This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Platform Product Advisories
Read and subscribe to the latest announcements and advisories relating to the NetWitness Platform.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Threat Detection Content Update - April 2019

Summary:

Several changes have been made to the Threat Detection Content in Live. For added detection you need to deploy/download and subscribe to the content via Live, for retired content you'll need to manually remove those.

Additions:

RSA NetWitness Endpoint 11.3

For RSA NetWitness Platform 11.3, a new content pack was delivered, the Endpoint Content bundle. Additionally, new Endpoint content is being delivered out-of-the-box with 11.3:

  • Endpoint Content bundle:
    • Approximately 400 application rules
    • File Category Lua parser
    • Investigation feed
    • Endpoint Reports
  • OOTB Content delivered with NetWitness 11.3:
    • ESA Endpoint Risk Scoring Rule bundle
    • Risk Score Configuration
    • Incident Rule
    • Reputation Service

In Live, select the drop-down menu for Medium, and select endpoint to search for Endpoint specific content. You can also deploy the Endpoint bundle to get all of the Endpoint content at once. For more information on the content and deployment, please see the topic for Endpoint Content.

pastedImage_3.png

RSA NetWitness Lua Parsers:

  • fingerprint_deb - Detects Debian package files. Meta will be output as filetype = ‘deb’.
  • eicar - Detects the EICAR test string (useful for proving visibility). Meta will be output as analysis.session = ‘eicar test string’.

 

RSA NetWitness Log-Based Application Rules:

Application rules were developed to detect credential dumping and pass the hash Mitre ATT&CK techniques. All rules will populate the Indicators of Compromise meta key as named below.

  • Pass the Hash - Indicates a possible pass-the-hash attack on a Windows system configured to use the NTLM authentication protocol. The rule reduces false positives by excluding anonymous logons, domain controller and machine logons and those that are not local accounts. It is recommended to exclude the domain for which the domain controller is responsible within the rule logic, since an attacker would typically not have this information and it could increase rule accuracy.
  • Remote Thread into LSASS – Detects when a process creates remote thread into target process of LSASS. This is detected through sysmon logs and indicates probable credential dumping.
  • LSASS Access - Detects suspicious access to lsass.exe through sysmon logs. This process access indicates probable credential dumping.
  • Named Pipe into LSASS - Detects when a suspicious Named Pipe is created or connected to target process of LSASS. This is detected through sysmon logs and indicates probable credential dumping.

 

pastedImage_14.png

Changes:

  • TLS_lua parser – Now identifies TLS 1.3. Certificate meta accuracy was increased. Certificate validation is now extracted (in many cases), e.g. extended validation, domain validation.
  • xor_executable_lua - Hex encoded executables are now detected .
  • phishing_lua - Updated for accuracy and efficiency.
  • http_sql_injection – Updated for accuracy and efficiency.
  • HTTP_lua – Increased accuracy for username and password extraction. Identifies increased number of sessions.
  • SMB_lua - Identifies increased number of sessions.
  • Ghost lua – Updated for ZEGOST detection
  • Archive Extension Mismatch app rule – Extended compressed file types and modified to reduce false positives to Office file types
  • ESA rules: These ESA rules were updated due to changes in 11.3 or mutli-valued meta. See ESA Alerting Guide for more information.
    • RIG Exploit Kit
    • AWS Critical VM Modified
    • Multiple Successful Logins from Multiple Diff Src to Same Dest
    • Multiple Successful Logins from Multiple Diff Src to Diff Dest
    • Multiple Failed Logins from Multiple Diff Sources to Same Dest
    • Multiple Failed Logins from Multiple Users to Same Destination
    • User Login Baseline

 

Discontinued:

ESA Rules – Did not provide customer value due to number of alerts or implementation.

  • Suspicious HTTP POST Commands
  • Suspicious Communication Channel Sender
  • Suspicious Communication Channel Receiver
  • Detection of Syn Flood Attack using Netflow

 

For additional documentation, downloads, and more, visit the RSA NetWitness Platform page on RSA Link.

EOPS Policy:

RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle for additional details.

0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2019-05-09 11:46 AM
Updated by:
Employee

Related Content

© 2022 RSA Security LLC or its affiliates. All rights reserved.