Threat Detection Content Update - November 2017
Summary:
Several changes have been made to the Threat Detection Content in Live. For Added detection you need to add/subscribe to the content via Live, for retired content you'll need to manually remove those, and for additional changes no action is required if you are subscribed to content.
Additions
Detection
- Enhanced DCERPC - This is a new feature added to our existing DCERPC parser. This pulls out the function calls that are seen in DCERPC sessions. By using these values, it allows us (and our customers) to create more advanced detection around lateral movement and suspicious user/system activity. An example is: by looking for DsGetNCChange from an IP that's not a DC that allows replication. This meta data appears in Action Event (action).
Hunting
- DNS Single Request/Response - This parser update will notify you when there is only 1-side of a DNS request/response in a session. This can be useful for looking for un-resolved DNS beacons or even network/system misconfigurations. This value can be found in Service Analysis (analysis.service).
- Response no Payload - This parser update will note when a session contains a response stream, but there is no payload in the response stream. This allows analysts to see when a server is replying at Layer 3, but isn't sending any application/service level data back to the client. The value appears in Session Analysis (analysis.session).
Changes
Detection
- Tor - An update to 'tunneling outbound tor' has been made. We've included an updated list of Tor ports, the ability to be used against log data, and also incorporating the direction provided by the traffic_flow parser.
- Data Exfiltration rules - The meta values populated by the application rules have been changed to use spaces instead of underscores to be consistent with the rest of our content offering.
- RDP Traffic detection in ESA - 'RDP Traffic from Non RFC 1918 Sources' ESA rule has been updated to use the direction set by the traffic_flow parser instead of relying on RFC1918 address space to dictate direction. Additionally it is not possible to add both source and destination IP addresses to whitelists if there are systems you'd like to filter from the alert.
Retired
We strive to provide timely and accurate detection of threats as well as traits that can help analysts hunt through network and log data. Occasionally this means retiring content that provides little-to-no value.
- Discontinued several legacy feeds due to the updates in the Investigation Feed (see below).
Other bug fixes and changes
- Traffic flow - An update to the traffic_flow Lua parser was made to change the type of ip.addr in the parser from text to IPv4.
- Windows Executable - windows_executable.lua was updated to fix exe identification in identified edge cases that impacted some valid files being flagged as having a suspicious extension because they weren't identified as windows executables.
- Email and Phishing - Adjustments were made to both the email and phishing Lua parser regarding how domain names are pulled out of sessions. We relaxed our strict RFC5321 compliance due to non-compliant mail clients.
- Investigation Feed - An update was made to the Investigation feed to help reduce the reliance on other feeds in the product. This becomes the master feed moving forward so as we transition content away from nwalertid we can adjust this feed accordingly. This also gives us a manageable path away from the 'Risk' Feeds to provide a better Investigation experience.
For additional documentation, downloads, and more, visit the RSA NetWitness Suite page on RSA Link.
EOPS Policy:
RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle for additional details.
In this article
