To support future content improvements such as new bundles and feeds, we have adjusted the alert meta key mappings for several Application Rules. By adhering more strictly to the original intent of the alert detection categories, NetWitness users gain more meaningful and accurate insight into activity within their environments. Each rule below now writes its alert meta to the Hunting Pack compromise key (boc) or one of the analysis keys (analysis.file, analysis.service, analysis.session) instead of its previous key:
| Name | Previous Key | New Key |
|---|---|---|
| exe filetype but not exe extension* | boc | analysis.file |
| Small Executable | alert.id | analysis.file |
| Small Executable Extension Mismatch | alert.id | analysis.file |
| Small Executable No Directory | alert.id | analysis.file |
| Small Executable No Host | alert.id | analysis.file |
| Small Executable Root Directory | alert.id | analysis.file |
| DoH Usage* | boc | analysis.service |
| IRC File Transfer | alert.id | analysis.service |
| Passwords Over FTP | alert.id | analysis.service |
| Passwords Over HTTP | alert.id | analysis.service |
| Passwords Over Other Protocols | alert.id | analysis.service |
| Passwords Over Pop3 | alert.id | analysis.service |
| Passwords Over SMTP | alert.id | analysis.service |
| Passwords Over Telnet | alert.id | analysis.service |
| Possible SMB Scanning Detected* | boc | analysis.service |
| BYOD Mobile Web Agent Detected | alert.id | analysis.session |
| Possible Port Scanning Detected* | boc | analysis.session |
| suspicious long filename get request | alert.id | analysis.session |
| suspicious PHP url-encoded put | alert.id | analysis.session |
| Unknown Service Over DNS Port | alert.id | analysis.session |
| Unknown Service Over FTP Port | alert.id | analysis.session |
| Unknown Service Over HTTP Port | alert.id | analysis.session |
| Unknown Service Over IRC Port | alert.id | analysis.session |
| Unknown Service Over NNTP Port | alert.id | analysis.session |
| Unknown Service Over POP3 Port | alert.id | analysis.session |
| Unknown Service Over SMB Port | alert.id | analysis.session |
| Unknown Service Over SMTP Port | alert.id | analysis.session |
| Unknown Service Over SSL Port | alert.id | analysis.session |
| Unknown Service Over Telnet Port | alert.id | analysis.session |
| Archive From IP Address | alert.id | boc |
| Attachment Overload | alert.id | boc |
| File Transport Over Unknown Protocol | alert.id | boc |
| Non-Standard Port Use - DHCP | alert.id | boc |
| Non-Standard Port Use - DNS | alert.id | boc |
| Non-Standard Port Use - FTP | alert.id | boc |
| Non-Standard Port Use - H323 | alert.id | boc |
| Non-Standard Port Use - HTTP | alert.id | boc |
| Non-Standard Port Use - IRC | alert.id | boc |
| Non-Standard Port Use - NetBios | alert.id | boc |
| Non-Standard Port Use - NNTP | alert.id | boc |
| Non-Standard Port Use - POP3 | alert.id | boc |
| Non-Standard Port Use - RDP | alert.id | boc |
| Non-Standard Port Use - RIP | alert.id | boc |
| Non-Standard Port Use - RPC | alert.id | boc |
| Non-Standard Port Use - RTP | alert.id | boc |
| Non-Standard Port Use - SIP | alert.id | boc |
| Non-Standard Port Use - SMB | alert.id | boc |
| Non-Standard Port Use - SMTP | alert.id | boc |
| Non-Standard Port Use - SNMP | alert.id | boc |
| Non-Standard Port Use - SSH | alert.id | boc |
| Non-Standard Port Use - SSL | alert.id | boc |
| Non-Standard Port Use - TDS | alert.id | boc |
| Non-Standard Port Use - Telnet | alert.id | boc |
| Non-Standard Port Use - TFTP | alert.id | boc |
| Non-Standard Port Use - TNS | alert.id | boc |
* - Rules marked with an asterisk are updated automatically for users subscribed to these alerts.
Note - Application Rules formerly keyed to 'alert.id' are not updated automatically and will need to be added from NetWitness Live. Any saved queries, reports or ESA rules that filter on the old key for these rules will stop matching new sessions until they are pointed at the new key.
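The table above is also a migration list for anything downstream that still filters on the old keys. The following is an added example, not code from this page or from NetWitness: it embeds the mapping from the table and rewrites old-key clauses in saved query strings to the new key, flagging any clause it cannot map so nothing is silently left behind. Two things are assumed and not stated on this page: that the alert meta value written by an Application Rule is the rule name (compared case-insensitively), and that queries use the `key = 'value'` clause form; adjust `_CLAUSE` if your stored queries differ.

```python
import re

# Mapping reconstructed from the table on this page. The meta value is
# assumed (not stated on the page) to be the rule name, matched
# case-insensitively; the footnote asterisks are not part of the name.
NEW_KEY_BY_RULE = {}


def _register(new_key, names):
    for name in names:
        NEW_KEY_BY_RULE[name.lower()] = new_key


_register("analysis.file", [
    "exe filetype but not exe extension",
    "Small Executable", "Small Executable Extension Mismatch",
    "Small Executable No Directory", "Small Executable No Host",
    "Small Executable Root Directory",
])
_register("analysis.service",
          ["DoH Usage", "IRC File Transfer", "Possible SMB Scanning Detected"]
          + [f"Passwords Over {p}" for p in
             ("FTP", "HTTP", "Other Protocols", "Pop3", "SMTP", "Telnet")])
_register("analysis.session",
          ["BYOD Mobile Web Agent Detected", "Possible Port Scanning Detected",
           "suspicious long filename get request", "suspicious PHP url-encoded put"]
          + [f"Unknown Service Over {p} Port" for p in
             ("DNS", "FTP", "HTTP", "IRC", "NNTP", "POP3", "SMB", "SMTP", "SSL", "Telnet")])
_register("boc",
          ["Archive From IP Address", "Attachment Overload",
           "File Transport Over Unknown Protocol"]
          + [f"Non-Standard Port Use - {p}" for p in
             ("DHCP", "DNS", "FTP", "H323", "HTTP", "IRC", "NetBios", "NNTP", "POP3",
              "RDP", "RIP", "RPC", "RTP", "SIP", "SMB", "SMTP", "SNMP", "SSH", "SSL",
              "TDS", "Telnet", "TFTP", "TNS")])

# Assumed clause syntax:  <old key> = '<rule name>'  (single or double quotes).
# Both previous keys in the table (alert.id and boc) are candidates for rewriting.
_CLAUSE = re.compile(r'''\b(alert\.id|boc)\s*=\s*(['"])(.*?)\2''')


def migrate_query(query):
    """Rewrite old-key clauses in a saved query string.

    Returns (new_query, unmapped): unmapped lists the clauses whose value is
    not a rule in the table, so they must be reviewed by hand rather than
    silently kept on a key that no longer receives that alert.
    """
    unmapped = []

    def _sub(m):
        key, quote, value = m.group(1), m.group(2), m.group(3)
        new_key = NEW_KEY_BY_RULE.get(value.strip().lower())
        if new_key is None:
            unmapped.append(m.group(0))
            return m.group(0)
        if new_key == key:           # already on the correct key (e.g. boc rules that stay boc)
            return m.group(0)
        return f"{new_key} = {quote}{value}{quote}"

    return _CLAUSE.sub(_sub, query), unmapped


if __name__ == "__main__":
    # Constructed sample query, not taken from a real deployment.
    sample = ("alert.id = 'Passwords Over HTTP' && boc = 'DoH Usage' "
              "&& alert.id = 'Some Custom Rule'")
    rewritten, todo = migrate_query(sample)
    print(rewritten)
    for clause in todo:
        print("needs manual review:", clause)
```

Run it over each saved query or rule body and treat every "needs manual review" line as a real gap: a custom rule that genuinely still writes to `alert.id` is fine, but a renamed bundle rule that is not in this table will otherwise keep matching nothing.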
As an additional content hygiene measure, the following outdated/discontinued content has been removed from NetWitness Live: