We have a poorly coded internal application that keeps triggering the Endpoint ESA rule 'unsigned outbound from temp directory'
What would be the best way to whitelist this so it doesn't keep showing up in alerts in the respond module?
Thanks Josh.
Just thinking, could I use a list in context hub to collect a number of 'whitelisted' checksums.
You absolutely could, but I don't think that would actually help for this kind of use case... for a couple of reasons.
First, the Endpoint Bundle rules are not normal ESA rules - in order to maximize their efficiency (remember, some of them will trigger tens or even hundreds of thousands of times per day), they will only accept and process 'key=value' rule syntax...not even 'key=value1,value2,etc'...only 'key=value'. Which means you can't use context hub lists with them as you could with a normal ESA rule.
Second (assuming here that part of the goal in using a context hub list was to leverage it in the app rule), CH lists don't create any meta (and so cannot provide anything for an app rule to use)...and they are downstream in the NW data flow (a CH list works with already-created metas).
Third, if you're thinking about using a Feed (which does create a duplicate CH list) to trigger against your checksums and generate some custom whitelisted meta... that could certainly provide useful information and context for your analysts, as well as be useful in non-Endpoint Bundle ESA rules. But... you would still have to add that whitelisted meta to the App rule to prevent the corresponding Endpoint Bundle rule from firing... so it wouldn't save you any time or work in the end.
Thanks for that. Yeah I think a feed is what I was more thinking about.
Right now, we only have one checksum, but I'm thinking about if this becomes a bigger thing and we start to maintain a list of whitelisted checksums: rather than editing the ESA rule every time to add the additional checksum, it could just be automatically imported using something like MISP and a feed file.
Jeremy Kerwin
Your easiest and best option will be to adjust the companion App Rule that is the source of that ESA rule:
...and add the additional syntax to filter out your internal application.
You can figure out this additional syntax by looking at the endpoint events triggering that app rule by querying for it in NetWitness:
...and picking out the meta keys and values that will identify that specific application (checksum.src is probably a good one).
You would then add that as a != filter in the app rule:
The more specific and precise you can be to positively identify that application, the better.
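As an added illustration of the approach in the answer above (not code from the thread or from NetWitness), the script below keeps the allowlisted checksums in one place, validates them, and generates the `checksum.src != '<hash>'` exclusion text to append to the companion app rule, so the rule text does not have to be hand-edited each time the list grows. It assumes app rule conditions are joined with `&&` and that a missing `checksum.src` meta leaves the rule firing; the checksum values and the `filename.src` field in the sample events are constructed placeholders, not real hashes or captured data.

```python
"""Generate the '!=' exclusion clause for a NetWitness app rule from a maintained checksum allowlist.

Added example: assumes the query syntax shown in the thread (checksum.src != '<hash>') joined with '&&'.
All checksum values and sample events below are constructed placeholders.
"""
import re

HEX_RE = re.compile(r"^[0-9a-f]+$")
# Accepted digest lengths (hex characters) -> algorithm, used to reject malformed list entries
DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}

# Constructed placeholder checksums for the internal application's binaries (not real values)
ALLOWLISTED_CHECKSUMS = [
    "a" * 64,
    "B" * 64,   # mixed case on purpose: normalised below
    "a" * 64,   # duplicate on purpose: de-duplicated below
]


def normalise_checksum(value: str) -> str:
    """Lower-case and validate one checksum; reject anything that is not a known digest length."""
    digest = value.strip().lower()
    if not HEX_RE.match(digest) or len(digest) not in DIGEST_LENGTHS:
        raise ValueError(f"not a recognised hex digest: {value!r}")
    return digest


def load_allowlist(values) -> list:
    """Return a sorted, de-duplicated, validated allowlist (stable order keeps rule diffs reviewable)."""
    return sorted({normalise_checksum(v) for v in values})


def build_exclusion_clause(checksums, key: str = "checksum.src") -> str:
    """Emit one '!=' filter per checksum, joined with '&&' (assumed syntax), for the companion app rule."""
    allow = load_allowlist(checksums)
    if not allow:
        raise ValueError("empty allowlist: nothing to exclude")
    return " && ".join(f"{key} != '{digest}'" for digest in allow)


def rule_would_fire(event: dict, checksums, key: str = "checksum.src") -> bool:
    """Simulate the app rule after the exclusion is added: allowlisted binaries no longer match."""
    allow = set(load_allowlist(checksums))
    value = event.get(key)
    if value is None:
        # Assumption: without checksum meta the exclusion cannot vouch for the event, so it still fires
        return True
    return normalise_checksum(value) not in allow


# Constructed sample endpoint events, shaped like the meta an analyst would see when querying the rule
SAMPLE_EVENTS = [
    {"checksum.src": "A" * 64, "filename.src": "internalapp.exe"},   # the noisy internal application
    {"checksum.src": "c" * 64, "filename.src": "unknown.exe"},       # something else: must still alert
    {"filename.src": "nohash.exe"},                                  # checksum meta missing
]


def triage(events=SAMPLE_EVENTS, checksums=ALLOWLISTED_CHECKSUMS) -> list:
    """Return the filenames that would still raise the alert once the allowlist is applied."""
    return [e.get("filename.src") for e in events if rule_would_fire(e, checksums)]


if __name__ == "__main__":
    print(build_exclusion_clause(ALLOWLISTED_CHECKSUMS))
    print(triage())
```

Keeping the allowlist as data and regenerating the clause means each new checksum is a one-line, reviewable change rather than a manual edit of the rule text, and the simulation step lets you confirm before deploying that only the intended binaries drop out of the alert.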