NetWitness Threat Research has identified a set of NetWitness Threat Research Intelligence Content and Reports that will no longer receive updates and are effectively being retired. They will remain available in the 'legacy' branch of NetWitness Threat Research Intelligence Content and Reports but will not appear in the new, strictly Unified Data Model (UDM)-compliant branch. Note that even when the legacy branch reaches End of Life (EoL), customers will keep access to any content they have already downloaded and deployed within their environments; they will, however, no longer be able to obtain that content from LIVE (for example, when standing up new infrastructure).
Splitting our content and creating a new branch that supports only UDM-compliant content will help push this important initiative forward while giving customers who have not yet adopted UDM the flexibility to do so at their own pace. For more details on the Unified Data Model, please refer to these resources:
Bozok RAT Acquisition
Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow
Cmstar Malware
CryptoShield Ransomware
Cybergate RAT Download
Daserf Malware
DNS Hostnames Resolving Non-Routable IP
Dreambot Malware
Dyzap Malware
High Risk File from Blacklisted Host
KeyBase Keylogger
Locky Malware
Mirage Malware
NetTraveler Malware
NGINX HTTP Server
NTDSXTRACT Tool Download
NWFL_access:data-access
NWFL_access:privilege-escalation-failure
NWFL_access:privilege-escalation-success
NWFL_access:remote-failure
NWFL_access:remote-success
NWFL_access:user-access-revoked
NWFL_account:account-disabled
NWFL_account:auth-success
NWFL_account:created
NWFL_account:deleted
NWFL_account:group-management
NWFL_account:login-and-logout
NWFL_account:logon-failure
NWFL_account:logon-success
NWFL_account:logon-success-direct-access
NWFL_account:logout
NWFL_account:modified
NWFL_account:password-change
NWFL_account:user-accessing-file-servers
NWFL_alm:cardholder-data
NWFL_alm:error-event-types
NWFL_alm:firmware-config-changes
NWFL_alm:inbound-network-traffic
NWFL_alm:outbound-network-traffic
NWFL_alm:system-clock-synch
NWFL_av:signature-update
NWFL_av:virus-summary
NWFL_config:change-audit-setting
NWFL_config:config-changes
NWFL_config:fw-config-changes
NWFL_config:router-change
NWFL_encryption:failures
NWFL_encryption:key-gen-and-changes
NWFL_encryption:success
NWFL_fw:categories
NWFL_fw:inbound-network-traffic
NWFL_fw:outbound-network-traffic
NWFL_fw:url-block
NWFL_fw:url-filetypes
NWFL_host:windows:account-disabled
NWFL_host:windows:file-access
NWFL_host:windows:local-group-account-changes
NWFL_host:windows:user-group-account-changes
NWFL_intrusion:all-activity
NWFL_ops:mailserver-errors
NWFL_wireless:AdminOperations
Only ACK Flag Set in Session Containing Payload
php ini checkin
php put to wordpress plugin dir
qq download client
RIG Exploit Kit
Rogue DHCP Server Detected - Packets
SchoolBell Malware
ScribD Document Upload
Shadow IT: Voice Chat Apps
strings decode download
Taidoor Malware
tdss_rootkit_variant_beaconing
Tendrit Malware
Tor Outbound
Torrent File Download
Trojan BLT
tsone dorkbot beaconing
Unusual Port Utilized by Domain Controller
esa000061 Backdoor Activity Detected
esa000118 Third Party IOC IP and Domain Feed Hit and an ECAT alert
esa000119 Malware Domains feed hit followed by an ECAT alert
esa000120 Malware IP List feed hit followed by an ECAT alert
esa000156 Juniper ScreenOS Administrative Access (CVE-2015-7755)
esa000160 RIG Exploit Kit
esa000163 Webshells Detected
esa000164 Tor Outbound
esa000001 Adapter in Promiscuous mode after Multiple login attempts
esa000002 Direct Login By A Guest Account
esa000004 Multiple Account Lockouts From Same or Different Users
esa000005 Multiple Failed logins Followed By Successful Login
esa000006 Privilege Escalation Detected
esa000007 Active Directory Policy Modified
esa000008 Brute Force Login To Same Destination
esa000009 Brute Force Login From Same Source
esa000010 Multi Service Connection Attempts Pckt
esa000011 Multi Service Connection Attempts Log
esa000012 Adapter in Promiscuous mode after User Creation and Login
esa000016 Privilege User Account Password Change
esa000017 System Configuration Changes by a Non Administrative User
esa000018 Failed logins Followed By Successful Login and a Password Change
esa000019 Windows Suspicious Admin Activity: Audit Log Cleared
esa000023 Port Scan Messages Log
esa000024 Windows Suspicious Admin Activity: Firewall Service Stopped
esa000025 Windows Suspicious Admin Activity: Network Share Created
esa000026 Windows Suspicious Admin Activity: Shared Object Accessed
esa000028 Direct Login To an Administrative Account
esa000029 User Account Created Logged in and Deleted within an hour
esa000031 User Added to Admin Group Same User Login OR Same User su sudo
esa000033 Port Scan Horizontal Packet
esa000035 Port Scan Horizontal Log
esa000039 Multiple Failed Logins from Multiple Diff Sources to Same Dest
esa000040 Multiple Successful Logins from Multiple Diff Src to Same Dest
esa000046 Multiple Failed Logins from Multiple Users to Same Destination
esa000047 Multiple Successful Logins from Multiple Diff Src to Diff Dest
esa000048 DNS Lookups From the Same Host
esa000049 File Transfer Using Non Standard Port
esa000052 Adapter Entered Promiscuous Mode
esa000053 Non SMTP Traffic on TCP Port 25 Containing Executable
esa000054 Non DNS Traffic on TCP or UDP Port 53 Containing Executable
esa000055 Non HTTP Traffic on TCP Port 80 Containing Executable
esa000072 Multiple Unique Logs from MsgID Set with Same SourceIP and DestinationIP
esa000076 User Added to Administrative Group + SIGHUP Detected within 5 Minutes
esa000083 Detection of High Volume of TCP Resets using Netflow
esa000092 Attempted Identity abuse via excessive login failures
esa000093 Multiple Failed Logins from Same User Originating from Different Countries
esa000097 UDP DoS Tool Use Detection
esa000098 Suspicious Privileged User Access Activity
esa000099 Multiple Failed Privilege Escalations by Same User
esa000105 Consecutive Login without Logout
esa000106 Suspicious Login without any activity in windows hosts
esa000107 Low Orbit Ion Cannon DoS Tool Download
esa000108 WebSploit Tool Download
esa000111 Logins across multiple servers
esa000112 DoS Logged and Service Shutdown
esa000116 Insider Threat Mass Audit Clearing
esa000129 Multiple Login Failures by Administrators to Domain Controller
esa000130 Multiple Login Failures by Guest to Domain Controller
esa000131 Logins by same user to multiple servers
esa000132 krbtgt Account Modified on Domain Controller
esa000144 jRAT Download
esa000145 CyberGate RAT Download
esa000157 Lateral Movement Suspected Windows
esa000162 RIG Decimal IP Campaign
Alert IDs Info
AlertID to name mappings for informational alerts
Name to AlertIDs mappings for suspicious alerts
Dynamic DNS Domains
Tox Supernode
Malware Domain List
Malware IP List
RSA FraudAction Domains
RSA FraudAction IPs
Tor Exit Nodes
Spamhaus DROP List IP Ranges
Spamhaus EDROP List IP Ranges
Third Party IOC Domains
Third Party IOC Ips
no authentication required VNC
Crimeware Zeus HTTP_lua
Crimeware Zeus Knownbad HTTP Lua
Possible Poison Ivy session_analysis
Trojan/Napolor HTTP_lua
Xtreme RAT HTTP_lua
cerber beacon cerber
dr watson crash report dr_watson_lua
glass rat c2 handshake beacon glass_rat
glass rat c2 handshake connection glass_rat
mitozhan connection string Mitozhan
possible evilgrab traffic Evilgrab
possible poison ivy beacon Poison_Ivy
possible poison ivy handshake Poison_Ivy
potential binary from duqu group duqu_lua
rekaf beacon rekaf
sekur handshake sekur
shadyrat encoded command shadyrat_lua
spora ransomware fingerprint_zip
supercmd trojan beacon supercmd
G Suite - Activity Report
G Suite - Admin Report
11.1-11.2 Endpoint Scan Data Autorun and Scheduled Task Report
11.1-11.2 Endpoint Scan Data File and Process Outliers Report
11.3 Endpoint Scan Data Autorun and Scheduled Task Report
11.3 Endpoint Scan Data File and Process Outliers Report
11.1-11.2 Endpoint Machine Summary Report
11.1-11.2 Endpoint Scan Data Host Report
11.3 Endpoint Machine Summary Report
11.3 Endpoint Network Activity
11.3 Endpoint Scan Data Host Report
Azure Monitoring Insights
Amazon VPC Traffic Flow
Traffic Flow in Azure NSG and Amazon VPC
BILL 198 - Compliance Report
Accounts Created SAW
Accounts Deleted SAW
Accounts Disabled SAW
Accounts Modified SAW
Anonymous Proxy and Remote Control Activity
Anti-Virus Signature Updates SAW
AWS Access Permissions Modified Report
AWS Critical VM Modified Report
Bulk Data Transfer - Report
Change in Audit Settings SAW
Cleartext Authentications
Encryption Failures SAW
Encryption Key Generation and Changes SAW
Failed Escalation of Privileges Details SAW
Failed Escalation of Privileges Summary SAW
Failed Remote Access Details SAW
Failed Remote Access Summary SAW
Firewall Configuration Changes SAW
Firmware Changes on Wireless Devices SAW
GPG-13 - Compliance Report
Inbound Network Traffic SAW
Logon Failure Details SAW
Logon Failures Summary SAW
Outbound Network Traffic SAW
Password Changes Details SAW
Password Changes Summary SAW
Router Configuration Changes SAW
Successful Escalation of Privileges Details SAW
Successful Escalation of Privileges Summary SAW
Successful Remote Access Details SAW
Successful Remote Access Summary SAW
Successful Use of Encryption SAW
System Clock Synchronization SAW
User Access Revoked SAW
User Session Terminated Summary SAW