This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- NetWitness Community
- Blog
- Content Hygiene – Application Rule Alert Mapping Updates
DarrenMccutchen
Frequent Contributor
Options
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
2023-07-11
10:13 AM
To help facilitate future content improvements such as new bundles and feeds, we have adjusted the alert meta mappings for several Application Rules. By more strictly adhering to the original intention for the alert detection categories, NetWitness users will gain more meaningful and accurate insights into activity within their environments. Rules were re-aligned with the Hunting Compromise and Analysis Keys:
- Behavior of Compromise (boc): Designated for suspect or nefarious behavior outside the standard signature-based detection
- Service Analysis (analysis.service): Core application protocols identification and inspection
- Session Analysis (analysis.session): Client-server communication deviations
- File Analysis (analysis.file): A large inspection library that highlights file characteristics and anomalies
Updated Application Rules:
|
Name |
Previous Key |
New Key |
|
exe filetype but not exe extension* |
boc |
analysis.file |
|
Small Executable |
alert.id |
analysis.file |
|
Small Executable Extension Mismatch |
alert.id |
analysis.file |
|
Small Executable No Directory |
alert.id |
analysis.file |
|
Small Executable No Host |
alert.id |
analysis.file |
|
Small Executable Root Directory |
alert.id |
analysis.file |
|
DoH Usage* |
boc |
analysis.service |
|
IRC File Transfer |
alert.id |
analysis.service |
|
Passwords Over FTP |
alert.id |
analysis.service |
|
Passwords Over HTTP |
alert.id |
analysis.service |
|
Passwords Over Other Protocols |
alert.id |
analysis.service |
|
Passwords Over Pop3 |
alert.id |
analysis.service |
|
Passwords Over SMTP |
alert.id |
analysis.service |
|
Passwords Over Telnet |
alert.id |
analysis.service |
|
Possible SMB Scanning Detected* |
boc |
analysis.service |
|
BYOD Mobile Web Agent Detected |
alert.id |
analysis.session |
|
Possible Port Scanning Detected* |
boc |
analysis.session |
|
suspicious long filename get request |
alert.id |
analysis.session |
|
suspicious PHP url-encoded put |
alert.id |
analysis.session |
|
Unknown Service Over DNS Port |
alert.id |
analysis.session |
|
Unknown Service Over FTP Port |
alert.id |
analysis.session |
|
Unknown Service Over HTTP Port |
alert.id |
analysis.session |
|
Unknown Service Over IRC Port |
alert.id |
analysis.session |
|
Unknown Service Over NNTP Port |
alert.id |
analysis.session |
|
Unknown Service Over POP3 Port |
alert.id |
analysis.session |
|
Unknown Service Over SMB Port |
alert.id |
analysis.session |
|
Unknown Service Over SMTP Port |
alert.id |
analysis.session |
|
Unknown Service Over SSL Port |
alert.id |
analysis.session |
|
Unknown Service Over Telnet Port |
alert.id |
analysis.session |
|
Archive From IP Address |
alert.id |
boc |
|
Attachment Overload |
alert.id |
boc |
|
File Transport Over Unknown Protocol |
alert.id |
boc |
|
Non-Standard Port Use - DHCP |
alert.id |
boc |
|
Non-Standard Port Use - DNS |
alert.id |
boc |
|
Non-Standard Port Use - FTP |
alert.id |
boc |
|
Non-Standard Port Use - H323 |
alert.id |
boc |
|
Non-Standard Port Use - HTTP |
alert.id |
boc |
|
Non-Standard Port Use - IRC |
alert.id |
boc |
|
Non-Standard Port Use - NetBios |
alert.id |
boc |
|
Non-Standard Port Use - NNTP |
alert.id |
boc |
|
Non-Standard Port Use - POP3 |
alert.id |
boc |
|
Non-Standard Port Use - RDP |
alert.id |
boc |
|
Non-Standard Port Use - RIP |
alert.id |
boc |
|
Non-Standard Port Use - RPC |
alert.id |
boc |
|
Non-Standard Port Use - RTP |
alert.id |
boc |
|
Non-Standard Port Use - SIP |
alert.id |
boc |
|
Non-Standard Port Use - SMB |
alert.id |
boc |
|
Non-Standard Port Use - SMTP |
alert.id |
boc |
|
Non-Standard Port Use - SNMP |
alert.id |
boc |
|
Non-Standard Port Use - SSH |
alert.id |
boc |
|
Non-Standard Port Use - SSL |
alert.id |
boc |
|
Non-Standard Port Use - TDS |
alert.id |
boc |
|
Non-Standard Port Use - Telnet |
alert.id |
boc |
|
Non-Standard Port Use - TFTP |
alert.id |
boc |
|
Non-Standard Port Use - TNS |
alert.id |
boc |
* - Users subscribed to these alerts will have rules automatically updated
Note - Application Rules formerly keyed to ‘alert.id’ will need to be added from NetWitness Live.
Removed Content
As an additional content hygiene measure, the following outdated/discontinued content has been removed from NetWitness Live:
- Advanced Analytics (Warehouse) / Data Science Model
- ETL for Mapr
- ETL
- ETL for Pivotal
- Host Profile for Mapr
- Host Profile for Pivotal
- Suspicious DNS Activity for Mapr
- Suspicious DNS Activity for Pivotal
- Suspicious Domains for Mapr
- Suspicious Domains for Pivotal
- Application Rules
- HttpBrowser Malware
- NTP DDoS Attack 234-byte Request: Packets
- NTP DDoS Attack 50-byte Request: Packets
- NTP DDoS Attack 60-byte Request: Packets
- NTP DDoS Attack 234-byte Request: Netflow
- NTP DDoS Attack 50-byte Request: Netflow
- NTP DDoS Attack 60-byte Request: Netflow
- Large Outbound Encrypted session
- Large Outbound Session
- Event Stream Analysis
- Cerber Ransomware
- Inbound Packet Followed by Recipient Outbound Encrypted Connection
- Internal Data Posting to 3rd party sites
- Malware Dropper
- Web DoS Alert
- BYOD Mobile Web Agent Detected
- Detection of Encrypted Traffic to Countries
- Multiple SYN packets from Same Source
- Potential HTTP Slow Post DoS
- Detect Port Knocking Packet
- Punycode Phishing Attempt
- Investigation Column Group
- Email Analysis Column Group
- Endpoint Analysis Column Group
- Web Analysis Group Column
- Malware Analysis Column Group
- Threat Analysis Column Group
- User and Entity Behaviour Analysis Column Group
- Lua Parsers
- Poison_Ivy
- plugx
- rekaf
- struts_exploit
- pvid
- MSU_rat
- CustomTCP
- supercmd
- china_chopper
- apt_artifacts
- cerber
- duqu_lua
- electricfish
- Evilgrab
- NetWitness Reports
- Malware Activity Report
- Large Outbound Connections to 3rd Party Sites Sessions
- Large Outbound Encrypted Sessions
- Large Outbound Sessions
- Hunting Summary
- Hunting Detail
- Encrypted Traffic
- NetWitness Rules
- Large Outbound Encrypted Sessions
- Large Outbound Sessions
- Malware Activity DNS
- Malware Activity Unidentified
- Malware Activity Web
6 Comments
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Latest Articles
- Using NetWitness to Detect Phishing reCAPTCHA Campaign
- Netwitness Platform Integration with Amazon Elastic Kubernetes Service
- Netwitness Platform Integration with MS Azure Sentinel Incidents
- Netwitness Platform Integration with AWS Application Load Balancer Access logs
- The Sky Is Crying: The Wake of the 19 JUL 2024 CrowdStrike Content Update for Microsoft Windows and ...
- The Sky Is Crying: The Wake of the 19 JUL 2024 CrowdStrike Content Update for Microsoft Windows and ...
- New HotFix: Addresses Kernel Panic After Upgrading to 12.4.1
- Automation with NetWitness: Core and NetWitness APIs
- HYDRA Brute Force
- DDoS using BotNet Use Case
Labels
-
Announcements
64 -
Events
12 -
Features
12 -
Integrations
15 -
Resources
68 -
Tutorials
32 -
Use Cases
31 -
Videos
119
