Dear Valued RSA Customer,
RSA is pleased to announce the addition of new and updated content to RSA Live’s Content Library. We have added a few useful submission links this month, so please take a moment to review the various sections in this announcement to become familiar with the latest tools we are providing you to detect threats to your environment.
The categories of new and updated content are as follows:
Application Rules
Correlation Rules
RE Rules
RE Reports
Event Stream Analysis Rules
Log (Device) Parsers
Lua Parsers
We look forward to presenting you new content updates next month!
Regards,
The RSA Security Analytics Content Team
Content Updates
New Application Rules
Title: ScribD Document Upload
Desc: Detects document uploads to the site Scribd.
Title: Wikileaks Email Submission
Desc: Detects emails being sent to the Wikileaks domain, sunshinepress.org.
New Correlation Rules
Title: IPv4 Bulk Data Transfer 20 Mb
Desc: Detects when an IPv4 source and destination address pair exchanges more than 20 MB of data in 5 minutes.
Title: IPv6 Bulk Data Transfer 20 Mb
Desc: Detects when an IPv6 source and destination address pair exchanges more than 20 MB of data in 5 minutes.
Title: IPv4 Bulk Data Transfer 50 Mb
Desc: Detects when an IPv4 source and destination address pair exchanges more than 50 MB of data in 5 minutes.
Title: IPv6 Bulk Data Transfer 50 Mb
Desc: Detects when an IPv6 source and destination address pair exchanges more than 50 MB of data in 5 minutes.
New RE Rules
Title: Top Alias Host Destination by Session Count
Desc: Aggregates sessions by alias.host and displays the top five results by session count in descending order.
Title: Top Alias Host Destination by Source IP
Desc: Aggregates sessions by alias.host and displays the top five results grouped by ip.src and summarized by session count in descending order.
Title: Top Destination Country by Session Count
Desc: Aggregates sessions by country.dst and displays the top five results by session count in descending order.
Title: Top Destination Country by Session Size
Desc: Aggregates sessions by country.dst and displays the top five results by session size in descending order.
Title: Top Destination Country by Source IP
Desc: Aggregates sessions by country.dst and displays the top five results grouped by ip.src and summarized by session count in descending order.
Title: Top HTTPS Destination IP by Session Size
Desc: Aggregates sessions by ip.dst and displays the top five results where the tcp.dstport equals 443 or the client equals HTTPS. The results are summarized by session count in descending order.
Title: Top Network Service by Session Count
Desc: Aggregates sessions by service and displays the top five results by session count in descending order.
Title: Botnet Activity
Desc: This rule fires when any one of 128 different botnets has been detected.
Title: Cleartext Authentications
Desc: This rule displays events in which passwords were sent over cleartext using network protocols such as FTP, HTTP, POP3 and SMTP.
Title: Bulk Data Transfer
Desc: Displays events where the amount of data transferred between the Source-Destination IP pairs is over 20 Mb or 50 Mb.
Title: Known Service detected over Non Standard Network Port
Desc: Displays sessions whose service is detected on a non-standard network port. For example, DNS detected on port 555 when the default port is 53.
Title: Unknown Service detected over Standard Network Port
Desc: Displays sessions where an unknown service is detected on a standard network port. For example, an unknown service detected on port 53, which is the standard DNS port.
Title: Top 10 Risk Warning by Source IP
Desc: Aggregates sessions by risk.warning and displays the top ten results by ip.src in descending order.
Title: Top 10 Risk Warning by Destination IP
Desc: Aggregates sessions by risk.warning and displays the top ten results by ip.dst in descending order.
Title: Top 10 Risk Warning by Session Size
Desc: Aggregates sessions by risk.warning and displays the top ten results by session size in descending order.
Title: Top 10 Risk Suspicious by Source IP
Desc: Aggregates sessions by risk.suspicious and displays the top ten results by ip.src in descending order.
Title: Top 10 Risk Suspicious by Destination IP
Desc: Aggregates sessions by risk.suspicious and displays the top ten results by ip.dst in descending order.
Title: Top 10 Risk Suspicious by Session Size
Desc: Aggregates sessions by risk.suspicious and displays the top ten results by session size in descending order.
Title: All Risk Warning by Source IP
Desc: Aggregates sessions by risk.warning and displays all results by ip.src in descending order.
Title: All Risk Warning by Destination IP
Desc: Aggregates sessions by risk.warning and displays all results by ip.dst in descending order.
Title: All Risk Warning by Session Size
Desc: Aggregates sessions by risk.warning and displays all results by session size in descending order.
Title: All Risk Suspicious by Source IP
Desc: Aggregates sessions by risk.suspicious and displays all results by ip.src in descending order.
Title: All Risk Suspicious by Destination IP
Desc: Aggregates sessions by risk.suspicious and displays all results by ip.dst in descending order.
Title: All Risk Suspicious by Session Size
Desc: Aggregates sessions by risk.suspicious and displays all results by session size in descending order.
New RE Reports
Title: SSAE 16 - Compliance Report
Desc: Statement on Standards for Attestation Engagements (SSAE 16) is an attestation standard issued by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) specifically geared towards addressing engagements conducted by service organizations to report on the design of controls and their operating effectiveness.
Title: FFIEC - Compliance Report
Desc: This article introduces the Federal Financial Institutions Examination Council (FFIEC) compliance templates available in Security Analytics. The Federal Financial Institutions Examination Council (FFIEC) is a body of the United States government empowered to prescribe principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), Mergers & Acquisitions International Clearing (MAIC), and the Consumer Financial Protection Bureau (CFPB).
Title: FISMA - Compliance Report
Desc: This article introduces the Federal Information Security Management Act (FISMA) compliance templates available in RSA Security Analytics. The Federal Information Security Management Act (FISMA) is designed to ensure appropriate security controls for government information systems.
Title: Botnet Activity
Desc: This report can display Botnet activity of 128 different Botnets. It reports based on threat.category=botnet.
Filename: Botnet Activity
Title: Cleartext Authentications
Desc: This report displays events in which passwords were sent over cleartext using network protocols such as FTP, HTTP, POP3 and SMTP.
Title: Bulk Data Transfer - Report
Desc: Displays events where the amount of data transferred between the Source-Destination IP pairs is over 20 Mb or 50 Mb.
Title: Non-Standard Traffic
Desc: This report displays sessions which are categorized as unusual based on service and port usage. Sessions will include either a service found on a non-standard port or an unknown service on a standard port.
Title: Network Activity
Desc: This report displays summary data for top network activity for the following: Top Alias Host Destination by Session Count, Top Alias Host Destination by Source IP, Top Destination Country by Session Count, Top Destination Country by Session Size, Top Destination Country by Source IP, Top HTTPS Destination IP by Session Size, Top Network Service by Session Count.
Title: Top 10 Risk Warning
Desc: This report summarizes Top 10 Risk Warning by Source, Destination and Session Size.
Title: Top 10 Risk Suspicious
Desc: This report summarizes Top 10 Risk Suspicious by Source, Destination and Session Size.
Title: All Risk Suspicious
Desc: This report lists All Risk Suspicious by Source, Destination and Session Size.
Title: All Risk Warning
Desc: This report lists All Risk Warning by Source, Destination and Session Size.
Title: PCI-Compliance Report
Desc: The Payment Card Industry (PCI) Data Security Standard applies to all payment card industry members, merchants, and service providers that store, process, or transmit payment cardholder data. Additionally, these security requirements apply to all "system components" - any network component, server, or application included in, or connected to, the cardholder data environment.
Title: SOX - Compliance Report
Desc: Sarbanes-Oxley Act of 2002 (SOX). Congress passed the Sarbanes-Oxley Act (SOX) in large part to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws. Section 404 of Sarbanes-Oxley not only requires companies to establish and maintain an adequate internal control structure, but also to assess its effectiveness on an annual basis.
Title: HIPAA - Compliance Report
Desc: The Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandates that providers, health plans, clearinghouses, and their business associates establish appropriate administrative, technical, and physical safeguards to protect the privacy and security of sensitive health information.
Title: BASEL II - Compliance Report
Desc: This article introduces Basel II report templates available for use with Security Analytics Reporter. Basel II compliance reports are based on recommendations by bank supervisors and central bankers to improve the consistency of capital regulations internationally, make regulatory capital more risk sensitive, and promote enhanced risk-management practices among international banking organizations.
Title: BILL 198 - Compliance Report
Desc: This article introduces Bill 198 compliance reports available in RSA Security Analytics. Bill 198 empowers the Ontario Securities Commission to develop guidelines to protect investors in public Canadian companies by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws.
Title: FERPA - Compliance Report
Desc: This article introduces the Family Educational Rights and Privacy Act (FERPA) compliance report templates available in Security Analytics. The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. 1232g, 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
Title: NISPOM - Compliance Report
Desc: This article introduces the National Industrial Security Program Operating Manual (NISPOM) templates available in Security Analytics Reporter. The National Industrial Security Program Operating Manual (NISPOM), developed by the Department of Defense, sets comprehensive standards for protecting classified data. All government agencies and commercial contractors who have access to classified data are required to implement system protection processes to ensure continued availability and integrity of this data, and prevent its unauthorized disclosure. These regulations apply to systems used in the capture, creation, storage, processing, or distribution of restricted information.
Title: GLBA - Compliance Report
Desc: This article introduces the Gramm-Leach-Bliley Act (GLBA) compliance templates available in RSA Security Analytics. The Gramm-Leach-Bliley Act (GLBA) requires companies defined under the law as "financial institutions" to ensure the security and confidentiality of customer information. As part of its implementation of GLBA, the Federal Trade Commission (FTC) issued the Safeguards Rule, which requires financial institutions under FTC jurisdiction to have measures in place to keep customer information secure.
Title: GPG-13 - Compliance Report
Desc: Good Practice Guide 13 (GPG13) defines requirements for protective monitoring, for example the use of intrusion detection and prevention systems (IDS/IPS), with which local authorities must comply in order to prevent accidental or malicious data loss.
Title: NERC-CIP - Compliance Report
Desc: The NERC CIP compliance reports in RSA Security Analytics are based on North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) program requirements. The CIP program coordinates NERC's efforts to improve physical and cyber security for the bulk power system of North America as it pertains to reliability. This includes standards development, compliance enforcement, assessments of risk and preparedness, disseminating critical information via alerts to industry, and raising awareness of key issues.
Title: ISO27002 - Compliance Report
Desc: ISO 27002 establishes guidelines and general principles for initiating, implementing, maintaining and improving information security management in an organization. ISO 27002 is used as the foundation and technical guideline for many international and industry compliance standards, and its controls are generally good practice for all organizations.
New ESA Rules
Title: SSH connection from internet routable IP followed by HTTP/SSH service restart on destination: Log
Desc: An SSH connection is detected from an internet-routable IP address (a non-RFC 1918, external IP address) followed by an HTTP/SSH service restart on the destination. The default time window is 5 minutes and the default service names being monitored are sshd and httpd. This rule uses a non-indexed key, service.name. It needs to be indexed on the Log Decoder in table-map.xml and added to the Concentrator through index_concentrator_custom.xml.
Title: Windows Worm Activity Detected Packets
Desc: Detects a single source IP reaching out to 10 distinct destination IP addresses on ports 137, 138, 139, or 445 within 1 minute. The list of destination ports, event time window and number of unique destination IPs are configurable.
Title: Windows Worm Activity Detected Logs
Desc: Detects log messages indicative of a worm with a destination port of 137, 138, 139 or 445 from at least 10 unique RFC-1918 source IPs within 1 minute. The list of destination ports, event time window and number of unique source IPs are configurable.
Updated Log Parsers
Title: Dragon IDS
Desc: Log Device content for event source Dragon IDS - dragonids
Title: Tipping Point
Desc: Log Device content for event source Tipping Point - tippingpoint
Title: Envision Content File
Desc: This file is used to update the content file for NWFL
Title: Microsoft IIS
Desc: Log Device content for event source Microsoft IIS - microsoftiis
Title: Airdefense Enterprise
Desc: Log Device content for event source Airdefense Enterprise - airdefense
Title: F5 BigIP
Desc: Log Device content for event source F5 BigIP - bigip
Title: F5 Big-IP Application Security Manager
Desc: Log Device content for event source F5 Big-IP Application Security Manager - bigipasm
Title: Check Point FW-1
Desc: Log Device content for event source Check Point FW-1 - checkpointfw1
Title: Cisco ASA
Desc: Log Device content for event source Cisco ASA - ciscoasa
Title: Cisco Secure IDS XML
Desc: Log Device content for event source Cisco Secure IDS XML - ciscoidsxml
Title: Citrix NetScaler
Desc: Log Device content for event source Citrix NetScaler - citrixns
Title: Cyberoam UTM
Desc: Log Device content for event source Cyberoam UTM - cyberoamutm
Title: McAfee ePolicy Orchestrator
Desc: Log Device content for event source McAfee ePolicy Orchestrator - epolicy
Title: Fabric OS
Desc: Log Device content for event source Fabric OS - fabricos
Title: Infoblox NIOS
Desc: Log Device content for event source Infoblox NIOS - infobloxnios
Title: IntruShield
Desc: Log Device content for event source IntruShield - intrushield
Title: ISS Realsecure
Desc: Log Device content for event source ISS Realsecure - iss
Title: Juniper SSL VPN
Desc: Log Device content for event source Juniper SSL VPN - junipervpn
Title: McAfee Web Gateway
Desc: Log Device content for event source McAfee Web Gateway - mcafeewg
Title: Microsoft Exchange
Desc: Log Device content for event source Microsoft Exchange - msexchange
Title: Netscreen IDP
Desc: Log Device content for event source Netscreen IDP - netscreenidp
Title: Palo Alto Networks Firewall
Desc: Log Device content for event source Palo Alto Networks Firewall - paloaltonetworks
Title: Linux
Desc: Log Device content for event source Linux - rhlinux
Title: RSA Access Manager
Desc: Log Device content for event source RSA Access Manager - rsaaccessmanager
Title: Snort/Sourcefire
Desc: Log Device content for event source Snort/Sourcefire - snort
Title: UNIX Solaris
Desc: Log Device content for event source UNIX Solaris - solaris
Title: Solaris Basic Security Module
Desc: Log Device content for event source Solaris Basic Security Module - solarisbsm
Title: Symantec AntiVirus/Endpoint Protection
Desc: Log Device content for event source Symantec AntiVirus/Endpoint Protection - symantecav
Title: Symantec Brightmail
Desc: Log Device content for event source Symantec Brightmail - symantecbrightmail
Title: Symantec Critical Systems Protection
Desc: Log Device content for event source Symantec Critical Systems Protection - symanteccsp
Title: Voltage SecureData
Desc: Log Device content for event source Voltage SecureData - voltagesecuredata
Title: Windows Events (ER)
Desc: Log Device content for event source Windows Events (ER) - winevent_er
Title: Windows Events (Snare)
Desc: Log Device content for event source Windows Events (Snare) - winevent_snare
Title: Envision Config File
Desc: This file is used to update the Log Device base config files: table-map.xml, ipaddr.tab, etc.ini
Title: Cisco Secure ACS Appliance
Desc: Log Device content for event source Cisco Secure ACS Appliance - ciscosecureacs
Title: Cisco UCS Manager
Desc: Log Device content for event source Cisco UCS Manager - ciscoucs
Title: Netwitness Spectrum
Desc: Log Device content for event source Netwitness Spectrum - netwitnessspectrum
Title: RSA ECAT
Desc: Log Device content for event source RSA ECAT - rsaecat
New Lua Parsers
Title: Poison_Ivy
Desc: Detects Poison Ivy RAT activity
Title: Proxy_Block_Page
Desc: Parses proxy denied exception pages. Registers the URL that was requested and the reason for denial. Blue Coat and Palo Alto are currently supported.
Seeking Customer Developed Parsers, Rules, and Reports
Security Analytics content will be evolving in 2014, both in functionality and presentation. We’d like to work more closely with our customers in order to provide content that helps you find the threats that matter most to you. Your feedback, suggestions, and general questions are always appreciated.
1. Have you created a parser, rule, or report that you think is widely applicable across the SA User Community? Let us know about it! Reach out to us at:
Your emails will go directly to the Content Management team and we are looking forward to working with you to help evolve our content offering.
2. Do you want to request support for a new log source or protocol?
For Log Parser Requests go here: https://emcinformation.com/64308/REG/.ashx
For Protocol Parser Requests go here: https://emcinformation.com/139605/SI/.ashx
3. Do you want to request use cases for Event Stream Analysis Rules?
Please use our request form: https://emcinformation.com/204401/REG/.ashx
4. The content team will also be heavily engaged with the EMC Community portal this year. Not only is the Community a great place for us to communicate directly with our customers, but it’s a wonderful resource for our customers to gain tips and tricks from our research engineers as well as gain early access to our various pieces of security research. Not a member? Sign up here:
https://developer-content.emc.com/login/register.asp