NetWitness Community Blog

Content Hygiene – Application Rule Alert Mapping Updates

DarrenMccutchen, Frequent Contributor
2023-07-11 10:13 AM

To facilitate future content improvements such as new bundles and feeds, we have adjusted the alert meta mappings for several Application Rules. By adhering more strictly to the original intention of the alert detection categories, NetWitness users will gain more meaningful and accurate insight into activity within their environments. The rules were re-aligned with the Hunting Compromise and Analysis Keys:

  • Behavior of Compromise (boc): Designated for suspect or nefarious behavior outside standard signature-based detection
  • Service Analysis (analysis.service): Identification and inspection of core application protocols
  • Session Analysis (analysis.session): Deviations in client-server communication
  • File Analysis (analysis.file): A large inspection library that highlights file characteristics and anomalies

Updated Application Rules:

Name                                   Previous Key   New Key
exe filetype but not exe extension*    boc            analysis.file
Small Executable                       alert.id       analysis.file
Small Executable Extension Mismatch    alert.id       analysis.file
Small Executable No Directory          alert.id       analysis.file
Small Executable No Host               alert.id       analysis.file
Small Executable Root Directory        alert.id       analysis.file
DoH Usage*                             boc            analysis.service
IRC File Transfer                      alert.id       analysis.service
Passwords Over FTP                     alert.id       analysis.service
Passwords Over HTTP                    alert.id       analysis.service
Passwords Over Other Protocols         alert.id       analysis.service
Passwords Over Pop3                    alert.id       analysis.service
Passwords Over SMTP                    alert.id       analysis.service
Passwords Over Telnet                  alert.id       analysis.service
Possible SMB Scanning Detected*        boc            analysis.service
BYOD Mobile Web Agent Detected         alert.id       analysis.session
Possible Port Scanning Detected*       boc            analysis.session
suspicious long filename get request   alert.id       analysis.session
suspicious PHP url-encoded put         alert.id       analysis.session
Unknown Service Over DNS Port          alert.id       analysis.session
Unknown Service Over FTP Port          alert.id       analysis.session
Unknown Service Over HTTP Port         alert.id       analysis.session
Unknown Service Over IRC Port          alert.id       analysis.session
Unknown Service Over NNTP Port         alert.id       analysis.session
Unknown Service Over POP3 Port         alert.id       analysis.session
Unknown Service Over SMB Port          alert.id       analysis.session
Unknown Service Over SMTP Port         alert.id       analysis.session
Unknown Service Over SSL Port          alert.id       analysis.session
Unknown Service Over Telnet Port       alert.id       analysis.session
Archive From IP Address                alert.id       boc
Attachment Overload                    alert.id       boc
File Transport Over Unknown Protocol   alert.id       boc
Non-Standard Port Use - DHCP           alert.id       boc
Non-Standard Port Use - DNS            alert.id       boc
Non-Standard Port Use - FTP            alert.id       boc
Non-Standard Port Use - H323           alert.id       boc
Non-Standard Port Use - HTTP           alert.id       boc
Non-Standard Port Use - IRC            alert.id       boc
Non-Standard Port Use - NetBios        alert.id       boc
Non-Standard Port Use - NNTP           alert.id       boc
Non-Standard Port Use - POP3           alert.id       boc
Non-Standard Port Use - RDP            alert.id       boc
Non-Standard Port Use - RIP            alert.id       boc
Non-Standard Port Use - RPC            alert.id       boc
Non-Standard Port Use - RTP            alert.id       boc
Non-Standard Port Use - SIP            alert.id       boc
Non-Standard Port Use - SMB            alert.id       boc
Non-Standard Port Use - SMTP           alert.id       boc
Non-Standard Port Use - SNMP           alert.id       boc
Non-Standard Port Use - SSH            alert.id       boc
Non-Standard Port Use - SSL            alert.id       boc
Non-Standard Port Use - TDS            alert.id       boc
Non-Standard Port Use - Telnet         alert.id       boc
Non-Standard Port Use - TFTP           alert.id       boc
Non-Standard Port Use - TNS            alert.id       boc

* Users subscribed to these alerts will have the rules updated automatically.

Note: Application Rules formerly keyed to 'alert.id' are not updated automatically and will need to be added again from NetWitness Live.
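A practical consequence of the re-keying is that saved queries, reports, and correlation logic that still reference a remapped rule under its old key (for example alert.id = 'Passwords Over HTTP') will match nothing once the updated rules are deployed. The script below is an added example, not part of this post and not NetWitness tooling. It assumes queries use the key = 'value' comparison form and embeds a constructed subset of the table above; for real use, paste in the full table. It rewrites old-key references to the new key and lists the deployed rules that, per the footnote and note above, must be re-added from Live because they are not updated automatically.

```python
import re

# Constructed subset of the alert-key changes from the table above.
# rule name -> (previous key, new key, auto-updated for subscribers)
# Only the starred rules in the post are auto-updated; the ones that were
# keyed to alert.id must be re-added from NetWitness Live.
KEY_CHANGES = {
    "exe filetype but not exe extension": ("boc", "analysis.file", True),
    "Small Executable": ("alert.id", "analysis.file", False),
    "DoH Usage": ("boc", "analysis.service", True),
    "Passwords Over HTTP": ("alert.id", "analysis.service", False),
    "Possible Port Scanning Detected": ("boc", "analysis.session", True),
    "Unknown Service Over HTTP Port": ("alert.id", "analysis.session", False),
    "Non-Standard Port Use - SSH": ("alert.id", "boc", False),
}

# Matches a key = 'value' (or "value") comparison for the keys involved in the change.
# The assumed query syntax is a simplification of NetWitness query strings.
_TERM = re.compile(
    r"""\b(alert\.id|boc|analysis\.(?:service|session|file))\s*=\s*(['"])(.*?)\2"""
)


def rewrite_query(query):
    """Rewrite comparisons that reference a remapped rule under its previous key.

    Returns (rewritten_query, names_changed). A comparison is only rewritten when
    the rule name is in KEY_CHANGES and the key used is that rule's previous key;
    references that already use the new key, or custom rule names, are untouched.
    """
    changed = []

    def _sub(m):
        key, quote, name = m.group(1), m.group(2), m.group(3)
        entry = KEY_CHANGES.get(name)
        if entry and entry[0] == key:
            changed.append(name)
            return f"{entry[1]} = {quote}{name}{quote}"
        return m.group(0)

    return _TERM.sub(_sub, query), changed


def rules_needing_manual_add(deployed_rule_names):
    """Deployed rules from the table that are not auto-updated and must be re-added from Live."""
    return sorted(
        name for name in deployed_rule_names
        if name in KEY_CHANGES and not KEY_CHANGES[name][2]
    )


if __name__ == "__main__":
    # Constructed saved query and deployed-rule inventory.
    saved = "alert.id = 'Passwords Over HTTP' && ip.src exists"
    new_query, names = rewrite_query(saved)
    print(new_query, "| rewritten:", names)
    print("re-add from Live:", rules_needing_manual_add(
        ["Small Executable", "DoH Usage", "My Custom Rule"]))
```

Run the rewrite over every saved query and report definition before and after the content update; anything the rewrite does not touch but that still names a rule from the table is a candidate for a stale reference.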


Removed Content

As an additional content hygiene measure, the following outdated or discontinued content has been removed from NetWitness Live:

  • Advanced Analytics (Warehouse) / Data Science Model
    • ETL for Mapr
    • ETL
    • ETL for Pivotal
    • Host Profile for Mapr
    • Host Profile for Pivotal
    • Suspicious DNS Activity for Mapr
    • Suspicious DNS Activity for Pivotal
    • Suspicious Domains for Mapr
    • Suspicious Domains for Pivotal
  • Application Rules
    • HttpBrowser Malware
    • NTP DDoS Attack 234-byte Request: Packets
    • NTP DDoS Attack 50-byte Request: Packets
    • NTP DDoS Attack 60-byte Request: Packets
    • NTP DDoS Attack 234-byte Request: Netflow
    • NTP DDoS Attack 50-byte Request: Netflow
    • NTP DDoS Attack 60-byte Request: Netflow
    • Large Outbound Encrypted session
    • Large Outbound Session
  • Event Stream Analysis
    • Cerber Ransomware
    • Inbound Packet Followed by Recipient Outbound Encrypted Connection
    • Internal Data Posting to 3rd party sites
    • Malware Dropper
    • Web DoS Alert
    • BYOD Mobile Web Agent Detected
    • Detection of Encrypted Traffic to Countries
    • Multiple SYN packets from Same Source
    • Potential HTTP Slow Post DoS
    • Detect Port Knocking Packet
    • Punycode Phishing Attempt
  • Investigation Column Group
    • Email Analysis Column Group
    • Endpoint Analysis Column Group
    • Web Analysis Group Column
    • Malware Analysis Column Group
    • Threat Analysis Column Group
    • User and Entity Behaviour Analysis Column Group
  • Lua Parsers
    • Poison_Ivy
    • plugx
    • rekaf
    • struts_exploit
    • pvid
    • MSU_rat
    • CustomTCP
    • supercmd
    • china_chopper
    • apt_artifacts
    • cerber
    • duqu_lua
    • electricfish
    • Evilgrab
  • NetWitness Reports
    • Malware Activity Report
    • Large Outbound Connections to 3rd Party Sites Sessions
    • Large Outbound Encrypted Sessions
    • Large Outbound Sessions
    • Hunting Summary
    • Hunting Detail
    • Encrypted Traffic
  • NetWitness Rules
    • Large Outbound Encrypted Sessions
    • Large Outbound Sessions
    • Malware Activity DNS
    • Malware Activity Unidentified
    • Malware Activity Web