NetWitness Community Blog
RSA NetWitness Endpoint Content - Dashboards, Meta Groups, ESA Rules

SeanEnnis1
‎2018-05-18 08:15 AM

One of the major new features found in RSA NetWitness Platform version 11.1 is RSA NetWitness Endpoint Insights. RSA NetWitness Endpoint Insights is a free endpoint agent that provides a subset of the full RSA NetWitness Endpoint 4.4 functionality as well as the ability to perform Windows log collection. Details of how to configure RSA NetWitness Endpoint Insights can be found here: https://community.rsa.com/docs/DOC-86450

Additionally, as of RSA NetWitness Platform version 11.0, those with both RSA NetWitness Logs and the full RSA NetWitness Endpoint components have the option to start bringing the two worlds together under a unified interface. This integration strengthens in version 11.1 and will continue to do so through version 11.2 and beyond. Details of this integration can be found here: RSA Endpoint Integration

I created the content below to complement the endpoint scan data (RSA NW Endpoint and RSA NW Endpoint Insights) as well as the tracking data (RSA NW Endpoint plus meta integration into 11.x). As you leverage this content, please let me know if you have any questions, and please post improvements and iterations as well.

Note: If you are using the RSA NW Endpoint Insights agent (rather than the full RSA NW Endpoint 4.4 agent), full process tracking data is not available. The process-centric content below will still work, but keep in mind that the process data reported is only a snapshot in time based on the endpoint scan schedule and will not capture any process events that occur between scans.

Content Summary:

Autoruns - Outliers Report & Dashboard
  • Autoruns & Scheduled Tasks launching from, or with arguments containing, AppData\Local\Temp
  • Autoruns & Scheduled Tasks launching from the root of \ProgramData
  • Autoruns & Scheduled Tasks invoking a command shell (cmd.exe or powershell.exe)
  • Autoruns & Scheduled Tasks invoking wscript.exe or cscript.exe
  • Autoruns & Scheduled Tasks invoking .vbs, .bat, .hta or .ps1 scripts
  • Autoruns - Rarest HKCU\...\Run and \RunOnce keys

Processes & Files - Outliers Report & Dashboard
  • Rarest Child Processes of Web Server Processes
  • Rarest Parent Processes of cmd.exe
  • Rarest Parent Processes of powershell.exe
  • Rarest Processes running from AppData\Local\ or AppData\Roaming
  • Rarest Executables in the Root of ProgramData
  • Rarest Executables in the Root of C:\
  • Rarest Executables in the Root of Windows\System32
  • Rarest Company Headers in Files
  • Rarest Code Signing CNs in Files

ESA Rules
  • Alert: Scheduled Task running out of AppData\Local\Temp
  • Alert: Scheduled Tasks running cmd.exe or powershell.exe (with whitelist expectation)
  • Alert: Scheduled Tasks running cscript.exe or wscript.exe (with whitelist expectation)
  • Alert: Windows Reserved Process Names Running From a Suspicious Directory
  • Alert: Process Running from $RECYCLE.BIN

Meta & Column Groups
  • 1 x Meta Group: Scan and Log Data
  • 7 x Column Groups: NWEndpoint [Autorun/DLL/File/Machine/Process/Service/General] Analysis

Screenshots (images not reproduced): Dashboards; Meta Group; Column Group (e.g. Process Analysis); Column Group (e.g. Autoruns and Tasks)

Attachment: NWEndpointInsights_Content_v1_05052018.zip