RSA ESA Rules RSA ESA Rules
The following table illustrates how the current RSA Event Stream Analysis Rules are displayed in the ESA Define view after you download them from Live. The Module Name is the internal identification code for the rule.
Note: For content that has been discontinued, see Discontinued Content.
Pivot to Investigate > Navigate from Respond May Not WorkPivot to Investigate > Navigate from Respond May Not Work
In ESA rules that do not select every piece of meta from the session (that is, rules that do not use select *), you may see that data privacy (if enabled) and the Pivot to Investigate > Navigate link accessed from a context tooltip in the Respond Incident Details view does not work. For details on how to fix this, see "Update any ESA Rule that Selects Only Certain Meta Keys from the Session to Include event_source_id" section in the Alerting with ESA Correlation Rules User Guide.
List of ESA RulesList of ESA Rules
| Display Name | File Name | Description | Medium | Tag |
|---|---|---|---|---|
| Account Added to Administrators Group and Removed | esa000090 | Detects log events when a user is added to an administrative group and then removed from the group within 15 minutes. Both the list of administrator groups and event time window are configurable. CONFIGURATION Rule Parameters: * Within this number of seconds, allows you to choose the time window to trigger events. By default, 900 seconds time frame * List of Administrator groups. By default, the groups are Administrators, root and wheel DEPENDENCIES * Existence of at least one Windows Event or Unix log parser enabled on the log decoder BUNDLES * UEBA Essentials |
log | "credential access":"account manipulation", "persistence":"account manipulation" |
| Account Removals From Protected Groups on Domain Controller | esa000133 | Detects account removal from a protected group on a domain controller. There are five parameters: device hostnames to monitor, device IP addresses to monitor, protected groups to monitor, number of times an account was removed before the alert triggers and number of seconds in which events must occur. | log | "credential access":"account manipulation", "persistence":"account manipulation" |
| Aggressive Internal Database Scan | esa000104 | Detects a single host making connection attempts to 100 or more unique IP addresses in 1 minute over any combination of the following ports: TCP/1433, UDP/1434, TCP/3306, TCP/5432, TCP/3351, TCP/1521. Source & Destination IP addresses must be internal addresses according to the RFC-1918 specification. The time window, list of port numbers and target host count are configurable. | packet | "discovery":"network service scanning" |
| Aggressive Internal NetBIOS scan | esa000103 | Detects a single host making connection attempts to 100 or more unique IP addresses in 1 minute over any combination of the following ports: UDP/137, UDP/138, TCP139. Source & Destination IP addresses must be internal addresses according to the RFC-1918 specification. The time window, list of port numbers and target host count are configurable. | packet | "discovery":"network service scanning" |
| Aggressive internal web portal scan | esa000102 | Detects a single host making connection attempts to 100 or more unique IP addresses in 1 minute over any combination of TCP/80 and TCP/443. Source & Destination IPs must be internal addresses according to the RFC-1918 specification. The list of ports, time window, and target host count are configurable. | packet | "discovery":"network service scanning" |
| AWS Critical VM Modified | esa000134 | Detects when Amazon Web Services (AWS) critical virtual machine instances are modified. Actions detected by this module include instances being terminated, stopped and rebooted as well as modification of instance attributes and monitoring status. In order to trigger an alert, a custom feed or application rule of critical instance source IPs must be created to populate the 'alert' meta key with the value 'critical_vm'. VERSIONS SUPPORTED * 11.3 and higher * 11.2 and prior (see CONFIGURATION) CONFIGURATION For this rule to successfully deploy prior to version 11.3, be sure the meta key of 'alert' used within the rule is listed as an array type within ESA. Refer to the 'ESA Configuration Guide' within the section 'Configure Meta Keys as Arrays in ESA Correlation Rule Values'. DEPENDENCIES * CEF Log Parser |
log | |
| AWS Permissions Modified Followed By Instance State Change | esa000155 | Detects when an Amazon Web Services (AWS) permission is modified followed by an instance state change. By default, the creation of a new user followed by a run of a new instance or termination of an existing instance within 5 minutes trigger the rule. The list of permission modifications, instance state changes and time window are configurable. VERSIONS SUPPORTED NetWitness 10.5 and higher CONFIGURATION * Deploy the latest Envision Config File and CEF log parser from Live to enable proper meta generation on the Log Decoder * Prior to 11.3.2, add an entry for the reference.id1 meta key to the index-concentrator-custom.xml file: <key description="Reference ID 1" level="IndexNone" name="reference.id1" format="Text" defaultAction="Hidden"/> * Restart the Concentrator service to force the index update or wait the configured number of hours for index syncronization * Deploy the rule to the ESA service Rule Parameters: * Event descriptions indicating instance state change. By default, TerminateInstances and RunInstances event descriptions are configured * Event descriptions indicating permissions modified. By default, it's a CreateUser event description * Within this number of seconds. By default, 300 seconds DEPENDENCIES * CEF log parser |
log | "credential access":"account manipulation", "persistence":"account manipulation" |
| Backdoor Activity Detected | esa000061 | The rule will detect backdoor activity using logs. By default, the rule will trigger when there is a variation of the keyword backdoor found in either policy.name or event.category.name. This rule may also be customized with a list of backdoor names and will look for these names in either policy.name or event.category.name. | log | |
| BYOD Mobile Web Agent Detected | esa000117 | Detects a web-browsing agent for a mobile device. To configure the rule, specify the list of unauthorized browser agents and remove any mobile agents that are authorized from the list. The rule is triggered when an employee uses an unauthorized device on the network. In addition to the list of unauthorized browser agents, the following parameters are also configurable: the number of connections allowed per source before the alert is triggered and the time window within which the unauthorized use takes place. | packet | "execution":"third-party software", "lateral movement":"third-party software" |
| Cerber Ransomware | esa000158 | For Cerber4 to Cerber6, the rule looks for a spray of outbound suspected command and control (C2) traffic via UDP port 6892 and 6893 from a single source IP to multiple destination IPs. The time window, list of UDP port numbers and amount of UDP traffic are configurable. Prior to Cerber4, the detection relies on a pattern of Cerber ransomware in which a geolocation check of an IP is performed in order to bypass hosts in Eastern European countries directly followed by a one-way command and control (C2) via UDP port 6892. The time window, list of UDP port numbers and IP geolocation check sites are configurable. The Lua parsers, traffic_flow and DNS_verbose_lua, are required. Reference these RSA Link blog posts from RSA Research for more details about this threat: https://community.rsa.com/community/products/netwitness/blog/2016/09/27/the-evolution-of-cerber https://community.rsa.com/community/products/netwitness/blog/2016/11/04/the-evolution-of-cerber-v410 https://community.rsa.com/community/products/netwitness/blog/2017/06/19/ransomware-cerber-v6x-delivery-and-detection |
packet | "impact":"data encrypted for impact", "command and control":"uncommonly used port" |
| Client Using Multiple DHCP Servers | esa000152 | Detects a connection from a single IP address to 2 or more destination IP addresses on UDP 67 or UDP 68 within 10 minutes. The time period is configurable. | log, packet | |
| Detection of Encrypted Traffic to Countries | esa000065 | Detects when there is encrypted traffic to an IP address registered in the specified list of destination countries. Note: You must deploy and enable the TLS_lua parser,the SSH_lua parser and their dependencies on the Decoder. | packet | "exfiltration":"data encrypted" |
| Detects Router Configuration Attempts | esa000069 | Detects when a change in router configuration is attempted. This rule triggers when Event Classification Tag (ECT) of ec.activity is equal to "Modify", and ec.theme is equal to "Configuration", or event.cat.name is equal to "Config.Changes" along with device.class equal to "Router". | log | "discovery":"system network configuration discovery" |
| Direct Login By A Watchlist Account | esa000169 | A successful interactive or remote interactive logon to a user accounts on a Windows host. Uses a Context Hub (CH) list to track users. VERSIONS SUPPORTED NetWitness 11.1 and higher CONFIGURATION Rule Parameters: * Name of the Context Hub (CH) list for user blacklist. By default, the CH list is named User_Blacklist. You have to add users to the default User_Blacklist CH list or replace the default CH list with the name of a custom CH user blacklist. For a list of out of the box CH lists and how to create and update them, refer to https://community.rsa.com/docs/DOC-85972 DEPENDENCIES * User_Blacklist CH list * Windows events log Parser BUNDLES * UEBA Essentials |
log | "privilege escalation":"valid accounts", "defense evasion":"valid accounts", "persistence":"valid accounts", "initial access":"valid accounts" |
| DNS Amplification | esa000013 | Detects when UDP destination port is 53 and the total size of the network session packets is more than 4000 bytes. Both port and size are configurable. | packet | "impact":"network denial of service" |
| Excessive Denied Inbound Traffic Followed By Permit By Source IP | esa000020 | Ten or more consecutive inbound network communication denies are followed by a permit from the same source IP within 5 minutes. The time window and a whitelist of source IPs are configurable. This rule uses the non-standard meta key of "direction" so it must be indexed by the Log Decoder within the table-map.xml file and the Concentrator within the index-concentrator-custom.xml file. | log | |
| Excessive Web Server Errors From Same IP | esa000003 | Five or more error code responses from a web server that begin with the number 4 or 5 for the same source IP within 1 minute. Both the number of errors and time window are configurable. | log | |
| Failed logins Followed By Successful Login and a Password Change | esa000175 | Five or more failed logins for a user followed by a successful login and a password change within 5 minutes. VERSIONS SUPPORTED NetWitness 11.1 and higher CONFIGURATION Rule Parameters: * Within this number of seconds, allows you to choose the time window to trigger events. By default, 300 seconds time frame * Name of the CH list for user whitelist. By default, the CH list is named User_Whitelist. You have to add users to the default User_Whitelist CH list or replace the default CH list with the name of a custom CH user whitelist. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists (https://community.rsa.com/docs/DOC-85972) DEPENDENCIES * User_Whitelist CH list * Existence of at least one log parser enabled on the log decoder which populates ec_activity = Logon/Modify, ec_outcome = Success/Failure and user_dst is not null. BUNDLES * UEBA Essentials |
log | "credential access":"brute force", "credential access":"account manipulation", "persistence":"account manipulation" |
| Failed Logins Outside Business Hours | esa000166 | This rule is triggered when a user logs into a system after business hours with following conditions: * At least 2 failed logins, described by ec_activity = Logon and ec_outcome=failure * The failed logins are within a 3600 second (60 minute) timeframe * The failed logins are outside of business hours: by default, this means after 5 pm and before 9 am the following day in UTC time format * Device is not in the whitelist (device classes exempt from failed login alert) * Device is in the blacklist (device classes NOT exempt from failed login alert) This rule suppresses "extra" failed logins. For example, using the default conditions, if within 60 minutes, sometime between 5 pm and 9 am the following day, user xyz tries to log on 5 times and fails each time, this rule triggers an alert only for the first 2 failed logins and will suppress the next 3 events (login failures). CONFIGURATION Rule Parameters: * Start of non-working hours time window for generating alerts is configurable. By default, 17 (UTC Format) * End of non-working hours time window for generating alerts is configurable. By default, 9 (UTC Format) * Within this number of seconds, allows you to choose the time window to trigger events. By default, 3600 seconds time frame. * Alerts suppressed events time window is configurable, which allows flexibility to select alert suppression time frame. By default, 3600 seconds time frame. * Blacklist device class is configurable to trigger alert. By default, 29 device classes listed as blacklist. * Whitelist device class is configurable to exempt from alert. By default, content management systems device class listed as whitelist. * Username is configurable, so that you can specify a list of usernames to be excluded from generating alerts. By default, service accounts are listed. DEPENDENCIES Log Parsers: * Existence of at least one log parser enabled at log decoder which populates ec_activity = Logon and ec_outcome=failure and user_dst. BUNDLES * UEBA Essentials |
log | "credential access":"brute force", "privilege escalation":"valid accounts", "defense evasion":"valid accounts", "persistence":"valid accounts", "initial access":"valid accounts" |
| Head Requests Flood | esa000057 | Detects multiple Head requests from the same source within the given time period. Default values: 30 Head requests, 60 seconds time period. This rule requires either the HTTP-flex or HTTP-lua parser (and their dependencies) to be enabled on the Network Decoder. | packet | "impact":"network denial of service" |
| Horizontal Port Scan | esa000167 | Alert when log events and network sessions contain 200 unique IP destinations with the same source IP and destination port within 60 seconds indicating a horizontal port scan. CONFIGURATION Rule Parameters: * Within this number of seconds, allows you to choose the time window to trigger events. By default, 60 seconds time frame. * Blacklist device class is configurable to trigger alert. By default,Firewall device class listed as blacklist. * Whitelist source IP is configurable to exempt from alert. By default, 1.1.1.1 source IP listed as whitelist. * Whitelist destination IP is configurable to exempt from alert. By default, 1.1.1.2 destination IP listed as whitelist. * Whitelist for destination port is configurable (such as ip destination port for logs , tcp and udp destination port for packets in this scenario) to exempt from alert. By default, 0 destination port number listed as whitelist. * Destination port range is configurable to fire alert. By default, 1 as low range and 1024 as a high range destination port number listed. DEPENDENCIES Lua Parsers: * traffic_flow |
log, packet | "discovery":"network service scanning" |
| HTTP GET Flood | esa000021 | Detects when successful HTTP connections send GET requests, which result in at least 1000 packets to the same destination IP within 60 seconds. Both the time window and number of packets are configurable. | packet | "impact":"network denial of service" |
| ICMP Reconnaissance Scan | esa000022 | Alert when log events contain 20 messages indicating a reconnaissance event using ICMP protocol within 300 seconds from the same source IP. These events may indicate a sweep of a network to discover the range of hosts present and alive. Both the time window and number of messages are configurable. This rule uses the non-standard meta key of "protocol" so it must be indexed by the Log Decoder within the table-map.xml file and the Concentrator within the index-concentrator-custom.xml file. | log | "discovery":"remote system discovery", "discovery":"network service scanning" |
| IDS or IPS Generating Same Events in Network from a Source | esa000042 | Detects similar IDS/IPS events from same source and multiple destination ip. Count of unique destination and time are configurable. | log | |
| Insider Threat Mass Audit Clearing | esa000197 | Detects when the same user logs on multiple times to multiple Windows machines, then clears the audit log on each machine within a configurable time frame. VERSIONS SUPPORTED NetWitness 11.1 and higher CONFIGURATION Rule Parameters: * Within this number of seconds, allows you to choose the time window to trigger events. By default, 600 seconds time frame * Number of systems whose Event Log was cleared. By default, it's 5 * Name of the CH list for user whitelist. By default, the CH list is named User_Whitelist. You have to add users to the default User_Whitelist CH list or replace the default CH list with the name of a custom CH user whitelist. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists (https://community.rsa.com/docs/DOC-85972) DEPENDENCIES * User_Whitelist CH list * Windows Events log parser BUNDLES * UEBA Essentials |
log | "defense evasion":"indicator removal on host", "defense evasion":"valid accounts", "persistence":"valid accounts", "initial access":"valid accounts" |
| Internal Data Posting to 3rd party sites | esa000089 | Detects when an internal IP address A receives an amount of data greater than configured size from internal IP address B, and then within the specified time interval, IP A posts data to external 3rd party sites. VERSIONS SUPPORTED * 10.6.0 and higher CONFIGURATION Rule Parameters: * Minimum session size to trigger in bytes. By default it's 5 MB i.e. 5242880 Bytes * List of IPs allowed to post data outbound * List of allowed 3rd party hosts to post data DEPENDENCIES Lua Parsers * traffic_flow |
packet | "exfiltration":"data transfer size limits", "exfiltration":"scheduled transfer" |
| Juniper ScreenOS Administrative Access (CVE-2015-7755) | esa000156 | 10.4 or higher. Administrative Access (CVE-2015-7755) allows unauthorized remote administrative access to the device. Exploitation of this vulnerability can lead to complete compromise of the affected device. This issue only affects ScreenOS 6.3.0r17 through 6.3.0r20. No other Juniper products or versions of ScreenOS are affected by this issue. Upon exploitation of this vulnerability, the log file would contain an entry that "system" had logged on followed by password authentication for a username. | log | "lateral movement":"exploitation of remote services" |
| krbtgt Account Modified on Domain Controller | esa000186 | Detects modification to the krbtgt account on domain controller. There are four parameters: device hostnames to monitor, device IP addresses to monitor, number of events required to trigger the alert and number of seconds in which events must occur. VERSIONS SUPPORTED NetWitness 11.1 and higher CONFIGURATION Rule Parameters: * Within this number of seconds, allows you to choose the time window to trigger events. By default, 60 seconds time frame * Number of krbtgt modifications to trigger events. By default, it's 1 * Name of the CH list for host blacklist. By default, the CH list is named Host_Blacklist. You have to add hosts to the default Host_Blacklist CH list or replace the default CH list with the name of a custom CH host blacklist. * Name of the CH list for IP blacklist. By default, the CH list is named IP_Blacklist. You have to add IPs to the default IP_Blacklist CH list or replace the default CH list with the name of a custom CH IP blacklist. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists (https://community.rsa.com/docs/DOC-85972) DEPENDENCIES * Host_Blacklist CH list * IP_Blacklist CH list * Existence of at least one Windows Event log parser enabled on the log decoder BUNDLES * UEBA Essentials |
log | "credential access":"account manipulation", "persistence":"account manipulation" |
| Lateral Movement Suspected Windows | esa000195 | Detects within a Windows environment a sequence of events in which an executable is copied to a file share, the executable is used to create a new service and the service is started within 5 minutes. The time window is configurable. All events must be logged for the same event computer. The sequence of events may indicate an attacker moving laterally by executing a backdoor on a victim machine from an already compromised system. Detailed file audit logging must be enabled for the file copy event to be recorded. A Microsoft Windows log parser must be enabled. This rule uses non-standard meta keys of "event.computer", "service.name" and "disposition" and so they must be indexed by the Log Decoder within the table-map.xml file and the Concentrator within the index-concentrator-custom.xml file. VERSIONS SUPPORTED NetWitness 11.1 and higher CONFIGURATION Rule Parameters: * Within this number of seconds, allows you to choose the time window to trigger events. By default, 300 seconds time frame * Name of the CH list for host whitelist. By default, the CH list is named Host_Whitelist. You have to add hosts to the default Host_Whitelist CH list or replace the default CH list with the name of a custom CH host whitelist. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists (https://community.rsa.com/docs/DOC-85972) DEPENDENCIES * Host_Whitelist CH list * Existence of at least one Windows Event log parser enabled on the log decoder. BUNDLES * UEBA Essentials |
log | "command and control":"remote file copy", "lateral movement":"remote file copy", "persistence":"new service", "privilege escalation":"new service", "execution":"service execution" |
| Logins across multiple servers | esa000168 | Detects logins from the same user across multiple separate servers or hosts. VERSIONS SUPPORTED NetWitness 11.1 and higher CONFIGURATION Rule Parameters: * Within this number of seconds, allows you to choose the time window to trigger events. By default, 300 seconds time frame * Number of unique destinations. By default, it's 3 * Name of the CH list for user whitelist. By default, the CH list is named User_Whitelist. You have to add users to the default User_Whitelist CH list or replace the default CH list with the name of a custom CH user whitelist. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists (https://community.rsa.com/docs/DOC-85972) DEPENDENCIES * User_Whitelist CH list * Existence of at least one log parser enabled on the log decoder which populates ec_activity = Logon BUNDLES * UEBA Essentials |
log | "privilege escalation":"valid accounts", "defense evasion":"valid accounts", "persistence":"valid accounts", "initial access":"valid accounts" |
| Malicious Account Creation Followed by Failed Authorization to Neighboring Devices | esa000060 | Detects when a new account is created on a system and three authentication failures occur from that system with the new account name (i.e. someone gains access to a system, creates a user account, and attempts to log into other appliances from the compromised system hoping that the system is considered trusted). BUNDLES * UEBA Essentials |
log | "persistence":"create account", "credential access":"brute force" |
| Malware Dropper | esa000154 | This rule triggers upon download of pdf, java, rtf, or Microsoft Office file, followed by download of EXE file within 5 minutes. This is indicative of a two-stage malware dropper, where scripting code in a container file (such as pdf, java, rtf, or Microsoft Office in this scenario), results in a request for a download of malware. CONFIGURATION Rule Parameters: * Within this number of seconds, allows you to choose the time window to trigger events. By default, 300 seconds time frame. * Malware dropper filetype is configurable, so that you can specify a list of malware dropper filetype to trigger alerts. By default, rtf, pdf, java and Microsoft Office files are listed. * Malware dropped filetype is configurable, so that you can specify a list of malware dropped filetype to trigger alerts. By default, windows executable files are listed. DEPENDENCIES Lua Parsers: * fingerprint_pdf_lua * fingerprint_java * fingerprint_rtf * fingerprint_office * windows_executable BUNDLES * UEBA Essentials |
packet | "initial access":"spearphishing attachment", "execution":"user execution" |
| Multiple Account Lockouts From Same or Different Users | esa000170 | Multiple account lockouts reported for a single or multiple users within a time window of 10 minutes. The time window is configurable. VERSIONS SUPPORTED NetWitness 11.1 and higher CONFIGURATION Rule Parameters: * Within this number of seconds, allows you to choose the time window to trigger events. By default, 600 seconds time frame * Number of account lockouts before this module alerts. By default, value is 10 * Name of the CH list for user whitelist. By default, the CH list is named User_Whitelist. You have to add users to the default User_Whitelist CH list or replace the default CH list with the name of a custom CH user whitelist. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists (https://community.rsa.com/docs/DOC-85972) DEPENDENCIES * User_Whitelist CH list * Existence of at least one Windows Events log parser enabled on the log decoder BUNDLES * UEBA Essentials |
log | "credential access":"brute force" |
| Multiple Failed logins Followed By Successful Login | esa000174 | Multiple failed logons followed by a successful logon by the same user within 5 minutes. The time window and number of failed logins are configurable. VERSIONS SUPPORTED NetWitness 11.1 and higher CONFIGURATION Rule Parameters: * Within this number of seconds, allows you to choose the time window to trigger events. By default, 300 seconds time frame * Number of Failed logins before looking for Successful login. By default, value is 3 * Name of the CH list for user whitelist. By default, the CH list is named User_Whitelist. You have to add users to the default User_Whitelist CH list or replace the default CH list with the name of a custom CH user whitelist. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists (https://community.rsa.com/docs/DOC-85972) DEPENDENCIES * User_Whitelist CH list * Existence of at least one log parser enabled on the log decoder which populates ec_activity = Logon, ec_outcome = Success/Failure and user_dst is not null. BUNDLES * UEBA Essentials |
log | "credential access":"brute force" |
| Multiple Failed Logins from Multiple Diff Sources to Same Dest | esa000182 | Alert when log events contain multiple failed logins from a single user from multiple different sources to same destination. VERSIONS SUPPORTED * NetWitness 11.3 and higher * NetWitness 11.1 - 11.2 (see CONFIGURATION) CONFIGURATION For this rule to successfully deploy prior to version 11.3, be sure the meta keys of 'host_src' and 'host_dst' used within the rule are listed as array types within ESA. Refer to the 'ESA Configuration Guide' within the section 'Configure Meta Keys as Arrays in ESA Correlation Rule Values'. Rule Parameters: * Within this number of seconds, allows you to choose the time window to trigger events. By default, 3600 seconds time frame * Number of failured logons to trigger events. By default, it's 3 * Name of the CH list for user whitelist. By default, the CH list is named User_Whitelist. You have to add users to the default User_Whitelist CH list or replace the default CH list with the name of a custom CH user whitelist. * Name of the CH list for host whitelist. By default, the CH list is named Host_Whitelist. You have to add hosts to the default Host_Whitelist CH list or replace the default CH list with the name of a custom CH host whitelist. * Name of the CH list for IP whitelist. By default, the CH list is named IP_Whitelist. You have to add IPs to the default IP_Whitelist CH list or replace the default CH list with the name of a custom CH IP whitelist. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists (https://community.rsa.com/docs/DOC-85972) DEPENDENCIES * User_Whitelist CH list * Host_Whitelist CH list * IP_Whitelist CH list * Existence of at least one log parser enabled on the log decoder which populates ec_activity = Logon and ec_outcome = Failure BUNDLES * UEBA Essentials |
log | "credential access":"brute force" |
| Multiple Failed Logins from Multiple Users to Same Destination | esa000192 | Alert when log events contain multiple failed logins from multiple different users from same source to same destination in configured time. VERSIONS SUPPORTED * NetWitness 11.3 and higher * NetWitness 11.1 - 11.2 (see CONFIGURATION) CONFIGURATION For this rule to successfully deploy prior to version 11.3, be sure the meta keys of 'host_src' and 'host_dst' used within the rule are listed as array types within ESA. Refer to the 'ESA Configuration Guide' within the section 'Configure Meta Keys as Arrays in ESA Correlation Rule Values'. Rule Parameters: * Within this number of seconds, allows you to choose the time window to trigger events. By default, 180 seconds time frame * Number of failured logons to trigger events. By default, it's 3 * Name of the CH list for user whitelist. By default, the CH list is named User_Whitelist. You have to add users to the default User_Whitelist CH list or replace the default CH list with the name of a custom CH user whitelist. * Name of the CH list for host whitelist. By default, the CH list is named Host_Whitelist. You have to add hosts to the default Host_Whitelist CH list or replace the default CH list with the name of a custom CH host whitelist. * Name of the CH list for IP whitelist. By default, the CH list is named IP_Whitelist. You have to add IPs to the default IP_Whitelist CH list or replace the default CH list with the name of a custom CH IP whitelist. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists (https://community.rsa.com/docs/DOC-85972) DEPENDENCIES * User_Whitelist CH list * Host_Whitelist CH list * IP_Whitelist CH list * Existence of at least one log parser enabled on the log decoder which populates ec_activity = Logon and ec_outcome = Failure BUNDLES * UEBA Essentials |
log | "credential access":"brute force" |
| Multiple Failed Logins from Same User Originating from Different Countries | esa000193 | Multiple failed logins from the same user, originating from multiple different countries. IP addresses are used to indicate that the attempted logins originated from different countries. VERSIONS SUPPORTED NetWitness 11.1 and higher CONFIGURATION Rule Parameters: * Within this number of seconds, allows you to choose the time window to trigger events. By default, 300 seconds time frame. * Number of unique countries from where failed logins originated to trigger events. By default, it's 2. * Name of the CH list for user whitelist. By default, the CH list is named User_Whitelist. You have to add users to the default User_Whitelist CH list or replace the default CH list with the name of a custom CH user whitelist. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists (https://community.rsa.com/docs/DOC-85972) DEPENDENCIES * User_Whitelist CH list * At least one log parser enabled on the log decoder which populates ec_activity = Logon and ec_outcome = Failure * Requires the built-in GeoIP parser to be enabled. BUNDLES * UEBA Essentials |
log | "credential access":"brute force" |
| Multiple Failed Logins to Single Host from Multiple Hosts | esa000045 | Alert when log events contain multiple failed logins to a single host from multiple different sources in 300 seconds. User info is not correlated among events. Both the time window and number of failed logins are configurable. | log | "credential access":"brute force" |
| Multiple Failed Privilege Escalations by Same User | esa000196 | Triggers after a user account fails privilege escalation multiple times within configured period of time. VERSIONS SUPPORTED NetWitness 11.1 and higher CONFIGURATION Rule Parameters: * Within this number of seconds, allows you to choose the time window to trigger events. By default, 300 seconds time frame * Number of failed privilege escalation attempts. By default, it's 3 * Name of the CH list with privileged user accounts. By default, the CH list is named Admin_Accounts. You have to add users to the default Admin_Accounts CH list or replace the default CH list with the name of a custom CH list with privileged user accounts. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists (https://community.rsa.com/docs/DOC-85972) DEPENDENCIES * Admin_Accounts CH list * Existence of at least one Windows Event log parser or Unix log parsers like 'aix', 'hpux' or 'solaris' enabled on the log decoder BUNDLES * UEBA Essentials |
log | "credential access":"brute force", "privilege escalation":"valid accounts" |
| Multiple Intrusion Scan Events from Same Username to Unique Destinations | esa000068 | Detects scan events from intrusion devices to unique destinations from the same user. All events leading to alert will have same username and different destination address. This rule triggers when the detected events have the ECT (Event Classification Tag) for ec.activity equals "Scan". | log | "discovery":"network service scanning" |
| Multiple Login Failures by Administrators to Domain Controller | esa000198 | This rule is triggered when a user enters Administrator credentials to log in to a domain controller and fails multiple times within a certain number of minutes. VERSIONS SUPPORTED NetWitness 11.1 and higher CONFIGURATION Rule Parameters: * Within this number of seconds, allows you to choose the time window to trigger events. By default, 180 seconds time frame * Number of failured logons to trigger events. By default, it's 3 * Name of a custom CH list with privileged user accounts. By default, the CH list is named Admin_Accounts. You have to add users to the default Admin_Accounts CH list or replace the default CH list with the name of a custom CH list with privileged user accounts. * Name of the CH list for host blacklist. By default, the CH list is named Host_Blacklist. You have to add hosts to the default Host_Blacklist CH list or replace the default CH list with the name of a custom CH host blacklist. * Name of the CH list for IP blacklist. By default, the CH list is named IP_Blacklist. You have to add IPs to the default IP_Blacklist CH list or replace the default CH list with the name of a custom CH IP blacklist. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists (https://community.rsa.com/docs/DOC-85972) DEPENDENCIES * Admin_Accounts CH list * Host_Blacklist CH list * IP_Blacklist CH list * Existence of at least one Windows Event log parser enabled on the log decoder BUNDLES * UEBA Essentials |
log | "credential access":"brute force" |
| Multiple Login Failures by Guest to Domain Controller | esa000199 | This rule is triggered when a user enters Guest credentials to log in to a domain controller and fails multiple times within a certain number of minutes. VERSIONS SUPPORTED NetWitness 11.1 and higher CONFIGURATION Rule Parameters: * Within this number of seconds, allows you to choose the time window to trigger events. By default, 180 seconds time frame * Number of failured logons to trigger events. By default, it's 3 * Name of a custom CH list with guest user accounts. By default, the CH list is named Guest_Accounts. You have to add users to the default Guest_Accounts CH list or replace the default CH list with the name of a custom CH list with guest user accounts. * Name of the CH list for host blacklist. By default, the CH list is named Host_Blacklist. You have to add hosts to the default Host_Blacklist CH list or replace the default CH list with the name of a custom CH host blacklist. * Name of the CH list for IP blacklist. By default, the CH list is named IP_Blacklist. You have to add IPs to the default IP_Blacklist CH list or replace the default CH list with the name of a custom CH IP blacklist. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists (https://community.rsa.com/docs/DOC-85972) DEPENDENCIES * Guest_Accounts CH list * Host_Blacklist CH list * IP_Blacklist CH list * Existence of at least one Windows Event log parser enabled on the log decoder BUNDLES * UEBA Essentials |
log | "credential access":"brute force" |
| Multiple Login Failures Due to Username That Does Not Exist | esa000038 | Alerts when log events contain multiple login failures due to a username that does not exist from same source in 180 seconds. In this scenario, the username being logged into does not exist and is trying to logon multiple times from same machine. Both the time window and number of failed logins are configurable. | log | "credential access":"brute force" |
| Multiple Login Failures from Same Source IP with Unique Usernames | esa000067 | Detects when log events that contain multiple failed login events from the same source IP address with unique usernames occur within the specified time period. You can configure the time period (default is 180 seconds) and number of failed logins (default is three). BUNDLES * UEBA Essentials |
log | "credential access":"brute force" |
| Multiple Logs from a MsgID Set with Same SourceIP and DestinationIP | esa000071 | Detects when multiple log events from the specified list of message IDs with Same Source IP and Destination IP take place in the specified time period. You can configure the number of log events (default value is three), the list of message IDs, and the time period (default is 300 seconds). | log | |
| Multiple PsExec Within Short Time | esa000200 | This rule is triggered when multiple PsExec.exe instances runs within a certain number of minutes. Running PSEXEC can be an indication of someone trying to execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. These techniques can also be used to maintain persistence or for privilege escalation VERSIONS SUPPORTED * NetWitness 11.3 (Respond Alerting only) * NetWitness 11.4 and higher (Full Support) DEPENDENCIES * NetWitness Endpoint Server |
endpoint | "execution":"service execution" |
| Multiple Service Connections with Authorization Failures | esa000051 | Detects 4 failed login attempts from the same source to the same destination on different destination ports, within a 5 minute period. You can configure the time period, list of destination ports to be monitored, and the number of connection attempts. | log | "credential access":"brute force" |
| Multiple Successful Logins from Multiple Diff Src to Diff Dest | esa000183 | Alert when log events contain multiple successful logins from a single user from multiple different sources to multiple different destinations. VERSIONS SUPPORTED * NetWitness 11.3 and higher * NetWitness 11.1 - 11.2 (see CONFIGURATION) CONFIGURATION For this rule to successfully deploy prior to version 11.3, be sure the meta keys of 'host_src' and 'host_dst' used within the rule are listed as array types within ESA. Refer to the 'ESA Configuration Guide' within the section 'Configure Meta Keys as Arrays in ESA Correlation Rule Values'. Rule Parameters: * Within this number of seconds, allows you to choose the time window to trigger events. By default, 180 seconds time frame * Number of successful logons to trigger events. By default, it's 3 * Name of the CH list for user whitelist. By default, the CH list is named User_Whitelist. You have to add users to the default User_Whitelist CH list or replace the default CH list with the name of a custom CH user whitelist. * Name of the CH list for host whitelist. By default, the CH list is named Host_Whitelist. You have to add hosts to the default Host_Whitelist CH list or replace the default CH list with the name of a custom CH host whitelist. * Name of the CH list for IP whitelist. By default, the CH list is named IP_Whitelist. You have to add IPs to the default IP_Whitelist CH list or replace the default CH list with the name of a custom CH IP whitelist. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists (https://community.rsa.com/docs/DOC-85972) DEPENDENCIES * User_Whitelist CH list * Host_Whitelist CH list * IP_Whitelist CH list * Existence of at least one log parser enabled on the log decoder which populates ec_activity = Logon and ec_outcome = Success BUNDLES * UEBA Essentials |
log | "privilege escalation":"valid accounts", "defense evasion":"valid accounts", "persistence":"valid accounts", "initial access":"valid accounts" |
| Multiple Successful Logins from Multiple Diff Src to Same Dest | esa000191 | Alert when log events contain multiple successful logins from a single user from multiple different sources to same destination in configured time. VERSIONS SUPPORTED * NetWitness 11.3 and higher * NetWitness 11.1 - 11.2 (see CONFIGURATION) CONFIGURATION For this rule to successfully deploy prior to version 11.3, be sure the meta keys of 'host_src' and 'host_dst' used within the rule are listed as array types within ESA. Refer to the 'ESA Configuration Guide' within the section 'Configure Meta Keys as Arrays in ESA Correlation Rule Values'. Rule Parameters: * Within this number of seconds, allows you to choose the time window to trigger events. By default, 3600 seconds time frame * Number of success logins to trigger events. By default, its 3 * Name of the CH list for user whitelist. By default, the CH list is named User_Whitelist. You have to add users to the default User_Whitelist CH list or replace the default CH list with the name of a custom CH user whitelist. * Name of the CH list for host whitelist. By default, the CH list is named Host_Whitelist. You have to add hosts to the default Host_Whitelist CH list or replace the default CH list with the name of a custom CH host whitelist. * Name of the CH list for IP whitelist. By default, the CH list is named IP_Whitelist. You have to add IPs to the default IP_Whitelist CH list or replace the default CH list with the name of a custom CH IP whitelist. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists (https://community.rsa.com/docs/DOC-85972) DEPENDENCIES * User_Whitelist CH list * Host_WhitelistCH list * IP_WhitelistCH list * Existence of at least one log parser enabled on the log decoder which populates ec_activity = Logon and ec_outcome = Success BUNDLES * UEBA Essentials |
log | "privilege escalation":"valid accounts", "defense evasion":"valid accounts", "persistence":"valid accounts", "initial access":"valid accounts" |
| Multiple SYN packets from Same Source | esa000070 | Detects when the specified number of SYN packets from the same source occur in the specified time period. You can configure the time period (default is 60 seconds) and the SYN count (default is 100 packets). | packet | "impact":"network denial of service" |
| Netflow - Spam Detection | esa000147 | 10.4 or higher. Detects spam based on a specified number of connection attempts from one host within one minute over specified ports. For example, this criteria would trigger the rule: Host 1.1.1.1 reaches out to 1000 other hosts within one minute over ports 25, 110, or 143. The following parameters are configurable: source IP addresses to exclude, number of connection attempts, IP destination ports to include. Prerequisites are: device parser must be enabled. Use RSAFlow for 10.3 Log Decoder or CEF for 10.4 Log Decoder. Meta key "direction" must be indexed by the Log Decoder within the table-map.xml file and the Concentrator within the index-concentrator-custom.xml file. | log | "discovery":"network service scanning" |
| Netflow - Web DoS detection | esa000139 | 10.4 or higher. Lists RFC 1918 IP addresses that generate more than a specified number of network flows to a single Internet routable host, via TCP 80 or 443, within a specified number of minutes. These parameters are configurable: number of flows, number of minutes and IP source addresses to exclude from the rule. Dummy proxies are 10.1.1.1 and 10.2.2.2. Prerequisites are: device parser must be enabled, RSAFlow for 10.3 Log Decoder or CEF for 10.4 Log Decoder, and meta key "direction" must be indexed by the Log Decoder within the table-map.xml file and the Concentrator within the index-concentrator-custom.xml file. | log | "impact":"network denial of service" |
| Netflow - Windows Worm Propagation | esa000148 | 10.4 or higher. Detects worm propagation based on a specified number of connection attempts from one host within one minute over specified ports. For example, this criteria would trigger the rule: Host 1.1.1.1 reaches out to 500 other hosts in one minute over ports 135, 137, 139, or 445. The following parameters are configurable: source IP addresses to exclude, number of connection attempts, TCP destination ports to include. Prerequisites are: device parser must be enabled. Use RSAFlow for 10.3 Log Decoder or CEF for 10.4 Log Decoder. Meta key "direction" must be indexed by the Log Decoder within the table-map.xml file and the Concentrator within the index-concentrator-custom.xml file. | log | "discovery":"network service scanning" |
| No logs traffic from device in given time frame | esa000059 | Detects when there is no traffic from a device for a specified time period. The rule identifies log traffic through: device.ip and device.type, or device.host and device.type, or a combination of both. The rule looks for time lag after it receives an event and fires the alert when the time lag exceeds preset time. | log | |
| No Packet traffic detected from source IP address in given timeframe | esa000058 | No traffic from a packet source in given time frame. Packet traffic is identified via source IP. Rule looks for time lag after it receives event. Alert is fired when time lag exceeds preset time. | packet | |
| NTDSXTRACT Tool Download | esa000142 | Detects an internal network session download of NTDSXTRACT, a tool framework for extracting data from the active directory database file NTDS.DIT. At least one network parser that supports the meta keys "action" and "filename" is required. Parsers include HTTP, FTP, IRC and NFS. | packet | "credential access":"credential dumping", "discovery":"account discovery" |
| P2P software as detected by an Intrusion detection device | esa000027 | P2P software as detected by an intrusion detection device (IDS),intrusion prevention device (IPS), firewall or vulnerability scanner. | log | |
| Password Spraying | esa000201 | Password spraying uses one password, or a small list of passwords, that matches the complexity policy of the domain and may be a commonly used password. Logins are attempted with that password and many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. VERSIONS SUPPORTED NetWitness 11.1 and higher CONFIGURATION Rule Parameters: * Within this number of seconds, allows you to choose the time window to trigger events. By default, 60 seconds time frame * Number of unique users to trigger events. By default, it's 50 * List of servers to whitelist. DEPENDENCIES * Existence of at least one Windows Event log parser enabled on the log decoder |
log | "credential access":"brute force" |
| Port Scan Vertical Log | esa000036 | Alert when log events contain 200 unique destination ports with the same source and destination IP within 60 seconds indicating a vertical port scan. Both the time window and number of unique destination ports are configurable. | log | "discovery":"network service scanning" |
| Port Scan Vertical Packet | esa000034 | Alert when network sessions contain 40 unique destination ports with the same source and destination IP within 180 seconds, indicating a vertical port scan. The time window, destination port range and number of unique destination ports are configurable. | packet | "discovery":"network service scanning" |
| Potential APT Service Install | esa000153 | 10.4 or higher. Detects a host making a connection to an internet, routable IP address on port 80 or 443, and then subsequently generating a Windows "service installed" message. | log and packet | "persistence":"new service", "privilege escalation":"new service" |
| Potential HTTP Slow Post DoS | esa000096 | Triggers when a single host executes an HTTP POST to a single destination with less than or equal to 1 byte of data every 50 seconds. Both the time window and number of bytes are configurable. Note: You must upload and enable the HTTP_lua parser and its dependencies onto the Decoder. | packet | "impact":"network denial of service" |
| Privilege Escalation Detected | esa000172 | Scan for escalation in privileges for a Windows user or group. Uses a Context Hub (CH) list to track the lists of administrative user accounts. This list of administrative groups is also configurable. VERSIONS SUPPORTED NetWitness 11.1 and higher CONFIGURATION Rule Parameters: * Name of a custom CH list with administrative accounts. By default, the CH list is named Admin_Accounts. You have to add users to the default Admin_Accounts CH list or replace the default CH list with the name of a custom CH list with administrative accounts. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists (https://community.rsa.com/docs/DOC-85972). * Group Name. Specify the user group-names for administrator accounts. Default values are 'Administrators, Domain Admins, Schema Admins'. DEPENDENCIES * Admin_Accounts CH list * Windows Events log parser BUNDLES * UEBA Essentials |
log | "persistence":"account manipulation", "privilege escalation":"valid accounts" |
| Privilege Escalation Detected in Unix | esa000043 | Detects 2 kinds of events: user escalates himself using su or administrator adds user to user defined list of groups. | log | "privilege escalation":"valid accounts", "credential access":"account manipulation" |
| Privilege User Account Password Change | esa000171 | Detects a logged modification of an administrative account password. The list of administrative users, which trigger the alert is configurable. Uses a Context Hub (CH) list to track administrative accounts. VERSIONS SUPPORTED * 11.1 and higher CONFIGURATION Rule Parameters: * Name of the Context Hub. By default, the CH list is named Admin_Accounts. You have to add users to the default Admin_Accounts CH list or replace the default with the name of a custom CH admin accounts. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists (https://community.rsa.com/docs/DOC-85972). DEPENDENCIES * Admin_Accounts CH list * Existence of at least one log parser enabled on the log decoder which populates ec_activity = Logon and ec_activity = Modify BUNDLES * UEBA Essentials |
log | "credential access":"account manipulation", "persistence":"account manipulation" |
| Punycode Phishing Attempt | esa000161 | Identifies mail sessions that have a punycode hostname and also have a mismatch between the hostname in a link (href) and the text in the same link containing an IDN homograph. This suspected phishing attempt is then followed by HTTP(S) traffic with the same hostname in the certificate or in the host. Reference the RSA Link blog post from RSA Research for more details about this threat: https://community.rsa.com/community/products/netwitness/blog/2017/05/03/punycode-not-all-characters-are-created-equal. Supported on ESA 10.6.3 and higher. To enable for ESA 10.6.2, you must make the keys 'ioc' and 'analysis_service' multi-valued types. To do this, go to the NetWitness UI > Administration > Services > ESA > Explore > Workflow > Source > nextgenAggregationSource > ArrayFieldNames. Enter the keys separated by commas and restart the ESA service. If you have other ESA rules using those keys, they will need to be rewritten to use array syntax and redeployed. Select the 'Show Syntax' button in this rule to use as an example. This rule isn't supported prior to 10.6.2 due to the use of a function added to that version to compare multi-valued types. DEPENDENCIES Lua Parsers: * HTTP_lua * IDN_homograph * phishing_lua * MAIL_lua * TLS_lua You must also have at least one of the following mail protocol parsers enabled: * SMTP_lua * POP3_lua * IMAP_lua * WEBMAIL system parser BUNDLES * UEBA Essentials |
packet | "initial access":"spearphishing link" |
| RDP Inbound Traffic | esa000064 | Identifies RDP inbound traffic from one or more source IPs to 2 unique destination IPs within 60 seconds. CONFIGURATION You may customize the number of RDP connections and time window for the connections to occur. Enter a comma-separated whitelist of source and destination IPs in order to exclude them from matching the rule. DEPENDENCIES Lua Parsers * RDP_lua * traffic_flow BUNDLES * UEBA Essentials |
packet | "lateral movement":"remote desktop protocol" |
| RDP traffic from Same source to Multiple different destinations | esa000063 | Detects RDP traffic from the same source to multiple different destinations. The time window and the number of destination connections are configurable. The default is the same source IP to 3 different destination IP addresses in a 3 minute time period. BUNDLES * UEBA Essentials |
packet | "lateral movement":"remote desktop protocol" |
| Remote Data Harvesting | esa000084 | Detects a successful Juniper web-based SSL VPN login followed by the transfer of one or more files to the source host, followed by a VPN logoff by the same user within 2 minutes. Only the Juniper SSL VPN event source is supported, and the associated log device parser must be deployed. | log | "command and control":"remote file copy", "lateral movement":"remote file copy", "exfiltration":"exfiltration over other network medium", "defense evasion":"valid accounts", "privilege escalation":"valid accounts", "persistence":"external remote services", "initial access":"external remote services" |
| Remote Password Cracking Tool Use | esa000113 | Detects login failures from an IP address or host source to 3 different IP or host destinations. The time window and number of login failures are configurable. This module uses non-standard meta keys "host.src" and "host.dst". Login failures for IMAP and VNC protocols may be detected with this module. The LUA parsers for IMAP and VNC must be deployed on a Decoder. | log, packet | "credential access":"brute force" |
| RIG Exploit Kit | esa000160 | RIG exploit kit is suspected in the compromise of a vulnerable website. This is detected through anomalous HTTP session indicators in use with RIG Exploit Kit (EK) operations or a match to a shadow domain. REFERENCES Reference the RSA Link blog post from RSA Research for more details about this threat: https://community.rsa.com/community/products/netwitness/blog/2017/02/01/rig-ek-chronology-of-an-exploit-kit https://community.rsa.com/community/products/netwitness/blog/rig-decimal-ip-campaign VERSIONS SUPPORTED * 11.3 and higher * 11.2 and prior (see CONFIGURATION) CONFIGURATION For this rule to successfully deploy prior to version 11.3, be sure the meta keys of ioc, eoc, analysis_service, analysis_file and threat_desc used within the rule are listed as array types within ESA. Refer to the 'ESA Configuration Guide' within the section 'Configure Meta Keys as Arrays in ESA Correlation Rule Values'. DEPENDENCIES * HTTP_lua Lua parser * HTML_threat Lua parser * Rig Exploit Kit application rule * RSA FirstWatch Command and Control IPs feed BUNDLES * UEBA Essentials |
log and packet, packet | "initial access":"exploit public-facing application", "initial access":"drive-by compromise" |
| Rogue DHCP Server Detected | esa000150 | Detects traffic sourced on UDP 67/68 that is not a legitimate DHCP server, based on a whitelist of IP addresses that is configurable. Prerequisites for logs are: meta key "protocol" must be indexed by the Log Decoder within the table-map.xml file and the Concentrator within the index-concentrator-custom.xml file. | log, packet | "credential access":"network sniffing", "discovery":"network sniffing" |
| SPAM Host Detection | esa000151 | 10.4 or higher. Detects when a SPAM host is generating 500 or more connections destined for 1 or more hosts on TCP/25 within 1 minute, followed by 10 minutes of no initiated activity to any hosts on TCP/25. The following are configurable: the number of connections per minute, the no-activity interval in seconds, the maximum number of constituent events to store in the alert. Prerequisites for logs are: meta key "protocol" must be indexed by the Log Decoder within the table-map.xml file and the Concentrator within the index-concentrator-custom.xml file. | log, packet | "command and control":"commonly used port" |
| SSH connection from internet routable IP followed by HTTP/SSH service restart on destination: Log | esa000078 | SSH connection is detected from an internet routable IP (non-RFC 1918 standard IP or external IP addresses) followed by a HTTP/SSH service restart on destination. The default time is 5 minutes and the default service names being monitored are sshd and httpd. This rule uses a non-indexed key "service.name". It must be indexed by the Log Decoder within the table-map.xml file and the Concentrator within the index-concentrator-custom.xml file. | log | "lateral movement":"remote services" |
| SSH Traffic Detected from a Source to Different Destinations | esa000044 | Detects SSH traffic (service=22) coming from a single IP address to 5 unique destination IPs within 3 minutes. The number of unique destination IP addresses, list of services, and the time window are configurable. | packet | "lateral movement":"remote services" |
| Stealth Email Use | esa000121 | Detects a user sign-up or sign-in attempt for the following stealth mail services: Stealth Email, Hush Mail, Neomailbox, Cryptoheaven and S-mail. | packet | "exfiltration":"" |
| Stealth Email Use with Large Session | esa000128 | Detects a session larger than 1 MB to the following stealth mail services: Stealth Email, Hush Mail, Neomailbox, Cryptoheaven and S-mail. The minimum session size, number of connections, and time window are configurable. | packet | "exfiltration":"data transfer size limits" |
| Suspicious Account Removal | esa000091 | Detects a user account that has been added to an administrative group which disables or removes other accounts on the same server within 15 minutes. Both the list of administrator groups and event time window are configurable. BUNDLES * UEBA Essentials |
log | "credential access":"account manipulation", "persistence":"account manipulation" |
| Suspicious Privileged User Access Activity | esa000188 | Triggers when a privileged user account is observed logging into 3 or more unique hosts in 5 minutes. Uses a Context Hub (CH) list to track the lists of the privileged user accounts. Number of destination hosts and time window are configurable. VERSIONS SUPPORTED NetWitness 11.1 and higher CONFIGURATION Rule Parameters: * Name of a custom CH list with privileged user accounts. By default, the CH list is named Admin_Accounts. You have to add users to the default Admin_Accounts CH list or replace the default CH list with the name of a custom CH list with privileged user accounts. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists (https://community.rsa.com/docs/DOC-85972). * Within this number of seconds, allows you to choose the time window to trigger events. Default is 300 seconds. * Number of destination hosts. Specify the unique number of destination hosts that a single privileged user logged in multiple times. By default, the count of hosts is 3. DEPENDENCIES * Admin_Accounts CH list * At least one log parser enabled at log decoder which populates ec_activity = Logon, ec_outcome = Success, user_dst exists and ip_dst/host_dst exists. BUNDLES * UEBA Essentials |
log | "privilege escalation":"valid accounts", "defense evasion":"valid accounts", "persistence":"valid accounts", "initial access":"valid accounts" |
| SYN Flood Log Messages | esa000066 | SYN flood log messages with a count of 10 within 60 seconds from the device classes of either IDS, IPS or Firewall. The rule will trigger when the Event Classification Tags (ECT) of ec.theme is equal to "TEV" and ec.activity is equal to "Detect" and ec.subject is equal to "NetworkComm" in combination with a variation of the keyword Syn Flood found within "policy.name", "event.desc" or "msg.id". This alert uses non-standard meta key of "event.desc" and so it must be it must be indexed by the Log Decoder within the table-map.xml file and the Concentrator within the index-concentrator-custom.xml file. | log | "impact":"network denial of service" |
| Tor Outbound | esa000164 | This rule indicates that tor outbound traffic have been detected. This rule triggers on following two conditions: * Tor outbound app rule triggered for at least 2 times within a 5 minute time window * At least 9 alerts indicating issuer and subject name missing in SSL certificate within a 5 minute time window VERSIONS SUPPORTED * 10.6.2.1 and higher * 10.6.2 and prior (see CONFIGURATION) CONFIGURATION To enable for ESA 10.6.2 and prior, you must make the keys 'analysis_service' and 'ioc' multi-valued types. To do this, go to the NetWitness UI > Administration > Services > ESA > Explore > Workflow > Source > nextgenAggregationSource > ArrayFieldNames. Enter the keys separated by commas and restart the ESA service. If you have other ESA rules using those keys, they will need to be rewritten to use array syntax and redeployed. For more information, see https://community.rsa.com/docs/DOC-76158 DEPENDENCIES Packets: Lua Parsers * TLS_lua * traffic_flow Application Rule * Tor Outbound Logs: Lua Parsers * traffic_flow Application Rule * Tor Outbound |
log, packet | "command and control":"multi-hop proxy" |
| User Account Created and Deleted within an Hour | esa000180 | Detects when a user account is created and then gets deleted within the same hour. Uses a Context Hub (CH) list to track users. VERSIONS SUPPORTED * 11.1 and higher CONFIGURATION Rule Parameters: * Within this number of seconds, allows you to choose the time window to trigger events. By default, 3600 seconds time frame. * Name of the Context Hub whitelist. By default, the CH list is named User_Whitelist. Add or remove users from the default User_Whitelist CH list or replace the default with the name of a custom CH user whitelist. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists (https://community.rsa.com/docs/DOC-85972). DEPENDENCIES * User_Whitelist CH list * Existence of at least one log parser enabled at log decoder which populates ec_subject=User, ec_outcome=Success and either ec_activity=Create or ec_activity=Delete and user_dst is not null. BUNDLES * UEBA Essentials |
log | "persistence":"create account", "credential access":"account manipulation", "persistence":"account manipulation" |
| User Added to Admin Group Same User Login OR Same User su sudo | esa000181 | Alert when user is upgraded to one of admin groups and same user logins or performs sudo operation. This rule is specific to Unix devices. The events may indicate malicious activity of user. Uses a Context Hub (CH) list to track users. VERSIONS SUPPORTED * 11.1 and higher CONFIGURATION Rule Parameters: * Within this number of seconds, allows you to choose the time window to trigger events. By default, 300 seconds time frame. * Name of the Context Hub (CH) whitelist. By default, the CH list is named User_Whitelist. Add or remove users from the default User_Whitelist CH list or replace the default with the name of a custom CH user whitelist. For a list of out of the box CH Lists and how to create and update them, refer to Context Hub Lists (https://community.rsa.com/docs/DOC-85972). * Group Name. Specify the user group-names for custom group accounts. Default values are 'root, wheel'. DEPENDENCIES * User_Whitelist CH list * Unix device class log parsers. BUNDLES * UEBA Essentials |
log | "credential access":"account manipulation", "persistence":"account manipulation", "privilege escalation":"sudo" |
| User added to admin group then iptables is restarted | esa000079 | Detects when a user is added to one of specified groups and then the same user restarts IPtables on the same device IP. This rule is specific to Linux devices. | log | "credential access":"account manipulation", "defense evasion":"disabling security tools" |
| User added to admin group then SIGHUP detected | esa000185 | Detects when a user is upgraded to one of the admin groups (custom list of groups) and a SIGHUP is detected on a service on the same device.ip. This rule is specific to Unix devices. Uses a Context Hub (CH) list to track users. VERSIONS SUPPORTED * 11.1 and higher CONFIGURATION Rule Parameters: * Within this number of seconds, allows you to choose the time window to trigger events. By default, 300 seconds time frame. * Name of the Context Hub whitelist. By default, the CH list is named User_Whitelist. Add or remove users from the default User_Whitelist CH list or replace the default with the name of a custom CH user whitelist. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists (https://community.rsa.com/docs/DOC-85972). * Group Name. Specify the user group-names for custom group accounts. Default values are 'root, wheel'. DEPENDENCIES * User_Whitelist CH list * Unix device class Log parsers. BUNDLES * UEBA Essentials |
log | "credential access":"account manipulation", "persistence":"account manipulation" |
| User Added to Admin Group then SSH is Enabled | esa000032 | Detects when a user is added to an administrator group and the SSH service starts on the same Linux machine. This rule relies on Event Categorization Tags (ECT) for group modification. You can configure the time period, service name, and the list of administrator groups. | log | "credential access":"account manipulation", "persistence":"account manipulation", "lateral movement":"remote services" |
| User added to admin group then syslog is disabled | esa000041 | User was added to groups listed and same user stops syslog/rsyslog service on Linux machine. Rule relies on ec tags for Group modification. Linux machine does not generate events for stopping syslog service but event is triggered for stopping kernel logging. This event is used to fire rule. | log | "credential access":"account manipulation", "defense evasion":"disabling security tools", "defense evasion":"indicator removal on host" |
| User Login Baseline | esa000173 | This rule detects user accounts suspected of misuse due to credential compromise or a malicious insider. The user account is suspicious due to unusual login activity within the organization. Login activity by user is stored and a score is calculated. When that score is higher than a configurable threshold and the number of unique devices being logged into is unusual, then an alert is generated. REFERENCES For more details about this rule, see the User Login Baseline topic at https://community.rsa.com/docs/DOC-86692. VERSIONS SUPPORTED * NetWitness 11.3 and higher * NetWitness 11.1 - 11.2 (see CONFIGURATION) CONFIGURATION For this rule to successfully deploy prior to version 11.3, be sure the meta keys of 'host_src' and 'host_dst' used within the rule are listed as array types within ESA. Refer to the 'ESA Configuration Guide' within the section 'Configure Meta Keys as Arrays in ESA Correlation Rule Values'. Rule Parameters: * Blacklist of device class. By default, each device class supported by RSA are listed. * Maximum average for user login activity. By default, this is 150 user logins over the length of the baseline. * Maximum login count. By default, this is 300 user logins over the current window of 24 hours. * Minimum average for user login activity. By default, this is an average of 3 user logins over the length of the baseline. * Name of the CH list for user whitelist. By default, the CH list is named User_Whitelist. You have to add users to the default User_Whitelist CH list or replace the default CH list with the name of a custom CH user whitelist. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists (https://community.rsa.com/docs/DOC-85972). * Number of days to baseline user login activity. By default, the rule will store user login activity for 7 days. * Score threshold to trigger the rule. By default, the score threshold is 80. DEPENDENCIES * User_Whitelist CH list * At least one log parser which populates ec_activity = Logon and ec_outcome = Success or Failure with a user_dst key that is not null BUNDLES * UEBA Essentials |
log | "privilege escalation":"valid accounts", "defense evasion":"valid accounts", "persistence":"valid accounts", "initial access":"valid accounts" |
| VM Clone After Multiple Root ESX Login Attempts | esa000050 | 10.4 or higher. Alert if there are 3 root login failures to an ESX server followed by root login success to an ESX server followed by a VM Clone event within 5 minutes. The time window and number of root login failures are configurable. | log | "credential access":"brute force" |
| Web DoS Alert | esa000095 | Alert to a possible web DoS when 40 connection attempts occur within a 1 minute period, over port 80 or 443, from unique source IP addresses to the same destination IP address. The number of connection attempts, list of TCP destination ports, and whitelist of source IP addresses are configurable. VERSIONS SUPPORTED * NetWitness 11.4 and higher * NetWitness 11.3 and prior (requires configuration) CONFIGURATION For NetWitness 11.3 and prior, you must add the meta key 'event_source_id' to the index-concentrator.xml file. See the topic 'Customize the Meta Framework' at https://community.rsa.com/docs/DOC-79201 for details on how to make this change. Without this step, ESA will not recognize the meta key and the rule will fail to deploy. This meta key is required for data masking. DEPENDENCIES * NETWORK Decoder parser |
packet | action on objectives, attack phase, denial of service, threat |
| Web DoS Attack | esa000030 | Web DoS attack possible with 1000 connection attempts over port 80 or 443 from the same source IP to the same destination IP. The number of connection attempts, list of TCP destination ports and whitelist of source IPs are configurable. | packet | "impact":"network denial of service" |
| Webshells Detected | esa000163 | This rule indicates that 3 webshells have been detected through communication between the same IP source and destination pair within a 10 minute time window. VERSIONS SUPPORTED * 10.6.2.1 and higher * 10.6.2 and prior (see CONFIGURATION) CONFIGURATION To enable for ESA 10.6.2 and prior, you must make the keys 'analysis_service' and 'ioc' multi-valued types. To do this, go to the NetWitness UI > Administration > Services > ESA > Explore > Workflow > Source > nextgenAggregationSource > ArrayFieldNames. Enter the keys separated by commas and restart the ESA service. If you have other ESA rules using those keys, they will need to be rewritten to use array syntax and redeployed. For more information, see https://community.rsa.com/docs/DOC-76158 DEPENDENCIES Lua Parsers * HTTP_lua * china_chopper |
packet | "persistence":"web shell", "privilege escalation":"web shell" |
| Windows Audit Log Cleared | esa000014 | Alert is fired when Windows Audit log is cleared. | log | "defense evasion":"indicator removal on host" |
| Windows Suspicious Admin Activity: Audit Log Cleared | esa000176 | Detects when a user account is created, added to the Administrators group, and the audit logs are cleared within a five minute period. VERSIONS SUPPORTED NetWitness 11.1 and higher CONFIGURATION Rule Parameters: * Within this number of seconds, allows you to choose the time window to trigger events. By default, 300 seconds time frame * Name of the CH list for user whitelist. By default, the CH list is named User_Whitelist. You have to add users to the default User_Whitelist CH list or replace the default CH list with the name of a custom CH user whitelist. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists (https://community.rsa.com/docs/DOC-85972) DEPENDENCIES * User_Whitelist CH list * Existence of at least one Windows Event log parser enabled on the log decoder BUNDLES * UEBA Essentials |
log | "persistence":"create account", "credential access":"account manipulation", "persistence":"account manipulation", "defense evasion":"indicator removal on host" |
| Windows Suspicious Admin Activity: Firewall Service Stopped | esa000177 | Detects when a user account is created, added to administrators group, and the firewall is stopped within a five minute time period. VERSIONS SUPPORTED NetWitness 11.1 and higher CONFIGURATION Rule Parameters: * Within this number of seconds, allows you to choose the time window to trigger events. By default, 300 seconds time frame * Name of the CH list for user whitelist. By default, the CH list is named User_Whitelist. You have to add users to the default User_Whitelist CH list or replace the default CH list with the name of a custom CH user whitelist. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists (https://community.rsa.com/docs/DOC-85972) DEPENDENCIES * User_Whitelist CH list * Existence of at least one Windows Event log parser enabled on the log decoder BUNDLES * UEBA Essentials |
log | "persistence":"create account", "credential access":"account manipulation", "persistence":"account manipulation", "defense evasion":"disabling security tools" |
| Windows Suspicious Admin Activity: Network Share Created | esa000178 | Detects when a user account is created, added to administrators group, and a network share is created within a five minute time period. You can configure the time period. VERSIONS SUPPORTED NetWitness 11.1 and higher CONFIGURATION Rule Parameters: * Within this number of seconds, allows you to choose the time window to trigger events. By default, 300 seconds time frame * Name of the CH list for user whitelist. By default, the CH list is named User_Whitelist. You have to add users to the default User_Whitelist CH list or replace the default CH list with the name of a custom CH user whitelist. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists (https://community.rsa.com/docs/DOC-85972) DEPENDENCIES * User_Whitelist CH list * Existence of at least one Windows Event log parser enabled on the log decoder BUNDLES * UEBA Essentials |
log | "persistence":"create account", "credential access":"account manipulation", "persistence":"account manipulation", "lateral movement":"windows admin shares" |
| Windows Suspicious Admin Activity: Shared Object Accessed | esa000179 | Detects when a Windows user account is created, a shared object is accessed, and the account is deleted within a five minute time period. VERSIONS SUPPORTED NetWitness 11.1 and higher CONFIGURATION Rule Parameters: * Within this number of seconds, allows you to choose the time window to trigger events. By default, 300 seconds time frame * Name of the CH list for user whitelist. By default, the CH list is named User_Whitelist. You have to add users to the default User_Whitelist CH list or replace the default CH list with the name of a custom CH user whitelist. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists (https://community.rsa.com/docs/DOC-85972) DEPENDENCIES * User_Whitelist CH list * Existence of at least one Windows Event log parser enabled on the log decoder BUNDLES * UEBA Essentials |
log | "persistence":"create account", "credential access":"account manipulation", "persistence":"account manipulation", "collection":"data from network shared drive" |
| Windows User Added to Administrators Group and Security Disabled | esa000073 | Detects when a Windows user was added to an administrative group and the security center or manager was disabled within the specified time period. You can configure the list of administrator groups and time period (default values is five minutes). Note: This rule uses the "accesses" and "event.desc" non-standard meta keys. You must implement this non-standard meta keys after you download this rule. | log | "credential access":"account manipulation", "defense evasion":"disabling security tools" |
| Windows Worm Activity Detected Logs | esa000082 | Detects log messages indicative of a worm with a destination port of 137, 138, 139 or 445 from at least 10 unique RFC-1918 source IPs within 1 minute. The list of destination ports, event time window and number of unique source IPs are configurable. | log | "command and control":"uncommonly used port" |
| Windows Worm Activity Detected Packets | esa000081 | Detects a single source IP reaching out to 10 distinct destination IP addresses on ports 137, 138, 139, or 445 within 1 minute. The list of destination ports, event time window and number of unique destination IPs are configurable. | packet | "command and control":"uncommonly used port" |
