NetWitness Community

Dear Valued RSA Customer,

RSA is pleased to announce the addition of new and updated content to RSA Live’s Content Library. We have added a few useful submission links this month, so please take a moment to review the various sections in this announcement to become familiar with the latest tools we are providing you to detect threats to your environment.

The categories of new and updated content is as follows:

Application Rules

Correlation Rules

RE Rules

RE Reports

Event Stream Analysis Rules

Log (Device) Parsers

Lua Parsers

We look forward to presenting you new content updates next month!

Regards,

The RSA Security Analytics Content Team

Content Updates

New Application Rules

Title: ScribD Document Upload

Desc: Detects document uploads to the site ScribD.

Title: Wikileaks Email Submission

Desc: Detects emails being sent to the Wikileaks domain, sunshinepress.org.

New Correlation Rules

Title: IPv4 Bulk Data Transfer 20 Mb

Desc: Detects when a IPV4 source and destination addresses exchange more than 20MB of data in 5 min

Title: IPv6 Bulk Data Transfer 20 Mb

Desc: Detects when a IPV6 source and destination addresses exchange more than 20MB of data in 5 min

Title: IPv4 Bulk Data Transfer 50 Mb

Desc: Detects when a IPV4 source and destination addresses exchange more than 50MB of data in 5 min

Title: IPv6 Bulk Data Transfer 50 Mb

Desc: Detects when a IPV6 source and destination addresses exchange more than 50MB of data in 5 min

New RE Rules

Title: Top Alias Host Destination by Session Count

Desc: Aggregates sessions by alias.host and displays the top five results by session count in descending order.

Title: Top Alias Host Destination by Source IP

Desc: Aggregates sessions by alias.host and displays the top five results grouped by ip.src and summarized by session count in descending order.

Title: Top Destination Country by Session Count

Desc: Aggregates sessions by country.dst and displays the top five results by session count in descending order.

Title: Top Destination Country by Session Size

Desc: Aggregates sessions by country.dst and displays the top five results by session size in descending order.

Title: Top Destination Country by Source IP

Desc: Aggregates sessions by country.dst and displays the top five results grouped by ip.src and summarized by session count in descending order.

Title: Top HTTPS Destination IP by Session Size

Desc: Aggregates sessions by ip.dst and displays the top five results where the tcp.dstport equals 443 or the client equals HTTPS.  The results are summarized by session count in descending order.

Title: Top Network Service by Session Count

Desc: Aggregates sessions by service and displays the top five results by session count in descending order.

Title: Botnet Activity

Desc: Botnet Activity,This rule fires when any or one of 128 different Botnets has been detected.

Title: Cleartext Authentications

Desc: This rule displays events in which passwords were sent over cleartext using network protocols such as FTP, HTTP, POP3 and SMTP.

Title: Bulk Data Transfer

Desc: Displays events where the amount of data transferred between the Source-Destination IP pairs is over 20 Mb or 50 Mb.

Title: Known Service detected over Non Standard Network Port

Desc: Displays sessions whose service is detected on a non-standard network port. For example, DNS detected on port 555 when the default port is 53.

Title: Unknown Service detected over Standard Network Port

Desc: Displays sessions where unknown service is detected on the standard network port. For example, unknown service detected on port 53, which is the standard DNS port

Title: Top 10 Risk Warning by Source IP

Desc: Aggregates sessions by risk.warning and displays the top ten results by ip.src in descending order.

Title: Top 10 Risk Warning by Destination IP

Desc: Aggregates sessions by risk.warning and displays the top ten results by ip.dst in descending order.

Title: Top 10 Risk Warning by Session Size

Desc: Aggregates sessions by risk.warning and displays the top ten results by session size in descending order.

Title: Top 10 Risk Suspicious by Source IP

Desc: Aggregates sessions by risk.suspicious and displays the top ten results by ip.src in descending order.

Title: Top 10 Risk Suspicious by Destination IP

Desc: Aggregates sessions by risk.suspicious and displays the top ten results by ip.dst in descending order.

Title: Top 10 Risk Suspicious by Session Size

Desc: Aggregates sessions by risk.suspicious and displays the top ten results by session size in descending order.

Title: All Risk Warning by Source IP

Desc: Aggregates sessions by risk.warning and displays all results by ip.src in descending order.

Title: All Risk Warning by Destination IP

Desc: Aggregates sessions by risk.warning and displays all results by ip.dst in descending order.

Title: All Risk Warning by Session Size

Desc: Aggregates sessions by risk.warning and displays all results by session size in descending order.

Title: All Risk Suspicious by Source IP

Desc: Aggregates sessions by risk.suspicious and displays all results by ip.src in descending order.

Title: All Risk Suspicious by Destination IP

Desc: Aggregates sessions by risk.suspicious and displays all results by ip.dst in descending order.

Title: All Risk Suspicious by Session Size

Desc: Aggregates sessions by risk.suspicious and displays all results by session size in descending order.

New RE Reports

Title: SSAE 16 - Compliance Report

Desc: Statement on Standards for Attestation Engagements (SSAE 16) is an attestation standard issued by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) specifically geared towards addressing engagements conducted by service organizations to report on the design of controls and their operating effectiveness.

Title: FFIEC - Compliance Report

Desc: This article introduces the Federal Financial Institutions Examination Council (FFIEC) compliance templates available in Security Analytics. The Federal Financial Institutions Examination Council (FFIEC) is a body of the United States government empowered to prescribe principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), Mergers & Acquisitions International Clearing (MAIC), and the Consumer Financial Protection Bureau (CFPB).

Title: FISMA - Compliance Report

Desc: This article introduces the Federal Information Security Management Act (FISMA) compliance templates available in RSA Security Analytics. The Federal Information Security Management Act (FISMA) is designed to ensure appropriate security controls for government information systems.

Title: Botnet Activity

Desc: This report can display Botnet activity of 128 different Botnets. It reports based on threat.category=botnet.

Filename: Botnet Activity

Title: Cleartext Authentications

Desc: This report displays events in which passwords were sent over cleartext using network protocols such as FTP, HTTP, POP3 and SMTP.

Title: Bulk Data Transfer - Report

Desc: Displays events where the amount of data transferred between the Source-Destination IP pairs is over 20 Mb or 50 Mb.

Title: Non-Standard Traffic

Desc: This report displays sessions which are categorized as unusual based on service and port usage. Sessions will either include session found on non standard port or unknown service on standard port

Title: Network Activity

Desc: This report displays summary data for top network activity for the following:Top Alias Host Destination by Session Count,Top Alias Host Destination by Source IP,Top Destination Country by Session Count,Top Destination Country by Session Size,Top Destination Country by Source IP,Top HTTPS Destination IP by Session Size,Top Network Service by Session Count

Title: Top 10 Risk Warning

Desc: This report summarizes Top 10 Risk Warning by Source, Destination and Session Size

Title: Top 10 Risk Suspicious

Desc: This report summarizes Top 10 Risk Suspicious by Source, Destination and Session Size

Title: All Risk Suspicious

Desc: This report lists All Risk Suspicious by Source, Destination and Session Size

Title: All Risk Warning

Desc: This report lists All Risk Warning by Source, Destination and Session Size

Title: PCI-Compliance Report

Desc: The Payment Card Industry (PCI) Data Security Standard applies to all payment card industry members, merchants, and service providers that store, process, or transmit payment cardholder data. Additionally, these security requirements apply to all "system components" - any network component, server, or application included in, or connected to, the cardholder data environment.

Title: SOX - Compliance Report

Desc: Sarbanes-Oxley Act of 2002 (SOX). Congress passed the Sarbanes-Oxley Act (SOX) in large part to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws. Section 404 of Sarbanes-Oxley not only requires companies to establish and maintain an adequate internal control structure, but also to assess its effectiveness on an annual basis.

Title: HIPAA - Compliance Report

Desc: The Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandates that providers, health plans, clearinghouses, and their business associates establish appropriate administrative, technical, and physical safeguards to protect the privacy and security of sensitive health information.

Title: BASEL II - Compliance Report

Desc: This article introduces Basel II report templates available for use with Security Analytics Reporter. Basel II compliance reports are based on recommendations by bank supervisors and central bankers to improve the consistency of capital regulations internationally, make regulatory capital more risk sensitive, and promote enhanced risk-management practices among international banking organizations.

Title: BILL 198 - Compliance Report

Desc: This article introduces Bill 198 compliance reports available in RSA Security Analytics. Bill 198 empowers the Ontario Securities Commission to develop guidelines to protect investors in public Canadian companies by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws.

Title: FERPA - Compliance Report

Desc: This article introduces the Family Educational Rights and Privacy Act (FERPA) compliance report templates available in Security Analytics. The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. 1232g, 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.

Title: NISPOM - Compliance Report

Desc: This article introduces the National Industrial Security Program Operating Manual (NISPOM) templates available in Security Analytics Reporter. The National Industrial Security Program Operating Manual (NISPOM) developed by the Department of Defense, sets comprehensive standards for protecting classified data. All government agencies and commercial contractors who have access to classified data are required to implement system protection processes to ensure continued availability and integrity of this data, and prevent its unauthorized disclosure. These regulations apply to systems used in the capture, creation, storage, processing, or distribution of restricted information.

Title: GLBA - Compliance Report

Desc: This article introduces the Gramm-Leach-Bliley Act (GLBA) compliance templates available in RSA Security Analytics. The Gramm-Leach-Bliley Act (GLBA) requires companies defined under the law as "financial institutions" to ensure the security and confidentiality of this type of information. As part of its implementation of GLBA, the Federal Trade Commission (FTC) issued the Safeguards Rule, which requires financial institutions under FTC jurisdiction to have measures in place to keep customer information secure.

Title: GPG-13 - Compliance Report

Desc: Good Practice Guide 13 (GPG13) defines requirements for protective monitoring-for example, the use of intrusion detection and prevention systems(IDS/IPS)-with which local authorities must comply in order to prevent accidental or malicious data loss.

Title: NERC-CIP - Compliance Report

Desc: The NERC CIP compliance reports in RSA Security Analytics are based on North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) program requirements. The CIP program coordinates NERCs efforts to improve physical and cyber security for the bulk power system of North America as it pertains to reliability. This includes standards development, compliance enforcement, assessments of risk and preparedness, disseminating critical information via alerts to industry, and raising awareness of key issues.

Title: ISO27002 - Compliance Report

Desc: ISO 27002 establishes guidelines and general principles for initiating, implementing, maintaining and improving information security management in an organization. ISO 27002 is used as the foundation and technical guidelines for many international and industry compliance standards and are generally good practices for all organizations.

New ESA Rules

Title: SSH connection from internet routable IP followed by HTTP/SSH service restart on destination: Log

Desc: SSH connection is detected from an internet routable IP (non-RFC 1918 standard IP or external IP addresses) followed by a HTTP/SSH service restart on destination. The default time is 5 minutes and the default service names being monitored are sshd and httpd. This rule uses a non-indexed key - service.name. It needs to be indexed on Log Decoder in table-map.xml and added to Concentrator through index_concentrator_custom.xml.

Title: Windows Worm Activity Detected Packets

Desc: Detects a single source IP reaching out to 10 distinct destination IP addresses on ports 137, 138, 139, or 445 within 1 minute.   The list of destination ports, event time window and number of unique destination IPs are configurable

Title: Windows Worm Activity Detected Logs

Desc: Detects log messages indicative of a worm with a destination port of 137, 138, 139 or 445 from at least 10 unique RFC-1918 source IPs within 1 minute. The list of destination ports, event time window and number of unique source IPs are configurable.

Updated Log Parsers

Title: Dragon IDS

Desc: Log Device content for event source Dragon IDS - dragonids

Title: Tipping Point

Desc: Log Device content for event source Tipping Point - tippingpoint

Title: Envision Content File

Desc: This file is used to update the content file for NWFL

Title: Microsoft IIS

Desc: Log Device content for event source Microsoft IIS - microsoftiis

Title: Airdefense Enterprise

Desc: Log Device content for event source Airdefense Enterprise - airdefense

Title: F5 BigIP

Desc: Log Device content for event source F5 BigIP - bigip

Title: F5 Big-IP Application Security Manager

Desc: Log Device content for event source F5 Big-IP Application Security Manager - bigipasm

Title: Check Point FW-1

Desc: Log Device content for event source Check Point FW-1 - checkpointfw1

Title: Cisco ASA

Desc: Log Device content for event source Cisco ASA - ciscoasa

Title: Cisco Secure IDS XML

Desc: Log Device content for event source Cisco Secure IDS XML - ciscoidsxml

Title: Citrix NetScaler

Desc: Log Device content for event source Citrix NetScaler - citrixns

Title: Cyberoam UTM

Desc: Log Device content for event source Cyberoam UTM - cyberoamutm

Title: McAfee ePolicy Orchestrator

Desc: Log Device content for event source McAfee ePolicy Orchestrator - epolicy

Title: Fabric OS

Desc: Log Device content for event source Fabric OS - fabricos

Title: Infoblox NIOS

Desc: Log Device content for event source Infoblox NIOS - infobloxnios

Title: IntruShield

Desc: Log Device content for event source IntruShield - intrushield

Title: ISS Realsecure

Desc: Log Device content for event source ISS Realsecure - iss

Title: Juniper SSL VPN

Desc: Log Device content for event source Juniper SSL VPN - junipervpn

Title: McAfee Web Gateway

Desc: Log Device content for event source McAfee Web Gateway - mcafeewg

Title: Microsoft Exchange

Desc: Log Device content for event source Microsoft Exchange - msexchange

Title: Netscreen IDP

Desc: Log Device content for event source Netscreen IDP - netscreenidp

Title: Palo Alto Networks Firewall

Desc: Log Device content for event source Palo Alto Networks Firewall - paloaltonetworks

Title: Linux

Desc: Log Device content for event source Linux - rhlinux

Title: RSA Access Manager

Desc: Log Device content for event source RSA Access Manager - rsaaccessmanager

Title: Snort/Sourcefire

Desc: Log Device content for event source Snort/Sourcefire - snort

Title: UNIX Solaris

Desc: Log Device content for event source UNIX Solaris - solaris

Title: Solaris Basic Security Module

Desc: Log Device content for event source Solaris Basic Security Module - solarisbsm

Title: Symantec AntiVirus/Endpoint Protection

Desc: Log Device content for event source Symantec AntiVirus/Endpoint Protection - symantecav

Title: Symantec Brightmail

Desc: Log Device content for event source Symantec Brightmail - symantecbrightmail

Title: Symantec Critical Systems Protection

Desc: Log Device content for event source Symantec Critical Systems Protection - symanteccsp

Title: Voltage SecureData

Desc: Log Device content for event source Voltage SecureData - voltagesecuredata

Title: Windows Events (ER)

Desc: Log Device content for event source Windows Events (ER) - winevent_er

Title: Windows Events (Snare)

Desc: Log Device content for event source Windows Events (Snare) - winevent_snare

Title: Envision Config File

Desc: This file is used to update the Log Device base config files: table-map.xml,ipaddr.tab,etc.ini

Title: Cisco Secure ACS Appliance

Desc: Log Device content for event source Cisco Secure ACS Appliance - ciscosecureacs

Title: Cisco UCS Manager

Desc: Log Device content for event source Cisco UCS Manager - ciscoucs

Title: Netwitness Spectrum

Desc: Log Device content for event source Netwitness Spectrum - netwitnessspectrum

Title: RSA ECAT

Desc: Log Device content for event source RSA ECAT – rsaecat

New Lua Parsers

Title: Poison_Ivy

Desc: Detects Poison Ivy RAT activity

Title: Proxy_Block_Page

Desc: Parses proxy denied exception pages. Registers the url that was requested and the reason for denial. Blue Coat and Palo Alto are currently supported.

Seeking Customer Developed Parsers, Rules, and Reports

Security Analytics content will be evolving in 2014, both in functionality and presentation. We’d like to work more closely with our customers in order to provide content that helps you find the threats that matter most to you. Your feedback, suggestions, and general questions are always appreciated.

1. Have you created a parser, rule, or report that you think is widely applicable across the SA User Community? Let us know about it!  Reach out to us at:

ASOC-LIVE-CONTENT@emc.com

Your emails will go directly to the Content Management team and we are looking forward to working with you to help evolve our content offering.

2.  Do you want to request support for a new log source or protocol?

              For Log Parser Requests go here: https://emcinformation.com/64308/REG/.ashx

               For Protocol Parser Requests go here: https://emcinformation.com/139605/SI/.ashx

3.  Do you want to request use cases for Event Stream Analysis Rules?

                           Please use our request form: https://emcinformation.com/204401/REG/.ashx

4. The content team will also be heavily engaged with the EMC Community portal this year. Not only is the Community a great place for us to communicate directly with our customers, but it’s a wonderful resource for our customers to gain tips and tricks from our research engineers as well as gain early access to our various pieces of security research. Not a member? Sign up here:

https://developer-content.emc.com/login/register.asp