This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

New Content Categorization Model

MehlamShakir
Employee
Employee
‎2016-06-03 01:33 PM

The RSA Live Content team recently released a new Content Categorization Model for ALL content available via the RSA Live service.  This means over 1000+ pieces of content such as app & ESA rules, reports and parsers are now tagged with one or more Categories.  This compliments previous categorization models provided in Security Analytics (SA).

The first two-levels of the new four-level deep categorization model are currently exposed as Live Search Tags in the SA UI.  You can find detailed information about the current implementation in SA docs, Content Live Search Tags​.

Screen Shot 2016-06-03 at 11.42.01 AM.png

Our analyst practitioners crafted the new categorization model by use scenario’s to closely replicate an Incident Response service-based approach. 

For example,

The attack phase category is designed to assist incident response practitioners with the escalation, remediation and classification of observed indicator of compromise activity.  The malware category, ties content that looks for malicious behaviors attributable to remote access trojans, crimeware, web shells and key loggers.  The risk category, ties intelligence SA may discover about the enterprise such as vulnerabilities, organizational hazards or business context provided through integrations with risk management systems like RSA Archer.

Our goal in Phase-I (which is now available for consumption) was to make it easier for users on all versions of SA to find and deploy Live content by Use Scenarios.

What to expect going forward?

Our goal in Phase-II is to allow SA users to leverage the new categories in rules and screens throughout SA to make it easier to detect, filter and drill-down using these categories (e.g. category=malware AND attack_phase=delivery) in addition to providing valuable context for all events and alerts.

Users can also expect a re-imagined user experience when working with Live Content in our upcoming major version of SA.  It will not only allow for more intuitive browsing & searching of Live content, but it will also include content versioning and reporting to determine at a glance what’s deployed in your environment and how it compares with the latest content on the RSA Live portal.

© 2022 RSA Security LLC or its affiliates. All rights reserved.