NetWitness Community Blog
Threat Research Data Hygiene Exercise: Retirement of Threat Research Intelligence Content and Reports

Will_G (Occasional Contributor), 2 MAY 2022

Background

NetWitness Threat Research has identified a set of NetWitness Threat Research Intelligence Content and Reports that will no longer receive updates and are effectively being retired. They will remain available within the 'legacy' branch of NetWitness Threat Research Intelligence Content and Reports but will not appear in the new, strictly Unified Data Model (UDM)-compliant branch. Note that even when the legacy branch reaches End of Life (EoL), customers will keep access to any content they have already downloaded and deployed within their environments, although they will no longer be able to obtain that content from LIVE (for example, when standing up net new infrastructure).

Splitting our content and creating a new branch to support only UDM-compliant content will help push this important initiative forward while offering customers who have not yet adopted UDM the flexibility to do so at their own pace. For more details on the Unified Data Model, please refer to this resource:

  • https://community.netwitness.com/t5/netwitness-platform-unified-data/tkb-p/netwitness-udm

Application Rules

  • Bozok RAT Acquisition
  • Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow
  • Cmstar Malware
  • CryptoShield Ransomware
  • Cybergate RAT Download
  • Daserf Malware
  • DNS Hostnames Resolving Non-Routable IP
  • Dreambot Malware
  • Dyzap Malware
  • High Risk File from Blacklisted Host
  • KeyBase Keylogger
  • Locky Malware
  • Mirage Malware
  • NetTraveler Malware
  • NGINX HTTP Server
  • NTDSXTRACT Tool Download
  • NWFL_access:data-access
  • NWFL_access:privilege-escalation-failure
  • NWFL_access:privilege-escalation-success
  • NWFL_access:remote-failure
  • NWFL_access:remote-success
  • NWFL_access:user-access-revoked
  • NWFL_account:account-disabled
  • NWFL_account:auth-success
  • NWFL_account:created
  • NWFL_account:deleted
  • NWFL_account:group-management
  • NWFL_account:login-and-logout
  • NWFL_account:logon-failure
  • NWFL_account:logon-success
  • NWFL_account:logon-success-direct-access
  • NWFL_account:logout
  • NWFL_account:modified
  • NWFL_account:password-change
  • NWFL_account:user-accessing-file-servers
  • NWFL_alm:cardholder-data
  • NWFL_alm:error-event-types
  • NWFL_alm:firmware-config-changes
  • NWFL_alm:inbound-network-traffic
  • NWFL_alm:outbound-network-traffic
  • NWFL_alm:system-clock-synch
  • NWFL_av:signature-update
  • NWFL_av:virus-summary
  • NWFL_config:change-audit-setting
  • NWFL_config:config-changes
  • NWFL_config:fw-config-changes
  • NWFL_config:router-change
  • NWFL_encryption:failures
  • NWFL_encryption:key-gen-and-changes
  • NWFL_encryption:success
  • NWFL_fw:categories
  • NWFL_fw:inbound-network-traffic
  • NWFL_fw:outbound-network-traffic
  • NWFL_fw:url-block
  • NWFL_fw:url-filetypes
  • NWFL_host:windows:account-disabled
  • NWFL_host:windows:file-access
  • NWFL_host:windows:local-group-account-changes
  • NWFL_host:windows:user-group-account-changes
  • NWFL_intrusion:all-activity
  • NWFL_ops:mailserver-errors
  • NWFL_wireless:AdminOperations
  • Only ACK Flag Set in Session Containing Payload
  • php ini checkin
  • php put to wordpress plugin dir
  • qq download client
  • RIG Exploit Kit
  • Rogue DHCP Server Detected - Packets
  • SchoolBell Malware
  • ScribD Document Upload
  • Shadow IT: Voice Chat Apps
  • strings decode download
  • Taidoor Malware
  • tdss_rootkit_variant_beaconing
  • Tendrit Malware
  • Tor Outbound
  • Torrent File Download
  • Trojan BLT
  • tsone dorkbot beaconing
  • Unusual Port Utilized by Domain Controller

ESA Rules

  • esa000061 Backdoor Activity Detected
  • esa000118 Third Party IOC IP and Domain Feed Hit and an ECAT alert
  • esa000119 Malware Domains feed hit followed by an ECAT alert
  • esa000120 Malware IP List feed hit followed by an ECAT alert
  • esa000156 Juniper ScreenOS Administrative Access (CVE-2015-7755)
  • esa000160 RIG Exploit Kit
  • esa000163 Webshells Detected
  • esa000164 Tor Outbound
  • esa000001 Adapter in Promiscuous mode after Multiple login attempts
  • esa000002 Direct Login By A Guest Account
  • esa000004 Multiple Account Lockouts From Same or Different Users
  • esa000005 Multiple Failed logins Followed By Successful Login
  • esa000006 Privilege Escalation Detected
  • esa000007 Active Directory Policy Modified
  • esa000008 Brute Force Login To Same Destination
  • esa000009 Brute Force Login From Same Source
  • esa000010 Multi Service Connection Attempts Pckt
  • esa000011 Multi Service Connection Attempts Log
  • esa000012 Adapter in Promiscuous mode after User Creation and Login
  • esa000016 Privilege User Account Password Change
  • esa000017 System Configuration Changes by a Non Administrative User
  • esa000018 Failed logins Followed By Successful Login and a Password Change
  • esa000019 Windows Suspicious Admin Activity: Audit Log Cleared
  • esa000023 Port Scan Messages Log
  • esa000024 Windows Suspicious Admin Activity: Firewall Service Stopped
  • esa000025 Windows Suspicious Admin Activity: Network Share Created
  • esa000026 Windows Suspicious Admin Activity: Shared Object Accessed
  • esa000028 Direct Login To an Administrative Account
  • esa000029 User Account Created Logged in and Deleted within an hour
  • esa000031 User Added to Admin Group Same User Login OR Same User su sudo
  • esa000033 Port Scan Horizontal Packet
  • esa000035 Port Scan Horizontal Log
  • esa000039 Multiple Failed Logins from Multiple Diff Sources to Same Dest
  • esa000040 Multiple Successful Logins from Multiple Diff Src to Same Dest
  • esa000046 Multiple Failed Logins from Multiple Users to Same Destination
  • esa000047 Multiple Successful Logins from Multiple Diff Src to Diff Dest
  • esa000048 DNS Lookups From the Same Host
  • esa000049 File Transfer Using Non Standard Port
  • esa000052 Adapter Entered Promiscuous Mode
  • esa000053 Non SMTP Traffic on TCP Port 25 Containing Executable
  • esa000054 Non DNS Traffic on TCP or UDP Port 53 Containing Executable
  • esa000055 Non HTTP Traffic on TCP Port 80 Containing Executable
  • esa000072 Multiple Unique Logs from MsgID Set with Same SourceIP and DestinationIP
  • esa000076 User Added to Administrative Group + SIGHUP Detected within 5 Minutes
  • esa000083 Detection of High Volume of TCP Resets using Netflow
  • esa000092 Attempted Identity abuse via excessive login failures
  • esa000093 Multiple Failed Logins from Same User Originating from Different Countries
  • esa000097 UDP DoS Tool Use Detection
  • esa000098 Suspicious Privileged User Access Activity
  • esa000099 Multiple Failed Privilege Escalations by Same User
  • esa000105 Consecutive Login without Logout
  • esa000106 Suspicious Login without any activity in windows hosts
  • esa000107 Low Orbit Ion Cannon DoS Tool Download
  • esa000108 WebSploit Tool Download
  • esa000111 Logins across multiple servers
  • esa000112 DoS Logged and Service Shutdown
  • esa000116 Insider Threat Mass Audit Clearing
  • esa000129 Multiple Login Failures by Administrators to Domain Controller
  • esa000130 Multiple Login Failures by Guest to Domain Controller
  • esa000131 Logins by same user to multiple servers
  • esa000132 krbtgt Account Modified on Domain Controller
  • esa000144 jRAT Download
  • esa000145 CyberGate RAT Download
  • esa000157 Lateral Movement Suspected Windows
  • esa000162 RIG Decimal IP Campaign

Feeds

  • Alert IDs Info
  • AlertID to name mappings for informational alerts
  • Name to AlertIDs mappings for suspicious alerts
  • Dynamic DNS Domains
  • Tox Supernode
  • Malware Domain List
  • Malware IP List
  • RSA FraudAction Domains
  • RSA FraudAction IPs
  • Tor Exit Nodes
  • Spamhaus DROP List IP Ranges
  • Spamhaus EDROP List IP Ranges
  • Third Party IOC Domains
  • Third Party IOC Ips

Lua Packet Parsers

Name                                Parser
----------------------------------  ------------------
no authentication required          VNC
Crimeware Zeus                      HTTP_lua
Crimeware Zeus Knownbad             HTTP Lua
Possible Poison Ivy                 session_analysis
Trojan/Napolor                      HTTP_lua
Xtreme RAT                          HTTP_lua
cerber beacon                       cerber
dr watson crash report              dr_watson_lua
glass rat c2 handshake beacon       glass_rat
glass rat c2 handshake connection   glass_rat
mitozhan connection string          Mitozhan
possible evilgrab traffic           Evilgrab
possible poison ivy beacon          Poison_Ivy
possible poison ivy handshake       Poison_Ivy
potential binary from duqu group    duqu_lua
rekaf beacon                        rekaf
sekur handshake                     sekur
shadyrat encoded command            shadyrat_lua
spora ransomware                    fingerprint_zip
supercmd trojan beacon              supercmd

NetWitness Reports

  • G Suite - Activity Report
  • G Suite - Admin Report
  • 11.1-11.2 Endpoint Scan Data Autorun and Scheduled Task Report
  • 11.1-11.2 Endpoint Scan Data File and Process Outliers Report
  • 11.3 Endpoint Scan Data Autorun and Scheduled Task Report
  • 11.3 Endpoint Scan Data File and Process Outliers Report
  • 11.1-11.2 Endpoint Machine Summary Report
  • 11.1-11.2 Endpoint Scan Data Host Report
  • 11.3 Endpoint Machine Summary Report
  • 11.3 Endpoint Network Activity
  • 11.3 Endpoint Scan Data Host Report
  • Azure Monitoring Insights
  • Amazon VPC Traffic Flow
  • Traffic Flow in Azure NSG and Amazon VPC
  • BILL 198 - Compliance Report
  • Accounts Created SAW
  • Accounts Deleted SAW
  • Accounts Disabled SAW
  • Accounts Modified SAW
  • Anonymous Proxy and Remote Control Activity
  • Anti-Virus Signature Updates SAW
  • AWS Access Permissions Modified Report
  • AWS Critical VM Modified Report
  • Bulk Data Transfer - Report
  • Change in Audit Settings SAW
  • Cleartext Authentications
  • Encryption Failures SAW
  • Encryption Key Generation and Changes SAW
  • Failed Escalation of Privileges Details SAW
  • Failed Escalation of Privileges Summary SAW
  • Failed Remote Access Details SAW
  • Failed Remote Access Summary SAW
  • Firewall Configuration Changes SAW
  • Firmware Changes on Wireless Devices SAW
  • GPG-13 - Compliance Report
  • Inbound Network Traffic SAW
  • Logon Failure Details SAW
  • Logon Failures Summary SAW
  • Outbound Network Traffic SAW
  • Password Changes Details SAW
  • Password Changes Summary SAW
  • Router Configuration Changes SAW
  • Successful Escalation of Privileges Details SAW
  • Successful Escalation of Privileges Summary SAW
  • Successful Remote Access Details SAW
  • Successful Remote Access Summary SAW
  • Successful Use of Encryption SAW
  • System Clock Synchronization SAW
  • User Access Revoked SAW
  • User Session Terminated Summary SAW

Labels:
  • Announcements
  • Content Hygiene
  • Data Hygiene
  • Threat Content Retirement
  • udm