NetWitness Community

The RSA Content team is pleased to announce the addition of the following new features along with new and updated content to the RSA Live Content Library. 

Live Content Search Tags

A new set of Advanced Security Operations Center (ASOC) tags have been introduced in Live to provide an easier way to search for relevant content. These tags are used to organize Live content and to deliver an accurate path to information security incident response. The tags are found in the Tags field in the Live Search Criteria view. The objective of a tag is to catalog existing content for deployment according to an incident response approach. RSA LINK.

Traffic Flow- Directionality

Decoders can now derive the directionality of traffic using the source and destination hosts referenced within a session. This information provides the context of whether a session was initiated from an internal host to an external host (outbound), from an external host to an internal host (inbound), or was between two internal hosts (lateral). RSA LINK.

Ransomware Indicators in Feeds

Ransomware continues to be a significant threat to our customers, so this is a very timely addition.  Abuse.ch has added a ransomware tracker which tracks the following families of ransomware:

TeslaCrypt

CryptoWall

TorrentLocker

PadCrypt

Locky

CTB-Locker

FAKBEN

PayCrypt

We’ve added these indicators to the following feeds in LIVE:

1.    Third Party IOC Domains

2.    Third Party IOC IPs

Here is the link to the Blog Post.

10.6.1 Related Updates

Enhanced Log Parsing functionality

An enhancement has been made to the transfer of logs from the Log Collector to the Log Decoder which can minimize the chances of incorrect parsing. As part of the Log Collector configuration of certain types of event sources, such as File or ODBC, the Administrator can now specify the event source type, such as Apache or Oracle. The Log Collector now passes this information to the Log Decoder so that the Log Decoder can directly use the specified parser. No configuration changes are necessary, but new Log Collector content will need to be applied from Live in order to benefit from this enhancement.

Enhanced Content Deprecation

All the content on Live has been reviewed to see if there is any that is outdated and can be discontinued. Individual services can be scanned for discontinued content.  The discontinued resources are displayed in red on the UI. Refer to the Live Services Management guide for more details.

Here is a list of all Discontinued Content on Live. RSA LINK. 

Out of the Box Content Updates

RSA Security Analytics Content team has updated the following parsers and analytical content based on feedback from our customers and partners:

For a full breakdown please go to RSA LINK.

Analytical Content

Application Rules

1 New Rules has been added.

1 Rule has been updated.

Feeds

4 Feeds have been updated.

Security Analytics Rules

4 New Rules have been added.

2 Rules have been updated.

Security Analytics Reports

1 New Report has been added.

Parser Content

Packet Parsers

3 New Parsers have been added.

15 Parsers have been updated.

Log Parsers

45 parsers have been updated

Additional Information

The entire content library can be viewed here:

https://sadocs.emc.com/0_en-us/300_RSA_ContentAndResources

Content requests can be made here:

https://sadocs.emc.com/0_en-us/300_RSA_ContentAndResources/RSA_Content_Resources/40_Request_Portals

Regards,

The ASOC Content Team ( ASOC.Content@rsa.com )