3. Enable and Create Incident Rules for Alerts


Step 1. Configure Alert Sources to Display Alerts in Respond View


This procedure is required so that alerts from the alert sources are displayed in NetWitness
Respond. You have an option to enable or disable the alerts being populated in the Respond
view. By default this option is disabled in the Reporting Engine, Malware Analytics, and
NetWitness Endpoint and enabled only in Event Stream Analysis. So when you install the
Respond Server service you need to enable this option in the Reporting Engine, Malware
Analytics, and NetWitness Endpoint to populate the corresponding alerts in the Respond view.

Prerequisites
Ensure that:
• The Respond Server service is installed and running on NetWitness Suite.
• NetWitness Endpoint is installed and running. This is necessary only if you want to configure NetWitness Endpoint as an alert source in the Respond view.

Configure Reporting Engine to Display Alerts Triggered by Reporting Engine in Respond View
The Reporting Engine alerts are by default disabled from being displayed in Respond view. To
display and view the Reporting Engine alerts, you have to enable the NetWitness Respond alerts
in the Services Config view > General tab for the Reporting Engine.

1. Go to ADMIN > Services, select a Reporting Engine service, and then select
> View > Config.
The Services Config view is displayed with the Reporting Engine General tab open.

2. Select System Configuration.

3. Select the checkbox for Forward Alerts to Respond.


The Reporting Engine now forwards the alerts to NetWitness Respond.
For details on parameters in the General tab, see the "Reporting Engine General Tab" topic in
the Reporting Engine Configuration Guide.

Configure Malware Analytics to View Alerts Triggered by Malware Analytics in Respond View
Viewing NetWitness Respond alerts is a function of auditing in Malware Analysis. The
procedure of enabling NetWitness Respond alerts is described in the "(Optional) Configure
Auditing on Malware Analysis Host" topic in the Malware Analysis Configuration Guide.


Configure NetWitness Endpoint to View Alerts Triggered by NetWitness Endpoint in Respond View
This procedure is required to integrate NetWitness Endpoint with NetWitness Suite so that the
NetWitness Endpoint alerts are picked up by the NetWitness Respond component of NetWitness
Suite and displayed in the RESPOND > Alerts view.

Note: RSA supports NetWitness Endpoint versions 4.3.0.4, 4.3.0.5, or later for NetWitness
Respond integration. For more detailed information, see the "RSA NetWitness Suite
Integration" topic in the NetWitness Endpoint User Guide.

The diagram below represents the flow of NetWitness Endpoint alerts to the NetWitness Suite
Respond Server service and its display in the RESPOND > Alerts view.

Configure NetWitness Endpoint to Display NetWitness Endpoint Alerts

To configure NetWitness Endpoint to display NetWitness Endpoint alerts in the NetWitness Suite user interface:
1. In the NetWitness Endpoint user interface, click Configure > Monitoring and External
Components.


The External Components Configuration dialog is displayed.

2. From the components listed, select Incident Message Broker and click + to add a new IM
broker.

3. Enter the following fields:


a. Instance Name: Enter a unique name to identify the IM broker.

b. Server Hostname/IP address: Enter the Host DNS or IP address of the IM broker
(NetWitness Server).

c. Port number: The default port is 5671.

4. Click Save.

5. Navigate to the ConsoleServer.exe.Config file in C:\Program Files\RSA\ECAT\Server.

6. Modify the virtual host configurations in the file as follows:


<add key="IMVirtualHost" value="/rsa/system" />

Note: In NetWitness Suite 11.0, the virtual host is “/rsa/system”. For version 10.6.x and
below, the virtual host is “/rsa/sa”.

7. Restart the API Server and Console Server.

8. To set up SSL for Respond Alerts, perform the following steps on the NetWitness Endpoint
primary console server to set the SSL communications:

a. Export the NetWitness Endpoint CA certificate to .CER format (Base-64 encoded X.509)
from the personal certificate store of the local computer (without selecting the private
key).

b. Generate a client certificate for NetWitness Endpoint using the NetWitness Endpoint CA
certificate. (You MUST set the CN name to ecat.)
makecert -pe -n "CN=ecat" -len 2048 -ss my -sr LocalMachine -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.2 -in "NWECA" -is MY -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -cy end -sy 12 client.cer


Note: In the above code sample, if you upgraded to Endpoint version 4.3 from a
previous version and did not generate new certificates, you should substitute "EcatCA"
for "NWECA".

c. Make a note of the thumbprint of the client certificate generated in step b. Enter the
thumbprint value of the client certificate in the
IMBrokerClientCertificateThumbprint section of the ConsoleServer.Exe.Config file as
shown.
<add key="IMBrokerClientCertificateThumbprint" value="896df0efacf0c976d955d5300ba0073383c83abc"/>

9. On the NetWitness Server, copy the NetWitness Endpoint CA certificate file in .CER format
into the import folder:
/etc/pki/nw/trust/import

10. Issue the following command to initiate the necessary Chef run:
orchestration-cli-client --update-admin-node
This appends all of those certificates into the truststore.

11. Restart the RabbitMQ server:


systemctl restart rabbitmq-server
The NetWitness Endpoint account should automatically be available on RabbitMQ.

12. Import the /etc/pki/nw/ca/nwca-cert.pem and /etc/pki/nw/ca/ssca-cert.pem files from the NetWitness Server and add them to the Trusted Root Certification stores in the Endpoint Server.
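Steps 6 and 8c edit ConsoleServer.exe.Config by hand, so it is worth checking the two values before restarting the API Server and Console Server in step 7. The following Python script is an added example, not part of RSA's product or of this guide. It reads the config with the standard library, checks that IMVirtualHost matches the NetWitness Suite version (using the mapping stated in the note under step 6), and checks that IMBrokerClientCertificateThumbprint equals the SHA-1 of the DER bytes inside the Base-64 .CER export, which is the value Windows displays as the certificate thumbprint. The config fragment and the certificate bytes are constructed stand-ins (the "certificate" is only three bytes, not a real X.509 structure); in use, the contents of the exported .CER file and the real ConsoleServer.exe.Config replace SAMPLE_CER and SAMPLE_CONFIG.

```python
"""Consistency check for the IM broker settings in ConsoleServer.exe.Config (added example)."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

# Constructed config fragment containing the two keys this guide edits.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="IMVirtualHost" value="/rsa/sa" />
    <add key="IMBrokerClientCertificateThumbprint" value="896df0efacf0c976d955d5300ba0073383c83abc"/>
  </appSettings>
</configuration>
"""

# Constructed stand-in for a Base-64 encoded .CER export; a real certificate is far longer.
SAMPLE_CER = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

# Virtual host per NetWitness Suite version, from the note under step 6 of the guide.
EXPECTED_VHOST = {"11.x": "/rsa/system", "10.6.x": "/rsa/sa"}


def app_settings(config_xml: str) -> dict:
    """Return {key: value} for every <add key=... value=...> element in the config."""
    root = ET.fromstring(config_xml)
    return {el.get("key"): el.get("value") for el in root.iter("add") if el.get("key")}


def thumbprint_of_cer(pem_text: str) -> str:
    """Certificate thumbprint: SHA-1 over the DER bytes inside the Base-64 .CER file."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem_text)
    der = base64.b64decode("".join(body.split()))
    return hashlib.sha1(der).hexdigest()


def normalize_thumbprint(value: str) -> str:
    """Windows shows thumbprints in upper case with spaces; compare in one canonical form."""
    return re.sub(r"[^0-9a-f]", "", value.lower())


def check_endpoint_config(config_xml: str, cer_pem: str, suite_version: str = "11.x") -> list:
    """Return the problems found; an empty list means the two settings are consistent."""
    settings = app_settings(config_xml)
    problems = []
    vhost = settings.get("IMVirtualHost")
    if vhost != EXPECTED_VHOST[suite_version]:
        problems.append(f"IMVirtualHost is {vhost!r}; expected {EXPECTED_VHOST[suite_version]!r} for {suite_version}")
    configured = settings.get("IMBrokerClientCertificateThumbprint", "")
    actual = thumbprint_of_cer(cer_pem)
    if normalize_thumbprint(configured) != actual:
        problems.append(f"thumbprint mismatch: config has {configured!r}, certificate is {actual}")
    return problems


if __name__ == "__main__":
    for problem in check_endpoint_config(SAMPLE_CONFIG, SAMPLE_CER):
        print("PROBLEM:", problem)
```

Run against the constructed sample it reports both problems: the virtual host is the 10.6.x value, and the configured thumbprint does not match the stand-in certificate. Because the comparison is done on a normalized form, a thumbprint pasted from the Windows certificate dialog (upper case, space separated) is accepted as equivalent to the lower-case form the guide shows.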


Step 2. Assign Respond View Permissions


Add users with the required permissions to investigate incidents and alerts in NetWitness
Respond. Users with access to the Respond view need both Incidents and Respond-server
permissions. Users with access to configure Respond notification settings need additional
Integration-server permissions.
The following pre-configured roles have permissions in the Respond view:
• Analysts: The Security Operations Center (SOC) Analysts have access to Alerting, NetWitness Respond, Investigation, and Reporting, but not system configurations.
• Malware Analysts: Malware Analysts have access to investigations and malware events.
• Operators: Operators have access to configurations, but not Investigation, ESA, Alerting, Reporting and NetWitness Respond.
• SOC_Managers: The SOC Managers have the same access as Analysts plus additional permissions to handle incidents and configure NetWitness Respond.
• Data_Privacy_Officers: Data Privacy Officers (DPOs) are like Administrators with additional focus on configuration options that manage obfuscation and viewing of sensitive data within the system. See Data Privacy Management for additional information.
• Respond_Administrator: The Respond Administrator has full access to NetWitness Respond.
• Administrators: the Administrator has full system access to NetWitness Suite and has all permissions by default.

The NetWitness Respond default permissions are shown in the following tables. You need to
assign user permissions from both the Incidents and Respond-server tabs, which are the
Permissions tab names in the ADMIN > Security view Add or Edit Roles dialogs. You may
want to add additional user permissions for Alerting, Context Hub, Investigate, Investigate-
server, and Reports.

Caution: It is very important that you assign equivalent user permissions from BOTH the
Respond-server tab AND the Incidents tab.

Users who configure Respond notification settings also need permissions in the Integration-
server tab.


Respond-server

| Permissions | Analysts | SOC Mgrs | DPOs | Respond Admin | Operators | MAs |
|---|---|---|---|---|---|---|
| respond-server.alert.delete | | | Yes* | Yes* | | |
| respond-server.alert.manage | Yes | Yes | Yes* | Yes* | | Yes |
| respond-server.alert.read | Yes | Yes | Yes* | Yes* | | Yes |
| respond-server.alertrule.manage | | Yes | Yes* | Yes* | | |
| respond-server.alertrule.read | | Yes | Yes* | Yes* | | |
| respond-server.configuration.manage | | | Yes* | Yes* | | |
| respond-server.health.read | | | Yes* | Yes* | | |
| respond-server.incident.delete | | | Yes* | Yes* | | |
| respond-server.incident.manage | Yes | Yes | Yes* | Yes* | | Yes |
| respond-server.incident.read | Yes | Yes | Yes* | Yes* | | Yes |
| respond-server.journal.manage | Yes | Yes | Yes* | Yes* | | Yes |
| respond-server.journal.read | Yes | Yes | Yes* | Yes* | | Yes |
| respond-server.logs.manage | | | Yes* | Yes* | | |
| respond-server.metrics.read | | | Yes* | Yes* | | |
| respond-server.notification.manage (Available in 11.1 and later) | | Yes | Yes* | Yes* | | |
| respond-server.notification.read (Available in 11.1 and later) | | Yes | Yes* | Yes* | | |
| respond-server.process.manage | | | Yes* | Yes* | | |
| respond-server.remediation.manage | Yes | Yes | Yes* | Yes* | | Yes |
| respond-server.remediation.read | Yes | Yes | Yes* | Yes* | | Yes |
| respond-server.security.manage | | | Yes* | Yes* | | |
| respond-server.security.read | | | Yes* | Yes* | | |

* Data Privacy Officers and Respond Administrators have the respond-server.* permission, which gives them all of the Respond-server permissions.

Incidents

| Permissions | Analysts | SOC Mgrs | DPOs | Respond Admin | Operators | MAs |
|---|---|---|---|---|---|---|
| Access Incident Module | Yes | Yes | Yes | Yes | | Yes |
| Configure Incident Management Integration | | Yes | Yes | Yes | | |
| Delete Alerts and Incidents | | | Yes | Yes | | |
| Manage Alert Handling Rules | | Yes | Yes | Yes | | |
| View and Manage Incidents | Yes | Yes | Yes | Yes | | Yes |

The Respond Administrator has all of the Respond-server and Incidents permissions.


Integration-server
(The Integration-server permissions are available in NetWitness Suite version 11.1 and later.)
Users who configure Respond Notifications also need Integration-server permissions. The
following table lists the Respond Notification setting permissions in the Integration-server tab
assigned to each role.

| Permissions | Analysts | SOC Mgrs | DPOs | Respond Admin | Operators | MAs |
|---|---|---|---|---|---|---|
| integration-server.notification.read | | Yes | Yes | Yes | | |
| integration-server.notification.manage | | Yes | Yes | Yes | | |

Respond Notification Settings Permissions

(The Respond notification setting permissions are available in NetWitness Suite version 11.1 and
later.)

Note: If you are updating from NetWitness Suite version 11.0 to 11.1, you will need to add
additional permissions to your existing built-in NetWitness Suite user roles. For all upgrades to
11.1, you will need to add additional permissions to custom roles.

The following permissions are required for Respond Administrators, Data Privacy Officers, and
SOC Managers to access Respond Notification Settings (CONFIGURE > Respond
Notifications).
Incidents tab:
• Configure Incident Management Integration

Respond-server tab:
• respond-server.notification.manage
• respond-server.notification.read

Integration-server tab:
• integration-server.notification.read
• integration-server.notification.manage


Respond Role Permission Examples


The following figure shows Respond-server permissions for the default Respond Administrator
role. The Respond Administrator role contains all of the NetWitness Respond permissions.

The following figure shows the Incidents permissions for the default Analysts role:

For more information, see "Role Permissions" and "Manage Users with Roles and Permissions"
in the System Security and User Management guide.


Step 3. Enable and Create Incident Rules for Alerts


NetWitness Respond incident rules contain various criteria to automate the process of creating
incidents from alerts. Alerts that meet the rule criteria are grouped together to form an incident.
Analysts use these incidents to locate indicators of compromise. Instead of creating an incident
for a particular set of alerts and adding the alerts to that incident manually, you can save time by
using incident rules to create incidents from alerts for you.
NetWitness Suite provides predefined incident rules that you can use and you can also create
your own rules based on your business requirements.
To create incidents automatically, you need to enable at least one incident rule.
When you have two or more incident rules enabled, the order of the rules becomes very
important. The highest priority rules are at the top of the Incident Rules List. The highest priority
rule has the number 1 in the Order field. The next highest priority rule is number 2 in the Order
field, and so on. Alerts can only be part of one incident. If an alert matches more than one rule
in the Incident Rule list, it is only evaluated using the highest priority rule that it matches.
NetWitness Suite has 12 predefined incident rules that you can use. To set up your incident
rules, you can do any of the following:
• Enable predefined incident rules
• Add new rules
• Clone rules
• Edit existing rules

The User Behavior default incident rule is available in NetWitness Suite 11.1 and later. It
captures network user behavior and uses deployed RSA Live ESA Rules to create incidents
from alerts. You can select and deploy the RSA Live ESA Rules that you want to monitor. For
more information, see Deploy the RSA Live ESA Rules.
Some predefined (default) incident rules changed slightly in 11.1. To verify your existing default
incident rules with the 11.1 default incident rules, see Set Up and Verify Default Incident Rules.

Enable an Incident Rule


To create incidents automatically, you need to enable at least one incident rule. Predefined
(default) incident rules or rules that you create must be enabled before they start creating
incidents.
1. Go to CONFIGURE > Incident Rules.
The Incident Rules List view is displayed. The example below shows the 12 default incident
rules.


2. Click the link in the Name column for the rule that you want to enable.
The Incident Rule Details view is displayed for the selected rule.

3. Adjust the parameters and conditions of your rule as required. For details about various
parameters that can be set as criteria for an incident rule, see Incident Rule Details View.

4. In the Basic Settings section, select Enabled.


5. Click Save to enable the rule.


Notice that the Enabled column changes from a red square (Disabled) to green triangle
(Enabled).

6. Verify the order of your incident rules.

Create an Incident Rule

1. Go to CONFIGURE > Incident Rules.


The Incident Rules List view is displayed.

2. To add a new rule, click Create Rule.


The Incident Rule Details view is displayed.

3. Enter the parameters and conditions of your rule. All rules need to have at least one
condition. For details about various parameters that can be set as criteria for an incident rule,
see Incident Rule Details View.

The following figure shows a rule example.


4. If you are ready to enable your rule, in the Basic Settings section, select Enabled.

5. Click Save.
The rule appears in the Incidents Rules list. If you selected Enabled, the rule will be enabled
and it starts creating incidents depending on the incoming alerts that are matched as per the
criteria selected.

6. Verify the order of your incident rules.


Verify the Order of your Incident Rules

To change the order of the rules, use the drag pads ( ) in front of the rules to move them up
and down in the list.
The rule order determines which rule takes effect if the criteria for multiple rules match the
same alert. If two rules match an alert, only the rule with the highest priority is evaluated.
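The ordering semantics stated in Step 3 and repeated here (an alert is evaluated only against the highest-priority rule it matches, it belongs to at most one incident, and matching alerts are grouped by the Group By value within the Time Window) can be made concrete with a small model. The following Python is an added example, not RSA's implementation of the Respond Server. The two sample rules are shaped after the default incident rule tables later in this guide: a single All-of-these group for Suspected C&C (grouped by domain over 7 days) and the two-group All/Any layout of the User Behavior rule (grouped by Destination User Account over 1 hour), with the assumption that every group of a rule must match. Only the "is equal to" operator is modeled. The alert records, the three alert names in the Any-of-these group, the domain bad.example and the user names are constructed; the ${ruleName} and ${groupByValue1} title placeholders are the ones this guide uses.

```python
"""Model of how ordered incident rules turn alerts into incidents (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from string import Template


@dataclass
class Condition:
    key: str      # alert field, e.g. "Source" or "Alert Name"
    op: str       # only "is equal to" is modeled
    value: str

    def matches(self, alert: dict) -> bool:
        if self.op != "is equal to":
            raise ValueError(f"unsupported operator: {self.op!r}")
        return str(alert.get(self.key, "")) == self.value


@dataclass
class Group:
    mode: str     # "All of these" or "Any of these"
    conditions: list

    def matches(self, alert: dict) -> bool:
        hits = [c.matches(alert) for c in self.conditions]
        return all(hits) if self.mode == "All of these" else any(hits)


@dataclass
class IncidentRule:
    name: str
    groups: list             # assumption: every group must match for the rule to match
    group_by: str            # alert field whose value becomes ${groupByValue1}
    time_window: timedelta
    title: str = "${ruleName} for ${groupByValue1}"
    enabled: bool = True

    def matches(self, alert: dict) -> bool:
        # A rule with no conditions never matches ("all rules need at least one condition").
        return self.enabled and bool(self.groups) and all(g.matches(alert) for g in self.groups)


@dataclass
class Incident:
    rule: str
    key: str
    title: str
    opened: datetime
    alerts: list = field(default_factory=list)


def aggregate(rules: list, alerts: list) -> list:
    """Evaluate alerts (oldest first) against rules in priority order; return the incidents."""
    incidents = []
    for alert in sorted(alerts, key=lambda a: a["time"]):
        # Only the first (highest-priority) matching rule is used; lower rules never see the alert.
        rule = next((r for r in rules if r.matches(alert)), None)
        if rule is None:
            continue
        key = str(alert.get(rule.group_by, ""))
        # Join an incident this rule already opened for the same key if the alert is inside the window.
        target = next((i for i in incidents if i.rule == rule.name and i.key == key
                       and alert["time"] - i.opened <= rule.time_window), None)
        if target is None:
            title = Template(rule.title).safe_substitute(ruleName=rule.name, groupByValue1=key)
            target = Incident(rule.name, key, title, alert["time"])
            incidents.append(target)
        target.alerts.append(alert["id"])    # an alert ends up in exactly one incident
    return incidents


def summarize(incidents: list) -> list:
    """(title, [alert ids]) per incident, in creation order."""
    return [(i.title, list(i.alerts)) for i in incidents]


ESA = "Event Stream Analysis"

# Constructed rules in priority order (Order 1 first).
RULES = [
    IncidentRule("Suspected C&C",
                 [Group("All of these", [Condition("Source", "is equal to", ESA),
                                         Condition("Alert Rule Id", "is equal to", "Suspected C&C")])],
                 "Domain for Suspected C&C", timedelta(days=7), "Suspected C&C with ${groupByValue1}"),
    IncidentRule("User Behavior",
                 [Group("All of these", [Condition("Source", "is equal to", ESA)]),
                  Group("Any of these", [Condition("Alert Name", "is equal to", "Direct Login to an Administrative Account"),
                                         Condition("Alert Name", "is equal to", "Privilege Escalation Detected"),
                                         Condition("Alert Name", "is equal to", "DNS Tunneling")])],
                 "Destination User Account", timedelta(hours=1)),
]

# Constructed alerts; a7 matches both rules, so the rule order decides where it goes.
T0 = datetime(2018, 9, 1, 12, 0)


def alert(aid: str, minutes: int, fields: dict, source: str = ESA) -> dict:
    return {"id": aid, "time": T0 + timedelta(minutes=minutes), "Source": source, **fields}


CC = {"Alert Rule Id": "Suspected C&C", "Domain for Suspected C&C": "bad.example"}
ALERTS = [
    alert("a1", 0, {**CC, "Alert Name": "Suspected C&C", "Destination User Account": "alice"}),
    alert("a2", 0, {"Alert Name": "Direct Login to an Administrative Account", "Destination User Account": "bob"}),
    alert("a3", 30, {"Alert Name": "Privilege Escalation Detected", "Destination User Account": "bob"}),
    alert("a4", 60, CC),
    alert("a5", 90, {"Alert Name": "DNS Tunneling", "Destination User Account": "bob"}, source="Reporting Engine"),
    alert("a6", 120, {"Alert Name": "Privilege Escalation Detected", "Destination User Account": "bob"}),
    alert("a7", 120, {**CC, "Alert Name": "DNS Tunneling", "Destination User Account": "alice"}),
]

if __name__ == "__main__":
    for title, ids in summarize(aggregate(RULES, ALERTS)):
        print(f"{title}: {ids}")
```

With the rules in this order, a7 is claimed by Suspected C&C and joins the bad.example incident; a5 matches nothing because its source is the Reporting Engine; a6 opens a second "User Behavior for bob" incident because it arrives two hours after a2, outside the 1 Hour window. Reversing the two rules moves a7 into a new "User Behavior for alice" incident instead, which is exactly why the order of enabled rules in the Incident Rules List matters.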

Clone an Incident Rule


It is often easier to duplicate an existing rule that is similar to a rule that you want to create and
adjust it accordingly.
1. Go to CONFIGURE > Incident Rules.
The Incident Rules List view is displayed.

2. Select the rule that you would like to copy and click Clone.

3. Adjust the parameters and conditions of your rule as required. All rules need to have at least
one condition.

4. If you are ready to enable your rule, in the Basic Settings section, select Enabled.

5. Click Save to update the rule.

6. Verify the order of your incident rules.

Edit an Incident Rule

1. Go to CONFIGURE > Incident Rules and click the link in the Name column for the rule
that you want to update.
The Incident Rule Details view is displayed.

2. Adjust the parameters and conditions of your rule as required. All rules need to have at least
one condition.

3. If you are ready to enable your rule, in the Basic Settings section, select Enabled.

4. Click Save to update the rule.

5. Verify the order of your incident rules.


See Also:
• For details about various parameters that can be set as criteria for an incident rule, see Incident Rule Details View.
• For details on the parameter and field descriptions in the Incident Rules List view, see Incident Rules List View.


Additional Procedures for Respond Configuration


Use this section when you are looking for instructions to perform a specific task after the initial
setup of NetWitness Respond.
• Set Up and Verify Default Incident Rules
• Configure Respond Email Notification Settings
• Set a Retention Period for Alerts and Incidents
• Obfuscate Private Data
• Manage Incidents in NetWitness SecOps Manager
• Set Counter for Matched Alerts and Incidents
• Configure a Database for the Respond Server Service


Set Up and Verify Default Incident Rules


The User Behavior incident rule, which captures network user behavior, was introduced in
NetWitness Suite 11.1. This rule uses deployed RSA Live ESA Rules to create incidents from
alerts. You can select and deploy the RSA Live ESA Rules that you want to monitor.
The following default incident rules changed slightly in 11.1 and now have Source IP Address
as the Group By value:
• High Risk Alerts: Reporting Engine
• High Risk Alerts: Malware Analysis
• High Risk Alerts: NetWitness Endpoint
• High Risk Alerts: ESA

To verify your existing default incident rules with the 11.1 default incident rules, look at the
default incident rule tables following these procedures.

Set up the User Behavior Incident Rule


In order to use the default User Behavior incident rule, you need to deploy the RSA Live ESA
Rules that you want to monitor from those listed in the User Behavior incident rule conditions.
Complete the following procedures to start aggregating alerts for the User Behavior default
incident rule:
• Deploy the RSA Live ESA Rules
• Adjust and enable the User Behavior default rule (or create it if you do not have it)


Deploy the RSA Live ESA Rules

1. Go to CONFIGURE > Live Content.

2. In the Resource Types field, select Event Stream Analysis Rule and click Search.

3. In the Matching Resources list, select the ESA Rules from the following User Behavior
table that you are interested in monitoring and deploy them (click Deploy).

4. Go to CONFIGURE > ESA Rules > Rules tab, and in the Rule Library Filter drop-down
list, select RSA Live ESA Rule.

5. To add a new Deployment, in the drop-down list near DEPLOYMENTS, click Add.

a. In the ESA Service section, add and then select your ESA service.

b. In the ESA Rules section, click and in the Deploy ESA Rules dialog, select the ESA
Rules that you selected from the User Behavior table, and then click Save.
The selected ESA rules are listed with a status of Added.

6. Select the ESA rules that you added from the previous step, and click Deploy Now.
The status of the selected ESA rules changes to Deployed.

7. Go to CONFIGURE > ESA Rules > Services tab.


In the Deployed Rule Stats for your ESA service, the rules that you added should have a
status of enabled, which is indicated by a green circle in the Enable column.

Adjust and Enable the User Behavior Default Rule (or Create it if you do not have it)

If you have the User Behavior default rule, you can adjust it for your environment and enable it.
If you do not have the User Behavior default rule, you can create it manually.

(Optional) To create the User Behavior default rule:


1. Go to CONFIGURE > Incident Rules.
The Incident Rules List view is displayed.


2. Click Create Rule and in the Incident Rule Details view, create the User Behavior default
incident rule using the values in the User Behavior table following this procedure. Values not
listed in the table should be set for your business requirements. For details about various
parameters that can be set as criteria for an incident rule, see Incident Rule Details View.

The following figure shows a portion of the User Behavior default rule details. Notice that there are two groups in this rule.

3. If you are ready to enable your rule, in the Basic Settings section, select Enabled.

4. Click Save.
The rule appears in the Incidents Rules list. If you selected Enabled, the rule will be enabled
and it starts creating incidents depending on the incoming alerts that are matched as per the
rule criteria.

5. Verify the order of your incident rules. For more information, see Verify the Order of your
Incident Rules .


User Behavior

The following table shows the values for the User Behavior default incident rule.

| Field | Condition Field | Condition Operator | Value |
|---|---|---|---|
| Name | | | User Behavior |
| Description | | | This incident rule captures network user behavior. |
| 1st Group | | | All of these |
| Condition | Source | is equal to | Event Stream Analysis |
| 2nd Group | | | Any of these |
| Conditions | Alert Name | is equal to | Account Added to Administrators Group and Removed |
| | Alert Name | is equal to | Account Removals From Protected Groups on Domain Controller |
| | Alert Name | is equal to | Detects Router Configuration Attempts |
| | Alert Name | is equal to | Direct Login By A Guest Account |
| | Alert Name | is equal to | Direct Login to an Administrative Account |
| | Alert Name | is equal to | Failed Logins Followed By Successful Login Password Change |
| | Alert Name | is equal to | Insider Threat Mass Audit Clearing |
| | Alert Name | is equal to | Internal Data Posting to 3rd Party Sites |
| | Alert Name | is equal to | kbrtgt Account Modified on Domain controller |
| | Alert Name | is equal to | Lateral Movement Suspected Windows |
| | Alert Name | is equal to | Logins across Multiple Servers |
| | Alert Name | is equal to | Logins by Same User to Multiple Servers |
| | Alert Name | is equal to | Malicious Account Creation Followed by Failed Authorization |
| | Alert Name | is equal to | Multiple Account Lockouts From Same or Different Users |
| | Alert Name | is equal to | Multiple Failed Logins Followed By a Successful Login |
| | Alert Name | is equal to | Multiple Failed Logins from Same User Originating from Different Countries |
| | Alert Name | is equal to | Multiple Failed Privilege Escalations by Same User |
| | Alert Name | is equal to | Multiple Intrusion Scan Events from Same User to Unique Destinations |
| | Alert Name | is equal to | Multiple Login Failures by Administrators to Domain Controller |
| | Alert Name | is equal to | Multiple Login Failures by Guest to Domain Controller |
| | Alert Name | is equal to | Multiple Failed Logons from Same Source IP with Unique Usernames |
| | Alert Name | is equal to | Multiple Successful Logins from Multiple Diff Src to Diff Dest |
| | Alert Name | is equal to | Multiple Successful Logins from Multiple Diff Src to Same Dest |
| | Alert Name | is equal to | Privilege Escalation Detected |
| | Alert Name | is equal to | Privilege Escalation Detected in Unix |
| | Alert Name | is equal to | Privilege User Account Password Change |
| | Alert Name | is equal to | Failed Logins Outside Business Hours |
| | Alert Name | is equal to | DNS Tunneling |
| | Alert Name | is equal to | User Login Baseline |
| Group By | | | Destination User Account |
| Time Window | | | 1 Hour |
| Title | | | ${ruleName} for ${groupByValue1} |


Set up or Verify a Default Incident Rule

1. Go to CONFIGURE > Incident Rules.


The Incident Rules List view is displayed.

2. Click the link in the Name field of a default incident rule to view the Incident Rule Details
view. Set up or verify the default incident rule using the values in the default incident rules
tables in this topic. Values not listed in the tables should be set for your business
requirements. For details about various parameters that can be set as criteria for an incident
rule, see Incident Rule Details View.

3. When you are ready to enable your rule, in the Basic Settings section, select Enabled.

4. Click Save.

5. Verify the order of your incident rules. For more information, see Verify the Order of your
Incident Rules.

Suspected Command & Control Communication By Domain

The following table shows the values for the Command & Control Communication By Domain
default incident rule.

Field          Condition Field   Condition Operator   Value

Name           Command & Control Communication By Domain
Description    This incident rule captures suspected communication with a Command & Control
               server and groups results by domain.
Group          All of these
Conditions     Source            is equal to          Event Stream Analysis
               Alert Rule Id     is equal to          Suspected C&C
Group By       Domain for Suspected C&C
Time Window    7 Days
Title          Suspected C&C with ${groupByValue1}
Summary        NetWitness Suite detected communications with ${groupByValue1} that may be
               command and control malware.
               1. Evaluate if the domain is legitimate (online radio, news feed, partner,
                  automated testing, etc.).
               2. Review the domain registration for suspect information (Registrant country,
                  registrar, no registration data found, etc.).
               3. If the domain is suspect, go to the Investigation module to locate other
                  activity to or from it.

High Risk Alerts: Malware Analysis

The following table shows the values for the High Risk Alerts: Malware Analysis default
incident rule.

Field          Condition Field   Condition Operator          Value

Name           High Risk Alerts: Malware Analysis
Description    This incident rule captures alerts generated by the RSA Malware Analysis
               platform as having a Risk Score of "High" or "Critical".
Group          All of these
Conditions     Source            is equal to                 Malware Analysis
               Risk Score        is equal or greater than    50
Group By       Source IP Address
Time Window    1 Hour
Title          ${ruleName} for ${groupByValue1}

High Risk Alerts: NetWitness Endpoint

The following table shows the values for the High Risk Alerts: NetWitness Endpoint default
incident rule.

Field          Condition Field   Condition Operator          Value

Name           High Risk Alerts: NetWitness Endpoint
Description    This incident rule captures alerts generated by the RSA NetWitness Endpoint
               platform as having a Risk Score of "High" or "Critical".
Group          All of these
Conditions     Source            is equal to                 NetWitness Endpoint
               Risk Score        is equal or greater than    50
Group By       Source IP Address
Time Window    1 Hour
Title          ${ruleName} for ${groupByValue1}

High Risk Alerts: Reporting Engine

The following table shows the values for the High Risk Alerts: Reporting Engine default incident
rule.

Field          Condition Field   Condition Operator          Value

Name           High Risk Alerts: Reporting Engine
Description    This incident rule captures alerts generated by the RSA Reporting Engine as
               having a Risk Score of "High" or "Critical".
Group          All of these
Conditions     Source            is equal to                 Reporting Engine
               Risk Score        is equal or greater than    50
Group By       Source IP Address
Time Window    1 Hour
Title          ${ruleName} for ${groupByValue1}

High Risk Alerts: ESA

The following table shows the values for the High Risk Alerts: ESA default incident rule.

Field          Condition Field   Condition Operator          Value

Name           High Risk Alerts: ESA
Description    This incident rule captures alerts generated by the RSA ESA platform as having
               a Risk Score of "High" or "Critical".
Group          All of these
Conditions     Source            is equal to                 Event Stream Analysis
               Risk Score        is equal or greater than    50
Group By       Source IP Address
Time Window    1 Hour
Title          ${ruleName} for ${groupByValue1}

IP Watch List: Activity Detected

The following table shows the values for the IP Watch List: Activity Detected default incident
rule.

Field          Condition Field          Condition Operator   Value

Name           IP Watch List: Activity Detected
Description    This incident rule captures alerts generated by IP addresses that have been
               added as "Source IP Address" *and* "Destination IP Address" conditions of the
               rule. To add additional IP addresses to the watch list, simply add a new Source
               and Destination IP Address conditional pair.
Group          Any of these
Conditions     Source IP Address        is equal to          1.1.1.1
               Destination IP Address   is equal to          1.1.1.1
               Source IP Address        is equal to          2.2.2.2
               Destination IP Address   is equal to          2.2.2.2
Group By       Source IP Address
Time Window    4 Hours
Title          ${ruleName}

User Watch List: Activity Detected

The following table shows the values for the User Watch List: Activity Detected default
incident rule.

Field          Condition Field   Condition Operator   Value

Name           User Watch List: Activity Detected
Description    This incident rule captures alerts generated by network users whose user names
               have been added as a "Source UserName" condition. To add more than one Username
               to the watch list, simply add an additional Source Username condition.
Group          Any of these
Conditions     Source Username   is equal to          jsmith
               Source Username   is equal to          jdoe
Group By       Source Username
Time Window    4 Hours
Title          ${ruleName}

Suspicious Activity Detected: Windows Worm Propagation

The following table shows the values for the Suspicious Activity Detected: Windows Worm
Propagation default incident rule.

Field          Condition Field   Condition Operator   Value

Name           Suspicious Activity Detected: Windows Worm Propagation
Description    This incident rule captures alerts that are indicative of worm propagation
               activity on a Microsoft network
1st Group      All of these
Condition      Source            is equal to          Event Stream Analysis
2nd Group      Any of these
Conditions     Alert Name        is equal to          Windows Worm Activity Detected Logs
               Alert Name        is equal to          Windows Worm Activity Detected Logs
Group By       Source IP Address
Time Window    1 Hour
Title          ${ruleName}


Suspicious Activity Detected: Reconnaissance

The following table shows the values for the Suspicious Activity Detected: Reconnaissance
default incident rule.

Field          Condition Field   Condition Operator   Value

Name           Suspicious Activity Detected: Reconnaissance
Description    This incident rule captures alerts that identify common ICMP host identification
               techniques (i.e. "ping") accompanied by connection attempts to multiple service
               ports on a host
1st Group      All of these
Condition      Source            is equal to          Event Stream Analysis
2nd Group      Any of these
Conditions     Alert Name        is equal to          Port Scan Horizontal Packet
               Alert Name        is equal to          Port Scan Vertical Packet
               Alert Name        is equal to          Port Scan Horizontal Log
               Alert Name        is equal to          Port Scan Vertical Log
Group By       Source IP Address
Time Window    4 Hours
Title          ${ruleName}


Monitoring Failure: Device Not Reporting

The following table shows the values for the Monitoring Failure: Device Not Reporting default
incident rule.

Field          Condition Field   Condition Operator   Value

Name           Monitoring Failure: Device Not Reporting
Description    This incident rule captures any instance of an alert designed to detect the
               absence of log traffic from a previously reporting device
Group          All of these
Conditions     Source            is equal to          Event Stream Analysis
               Alert Name        is equal to          No logs traffic from device in given time frame
Group By       Source IP Address
Time Window    2 Hours
Title          ${ruleName}

Web Threat Detection

The following table shows the values for the Web Threat Detection default incident rule.

Field          Condition Field   Condition Operator   Value

Name           Web Threat Detection
Description    This incident rule captures alerts generated by the RSA Web Threat Detection
               platform.
Group          All of these
Condition      Source            is equal to          Web Threat Detection
Group By       Alert Rule Id
Time Window    1 Hour
Title          ${ruleName} for ${groupByValue1}


Configure Respond Email Notification Settings


NetWitness Respond notification settings enable email notifications to be sent to SOC Managers
and the Analyst assigned to an incident when an incident is created or updated.
1. Go to CONFIGURE > Respond Notifications.
The Respond Notifications Settings view is displayed.

2. In the Email Server section, select the email server from the drop-down list that will send
out email notifications when the notification settings are enabled.
If there is no email server configured, you will not see an email server listed in the drop-
down list. You have to configure an email server before you can continue with this
procedure. To configure an email server, click the Email Server Settings link. For more
information, click the help icon or refer to the System Configuration Guide.

3. In the SOC Manager Email Addresses section, add the email addresses of the SOC
Managers that you want to receive email notifications. To add an SOC Manager email
address to the list, type it in the field that shows Enter an email address to add and click
Add. To remove an SOC Manager email address from the list, click next to the email
address to be removed.


4. In the Notification Types section, select who should receive an email notification when an
incident is created and when an incident is updated.

- Send to Assignee: An email is sent to the Analyst assigned to the incident.

- Send to SOC Manager: An email is sent to all of the addresses listed in the SOC
  Manager Email Addresses list.

5. Click Apply. Changes take effect immediately.

Note: If user email address information is updated in the ADMIN > Security > Users tab, it
can take up to two minutes for the new email changes to take effect. Any incident creation or
incident update email notifications sent during this time will go to the old email address.

Migration Considerations

Notification Settings do not migrate from NetWitness Suite version 10.6.x to 11.1. The Incident
Management Notification Settings in 10.6.x are different from the Respond notification settings
available in 11.1. You will need to manually update the Respond Notification Settings in version
11.1.
Notification Servers from 10.6.x will not display in the Email Server drop-down list. The email
servers settings must be added to the Global Notification Servers (ADMIN > System > Global
Notifications > Server tab).
Custom Incident Management notification templates cannot be migrated to 11.1. No custom
templates are supported in 11.1.


Set a Retention Period for Alerts and Incidents


Sometimes data privacy officers want to retain data for a certain period of time and then delete
it. A shorter retention period frees up disk space sooner. In some cases, the retention period
must be short. For example, laws in Europe state that sensitive data cannot be retained for more
than 30 days. After 30 days, the data must be obfuscated or deleted.
Setting a retention period for data is an optional procedure. The time that NetWitness Respond
receives alerts and creates an incident determine when retention begins. Retention periods range
from 30 to 365 days. If you set a retention period, one day after the period ends data is
permanently deleted.
Retention is based on the time that NetWitness Respond receives the alerts and the incident
creation time.

Caution: Data deleted after the retention period cannot be recovered.

When the retention period expires, the following data is permanently deleted:
- Alerts
- Incidents
- Tasks
- Journal entries

Logs track retention and manual deletion so you can see what has been deleted. You can view
Respond Server logs in the following locations:
- Respond Server Service log: /var/log/netwitness/respond-server/respond-server.log
- Respond Server Audit log: /var/log/netwitness/respond-server/respond-server.audit.log

The data retention period that you set here does not apply to Archer or other third-party SOC
tools. Alerts and incidents from other systems must be deleted separately.

Prerequisites
The Administrator role must be assigned to you.

Procedure

1. Go to ADMIN > Services, select the Respond Server service, and then select >
View > Explore.


2. In the Explore view node list, select respond/dataretention.

3. In the enabled field, select true to delete incidents and alerts older than the retention period.
The scheduler runs every 24 hours at 23:00.
You will see a notice that the configuration was successfully updated.

4. In the retention-period field, type the number of days to retain incidents and alerts. For
example, type 30 DAYS, 60 DAYS, 90 DAYS, 120 DAYS, 365 DAYS, or any number of
days.
You will see a notice that the configuration was successfully updated.

Result
Within 24 hours after the retention period ends, the scheduler permanently deletes all alerts and
incidents older than the specified period from NetWitness Respond. Journal entries and tasks
associated with the deleted incidents are also deleted.
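The retention behaviour described above, modelled as an added example (not NetWitness code): alerts age from the time Respond received them, incidents from their creation time, and an incident's tasks and journal entries are deleted with it. The 30 to 365 day range and the 23:00 daily scheduler come from this guide; the record shape and the sample data are constructed assumptions.

```javascript
// Added example (not NetWitness code): a model of the Respond retention rules.
// The 30-365 day range and the 23:00 scheduler come from the guide; the record
// shape is a constructed assumption.
const DAY_MS = 24 * 60 * 60 * 1000;

// Parse a retention-period value such as "30 DAYS" and enforce the documented range.
function parseRetentionDays(value) {
  const m = /^(\d+)\s*DAYS?$/i.exec(String(value).trim());
  if (!m) throw new Error(`invalid retention period: ${value}`);
  const days = Number(m[1]);
  if (days < 30 || days > 365) throw new Error(`retention period must be 30-365 days, got ${days}`);
  return days;
}

// Next scheduler run after `now`: 23:00 local time today, or tomorrow if 23:00 has passed.
function nextRunAt(now) {
  const run = new Date(now);
  run.setHours(23, 0, 0, 0);
  if (run <= now) run.setDate(run.getDate() + 1);
  return run;
}

// What a scheduler run at `runAt` would delete. Alerts are judged by the time
// Respond received them, incidents by their creation time; tasks and journal
// entries follow their incident. Returns ids only; this model reports, it does
// not touch a database.
function planPurge(store, retentionDays, runAt) {
  const cutoff = runAt.getTime() - retentionDays * DAY_MS;
  const alerts = store.alerts.filter(a => a.receivedAt.getTime() < cutoff).map(a => a.id);
  const incidents = store.incidents.filter(i => i.createdAt.getTime() < cutoff).map(i => i.id);
  const gone = new Set(incidents);
  const tasks = store.tasks.filter(t => gone.has(t.incidentId)).map(t => t.id);
  const journal = store.journal.filter(j => gone.has(j.incidentId)).map(j => j.id);
  return { cutoff: new Date(cutoff), alerts, incidents, tasks, journal };
}

// Constructed sample data: one alert and one incident from January, one of each from March.
const SAMPLE_STORE = {
  alerts: [
    { id: 'a1', receivedAt: new Date('2018-01-01T10:00:00Z') },
    { id: 'a2', receivedAt: new Date('2018-03-15T10:00:00Z') },
  ],
  incidents: [
    { id: 'i1', createdAt: new Date('2018-01-02T09:00:00Z') },
    { id: 'i2', createdAt: new Date('2018-03-15T11:00:00Z') },
  ],
  tasks: [{ id: 't1', incidentId: 'i1' }, { id: 't2', incidentId: 'i2' }],
  journal: [{ id: 'j1', incidentId: 'i1' }, { id: 'j2', incidentId: 'i2' }],
};

// With a 30 DAYS setting and a run on 2018-03-20, only the January records
// (and i1's task and journal entry) are deleted.
const plan = planPurge(SAMPLE_STORE, parseRetentionDays('30 DAYS'), new Date('2018-03-20T23:00:00Z'));
console.log(JSON.stringify(plan));
```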


Obfuscate Private Data


The Data Privacy Officer (DPO) role can identify meta keys that contain sensitive data and
should display obfuscated data. This topic explains how the administrator maps those meta
keys to display a hashed value instead of the actual value.
The following caveats apply to hashed meta values:
- NetWitness Suite supports two storage methods for hashed meta values, HEX (default) and
  string.

- When a meta key is configured to display a hashed value, all security roles see only the
  hashed value in the Incidents module.

- You use hashed values the same way you use actual values. For example, when you use a
  hashed value in rule criteria the results are the same as if you used the actual value.

This topic explains how to obfuscate private data in NetWitness Respond. Refer to the "Data
Privacy Management Overview" topic in the Data Privacy Management Guide for additional
information about data privacy.

Mapping File to Obfuscate Meta Keys

In NetWitness Respond, the mapping file for data obfuscation is data_privacy_map.js. In it you
type an obfuscated meta key name and map it to the actual meta key name.
The following example shows the mappings to obfuscate data for two meta keys, ip.src and
user.dst:
'ip.src.hash' : 'ip.src',
'user.dst.hash' : 'user.dst'

You determine the naming convention for obfuscated meta key names. For example, ip.src.hash
could be ip.src.private or ip.src.bin. You must choose one naming convention and use it
consistently on all hosts.

Prerequisites

- DPO role must specify which meta keys require data obfuscation.

- Administrator role must map meta keys for data obfuscation.

Procedure

1. Open the data privacy mapping file:


/var/lib/netwitness/respond-server/scripts/data_privacy_map.js


2. In the obfuscated_attribute_map variable, type the name of a meta key to hold obfuscated
data. Then map it to the meta key that does not contain obfuscated data according to this
format:
'ip.src.hash' : 'ip.src'

3. Repeat step 2 for every meta key that should display a hashed value.

4. Use the same naming convention as in step 2 and use it consistently on all hosts.

5. Save the file.


All mapped meta keys will display hashed values instead of actual values.
In the following figure, a hashed value displays for the destination IP address in the Event
Details:

New alerts will display obfuscated data.

Note: Existing alerts still display sensitive data. This procedure is not retroactive.


Manage Incidents in NetWitness SecOps Manager


If you want to manage incidents in RSA NetWitness® SecOps Manager instead of NetWitness
Respond, you have to configure system integration settings in the Respond Server service
Explore view. After you configure the system integration settings, all incidents are managed in
NetWitness SecOps Manager. Incidents created before the integration will not be managed in
NetWitness SecOps Manager.

Caution: If you are managing incidents in NetWitness SecOps Manager instead of


NetWitness Respond, do not use the following in the Respond view: Incidents List view,
Incident Details view, and Tasks List view. Do not create incidents from the Respond Alerts
List view or from Investigate.

For more detailed integration information, see the RSA Archer Integration Guide.

Prerequisites

- NetWitness SecOps Manager 1.3.1.2 (NetWitness Suite 11.0 will only work with NetWitness
  SecOps Manager 1.3.1.2.)

Procedure
Follow this procedure to configure Respond Server service settings to manage incidents in
NetWitness SecOps Manager.

1. Go to ADMIN > Services, select the Respond Server service, and then select >
Config > Explore.


2. In the Explore view node list, select respond/integration/export.

3. In the archer-exchange-name field, type incidents.archer.


You will see a notice that the configuration was successfully updated.

4. In the archer-sec-ops-integration-enabled field, select true.


You will see a notice that the configuration was successfully updated.
Incidents will be managed exclusively in NetWitness SecOps Manager.


Set Counter for Matched Alerts and Incidents


This procedure is optional. Administrators can use it to change when the count for matched
alerts is reset to 0. The Incident List view displays these counts in columns on the right.

These columns provide the following information for a rule:


- Last Matched column shows the time when the rule last matched alerts.

- Matched Alerts column displays the number of matched alerts for the rule.

- Incidents column displays the number of incidents created by the rule.

By default, these values reset to zero every 7 days. Depending on how long you want the counts
to continue, you can change the default number of days.

Note: When the counter resets to zero, only the numbers in the three columns change to
zero. No alerts or incidents get deleted.

To set a counter for matched alerts and incidents:

1. Go to ADMIN > Services, select the Respond Server service and then select > View
> Explore.


2. In the Explore view node list, select respond/alertrule.

3. In the right panel, type the number of days in the counter-reset-interval-days field.

4. Restart the Respond Server service for the new setting to take effect. To do this, go to
ADMIN > Services, select the Respond Server service, and then select > Restart.


Configure a Database for the Respond Server Service


This procedure is required only if you need to change the database configuration for Respond
Server after the deployment of the NetWitness or ESA Primary hosts and their corresponding
services. You have to select the ESA Primary server to act as the database host for NetWitness
Respond application data, such as alerts, incidents, and tasks. You also have to select the
NetWitness Server to act as the database host for NetWitness Respond control data, such as
incident rules and categories.

Prerequisites
Ensure that:
- You have installed a host on which you want to run the Respond Server service. Refer to
  "Step 1: Deploy a Host" in the Hosts and Services Getting Started Guide for the procedure to
  add a host.

- The Respond Server service is installed and running on NetWitness Suite.

- An ESA host is installed and configured.

Procedure

1. Go to ADMIN > Services.


The Services view is displayed.

2. In the Services panel, select the Respond Server service and then select > View >
Explore.


3. In the Explore view node list, select data/application.

4. Provide the following information:


- db: The database name. The default value is respond-server.

- password: The password used for the deployment of the ESA primary server (password
  for deploy_admin user).

- servers: The hostname or IP address of the ESA primary server to act as the database
  host for NetWitness Respond application data, such as alerts, incidents, and tasks.

- user: Enter deploy_admin.

5. In the Explore view node list, select data/control.


6. Provide the following information:


- db: The database name. The default value is respond-server.

- password: The password used for the deployment of the NetWitness Server (password
  for deploy_admin user).

- servers: The hostname or IP address of the NetWitness Server to act as the database
  host for NetWitness Respond control data, such as incident rules and categories.

- user: Enter deploy_admin.

7. Restart the Respond Server service. To do this, go to ADMIN > Services, select the
Respond Server service, and then select > Restart.

Note: Restarting the Respond Server service is required for the database configuration to be
complete.


NetWitness Respond Configuration Reference


This section contains reference information for configuring NetWitness Respond.

Configure View
The Configure view enables you to configure NetWitness Respond functionality.
You can configure incident rules to automate the Respond workflow for automatically creating
incidents. You can also configure notification settings to send emails when incidents are created
or updated.

Topics
- Incident Rules List View
- Incident Rule Details View
- Respond Notification Settings View
- Aggregation Rules Tab
- New Rule Tab


Incident Rules List View


The Incident Rules List View enables you to create and manage incident rules for automating
the incident creation process. NetWitness Suite provides preconfigured rules. You can add to
and adjust these rules for your own environment.

Note: The information in this topic applies to RSA NetWitness® Suite Version 11.1 and later.

What do you want to do?

Role                                   I want to ...                      Show me how

Analyst, Content Expert, SOC Manager   Create or edit an incident rule.   Step 3. Enable and Create Incident Rules
                                                                          for Alerts

Incident Responders, Analysts,         View the results of my incident    See "Responding to Incidents" in the
Content Experts, SOC Manager           rule (View Detected Threats).      NetWitness Respond User Guide.

Related Topics
- Incident Rule Details View

Incident Rules List View


To access the Incident Rules List view, go to CONFIGURE > Incident Rules.

The Incident Rules List view consists of a list and series of buttons.


Incident Rules List

The following table describes the columns in the Incident Rules list.

Column           Description

(drag pad)       Enables you to change the priority order of the rules. Use the drag pad icon in
                 front of a rule to move it up and down in the list.

Select           Enables you to select a rule in order to take an action, such as Clone or Delete.

Order            Shows the order in which the rule is placed. The rule order determines which
                 rule takes effect if the criteria for multiple rules match the same alert. If two
                 rules match an alert, only the rule with the highest priority is evaluated.

Enabled          Shows whether the rule is enabled or not. One icon indicates that the rule is
                 enabled and another that it is not enabled.

Name             Displays the name of the rule with a hyperlink. If you click the link, it opens the
                 Rule Details view, where you can edit the rule.

Description      Displays the description of the rule.

Last Matched     Displays the time when an alert was successfully matched with the rule. This
                 value is reset once a week.

Matched Alerts   Displays the number of matched alerts. This value is reset once a week.
                 To change the setting, see Set Counter for Matched Alerts and Incidents.

Incidents        Displays the number of incidents created by the rule. This value is reset once a
                 week. To change the setting, see Set Counter for Matched Alerts and Incidents.


Incident Rules Actions

The following table shows the operations that can be performed on the Incident Rules list.

Action Description

Create Rule button Allows you to add a new rule.

Delete button Allows you to delete a rule.

Clone button Allows you to duplicate a rule.

Name hyperlink Allows you to edit a rule.


Incident Rule Details View


The Incident Rule Details view enables you to create and edit incident rules for creating
incidents from alerts. This topic describes the information required when creating or editing a
new rule.

Note: The information in this topic applies to RSA NetWitness® Suite Version 11.1 and later.

What do you want to do?

Role                                   I want to ...                               Show me how

Analyst, Content Expert, SOC Manager   Enable, create, or edit an incident rule.   Step 3. Enable and Create Incident Rules
                                                                                   for Alerts

Analyst, Content Expert, SOC Manager   Set up and use the User Behavior default    Set Up and Verify Default Incident Rules
                                       rule. Set up or verify the preconfigured
                                       (default) incident rules.

Incident Responders, Analysts,         View the results of my incident rule        See "Responding to Incidents" in the
Content Experts, SOC Manager           (View Detected Threats).                    NetWitness Respond User Guide.

Related Topics
- Incident Rules List View

Incident Rule Details View


To access the Incident Rule Details view, do one of the following:
- To create a rule, go to CONFIGURE > Incident Rules and click Create Rule.

- To edit a rule, go to CONFIGURE > Incident Rules and click the link in the Name column
  for the rule that you want to update.
The Incident Rule Details view is displayed. The following figure shows the Incident Rule
Details view in Rule Builder query mode.


In the Match Conditions section, if you select Advanced query mode, a field to enter
advanced queries is available as shown in the following figure.

The following table describes the options available when creating or editing incident rules.


Section: BASIC SETTINGS

  ENABLED       Select to enable the rule.
  NAME*         Name of the rule. This is a required field.
  DESCRIPTION   A description of the rule to indicate which alerts get aggregated.

Section: MATCH CONDITIONS*

  QUERY MODE    Rule Builder: Select the Rule Builder option if you want to build a query with
                various conditions that can be grouped. You can also have nested groups of
                conditions.
                In the Match Conditions, you can set the value to All of these, Any of these,
                or None of these. Depending on what you select, the criteria types specified in
                the Conditions and Group of conditions are matched to group the alerts.
                For example, if you set the match condition to All of these, alerts that match
                the criteria mentioned in the Conditions and Group Conditions are grouped into
                one incident.
                - Add a Condition to be matched by clicking the Add Condition button.
                - Add a Group of Conditions by clicking the Add Group button and add
                  conditions by clicking the Add Condition button.
                You can include multiple Conditions and Groups of Conditions that can be
                matched as per the criteria set and group the incoming alerts into incidents.
                Advanced: Select the Advanced query option if you want to use the advanced
                query builder. You can add a specific condition that needs to be matched as per
                the matching option selected.
                For example, you can type the criteria builder format
                {"$and": [{"alert.severity" : {"$gt":4}}]} to group alerts that have severity
                greater than 4.
                For advanced syntax, refer to
                http://docs.mongodb.org/manual/reference/operator/query/ or
                http://docs.mongodb.org/manual/reference/method/db.collection.find/

Section: ACTION*

  CHOOSE THE ACTION TAKEN IF THE RULE MATCHES THE ALERT
                Group into an Incident: If enabled, the alerts that match the criteria set are
                grouped into an incident.
                Suppress the Alert: If enabled, the alerts that match the criteria are
                suppressed.

Section: GROUPING OPTIONS

  GROUP BY*     The criteria to group the alerts as per the specified alert fields. You can use
                a maximum of two fields to group the alerts. You cannot group alerts with fields
                that do not have values.
                Grouping on an alert field means that all matching alerts containing the same
                meta key value for that field are grouped together in the same incident. (See
                the following Group By Meta Key Mappings table.)
  TIME WINDOW   The time range specified to group alerts.
                For example, if the time window is set to 1 hour, all alerts that match the
                criteria set in the Group By field and that arrive within an hour of each other
                are grouped into an incident.

Section: INCIDENT OPTIONS

  TITLE*        Title of the incident. You can provide placeholders based on the attributes you
                grouped. Placeholders are optional. If you do not use placeholders, all
                Incidents created by the rule will have the same title.
                For example, if you grouped them according to the source, you can name the
                resulting Incident as Alerts for ${groupByValue1}, and the incident for all
                alerts from NetWitness Endpoint would be named Alerts for NetWitness Endpoint.
  SUMMARY       (Optional) Summary of the incident created by this rule.
  CATEGORIES    (Optional) Category of the incident created. An incident can be classified
                using more than one category.
  ASSIGNEE      (Optional) Name of the user assigned to the incident.
  PRIORITY      Average of Risk Score across all of the Alerts: Takes the average of the risk
                scores across all the alerts to set the priority of the incident created.
                Highest Risk Score available across all of the Alerts: Takes the highest score
                available across all the alerts to set the priority of the incident created.
                Number of Alerts in the time window: Takes the count of the number of alerts in
                the time window selected to set the priority of the incident created.
                Critical, High, Medium, and Low: Specify the incident priority threshold of the
                matched incidents. The defaults are:
                - Critical: 90
                - High: 50
                - Medium: 20
                - Low: 1
                For example, with the Critical priority set to 90, incidents with a risk score
                of 90 or higher will be assigned a Critical priority for this rule.

Group By Meta Key Mappings


The following table shows the mapped meta keys for the available Group By field selections.
For example, if you select the Group By field value Destination Host, it uses the mapped meta
key alert.groupby_host_dst. All alerts with the same meta key value for
alert.groupby_host_dst are grouped together in the same incident.

Group By Field Value           Mapped Meta Key
Alert Name                     alert.name
Alert Rule Id                  alert.signature_id
Alert Type                     alert.groupby_type
Date Created                   alert.timestamp
Destination Country            alert.groupby_destination_country
Destination Domain             alert.groupby_domain_dst
Destination Host               alert.groupby_host_dst
Destination IP Address         alert.groupby_destination_ip
Destination Port               alert.groupby_destination_port
Destination User Account       alert.groupby_user_dst
Detector IP Address            alert.groupby_detector_ip
Domain                         alert.groupby_domain
Domain for Suspected C&C       alert.groupby_c2domain
File Analysis                  alert.groupby_analysis_file
Filename                       alert.groupby_filename
File MD5 Hash                  alert.groupby_data_hash
Risk Score                     alert.risk_score
Service Analysis               alert.groupby_analysis_service
Session Analysis               alert.groupby_analysis_session
Severity                       alert.severity
Source                         alert.source
Source Country                 alert.groupby_source_country
Source Domain                  alert.groupby_domain_src
Source Host                    alert.groupby_host_src
Source IP Address              alert.groupby_source_ip
Source User Account            alert.groupby_user_src
Source Username                alert.groupby_source_username
User Account                   alert.groupby_username


Respond Notification Settings View


The Respond Notification Settings view enables you to send email notifications when incidents
are created or updated to SOC Managers and the Analysts assigned to the incidents.

Note: The information in this topic applies to RSA NetWitness® Suite Version 11.1 and later.

What do you want to do?

Role: Administrator
I want to: Configure an email server.
Show me how: Refer to the System Configuration Guide. Click the Email Server Settings link or go to ADMIN > SYSTEM > Global Notifications.

Role: Incident Responders, Analysts, Content Experts, SOC Manager
I want to: Configure email notifications for when an incident is created or updated.
Show me how: Configure Respond Email Notification Settings

Related Topics
• Incident Rules List View

Respond Notification Settings


To access the Respond notification settings, go to CONFIGURE > Respond Notifications.
The Respond Notification Settings view is displayed.


The following table lists the Respond notification settings.

Email Server
  Shows the Email server that will send the email notifications.

Email Server Settings
  If the Email server that you would like to use for notifications is not listed in the Email Server drop-down list, you can configure the email server settings. Click the Email Server Settings link to go to ADMIN > SYSTEM > Global Notifications. For instructions, refer to the System Configuration Guide.

SOC Manager Email Addresses
  Lists the SOC Manager email addresses that will receive email notifications when you select Send to SOC Manager in the Notification Types section. You can add and remove email addresses as needed.


Notification Types - Incident Created
  Shows who should receive an email notification when an incident is created.
  • Send to Assignee: When an incident is created, an email is sent to the Analyst assigned to the incident.
  • Send to SOC Manager: When an incident is created, an email is sent to all of the addresses listed in the SOC Manager Email Addresses list.

Notification Types - Incident Updated
  Shows who should receive an email notification when an incident is updated.
  • Send to Assignee: When an incident is updated, an email is sent to the Analyst assigned to the incident.
  • Send to SOC Manager: When an incident is updated, an email is sent to all of the addresses listed in the SOC Manager Email Addresses list.

Apply
  Changes to these settings take effect immediately.

Note: If user email address information is updated in the ADMIN > Security > Users tab, it
can take up to two minutes for the new email changes to take effect. Any incident creation or
incident update email notifications sent during this time will go to the old email address.


Aggregation Rules Tab


The Aggregation Rules tab enables you to create and manage aggregation rules for automating
the incident creation process. NetWitness Suite provides 11 preconfigured rules. You can add to
and adjust these rules for your own environment.

Note: This topic applies to NetWitness Suite version 11.0 and earlier.

What do you want to do?

Role: Analyst, Content Expert, SOC Manager
I want to: Create an aggregation rule.
Show me how: Step 3. Enable and Create Incident Rules for Alerts

Role: Incident Responders, Analysts, Content Experts, SOC Manager
I want to: View the results of my aggregation rule (View Detected Threats).
Show me how: See "Responding to Incidents" in the NetWitness Respond User Guide.

Related Topics
• New Rule Tab

Aggregation Rules
To access the Aggregation Rules tab, go to CONFIGURE > Incident Rules > Aggregation
Rules tab.


The Aggregation Rules tab consists of a list and toolbar.

Aggregation Rules List

The following table describes the columns in the Aggregation Rules list.

Select
  Enables you to select a rule in order to take an action, such as Clone or Delete.

Order
  Shows the order in which the rule is placed. The rule order determines which rule takes effect if the criteria for multiple rules match the same alert. If two rules match an alert, only the rule with the highest priority is evaluated.

Name
  Displays the name of the rule.

Enabled
  Shows whether the rule is enabled or not. An icon in this column indicates that the rule is enabled.

Description
  Displays the description of the rule.

Last Matched
  Displays the time when an alert was successfully matched with the rule. This value is reset once a week.

Matched Alerts
  Displays the number of matched alerts. This value is reset once a week. To change the setting, see Set Counter for Matched Alerts and Incidents.

Incidents
  Displays the number of incidents created by the rule. This value is reset once a week. To change the setting, see Set Counter for Matched Alerts and Incidents.

Aggregation Rules Toolbar

The following table shows the operations that can be performed in the Aggregation Rules tab.

Option Description

Allows you to add a new rule.

Allows you to edit a rule.

Allows you to delete a rule.

Allows you to duplicate a rule.


New Rule Tab


The New Rule tab enables you to create custom aggregation rules for automating the incident
creation process. This topic describes the information required when creating a new rule.

Note: This topic applies to NetWitness Suite version 11.0 and earlier.

What do you want to do?

Role: Analyst, Content Expert, SOC Manager
I want to: Create an aggregation rule.
Show me how: Step 3. Enable and Create Incident Rules for Alerts

Role: Incident Responders, Analysts, Content Experts, SOC Manager
I want to: View the results of my aggregation rule (View Detected Threats).
Show me how: See "Responding to Incidents" in the NetWitness Respond User Guide.

Related Topics
• Aggregation Rules Tab

New Rule
To access the New Rule tab view:
1. Go to CONFIGURE > Incident Rules > Aggregation Rules tab.

2. Click [icon].


The New Rule tab is displayed.

The following table describes the options available when creating customized aggregation rules.

Field Description

Enabled Select to enable the rule.

Name* Name of the rule. This is a required field.

Description A description for the rule to give an idea about what alerts get aggregated.

Match Conditions*
  Query Builder - Select if you want to build a query with various conditions that can be grouped. You can also have nested groups of conditions.
  Match Conditions - You can set the value to All of these, Any of these, or None of these. Depending on what you select, the criteria types specified in the Conditions and Group of conditions are matched to group the alerts.
  For example, if you set the match condition to All of these, alerts that match the criteria mentioned in the Conditions and Group Conditions are grouped into one incident.
  • Add a Condition to be matched by clicking Add Condition.
  • Add a Group of Conditions by clicking Add Group and adding conditions by clicking Add Condition.
  You can include multiple Conditions and Groups of Conditions that can be matched as per the criteria set and group the incoming alerts into incidents.
  Advanced - Select if you want to add an advanced query builder. You can add a specific condition that needs to be matched as per the matching option selected.
  For example, you can type the criteria builder format {"$and": [{"alert.severity" : {"$gt":4}}]} to group alerts that have severity greater than 4.
  For advanced syntax, refer to http://docs.mongodb.org/manual/reference/operator/query/ or http://docs.mongodb.org/manual/reference/method/db.collection.find/

Action
  Group into an Incident - If enabled, the alerts that match the criteria set are grouped into an incident.
  Suppress the Alert - If enabled, the alerts that match the criteria are suppressed.

Grouping Options*
  Group By: The criteria to group the alerts as per the specified category. You can use a maximum of two attributes to group the alerts. You can group the alerts with one or two attributes. You can no longer group alerts with attributes that do not have values (empty attributes).
  Grouping on an attribute means that all matching Alerts containing the same value for that attribute are grouped together in the same incident.
  Time Window: The time range specified to group alerts.
  For example, if the time window is set to 1 hour, all alerts that match the criteria set in the Group By field and that arrive within an hour of each other are grouped into an incident.


Incident Options
  Title - (Optional) Title of the incident. You can provide placeholders based on the attributes you grouped. Placeholders are optional. If you do not use placeholders, all Incidents created by the rule will have the same title.
  For example, if you grouped them according to the source, you can name the resulting Incident as Alerts for ${groupByValue1}, and the incident for all alerts from NetWitness Endpoint would be named Alerts for NetWitness Endpoint.
  Summary - (Optional) Summary of the incident.
  Category - (Optional) Category of the incident created. An incident can be classified using more than one category.
  Assignee - (Optional) Name of the user to whom the incident is assigned.

Priority
  Average of Risk Score across all of the Alerts - Takes the average of the risk scores across all the alerts to set the priority of the incident created.
  Highest Risk Score available across all of the Alerts - Takes the highest score available across all the alerts to set the priority of the incident created.
  Number of Alerts in the time window - Takes the count of the number of alerts in the time window selected to set the priority of the incident created.
  Critical, High, Medium, and Low - Specify the incident priority threshold of the matched incidents. The defaults are:
    • Critical: 90
    • High: 50
    • Medium: 20
    • Low: 1
  For example, with the Critical priority set to 90, incidents with a risk score of 90 or higher will be assigned a Critical priority for this rule.
  You can change these defaults by manually changing the priorities or by moving the slider under Move slider to adjust scale.
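The Match Conditions, Grouping Options and Priority fields described in this table (and in the 11.1 Incident Rule Details table earlier in this reference) form one pipeline: filter alerts with a Mongo-style criteria document, group the survivors by up to two Group By fields inside the Time Window, then score the incident against the Critical/High/Medium/Low thresholds. The following Python model of that pipeline is an added example, not NetWitness code; it assumes alerts are flat dicts keyed by the meta keys listed in this guide (alert.severity, alert.risk_score, alert.groupby_host_dst, alert.timestamp taken here as seconds) and implements only the MongoDB operators shown ($and, $or, $gt, $gte, $lt, $in).

```python
from statistics import mean
# Subset of the MongoDB operators the Advanced criteria builder accepts (only these are modelled here)
OPS = {"$gt": lambda a, b: a > b, "$gte": lambda a, b: a >= b, "$lt": lambda a, b: a < b, "$in": lambda a, b: a in b}

def matches(alert, criteria):  # Mongo-style criteria: $and / $or lists or per-field operator dicts
    for key, cond in criteria.items():
        if key in ("$and", "$or"):
            ok = (all if key == "$and" else any)(matches(alert, c) for c in cond)
        elif isinstance(cond, dict):  # e.g. {"alert.severity": {"$gt": 4}}; a missing field never matches
            ok = key in alert and all(OPS[op](alert[key], v) for op, v in cond.items())
        else:  # a bare value means equality
            ok = alert.get(key) == cond
        if not ok:
            return False
    return True

def group_alerts(alerts, criteria, group_by, window_sec):  # Group By (max two fields) + Time Window
    incidents = []
    for a in sorted((a for a in alerts if matches(a, criteria)), key=lambda a: a["alert.timestamp"]):
        vals = tuple(a.get(k) for k in group_by)
        if None in vals:  # an alert whose grouping field has no value cannot be grouped
            continue
        for inc in incidents:  # join an incident with the same values if this alert is inside its window
            if inc["values"] == vals and a["alert.timestamp"] - inc["alerts"][0]["alert.timestamp"] <= window_sec:
                inc["alerts"].append(a)
                break
        else:
            incidents.append({"values": vals, "alerts": [a]})
    return incidents

THRESHOLDS = [("Critical", 90), ("High", 50), ("Medium", 20), ("Low", 1)]  # the guide's default thresholds
def priority(alerts, mode, thresholds=THRESHOLDS):  # highest threshold met by the selected scoring mode
    scores = [a["alert.risk_score"] for a in alerts]
    score = {"average": mean(scores), "highest": max(scores), "count": len(scores)}[mode]
    return next((name for name, t in thresholds if score >= t), None)  # None: below the Low threshold

ALERTS = [  # constructed sample alerts (not real data); timestamps are seconds from an arbitrary origin
    {"alert.severity": 5, "alert.risk_score": 95, "alert.timestamp": 0, "alert.groupby_host_dst": "srv-01"},
    {"alert.severity": 7, "alert.risk_score": 60, "alert.timestamp": 1800, "alert.groupby_host_dst": "srv-01"},
    {"alert.severity": 3, "alert.risk_score": 99, "alert.timestamp": 1900, "alert.groupby_host_dst": "srv-01"},  # severity 3: not matched
    {"alert.severity": 9, "alert.risk_score": 40, "alert.timestamp": 7200, "alert.groupby_host_dst": "srv-01"},  # 2 h later: new incident
    {"alert.severity": 6, "alert.risk_score": 30, "alert.timestamp": 100},  # no destination host: never grouped
]
CRITERIA = {"$and": [{"alert.severity": {"$gt": 4}}]}  # the guide's example: severity greater than 4

def run_rule():  # Group By = Destination Host, Time Window = 1 hour; returns (values, count, avg, highest)
    return [(inc["values"], len(inc["alerts"]), priority(inc["alerts"], "average"), priority(inc["alerts"], "highest"))
            for inc in group_alerts(ALERTS, CRITERIA, ["alert.groupby_host_dst"], 3600)]
```

With the sample alerts, the first two matching alerts for srv-01 land in one incident (average 77.5 gives High, highest 95 gives Critical) and the alert two hours later opens a second one, showing how the scoring mode changes the resulting priority.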
