This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

NetWitness Threat Detection Content Report - September 2021

Anonymous
Not applicable
‎2021-09-09 02:27 PM

NetWitness announces the release of the following threat content and publications:

Blog Posts

 

Ransomware: A Beginner’s Guide to a Major Threat

At NetWitness we understand how devastating it can be to find yourself impacted by a ransomware attack. This primer was created to provide a ransomware FAQ on basic ransomware concepts and equip IT and non-IT professionals with a greater understanding of this growing threat.

AmitRotem_1-1631201664743.png

 

 

Videos

 

Visit the NetWitness Threat Detection and Response Playlist on www.youtube.com

 

AmitRotem_3-1631201897056.png

 

AmitRotem_5-1631202003709.png

 

Application Rules

 

OPSWAT rules (Endpoint)

OPSWAT (MetaDefender Core) provides advanced malware detection capabilities by scanning files with multiple anti-malware engines simultaneously. OPSWAT is integrated into the endpoint servers.

The following OPSWAT app rules are now available on RSA Live:

  • opswat reported infected
  • opswat reported suspicious
  • process with opswat reported infected
  • process with opswat reported suspicious

See the following article for details on how to configure OPSWAT scans:

https://community.rsa.com/t5/netwitness-platform-online/configure-opswat/ta-p/634816

 

AWS CloudTrail – Anomalous Activity Detection App Rules

AWS CloudTrail is an AWS service that helps in governance, compliance and operational risk auditing of an AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. We have used CloudTrail Events to create Log based App Rules and ESA Rules which will be effective in detecting Anomalous Behavioral Activity across multiple AWS services and will be helpful in maintaining security monitoring.

  • EC2 - Multiple instances created
  • EC2 - Multiple large instances created
  • EC2 - Multiple instances terminated
  • Critical changes to logging


Event Streaming Analytics (ESA) Rules

 

AWS CloudTrail - Anomalous Activity Detection ESA Rules

  • IAM - Multiple failed API calls from a single user (Unauthorized Access)
  • IAM - Multiple users created within a short period of time
  • IAM - Multiple users deleted within a short period of time
  • IAM - Multiple worldwide successful console logins were observed
  • EC2 - Multiple instances created within a short period of time
  • EC2 - Multiple large instances created within a short period of time
  • EC2 - Multiple instances terminated within a short period of time
  • EC2 - Multiple instances created in multiple regions within a short period of time
  • S3 - Mass copy objects
  • S3 - Mass delete objects
  • S3 - Buckets enumerated

 

Threat Intel Feeds

OSINT (open-source intelligence) IP Threat Intel Feed

This feed contains IP Address (IPv4 and IPv6) indicators that are suspected to be malicious. These indicators are extracted from multiple openly available sources (OSINT) and aggregated and scored through a partnership with ThreatConnect. The score (ThreatAssess) combines the severity and confidence of an indicator into a single value to help analysts understand the potential risk when that indicator is observed in their environment. This feed will trigger when one of the feed indicators is observed in network, log, and/or endpoint event data.

 

OSINT Non-IP Threat Intel Feed

This feed contains Non-IP Address, text-based indicators like Host, URL, File Hashes etc. that are suspected to be malicious. These indicators are extracted from multiple openly available sources (OSINT) and aggregated and scored through a partnership with ThreatConnect. The score (ThreatAssess) combines the severity and confidence of an indicator into a single value to help analysts understand the potential risk when that indicator is observed in their environment. This feed will trigger when one of the feed indicators is observed in network, log, and/or endpoint event data.

More details can be found on RSA Link at https://community.netwitness.com/t5/netwitness-community-blog/introducing-the-new-rsa-osint-threat-feeds/ba-p/521129

 

Investigation Feed

The Investigation feed generates metadata based upon the Investigation Model and MITRE ATT&CK® framework to assist an analyst with threat hunting and content generation. This is useful for front-line analysts as it minimizes the time dedicated to mining logs or sessions in support of their findings. To trigger the feed, a match to an application rule or part of a Lua parser logic is required.

More details can be found on NetWitness Community at https://community.netwitness.com/t5/netwitness-platform-threat/investigation-feed/ta-p/677895

 

Investigate Content


The following Investigate Profiles, Meta Groups and Column Groups for the UI

Investigate Profiles

  • ATT&CK Tactics
  • ATT&CK Techniques
  • Device classes
  • Protocols
  • Sources
  • UEBA models

 

Cloud Integrations


New Integration:            

  • MS Azure Graph Plugin

New plugin that can be used to collect any type of events/alerts from MS Graph API

Updated cloud integration:

  • Amazon CloudWatch Plugin

Added support for AWS Windows AD and Windows VM logs

  • S3 Universal Connector

Added support for AWS Windows AD and Windows VM logs

  • MS Azure Monitor

Added support for Azure Sentinel Incidents

  • MS Azure NSG

Added support for Gov cloud endpoint

  • MS Office 365
  • Google Cloud

 

Protocol (Lua) Parsers


New parsers:

  • TNS_lua

Identifies Oracle TNS database protocol. Extracts database, client host, client program, and username.

Updated parsers:

  • SMB_lua

Added specific meta for v1 negotiate and setup commands and responses.

Expanded support for Unicode character encodings.

Added extraction of action meta from EFSRPC

  • HTTP_lua

Expanded support for character encodings.

Added specific meta for authentication mechanisms.

Expanded plaintext credential detection and extraction.

Added support for decompression of brotli encoded responses (11.6+ only)

  • SMTP_lua

Added extraction of credentials from PLAIN and LOGIN authentication mechanisms

  • POP3_lua

Added extraction of credentials from LOGIN authentication mechanism.

  • IMAP_lua

Improved identification of IMAP sessions.

  • DNS_verbose_lua

Added detection of hex-encoded TXT records.

Improved identification of DNS sessions.

 

Log Parsers

 

Updated parsers:

  • Symantec Antivirus/Endpoint Protection
  • Tenable Network Security Nessus
  • Cisco IOS
  • PostgreSQL
  • Pulse Secure
  • Windows Events (Snare)
  • Aruba ClearPass Policy Manager
  • Netapp
  • Trend Micro IMSS
  • Rapid7 NeXpose
  • Palo Alto Networks Firewall
  • Astaro Security Gateway
  • Fortinet FortiGate
  • Microsoft Windows
  • Snort/Sourcefire
  • Big-IP Access Policy Manager
  • Windows Events (NIC)
  • Oracle
  • Symantec CEP
© 2022 RSA Security LLC or its affiliates. All rights reserved.