This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- NetWitness Community
- Blog
- Content Hygiene – Application Rule Alert Mapping Updates
DarrenMccutchen
Frequent Contributor
Options
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
2023-07-11
10:13 AM
To help facilitate future content improvements such as new bundles and feeds, we have adjusted the alert meta mappings for several Application Rules. By more strictly adhering to the original intention for the alert detection categories, NetWitness users will gain more meaningful and accurate insights into activity within their environments. Rules were re-aligned with the Hunting Compromise and Analysis Keys:
- Behavior of Compromise (boc): Designated for suspect or nefarious behavior outside the standard signature-based detection
- Service Analysis (analysis.service): Core application protocols identification and inspection
- Session Analysis (analysis.session): Client-server communication deviations
- File Analysis (analysis.file): A large inspection library that highlights file characteristics and anomalies
Updated Application Rules:
|
Name |
Previous Key |
New Key |
|
exe filetype but not exe extension* |
boc |
analysis.file |
|
Small Executable |
alert.id |
analysis.file |
|
Small Executable Extension Mismatch |
alert.id |
analysis.file |
|
Small Executable No Directory |
alert.id |
analysis.file |
|
Small Executable No Host |
alert.id |
analysis.file |
|
Small Executable Root Directory |
alert.id |
analysis.file |
|
DoH Usage* |
boc |
analysis.service |
|
IRC File Transfer |
alert.id |
analysis.service |
|
Passwords Over FTP |
alert.id |
analysis.service |
|
Passwords Over HTTP |
alert.id |
analysis.service |
|
Passwords Over Other Protocols |
alert.id |
analysis.service |
|
Passwords Over Pop3 |
alert.id |
analysis.service |
|
Passwords Over SMTP |
alert.id |
analysis.service |
|
Passwords Over Telnet |
alert.id |
analysis.service |
|
Possible SMB Scanning Detected* |
boc |
analysis.service |
|
BYOD Mobile Web Agent Detected |
alert.id |
analysis.session |
|
Possible Port Scanning Detected* |
boc |
analysis.session |
|
suspicious long filename get request |
alert.id |
analysis.session |
|
suspicious PHP url-encoded put |
alert.id |
analysis.session |
|
Unknown Service Over DNS Port |
alert.id |
analysis.session |
|
Unknown Service Over FTP Port |
alert.id |
analysis.session |
|
Unknown Service Over HTTP Port |
alert.id |
analysis.session |
|
Unknown Service Over IRC Port |
alert.id |
analysis.session |
|
Unknown Service Over NNTP Port |
alert.id |
analysis.session |
|
Unknown Service Over POP3 Port |
alert.id |
analysis.session |
|
Unknown Service Over SMB Port |
alert.id |
analysis.session |
|
Unknown Service Over SMTP Port |
alert.id |
analysis.session |
|
Unknown Service Over SSL Port |
alert.id |
analysis.session |
|
Unknown Service Over Telnet Port |
alert.id |
analysis.session |
|
Archive From IP Address |
alert.id |
boc |
|
Attachment Overload |
alert.id |
boc |
|
File Transport Over Unknown Protocol |
alert.id |
boc |
|
Non-Standard Port Use - DHCP |
alert.id |
boc |
|
Non-Standard Port Use - DNS |
alert.id |
boc |
|
Non-Standard Port Use - FTP |
alert.id |
boc |
|
Non-Standard Port Use - H323 |
alert.id |
boc |
|
Non-Standard Port Use - HTTP |
alert.id |
boc |
|
Non-Standard Port Use - IRC |
alert.id |
boc |
|
Non-Standard Port Use - NetBios |
alert.id |
boc |
|
Non-Standard Port Use - NNTP |
alert.id |
boc |
|
Non-Standard Port Use - POP3 |
alert.id |
boc |
|
Non-Standard Port Use - RDP |
alert.id |
boc |
|
Non-Standard Port Use - RIP |
alert.id |
boc |
|
Non-Standard Port Use - RPC |
alert.id |
boc |
|
Non-Standard Port Use - RTP |
alert.id |
boc |
|
Non-Standard Port Use - SIP |
alert.id |
boc |
|
Non-Standard Port Use - SMB |
alert.id |
boc |
|
Non-Standard Port Use - SMTP |
alert.id |
boc |
|
Non-Standard Port Use - SNMP |
alert.id |
boc |
|
Non-Standard Port Use - SSH |
alert.id |
boc |
|
Non-Standard Port Use - SSL |
alert.id |
boc |
|
Non-Standard Port Use - TDS |
alert.id |
boc |
|
Non-Standard Port Use - Telnet |
alert.id |
boc |
|
Non-Standard Port Use - TFTP |
alert.id |
boc |
|
Non-Standard Port Use - TNS |
alert.id |
boc |
* - Users subscribed to these alerts will have rules automatically updated
Note - Application Rules formerly keyed to ‘alert.id’ will need to be added from NetWitness Live.
Removed Content
As an additional content hygiene measure, the following outdated/discontinued content has been removed from NetWitness Live:
- Advanced Analytics (Warehouse) / Data Science Model
- ETL for Mapr
- ETL
- ETL for Pivotal
- Host Profile for Mapr
- Host Profile for Pivotal
- Suspicious DNS Activity for Mapr
- Suspicious DNS Activity for Pivotal
- Suspicious Domains for Mapr
- Suspicious Domains for Pivotal
- Application Rules
- HttpBrowser Malware
- NTP DDoS Attack 234-byte Request: Packets
- NTP DDoS Attack 50-byte Request: Packets
- NTP DDoS Attack 60-byte Request: Packets
- NTP DDoS Attack 234-byte Request: Netflow
- NTP DDoS Attack 50-byte Request: Netflow
- NTP DDoS Attack 60-byte Request: Netflow
- Large Outbound Encrypted session
- Large Outbound Session
- Event Stream Analysis
- Cerber Ransomware
- Inbound Packet Followed by Recipient Outbound Encrypted Connection
- Internal Data Posting to 3rd party sites
- Malware Dropper
- Web DoS Alert
- BYOD Mobile Web Agent Detected
- Detection of Encrypted Traffic to Countries
- Multiple SYN packets from Same Source
- Potential HTTP Slow Post DoS
- Detect Port Knocking Packet
- Punycode Phishing Attempt
- Investigation Column Group
- Email Analysis Column Group
- Endpoint Analysis Column Group
- Web Analysis Group Column
- Malware Analysis Column Group
- Threat Analysis Column Group
- User and Entity Behaviour Analysis Column Group
- Lua Parsers
- Poison_Ivy
- plugx
- rekaf
- struts_exploit
- pvid
- MSU_rat
- CustomTCP
- supercmd
- china_chopper
- apt_artifacts
- cerber
- duqu_lua
- electricfish
- Evilgrab
- NetWitness Reports
- Malware Activity Report
- Large Outbound Connections to 3rd Party Sites Sessions
- Large Outbound Encrypted Sessions
- Large Outbound Sessions
- Hunting Summary
- Hunting Detail
- Encrypted Traffic
- NetWitness Rules
- Large Outbound Encrypted Sessions
- Large Outbound Sessions
- Malware Activity DNS
- Malware Activity Unidentified
- Malware Activity Web
6 Comments
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Latest Articles
- FirstWatch Threat Spotlight: HAVOC C2
- FirstWatch Threat Spotlight – BlueSky Ransomware
- Advanced HTTP and TLS Concepts (Video)
- Using NetWitness to Detect Command and Control: SILENTTRINITY C2
- FirstWatch Threat Spotlight – Remcos RAT
- FirstWatch Threat Spotlight: The LockBit Conundrum - A Glimpse into Ransomware Warfare
- Content Hygiene – Application Rule Alert Mapping Updates
- Microsoft Azure Log Analytics workspace integration with Netwitness
- FirstWatch Threat Spotlight: Cryptonite Ransomware
- Deployment Inventory (Serial Numbers)
Labels
-
Announcements
64 -
Events
8 -
Features
11 -
Integrations
12 -
Resources
67 -
Tutorials
32 -
Use Cases
29 -
Videos
118
