For RSA NetWitness Platform 11.1 and later, ESA Rules can use Context Hub (CH) Lists as whitelists and blacklists in their construction and processing. To see details about these rules, see RSA ESA Rules.
This topic discusses the following:
- Use CH Lists in ESA Rules
- OOTB Context Hub Lists
- How to Update a Context Hub List
- How to Create a Context Hub List
- How to Add a Context Hub List as an Enrichment source
- Create an ESA Rule that Uses a Context Hub list
- Example of an ESA Rule that Uses a CH list
- EPL Syntax for whitelists and Blacklists
- Known Limitations
Use CH Lists in ESA RulesUse CH Lists in ESA Rules
As of RSA NetWitness 11.1, Context Hub lists can be used in the processing of ESA Rules.
- Configure an existing CH list, or create and configure your own CH list. Basically, you need to add a list of values to either an existing CH list or create your own and then add values.
- Configure the CH List within ESA by adding it as an Enrichment source.
- Load the CH list into an ESA Rule when you build statements and define the rule.
An advantage of using CH lists in ESA rules, is that from the Respond and Investigate screens in NetWitness, you can right-click on an item and update the list on-the-fly. For the selected item, you can add it to or remove it from any of your CH lists.
For details, see the following documentation in the RSA NetWitness Logs & Network 11.x Documentation space on RSA Link:
- Investigate: "Manage Context Hub Lists and List Values" topic in Investigate topic in the NetWitness Investigate User Guide
- Respond: "Context Lookup Panel" or "Investigate the Incident" topics in the NetWitness Respond User Guide
OOTB Context Hub Lists OOTB Context Hub Lists
The following Context Hub lists are available out of the box in RSA NetWitness 11.1. They are delivered empty: users need to configure the lists by adding entries.
Without this configuration step, the rules may not deliver results. You can add entries to the lists manually, or through import of CSV files. For details, see Configure Lists as a Data source in the Context Hub Guide.
The following lists are delivered with RSA NetWitness 11.1:
- User_Whitelist: A list of users that should be excluded from monitoring within rules configured to use it.
- User_Blacklist: A list of users that should be included for monitoring within rules configured to use it.
- Admin_Accounts: A list of privileged user accounts that should be included for monitoring within rules configured to use it.
- Service_Accounts: A list of service accounts that should be included for monitoring within rules configured to use it.
- Guest_Accounts : A list of guest user accounts that should be included for monitoring within rules configured to use it.
- Domain_Controllers: A list of domain controllers that should be included for monitoring within rules configured to use it.
- Host_Whitelist: A list of host names that should be excluded from monitoring within rules configured to use it.
- Host_Blacklist: A list of host names that should be included for monitoring within rules configured to use it.
- IP_Whitelist: A list of IP addresses that should be excluded from monitoring within rules configured to use it. CIDR notation and regular expressions may not be used.
- IP_Blacklist: A list of IP addresses that should be included for monitoring within rules configured to use it. CIDR notation and regular expressions may not be used.
The following table lists the rules that use each of the CH Lists.
| CH List Name | ESA Rules that Use the List | ||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
User_Whitelist |
| ||||||||||||||||||||
User_Blacklist | Direct Login By A Watchlist Account | ||||||||||||||||||||
Admin_Accounts | Privilege User Account Password Change Privilege Escalation Detected Suspicious Privileged User Access Activity Multiple Failed Privilege Escalations by the Same User Multiple Login Failures by Administrators to Domain Controller | ||||||||||||||||||||
Guest_Accounts | Multiple Login Failures by Guest to Domain Controller | ||||||||||||||||||||
Host_Whitelist | Multiple Failed Logins from Multiple Diff Sources to Same Dest Multiple Successful Logins from Multiple Diff Src to Diff Dest Multiple Successful Logins from Multiple Diff Src to Same Dest Multiple Failed Logins from Multiple Users to Same Destination Lateral Movement Suspected Windows | ||||||||||||||||||||
Host_Blacklist | krbtgt Account Modified on Domain controller Multiple Login Failures by Administrators to Domain Controller Multiple Login Failures by Guest to Domain Controller | ||||||||||||||||||||
IP_Whitelist | Multiple Failed Logins from Multiple Diff Sources to Same Dest Multiple Successful Logins from Multiple Diff Src to Diff Dest Multiple Successful Logins from Multiple Diff Src to Same Dest Multiple Failed Logins from Multiple Users to Same Destination | ||||||||||||||||||||
IP_Blacklist | krbtgt Account Modified on Domain controller Multiple Login Failures by Administrators to Domain Controller Multiple Login Failures by Guest to Domain Controller |
How to Update a Context Hub ListHow to Update a Context Hub List
Go to ADMIN > Services.
The services view is displayed.
Select the Context Hub service and click
> View > Config.The Services Config View of Context Hub is displayed.
Select the Lists tab.
In the Lists tab, select the list that you wish to update.
In the List Values section, there are controls for adding and removing items, as well as for importing a list.
- To add an entry: click then enter a new value.
- To remove an entry: select it then click .
- To import a list, click , then navigate to a CSV file that contains the entries for your list.
- To add an entry: click
Do either of the following:
- Click Save to save your changes, or
- Click anywhere outside the List Values section to discard your changes. You receive a confirmation message asking you to make sure you want to discard your changes: click Yes to discard your changes or No to go back to the screen with your unsaved changes.
For more information, see the topic "Configure Lists as a Data source" in the Context Hub Configuration Guide in RSA NetWitness Platform space on RSA Link.
How to Create a Context Hub ListHow to Create a Context Hub List
Creating a list is very similar to updating an existing list.
- Go to ADMIN > Services.
- Select the Context Hub service and click > View > Config.
- Select the Lists tab.
In the Lists tab, click
, then enter a name for your list.Note: Make sure the name does not contain spaces. If the name of a list contains spaces, it cannot be used in an ESA Rule.
Add values to the list, or import an existing list:
- To add an entry: click then enter a new value.
- To import a list, click , then navigate to a CSV file that contains the entries for your list.
- To add an entry: click
- Click Save to save your new list.
How to Add a Context Hub List as an Enrichment sourceHow to Add a Context Hub List as an Enrichment source
If you add a new CH list, before you can use it in an ESA Rule, you need to add it as an enrichment source.
- Go to CONFIGURE > ESA Rules.
Select the Settings tab, then Enrichment sources.
Click
> Context Hub.The Context Hub List dialog box is displayed.
Select a list, add a description, and select a column.
- Click Save to finish.
For more information, see the topic "Configure Context Hub List as an Enrichment source " in the Alerting with ESA Correlation Rules User Guide in RSA NetWitness Platform space on RSA Link.
Create an ESA Rule that Uses a Context Hub listCreate an ESA Rule that Uses a Context Hub list
- Go to CONFIGURE > ESA Rules.
In the Rules tab, click
> Rule Builder.A New Rule tab opens.
- In the New Rule tab, enter a name and description.
- In the Conditions section, click to open the Build a Statement dialog box.
You can add a whitelist, blacklist, or meta condition. This procedure details adding a list, so choose either:
- Add whitelist Condition, or
- Add Blacklist Condition
In this example, we add a whitelist condition.
Click
> Add whitelist Condition.In the Key column, from the drop-down menu, select a whitelist to use, for example User_Whitelist.
Select a column name from the list, then select an operator and enter the meta value for the corresponding value field.
- Click Save to save the statement and close the dialog box.
- Continue defining the rule until it is complete. For details, see "Add a Rule Builder Rule" in the Alerting Using ESA Guide.
Example of an ESA Rule that Uses a CH listExample of an ESA Rule that Uses a CH list
The Failed Logins Followed By Successful Login Password Change ESA rule uses the User_Whitelist context hub list.
You can view the syntax in RSA NetWitness:
- Go to CONFIGURE > ESA Rules.
In the Rules tab, select the Failed Logins Followed By Successful Login Password Change rule and click
.A tab for editing the rule is displayed.
Scroll down to the bottom of the page and click Show Syntax.
The Rule Syntax dialog box is displayed.
Look over the syntax to get a sense of the EPL for this rule. When finished, click Close to close the Rule Syntax dialog box.
EPL Syntax for whitelists and BlacklistsEPL Syntax for whitelists and Blacklists
A whitelist ("known good") is a list of event meta value to exempt from alerts.
Whitelist Example Syntax (in bold):
@RSAAlert(oneInSeconds=0, identifiers={"user_dst"})
@UsesEnrichment(name="User_Whitelist")
SELECT * FROM
Event (
medium = 32
AND ec_activity = 'Logon'
AND ec_outcome = 'Success'
AND logon_type IN ('2','10','11','12')
AND device_class = 'Windows Hosts'
AND reference_id IN ('4624', '528', '540')
AND user_dst IS NOT NULL
AND NOT EXISTS (SELECT * FROM User_Whitelist WHERE (LIST = Event.user_dst.toLowerCase()))
AND NOT EXISTS (SELECT * FROM User_Whitelist WHERE (LIST = Event.user_dst))
);
A Blacklist ("known bad") is a list of event meta value used to trigger alerts.
Blacklist Example Syntax (in bold):
@RSAAlert(oneInSeconds=0, identifiers={"user_dst"})
@UsesEnrichment(name="User_Blacklist")
SELECT * FROM
Event (
medium = 32
AND ec_activity = 'Logon'
AND ec_outcome = 'Success'
AND logon_type IN ('2','10','11','12')
AND device_class = 'Windows Hosts'
AND reference_id IN ('4624', '528', '540')
AND user_dst IS NOT NULL
AND
(EXISTS (SELECT * FROM User_Blacklist WHERE (LIST = Event.user_dst.toLowerCase()))
OR
EXISTS (SELECT * FROM User_Blacklist WHERE (LIST = Event.user_dst)))
);
If you create your own rules using CH lists, make sure to the UsesEnrichment() statement, as shown in the above example:
@UsesEntrichment(name="User_Whitelist")
In this example, we are loading the User_Whitelist into the system for this rule.
Note: It is fine to have the same list loaded (that is, named in multiple UsesEnrichment statements) in multiple deployed ESA Rules. The system only loads each CH list once.
Use the toLowerCase() function to convert the received meta to all lower case.
Event.user_dst.tolowerCase()
In the above example, the user_dst meta values are converted to all lowercase. If you have created your CH lists so that all entries are also in all lowercase, your comparison is case-insensitive.
Known LimitationsKnown Limitations
Can the Context Hub lists comparison be case-insensitive?Can the Context Hub lists comparison be case-insensitive?
In order to get case-insensitive matching between CH lists and event meta, customers must add users within the CH lists as all lower case. Context hub lists do not have the ability to make the entries lower case before performing the match. Additionally, be sure to use the toLowerCase() function in your rules, so that the meta values are converted to all lowercase for the comparison.
What are the limitations between Basic Rule Builder and Live / Advanced Rules?What are the limitations between Basic Rule Builder and Live / Advanced Rules?
Only able to use a single whitelist or blacklist within the basic rule builder.
What happens when you deploy an 11.1 CH List ESA rule to version prior to 11.1?What happens when you deploy an 11.1 CH List ESA rule to version prior to 11.1?
The rule will be unable to deploy, it will be disabled, and an error will be written to the log file, mentioning that the list cannot be found.
