One of the major new features found in RSA NetWitness Platform version 11.1 is RSA NetWitness Endpoint Insights. RSA NetWitness Endpoint Insights is a free endpoint agent that provides a subset of the full RSA NetWitness Endpoint 4.4 functionality as well as the ability to perform Windows log collection. Details of how to configure RSA NetWitness Endpoint Insights can be found here: https://community.rsa.com/docs/DOC-86450
Additionally, as of RSA NetWitness Platform version 11.0, those with both RSA NetWitness Logs and the full RSA NetWitness Endpoint components have the option to start bringing the two worlds together under a unified interface. This integration strengthens in version 11.1, and will continue to do so through version 11.2 and beyond. Details of this integration can be found here: RSA Endpoint Integration
I created the content below to complement the endpoint scan data (RSA NW Endpoint and RSA NW Endpoint Insights) as well as the tracking data (RSA NW Endpoint + meta integration into 11.X). As you leverage this content, please let me know if you have any questions, and please post improvements and iterations as well.
Note: If using the RSA NW Endpoint Insights agent (vs the full RSA NW Endpoint 4.4 agent) full process tracking data is not available. The process-centric content below will still work, but keep in mind that the process data reported is only a snapshot in time based on endpoint scan schedules and will not capture any process events in between scans.
| Autoruns - Outliers Report & Dashboard |
|---|
| Autoruns & Scheduled Tasks launching from or arguments containing AppData\Local\Temp |
| Autoruns & Scheduled Tasks launching from root of \ProgramData |
| Autoruns & Scheduled Tasks invoking Command Shell (cmd.exe or powershell.exe) |
| Autoruns & Scheduled Tasks invoking wscript.exe or cscript.exe |
| Autoruns & Scheduled Tasks invoking .vbs, .bat, .hta, .ps1 scripts |
| Autoruns - Rarest HKCU\...\Run and \RunOnce keys |

| Processes & Files - Outliers Report & Dashboard |
|---|
| Rarest Child Processes of Web Server Processes |
| Rarest Parent Processes of cmd.exe |
| Rarest Parent Processes of powershell.exe |
| Rarest Processes running from AppData\Local\ or AppData\Roaming |
| Rarest Executables in Root of ProgramData |
| Rarest Executables in Root of C:\ |
| Rarest Executables in Root of Windows\System32 |
| Rarest Company Headers in Files |
| Rarest Code Signing CN in Files |

| ESA Rules |
|---|
| Alert: Scheduled Task running out of AppData\Local\Temp |
| Alert: Scheduled Tasks running cmd.exe or powershell.exe (with Whitelist expectation) |
| Alert: Scheduled Tasks running cscript.exe or wscript.exe (with Whitelist expectation) |
| Alert: Windows Reserved Process Names Running From Suspicious Directory |
| Alert: Process Running from $RECYCLE.BIN |

| Meta & Column Groups |
|---|
| 1 x Meta Group: Scan and Log Data |
| 7 x Column Groups: NWEndpoint [Autorun/DLL/File/Machine/Process/Service/General] Analysis |
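To make the logic of the five ESA alerts above concrete, here is an added example (not part of the content pack, and not written in ESA's EPL) that applies the same conditions to a handful of constructed scan records. The record shape, the whitelist of known-good task command lines and the alert ids are assumptions for illustration, not RSA NetWitness meta keys.

```python
# Constructed sample endpoint records (assumed shape: one dict per
# scheduled task or running process), not RSA NetWitness meta keys.
SAMPLE_RECORDS = [
    {"type": "task", "path": r"C:\Users\bob\AppData\Local\Temp\upd.exe", "args": ""},
    {"type": "task", "path": r"C:\Windows\System32\cmd.exe", "args": "/c backup.bat"},
    {"type": "task", "path": r"C:\Windows\System32\cmd.exe", "args": r"/c C:\Scripts\nightly.bat"},
    {"type": "task", "path": r"C:\Windows\System32\wscript.exe", "args": r"C:\Users\bob\AppData\Local\Temp\a.vbs"},
    {"type": "process", "path": r"C:\Users\bob\AppData\Roaming\svchost.exe", "args": ""},
    {"type": "process", "path": r"C:\$RECYCLE.BIN\S-1-5-21-1\lsass.exe", "args": ""},
    {"type": "process", "path": r"C:\Windows\System32\svchost.exe", "args": "-k netsvcs"},
]
# The "Whitelist expectation": known-good task command lines allowed to run a shell or script host
TASK_WHITELIST = {r"C:\Windows\System32\cmd.exe /c C:\Scripts\nightly.bat"}
# Names reserved for Windows system binaries, and the directories they are expected to run from
RESERVED_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "smss.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SHELLS = {"cmd.exe", "powershell.exe"}
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
TEMP = "\\appdata\\local\\temp\\"

def evaluate(rec):
    """Return the alert ids that fire for a single scan record."""
    alerts = []
    path, args = rec["path"], rec["args"]
    name = path.rsplit("\\", 1)[-1].lower()          # image file name only
    cmdline = f"{path} {args}".strip()                # full command line for whitelist matching
    if rec["type"] == "task":
        # Launch path OR arguments pointing into AppData\Local\Temp
        if TEMP in path.lower() or TEMP in args.lower():
            alerts.append("task_from_appdata_local_temp")
        if name in SHELLS and cmdline not in TASK_WHITELIST:
            alerts.append("task_runs_shell_not_whitelisted")
        if name in SCRIPT_HOSTS and cmdline not in TASK_WHITELIST:
            alerts.append("task_runs_script_host_not_whitelisted")
    elif rec["type"] == "process":
        # A reserved system-process name running outside System32/SysWOW64
        if name in RESERVED_NAMES and not path.lower().startswith(SYSTEM_DIRS):
            alerts.append("reserved_name_outside_system_dir")
        if "\\$recycle.bin\\" in path.lower():
            alerts.append("process_from_recycle_bin")
    return alerts

def run(records):
    """Map record index -> fired alert ids, keeping only records that fired."""
    return {i: evaluate(rec) for i, rec in enumerate(records) if evaluate(rec)}

if __name__ == "__main__":
    for i, fired in run(SAMPLE_RECORDS).items():
        print(i, SAMPLE_RECORDS[i]["path"], fired)
```

The whitelisted cmd.exe task (record 2) and the legitimate svchost.exe (record 6) produce no alert, while the lsass.exe copy in $RECYCLE.BIN trips two rules at once.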