RSA NetWitness Rules
This table lists all of the delivered RSA NetWitness Rules.
Note: For content that has been discontinued, see Discontinued Content.
Display Name | File Name | Description | Medium | Tag |
---|---|---|---|---|
11.1-11.2 Autoruns and Scheduled Tasks from or referencing AppData | 11.1-11.2 Autoruns and Scheduled Tasks from or referencing AppData | Compliance Rule- Anti-Virus Signature Update | endpoint | assurance, compliance, audit, operations, event analysis, situation awareness |
11.1-11.2 Autoruns and Scheduled Tasks from Root of ProgramData | 11.1-11.2 Autoruns and Scheduled Tasks from Root of ProgramData | Details of autoruns and tasks launched from or referencing AppData. Task name, autorun type, directory, command, launch arguments and number of associated hosts will be reflected. These locations are often used by malware authors to store malicious payloads, with autoruns in place to ensure persistence. VERSIONS SUPPORTED: RSA NetWitness Endpoint 11.1 and higher. | endpoint | attack phase, exploit, threat |
11.1-11.2 Autoruns and Scheduled Tasks Invoking Command Shell | 11.1-11.2 Autoruns and Scheduled Tasks Invoking Command Shell | Attackers will often use registry autoruns and scheduled tasks to maintain persistence on a compromised machine. A common technique leverages %SYSTEMROOT%\ProgramData as a storage location for malicious payloads set to run at a particular time or upon a trigger (i.e. login). It is not common for executables to be launched from the root of ProgramData, so any instance should be considered suspicious. VERSIONS SUPPORTED: RSA NetWitness Endpoint 11.1 and higher. | endpoint | attack phase, exploit, threat |
11.1-11.2 Autoruns and Scheduled Tasks Invoking Windows Script Host | 11.1-11.2 Autoruns and Scheduled Tasks Invoking Windows Script Host | Attackers will often use registry autoruns and scheduled tasks to maintain persistence on a compromised machine. A common technique will invoke trusted system shells (cmd.exe and powershell.exe) to perform malicious activity in an effort to evade anti-malware solutions. While not all autoruns invoking these commands are inherently malicious, an analyst should understand which of them are normal or required for IT operations and be suspicious of all others. VERSIONS SUPPORTED: RSA NetWitness Endpoint 11.1 and higher. | endpoint | attack phase, exploit, threat |
11.1-11.2 Autoruns and Scheduled Tasks Running Scripts | 11.1-11.2 Autoruns and Scheduled Tasks Running Scripts | Attackers will often use registry autoruns and scheduled tasks to maintain persistence on a compromised machine. A common technique will invoke Windows Script Host (cscript.exe and wscript.exe) to launch scripts in an effort to evade anti-malware solutions. While not all autoruns invoking these commands are inherently malicious, an analyst should understand which of them are normal or required for IT operations and be suspicious of all others. VERSIONS SUPPORTED: RSA NetWitness Endpoint 11.1 and higher. | endpoint | attack phase, exploit, threat |
11.1-11.2 Autoruns and Tasks on Host | 11.1-11.2 Autoruns and Tasks on Host | Attackers will often use registry autoruns and scheduled tasks to maintain persistence on a compromised machine. A common technique will call and execute various scripts to provide further instructions for the attack. Detecting arguments passed to an executable that look like common script file formats can be a good indicator of compromise, particularly when attackers choose to obfuscate the name of the launching binary (e.g. create a copy of cmd.exe under a different name). While not all autoruns invoking these scripts are inherently malicious, an analyst should understand which of them are normal or required for IT operations and be suspicious of all others. VERSIONS SUPPORTED: RSA NetWitness Endpoint 11.1 and higher. | endpoint | attack phase, exploit, threat |
11.1-11.2 DLLs on Host | 11.1-11.2 DLLs on Host | Aggregates sessions that contain CDNs, which are listed in the Content Delivery Networks List. Filter these sites to reduce the amount of "noise" from non-dangerous traffic. | endpoint | operations, event analysis, application analysis, situation awareness |
11.1-11.2 Endpoint Operating Systems Summary | 11.1-11.2 Endpoint Operating Systems Summary | For each dynamic DNS host, the associated IP addresses, ports and module accessing the domain name will be reflected. The dynamic DNS domains are maintained in a list that can be altered as needed. DDNS provides flexibility to adversaries and helps them with evasion and persistence. VERSIONS SUPPORTED: RSA NetWitness Endpoint 11.1 and higher. CONFIGURATION: If this rule is used with the Endpoint Network Activity Report or a custom report, before the report is scheduled to run, you must enter a domain name or configure and use a NetWitness List of domain names to return this network data information. | endpoint | assurance, audit, compliance, operations, risk, threat |
11.1-11.2 Endpoint Version Summary | 11.1-11.2 Endpoint Version Summary | Operating system details associated with the host(s). VERSIONS SUPPORTED: RSA NetWitness Endpoint 11.1 and higher. | endpoint | assurance, audit, compliance, operations, risk |
11.1-11.2 Files on Host | 11.1-11.2 Files on Host | Displays files transported over uncommon protocols such as ICMP and those identified as unknown. This report will ignore files transferred over the common protocols HTTP, FTP, SMTP, POP, RSYNC and TFTP. | endpoint | operations, event analysis, protocol analysis |
11.1-11.2 Machine Details on Host | 11.1-11.2 Machine Details on Host | Detects logouts for users on a watchlist by user name. | endpoint | assurance, compliance, audit, identity, authentication |
11.1-11.2 Processes on Host | 11.1-11.2 Processes on Host | Details related to external domain names accessed by PowerShell. The associated host, source IP address, destination IP address, domain name and launch argument used with PowerShell are reflected. Connections to external domains can help an adversary execute remote scripts or fetch files or other useful information. VERSIONS SUPPORTED: RSA NetWitness Endpoint 11.1 and higher. | endpoint | assurance, attack phase, operations, risk, threat |
11.1-11.2 Rarest Autorun Registry Keys | 11.1-11.2 Rarest Autorun Registry Keys | There are numerous registry autorun keys that allow for command execution without interaction by the end user. Two common keys used by attackers are HKCU\Software\Microsoft\Windows\CurrentVersion\Run and \RunOnce. Outliers in an enterprise environment should be inspected. VERSIONS SUPPORTED: RSA NetWitness Endpoint 11.1 and higher. | endpoint | attack phase, exploit, threat |
11.1-11.2 Rarest Child Processes of Web Server Processes | 11.1-11.2 Rarest Child Processes of Web Server Processes | Filename, launch arguments and number of associated hosts are reflected when the registry contains autorun registry keys. Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. VERSIONS SUPPORTED: RSA NetWitness Endpoint 11.1 and higher. | endpoint | assurance, operations, reconnaissance, risk, threat |
11.1-11.2 Rarest Code Signing Certificate CNs | 11.1-11.2 Rarest Code Signing Certificate CNs | Details of child processes of web servers. Web shells can be used by adversaries to run malicious tools, commands and scripts. Parent process, checksum, directory and number of associated hosts are reflected. VERSIONS SUPPORTED: RSA NetWitness Endpoint 11.1 and higher. | endpoint | assurance, operations, risk, threat |
11.1-11.2 Rarest Parent Processes of cmd | 11.1-11.2 Rarest Parent Processes of cmd | List of filenames with their checksum, directory and number of associated hosts. This information can be helpful in investigations. VERSIONS SUPPORTED: RSA NetWitness Endpoint 11.1 and higher. | endpoint | assurance, operations, risk, threat |
11.1-11.2 Rarest Parent Processes of powershell | 11.1-11.2 Rarest Parent Processes of powershell | Attackers will often use trusted Windows processes as part of their attack. In a corporate environment, the number of unique parent processes invoking cmd.exe should be minimal. Very unique parent processes could indicate malware or alternate execution paths used by malware and attackers and should be investigated. VERSIONS SUPPORTED: RSA NetWitness Endpoint 11.1 and higher. | endpoint | attack phase, exploit, threat |
11.1-11.2 Rarest Processes Running from AppData | 11.1-11.2 Rarest Processes Running from AppData | Attackers will often use trusted Windows processes as part of their attack. In a corporate environment, the number of unique parent processes invoking powershell.exe should be minimal. Very unique parent processes could indicate malware or alternate execution paths used by malware and attackers and should be investigated. VERSIONS SUPPORTED: RSA NetWitness Endpoint 11.1 and higher. | endpoint | attack phase, exploit, threat |
11.1-11.2 Services on Host | 11.1-11.2 Services on Host | Detects the meta key service generated through a network parser, which match a list of configured source IPs. | endpoint | operations, event analysis, protocol analysis, situation awareness |
11.1-11.2 Windows Process Parent Child Mismatch | 11.1-11.2 Windows Process Parent Child Mismatch | Indicates a possible pass-the-hash attack on Windows systems configured to use the NTLM authentication protocol. This rule does not apply to systems which use the Kerberos authentication protocol. This rule reduces false positives for anonymous logons and eliminates all DC or machine logons by removing any usernames that end in a $. | endpoint | action on objectives, attack phase, authentication, identity, lateral movement, threat |
11.3 Autoruns and Scheduled Tasks from or referencing AppData | 11.3 Autoruns and Scheduled Tasks from or referencing AppData | Compliance Rule- Anti-Virus Signature Update | endpoint | assurance, compliance, audit, operations, event analysis, situation awareness |
11.3 Autoruns and Scheduled Tasks from Root of ProgramData | 11.3 Autoruns and Scheduled Tasks from Root of ProgramData | Details of autoruns and tasks launched from or referencing AppData. Task name, autorun type, directory, command, launch arguments and number of associated hosts will be reflected. These locations are often used by malware authors to store malicious payloads, with autoruns in place to ensure persistence. VERSIONS SUPPORTED: RSA NetWitness Endpoint 11.3 and higher. | endpoint | attack phase, exploit, threat |
11.3 Autoruns and Scheduled Tasks Invoking Command Shell | 11.3 Autoruns and Scheduled Tasks Invoking Command Shell | Attackers will often use registry autoruns and scheduled tasks to maintain persistence on a compromised machine. A common technique leverages %SYSTEMROOT%\ProgramData as a storage location for malicious payloads set to run at a particular time or upon a trigger (i.e. login). It is not common for executables to be launched from the root of ProgramData, so any instance should be considered suspicious. VERSIONS SUPPORTED: RSA NetWitness Endpoint 11.3 and higher. | endpoint | attack phase, exploit, threat |
11.3 Autoruns and Scheduled Tasks Invoking Windows Script Host | 11.3 Autoruns and Scheduled Tasks Invoking Windows Script Host | Attackers will often use registry autoruns and scheduled tasks to maintain persistence on a compromised machine. A common technique will invoke trusted system shells (cmd.exe and powershell.exe) to perform malicious activity in an effort to evade anti-malware solutions. While not all autoruns invoking these commands are inherently malicious, an analyst should understand which of them are normal or required for IT operations and be suspicious of all others. VERSIONS SUPPORTED: RSA NetWitness Endpoint 11.3 and higher. | endpoint | attack phase, exploit, threat |
11.3 Autoruns and Scheduled Tasks Running Scripts | 11.3 Autoruns and Scheduled Tasks Running Scripts | Attackers will often use registry autoruns and scheduled tasks to maintain persistence on a compromised machine. A common technique will invoke Windows Script Host (cscript.exe and wscript.exe) to launch scripts in an effort to evade anti-malware solutions. While not all autoruns invoking these commands are inherently malicious, an analyst should understand which of them are normal or required for IT operations and be suspicious of all others. VERSIONS SUPPORTED: RSA NetWitness Endpoint 11.3 and higher. | endpoint | attack phase, exploit, threat |
11.3 Autoruns and Tasks on Host | 11.3 Autoruns and Tasks on Host | Attackers will often use registry autoruns and scheduled tasks to maintain persistence on a compromised machine. A common technique will call and execute various scripts to provide further instructions for the attack. Detecting arguments passed to an executable that look like common script file formats can be a good indicator of compromise, particularly when attackers choose to obfuscate the name of the launching binary (e.g. create a copy of cmd.exe under a different name). While not all autoruns invoking these scripts are inherently malicious, an analyst should understand which of them are normal or required for IT operations and be suspicious of all others. VERSIONS SUPPORTED: RSA NetWitness Endpoint 11.3 and higher. | endpoint | attack phase, exploit, threat |
11.3 DLLs on Host | 11.3 DLLs on Host | Aggregates sessions that contain CDNs, which are listed in the Content Delivery Networks List. Filter these sites to reduce the amount of "noise" from non-dangerous traffic. | endpoint | operations, event analysis, application analysis, situation awareness |
11.3 Endpoint Host State | 11.3 Endpoint Host State | Compliance Rule- Encryption Key Generation and Changes | endpoint | assurance, compliance, audit |
11.3 Endpoint Indicators Analysis | 11.3 Endpoint Indicators Analysis | Details of host state with the rarest occurring state on top. VERSIONS SUPPORTED: RSA NetWitness Endpoint 11.3 and higher. | endpoint | assurance, compliance, operations, risk |
11.3 Endpoint Indicators by Tactic | 11.3 Endpoint Indicators by Tactic | Number of risk indicators associated with each host, broken down by risk level (critical, high, medium and low). VERSIONS SUPPORTED: RSA NetWitness Endpoint 11.3 and higher. | endpoint | assurance, compliance, operations, risk, threat |
11.3 Endpoint Indicators by Tactic and Technique | 11.3 Endpoint Indicators by Tactic and Technique | Number of indicators associated with adversarial tactics described in the MITRE ATT&CK™ Enterprise framework. VERSIONS SUPPORTED: RSA NetWitness Endpoint 11.3 and higher. | endpoint | assurance, compliance, operations, risk, threat |
11.3 Endpoint Indicators Summary | 11.3 Endpoint Indicators Summary | Number of indicators associated with adversarial tactics and techniques described in the MITRE ATT&CK™ Enterprise framework. VERSIONS SUPPORTED: RSA NetWitness Endpoint 11.3 and higher. | endpoint | assurance, compliance, operations, risk, threat |
11.3 Endpoint Module and Dynamic DNS | 11.3 Endpoint Module and Dynamic DNS | Number of risk indicators associated with each host. VERSIONS SUPPORTED: RSA NetWitness Endpoint 11.3 and higher. | endpoint | assurance, compliance, operations, risk, threat |
11.3 Endpoint Operating Systems Summary | 11.3 Endpoint Operating Systems Summary | For each dynamic DNS host, the associated IP addresses, ports and module accessing the domain name will be reflected. The dynamic DNS domains are maintained in a list that can be altered as needed. DDNS provides flexibility to adversaries and helps them with evasion and persistence. VERSIONS SUPPORTED: RSA NetWitness Endpoint 11.3 and higher. CONFIGURATION: If this rule is used with the Endpoint Network Activity Report or a custom report, before the report is scheduled to run, you must enter a domain name or configure and use a NetWitness List of domain names to return this network data information. | endpoint | assurance, audit, compliance, operations, risk, threat |
11.3 Endpoint Version Summary | 11.3 Endpoint Version Summary | Operating system details associated with the host(s). VERSIONS SUPPORTED: RSA NetWitness Endpoint 11.3 and higher. | endpoint | assurance, audit, compliance, operations, risk |
11.3 Files on Host | 11.3 Files on Host | Displays files transported over uncommon protocols such as ICMP and those identified as unknown. This report will ignore files transferred over the common protocols HTTP, FTP, SMTP, POP, RSYNC and TFTP. | endpoint | operations, event analysis, protocol analysis |
11.3 Machine Details on Host | 11.3 Machine Details on Host | Detects logouts for users on a watchlist by user name. | endpoint | assurance, compliance, audit, identity, authentication |
11.3 Multiple Arguments for Same Task | 11.3 Multiple Arguments for Same Task | Summarizes a list of hosts with mismatched HREFs | endpoint | operations, event analysis, protocol analysis |
11.3 Multiple Filename for Task Name | 11.3 Multiple Filename for Task Name | Filename, number of parameters and the parameters themselves will be displayed for tasks, with all the supplied arguments. VERSIONS SUPPORTED: RSA NetWitness Endpoint 11.3 and higher. | endpoint | assurance, operations, reconnaissance, risk, threat |
11.3 Multiple Task Name for Filename | 11.3 Multiple Task Name for Filename | Filename, directory and number of files will be displayed when the number of files associated with a task is more than one. VERSIONS SUPPORTED: RSA NetWitness Endpoint 11.3 and higher. | endpoint | assurance, operations, reconnaissance, risk, threat |
11.3 Powershell to External Domain | 11.3 Powershell to External Domain | Compliance Rule- Password Changes | endpoint | assurance, compliance, audit, identity, authorization |
11.3 Processes on Host | 11.3 Processes on Host | Details related to external domain names accessed by PowerShell. The associated host, source IP address, destination IP address, domain name and launch argument used with PowerShell are reflected. Connections to external domains can help an adversary execute remote scripts or fetch files or other useful information. VERSIONS SUPPORTED: RSA NetWitness Endpoint 11.3 and higher. | endpoint | assurance, attack phase, operations, risk, threat |
11.3 Rare Extension for Task | 11.3 Rare Extension for Task | List of vendors associated with unsigned files. VERSIONS SUPPORTED: RSA NetWitness Endpoint 11.3 and higher. | endpoint | attack phase, malware, threat |
11.3 Rarest Autorun Registry Keys | 11.3 Rarest Autorun Registry Keys | There are numerous registry autorun keys that allow for command execution without interaction by the end user. Two common keys used by attackers are HKCU\Software\Microsoft\Windows\CurrentVersion\Run and \RunOnce. Outliers in an enterprise environment should be inspected. VERSIONS SUPPORTED: RSA NetWitness Endpoint 11.1 and higher. | endpoint | attack phase, exploit, threat |
11.3 Rarest Child Processes of Web Server Processes | 11.3 Rarest Child Processes of Web Server Processes | Filename, launch arguments and number of associated hosts are reflected when the registry contains autorun registry keys. Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. VERSIONS SUPPORTED: RSA NetWitness Endpoint 11.3 and higher. | endpoint | assurance, operations, reconnaissance, risk, threat |
11.3 Rarest Code Signing Certificate CNs | 11.3 Rarest Code Signing Certificate CNs | Details of child processes of web servers. Web shells can be used by adversaries to run malicious tools, commands and scripts. Parent process, checksum, directory and number of associated hosts are reflected. VERSIONS SUPPORTED: RSA NetWitness Endpoint 11.3 and higher. | endpoint | assurance, operations, risk, threat |
11.3 Rarest File Names Across Endpoints | 11.3 Rarest File Names Across Endpoints | Less careful malware authors may attempt to sign an executable with an untrusted CA to appear more legitimate to the untrained eye. In a corporate environment, looking for rarity of the common name assigned to the certificate can turn up unwanted applications. The analyst should investigate the rarest instances. VERSIONS SUPPORTED: RSA NetWitness Endpoint 11.3 and higher. | endpoint | assurance, operations, risk, threat |
11.3 Rarest Parent Processes of cmd | 11.3 Rarest Parent Processes of cmd | List of filenames with their checksum, directory and number of associated hosts. This information can be helpful in investigations. VERSIONS SUPPORTED: RSA NetWitness Endpoint 11.3 and higher. | endpoint | assurance, operations, risk, threat |
11.3 Rarest Parent Processes of powershell | 11.3 Rarest Parent Processes of powershell | Attackers will often use trusted Windows processes as part of their attack. In a corporate environment, the number of unique parent processes invoking cmd.exe should be minimal. Very unique parent processes could indicate malware or alternate execution paths used by malware and attackers and should be investigated. VERSIONS SUPPORTED: RSA NetWitness Endpoint 11.3 and higher. | endpoint | attack phase, exploit, threat |
11.3 Rarest Processes Running from AppData | 11.3 Rarest Processes Running from AppData | Attackers will often use trusted Windows processes as part of their attack. In a corporate environment, the number of unique parent processes invoking powershell.exe should be minimal. Very unique parent processes could indicate malware or alternate execution paths used by malware and attackers and should be investigated. VERSIONS SUPPORTED: RSA NetWitness Endpoint 11.3 and higher. | endpoint | attack phase, exploit, threat |
11.3 Rarest Unsigned Service Names Across Endpoints | 11.3 Rarest Unsigned Service Names Across Endpoints | A common malware characteristic is to run out of temporary and low-security folders. Rare processes running out of the AppData\Local or AppData\Roaming folders should be investigated. VERSIONS SUPPORTED: RSA NetWitness Endpoint 11.3 and higher. | endpoint | attack phase, malware, threat |
11.3 Rarest Unsigned Task Names Across Endpoints | 11.3 Rarest Unsigned Task Names Across Endpoints | Services which are unsigned will be reflected along with module details, directory, checksum and number of associated hosts. VERSIONS SUPPORTED: RSA NetWitness Endpoint 11.3 and higher. | endpoint | assurance, operations, reconnaissance, risk, threat |
11.3 Rarest Vendor of Unsigned Files Across Endpoints | 11.3 Rarest Vendor of Unsigned Files Across Endpoints | Tasks which are unsigned will be reflected along with module details, directory, checksum and number of associated hosts. VERSIONS SUPPORTED: RSA NetWitness Endpoint 11.3 and higher. | endpoint | assurance, operations, reconnaissance, risk, threat |
11.3 Same Arguments for Different Task Filename | 11.3 Same Arguments for Different Task Filename | Returns all usernames that have performed failed authentications as declared by RSA SecurID. This rule populates users who have entered an unregistered username within the SecurID Server database (invalid username). It has a limit of returning 5,000 users. Note: You will need to index the non-standard meta key 'result' on the Log Decoder and Concentrator in order to fully populate this report. See the report documentation for more details at https://community.rsa.com/docs/DOC-43406. DEPENDENCIES: RSA Authentication Manager and User Credential Manager event source (log parser rsaacesrv). | endpoint | authentication, identity |
11.3 Services on Host | 11.3 Services on Host | Detects the meta key service generated through a network parser, which match a list of configured source IPs. | endpoint | operations, event analysis, protocol analysis, situation awareness |
11.3 Task Present on one Machine | 11.3 Task Present on one Machine | Compliance Rule- System Clock Synchronization | endpoint | assurance, compliance, audit |
11.3 Uncommon Directory for Task | 11.3 Uncommon Directory for Task | Displays internal users communicating over tunneling protocols that may indicate inappropriate or anonymous access. This rule includes SSH and Tor tunneling protocols. | endpoint | operations, event analysis, protocol analysis, flow analysis, situation awareness |
11.3 User Created Unique Task | 11.3 User Created Unique Task | Compliance Rule- User Session Terminated Summary | endpoint | identity, authentication |
11.3 User Defined Domain Name Analysis | 11.3 User Defined Domain Name Analysis | Unique task that is created or authored by a user. VERSIONS SUPPORTED: RSA NetWitness Endpoint 11.3 and higher. | endpoint | assurance, operations, risk, threat |
11.3 Windows Process Parent Child Mismatch | 11.3 Windows Process Parent Child Mismatch | Indicates a possible pass-the-hash attack on Windows systems configured to use the NTLM authentication protocol. This rule does not apply to systems which use the Kerberos authentication protocol. This rule reduces false positives for anonymous logons and eliminates all DC or machine logons by removing any usernames that end in a $. | endpoint | action on objectives, attack phase, authentication, identity, lateral movement, threat |
Access to Compliance Data Details | Access to Compliance Data Details | Access to Compliance Data Details | log | assurance, compliance, audit, identity, authorization |
Access to Compliance Data Summary | Access to Compliance Data Summary | Compliance Rule- Access to Compliance Data Summary | log | assurance, compliance, audit, identity, authorization |
Accounts Created | Accounts Created | Compliance Rule- Accounts Created | log | assurance, compliance, audit, identity, authorization |
Accounts Deleted | Accounts Deleted | Compliance Rule- Accounts Deleted | log | assurance, compliance, audit, identity, authorization |
Accounts Disabled | Accounts Disabled | Compliance Rule- Accounts Disabled | log | assurance, compliance, audit, identity, authorization |
Accounts Modified | Accounts Modified | Compliance Rule- Accounts Modified | log | assurance, compliance, audit, identity, authorization |
Ad Servers by Bandwidth | Ad Servers by Bandwidth | Aggregates sessions that contain ad sites, which are listed in the Ad Servers List. Ad services consume a lot of disk space. If the traffic is acceptable, ad servers are a good candidate for filtering. This rule feeds data to the Global Filtering Candidate report. | log, packet | assurance, audit, compliance, operations, situation awareness |
Admin Access to Compliance Systems Details | Admin Access to Compliance Systems Details | Compliance Rule- Admin Access to Compliance Systems Details | log | assurance, audit, authorization, compliance, identity |
Admin Access to Compliance Systems Summary | Admin Access to Compliance Systems Summary | Compliance Rule- Admin Access to Compliance Systems Summary | log | assurance, audit, authorization, compliance, identity |
Alert IDs By Profiled Source IP | Alert IDs by Profiled Source IP | Detects the meta key alert.id generated through basic correlation rules, which match a list of configured source IPs. | log, packet | threat, identity, assurance, operations, situation awareness |
Alerts By Profiled Source IP | Alerts by Profiled Source IP | Detects the meta key alert generated through application rules, which match a list of configured source IPs. | log, packet | threat, identity, assurance, operations, situation awareness |
All Risk Suspicious by Destination IP | All Risk Suspicious by Destination IP | Aggregates sessions by risk.suspicious and displays all results by ip.dst in descending order. | log, packet | threat, identity, assurance, operations, situation awareness |
All Risk Suspicious by Session Size | All Risk Suspicious by Session Size | Aggregates sessions by risk.suspicious and displays all results by session size in descending order. | log, packet | threat, identity, assurance, operations, situation awareness |
All Risk Suspicious by Source IP | All Risk Suspicious by Source IP | Aggregates sessions by risk.suspicious and displays all results by ip.src in descending order. | log, packet | threat, identity, assurance, operations, situation awareness |
All Risk Warning by Destination IP | All Risk Warning by Destination IP | Aggregates sessions by risk.warning and displays all results by ip.dst in descending order. | log, packet | threat, identity, assurance, operations, situation awareness |
All Risk Warning by Session Size | All Risk Warning by Session Size | Aggregates sessions by risk.warning and displays all results by session size in descending order. | log, packet | threat, identity, assurance, operations, situation awareness |
All Risk Warning by Source IP | All Risk Warning by Source IP | Aggregates sessions by risk.warning and displays all results by ip.src in descending order. | log, packet | threat, identity, assurance, operations, situation awareness |
Amazon VPC Top Accepted Destination IP | Amazon VPC Top Accepted Destination IP | The report rule fetches the top 10 accepted destination IP addresses on the basis of total bytes transferred. VERSIONS SUPPORTED: 10.6.5.x and higher. CONFIGURATION: Configure the Amazon VPC plugin with valid credentials as per the plugin configuration document; use the latest table-map.xml. DEPENDENCIES: CEF log parser. | log | event analysis, flow analysis, operations |
Amazon VPC Top Accepted Destination Ports | Amazon VPC Top Accepted Destination Ports | The report rule fetches the details of the top accepted destination ports with their occurrences. VERSIONS SUPPORTED: 10.6.5.x and higher. CONFIGURATION: Configure the Amazon VPC plugin with valid credentials as per the plugin configuration document; use the latest table-map.xml. DEPENDENCIES: CEF log parser. | log | event analysis, flow analysis, operations |
Amazon VPC Top Accepted Source IP | Amazon VPC Top Accepted Source IP | The report rule fetches the top 10 accepted source IP addresses on the basis of total bytes transferred. VERSIONS SUPPORTED: 10.6.5.x and higher. CONFIGURATION: Configure the Amazon VPC plugin with valid credentials as per the plugin configuration document; use the latest table-map.xml. DEPENDENCIES: CEF log parser. | log | event analysis, flow analysis, operations |
Amazon VPC Top Rejected Destination IP | Amazon VPC Top Rejected Destination IP | The report rule fetches the top 10 rejected destination IP addresses on the basis of total bytes transferred. VERSIONS SUPPORTED: 10.6.5.x and higher. CONFIGURATION: Configure the Amazon VPC plugin with valid credentials as per the plugin configuration document; use the latest table-map.xml. DEPENDENCIES: CEF log parser. | log | event analysis, flow analysis, operations |
Amazon VPC Top Rejected Destination Ports | Amazon VPC Top Rejected Destination Ports | The report rule fetches the details of the top rejected destination ports with their occurrences. VERSIONS SUPPORTED: 10.6.5.x and higher. CONFIGURATION: Configure the Amazon VPC plugin with valid credentials as per the plugin configuration document; use the latest table-map.xml. DEPENDENCIES: CEF log parser. | log | event analysis, flow analysis, operations |
Amazon VPC Top Rejected Source IP | Amazon VPC Top Rejected Source IP | The report rule fetches the top 10 rejected source IP addresses on the basis of total bytes transferred. VERSIONS SUPPORTED: 10.6.5.x and higher. CONFIGURATION: Configure the Amazon VPC plugin with valid credentials as per the plugin configuration document; use the latest table-map.xml. DEPENDENCIES: CEF log parser. | log | event analysis, flow analysis, operations |
Amazon VPC Top Source and Destination IP Pair | Amazon VPC Top Source and Destination IP Pair | The report rule fetches the top 10 accepted source IP and destination IP address pairs on the basis of total bytes transferred. VERSIONS SUPPORTED: 10.6.5.x and higher. CONFIGURATION: Configure the Amazon VPC plugin with valid credentials as per the plugin configuration document; use the latest table-map.xml. DEPENDENCIES: CEF log parser. | log | event analysis, flow analysis, operations |
Anonymous Access by Suspicious Source | Anonymous Access by Suspicious Source | Displays when a user enters or exits through a suspected criminal SOCKS or VPN node. RSA feeds populate the meta keys used within the rule. The rule requires the following: threat.category equal to "anonymous access" AND threat.desc equal to any of the following: "suspicious-ip", "criminal vpn service exit node", "criminal vpn service entry node" or "criminal socks node". | log, packet | assurance, compliance, audit, operations, event analysis, situation awareness |
Anonymous Proxy Service Connection | Anonymous Proxy Service Connection | Detects use of common proxy services. It uses a list of domains matched against the alias host meta key. Use of an HTTP network parser is required. | log, packet | assurance, compliance, audit, operations, event analysis, situation awareness |
Anti-Virus Signature Update | Anti-Virus Signature Update | Compliance Rule- Anti-Virus Signature Update | log | assurance, compliance, audit, operations, event analysis, situation awareness |
AWS Access Permissions Modified | AWS Access Permissions Modified | 10.5 and higher. Detects when Amazon Web Services (AWS) instance permissions are modified. The AWS CloudTrail log parser is a required dependency. | log | assurance, compliance, audit, identity, authorization |
AWS Critical VM Modified | AWS Critical VM Modified | 10.5 and higher. Detects when Amazon Web Services (AWS) critical virtual machine instances are modified. Actions detected by this module include instances being terminated, stopped and rebooted as well as modification of instance attributes and monitoring status. In order to trigger an alert, a custom feed of critical instance source IPs must be created to populate the alert meta key with the value "critical_vm". The AWS CloudTrail log parser is a required dependency. | log | assurance, compliance, audit, identity, authorization |
Azure Monitor Operations by Resource Group | Azure Monitor Operations by Resource Group | The report rule fetches the top 10 operations by Resource Group with their occurrences as monitored by Azure Monitor. VERSIONS SUPPORTED: 10.6.5.x and higher. CONFIGURATION: Configure the Azure Monitor plugin with valid credentials as per the plugin configuration document; use the latest table-map.xml. Meta required: group. Index the group meta key in the Concentrator and set it to None in table-map.xml. | log | event analysis, operations |
Azure Monitor Operations by Resource Provider | Azure Monitor Operations by Resource Provider | The report rule fetches the top 10 operations by Resource Provider with their occurrences as monitored by Azure Monitor. VERSIONS SUPPORTED: 10.6.5.x and higher. CONFIGURATION: Configure the Azure Monitor plugin with valid credentials as per the plugin configuration document; use the latest table-map.xml. | log | event analysis, operations |
Azure Monitor Resource Providers by Resource Group | Azure Monitor Resource Providers by Resource Group | The report rule fetches the top 10 Resource Providers by Resource Group with their occurrences as monitored by Azure Monitor. VERSIONS SUPPORTED: 10.6.5.x and higher. CONFIGURATION: Configure the Azure Monitor plugin with valid credentials as per the plugin configuration document; use the latest table-map.xml. Meta required: group. Index the group meta key in the Concentrator and set it to None in table-map.xml. | log | event analysis, operations |
Azure Monitor Top IP Addresses | Azure Monitor Top IP Addresses | The report rule fetches the top 10 caller IP addresses that made an API call resulting in an operation monitored by Azure Monitor. VERSIONS SUPPORTED: 10.6.5.x and higher. CONFIGURATION: Configure the Azure Monitor plugin with valid credentials as per the plugin configuration document; use the latest table-map.xml. | log | event analysis, operations |
Azure Monitor Top Operations | Azure Monitor Top Operations | The report rule fetches the top 10 Operation names monitored by Azure Monitor. VERSIONS SUPPORTED: 10.6.5.x and higher. CONFIGURATION: Configure the Azure Monitor plugin with valid credentials as per the plugin configuration document; use the latest table-map.xml. | log | event analysis, operations |
Azure Monitor Top Resource Groups | Azure Monitor Top Resource Groups | The report rule fetches the top 10 Resource Groups in the operations monitored by Azure Monitor. VERSIONS SUPPORTED: 10.6.5.x and higher. CONFIGURATION: Configure the Azure Monitor plugin with valid credentials as per the plugin configuration document; use the latest table-map.xml. Meta required: group. Index the group meta key in the Concentrator and set it to None in table-map.xml. | log | event analysis, operations |
Azure Monitor Top Virtual Machines | Azure Monitor Top Virtual Machines | The report rule fetches the top 10 Virtual Machine names monitored by Azure Monitor. VERSIONS SUPPORTED: 10.6.5.x and higher. CONFIGURATION: Configure the Azure Monitor plugin with valid credentials as per the plugin configuration document; use the latest table-map.xml. | log | event analysis, operations |
Bandwidth By Profiled Source IP | Bandwidth by Profiled Source IP | Displays aggregated session size of each source IP configured in the report list. | log, packet | operations, event analysis, situation awareness |
Behaviors of Compromise | Behaviors of Compromise | Designated for suspect or nefarious behavior outside the standard signature-based detection. This rule displays output when the meta key, Behaviors of Compromise, is populated. The Hunting Pack is a required dependency. | log, packet, endpoint | attack phase, threat |
Behaviors of Compromise Detail | Behaviors of Compromise Detail | Designated for suspect or nefarious behavior outside the standard signature-based detection. This rule displays output when the meta key, Behaviors of Compromise, is populated. Additional context is provided to an analyst by grouping with additional meta keys of Service Type and Device Type. The Hunting Pack is a required dependency. | log, packet, endpoint | attack phase, threat |
Browsers By Profiled Source IP | Browsers by Profiled Source IP | Detects the browser meta key generated through a network parser for sessions that match a list of configured source IPs. | packet | operations, event analysis, application analysis, situation awareness |
Bulk Data Transfer | Bulk Data Transfer | Displays events where the amount of data transferred between the Source-Destination IP pairs is over 20 Mb or 50 Mb. | packet | assurance, compliance, audit |
Change in Audit Settings | Change in Audit Settings | Compliance Rule- Change in Audit Settings | log | assurance, compliance, audit |
Cleartext Authentications | Cleartext Authentications | This rule displays events in which passwords were sent over cleartext using network protocols such as FTP, HTTP, POP3 and SMTP. | packet | assurance, risk, organizational hazard, operations, event analysis, protocol analysis |
Cleartext Authentications By Service | Cleartext Authentications By Service | Displays the top authentications detected in clear text by service through packet traffic. | packet | authentication, identity |
Cleartext Authentications By User Watchlist | Cleartext Authentications by User Watchlist | Detects events for users on a watchlist in which passwords were sent over cleartext using network protocols such as FTP, HTTP, POP3 and SMTP. | packet | assurance, risk, organizational hazard, operations, event analysis, protocol analysis, identity, authentication |
Cleartext Passwords By Service | Cleartext Passwords By Service | Displays the top passwords detected in clear text by service through packet traffic. | packet | authentication, identity |
Clients by Profiled Source IP | Clients by Profiled Source IP | Detects the client meta key generated through a network parser for sessions that match a list of configured source IPs. | log, packet | operations, event analysis, application analysis, situation awareness |
Content Delivery Networks by Bandwidth | Content Delivery Networks by Bandwidth | Aggregates sessions that contain CDNs, which are listed in the Content Delivery Networks List. Filter these sites to reduce the amount of "noise" from non-dangerous traffic. | log, packet | operations, event analysis, application analysis, situation awareness |
Email Address Activity By User Watchlist | Email Address Activity by User Watchlist | Detects all email activity using the email.src meta key for users on a watchlist by email address. | log, packet | assurance, compliance, corporate, identity, operations, situation awareness |
Email Senders | Email Senders | Displays the top email senders from packet traffic. | packet | identity |
Email User Activity By User Watchlist | Email User Activity by User Watchlist | Detects all email activity using the email and username meta keys for users on a watchlist by user name. | log, packet | assurance, compliance, corporate, identity, operations, situation awareness |
Enablers of Compromise | Enablers of Compromise | Instances of poor information or operational security. Post-mortem often ties these to the root cause. This rule displays output when the meta key, Enablers of Compromise, is populated. The Hunting Pack is a required dependency. | log, packet, endpoint | attack phase, threat |
Enablers of Compromise Detail | Enablers of Compromise Detail | Instances of poor information or operational security. Post-mortem often ties these to the root cause. This rule displays output when the meta key, Enablers of Compromise, is populated. Additional context is provided to an analyst by grouping with additional meta keys of Service Type and Device Type. The Hunting Pack is a required dependency. | log, packet, endpoint | attack phase, threat |
Encrypted Traffic over Non-Standard Port | Encrypted Traffic over Non-Standard Port | Summarizes sessions containing encrypted traffic that is not communicating on port 22, 993, 995 or 443. | packet | event analysis, operations, protocol analysis |
Encryption Failures | Encryption Failures | Compliance Rule- Encryption Failures | log | assurance, compliance, audit |
Encryption Key Generation and Changes | Encryption Key Generation and Changes | Compliance Rule- Encryption Key Generation and Changes | log | assurance, compliance, audit |
Executables by Country | Executables by Country | Summarizes a list of executables by country | packet | operations, event analysis, file analysis, situation awareness |
Executables by Domain | Executables by Domain | Summarizes a list of executables by domain | packet | operations, event analysis, file analysis, situation awareness |
Executables with Abnormal Characteristics - Suspicious | Executables with Abnormal Characteristics - Suspicious | Summarizes a list of executables with suspicious abnormal characteristics | log, packet | operations, event analysis, file analysis, situation awareness |
Executables with Abnormal Characteristics - Warning | Executables with Abnormal Characteristics - Warning | Summarizes a list of executables with warning abnormal characteristics | log, packet | operations, event analysis, file analysis, situation awareness |
Failed Escalation of Privileges Details | Failed Escalation of Privileges Details | Compliance Rule- Failed Escalation of Privileges Details | log | assurance, compliance, audit, identity, authorization |
Failed Escalation of Privileges Summary | Failed Escalation of Privileges Summary | Compliance Rule- Failed Escalation of Privileges Summary | log | assurance, compliance, audit, identity, authorization |
Failed Remote Access Details | Failed Remote Access Details | Compliance Rule- Failed Remote Access Details | log | assurance, compliance, audit, identity, authentication |
Failed Remote Access Summary | Failed Remote Access Summary | Compliance Rule- Failed Remote Access Summary | log | assurance, compliance, audit, identity, authentication |
File Analysis | File Analysis | A large inspection library that highlights file characteristics and anomalies. This rule displays output when the meta key, File Analysis, is populated. The Hunting Pack is a required dependency. | log, packet, endpoint | event analysis, file analysis, operations |
File Analysis Detail | File Analysis Detail | A large inspection library that highlights file characteristics and anomalies. This rule displays output when the meta key, File Analysis, is populated. Additional context is provided to an analyst by grouping with the additional meta key of Filename. The Hunting Pack is a required dependency. | log, packet, endpoint | event analysis, file analysis, operations |
File Transport Over Uncommon Protocol | File Transport Over Uncommon Protocol | Displays files transported over uncommon protocols such as ICMP and those identified as unknown. This report ignores files transferred over the common protocols HTTP, FTP, SMTP, POP, RSYNC and TFTP. | log, packet | operations, event analysis, protocol analysis |
Firewall Configuration Changes | Firewall Configuration Changes | Compliance Rule- Firewall Configuration Changes | log | assurance, compliance, audit |
Firewall Denied Connections | Firewall Denied Connections | Displays destination IP addresses using the 'ip.dst' meta with an 'action' showing a denied connection as populated by event class of Firewall. | log | operations, situation awareness |
Firewall Destination IP Addresses | Firewall Destination IP Addresses | Displays destination IP addresses using the 'ip.dst' meta as populated by event class of Firewall. | log | operations, situation awareness |
Firewall Events | Firewall Events | Displays firewall events with the 'action' meta key as populated by event class of Firewall. | log | operations, situation awareness |
Firewall Systems | Firewall Systems | Displays firewall systems by system IP using the 'ip.addr' meta key as populated by event class of Firewall. | log | operations, situation awareness |
Firewall Users | Firewall Users | Displays the destination users using the 'user.dst' meta as populated by event class of Firewall. | log | operations, situation awareness |
Firmware Changes on Wireless Devices | Firmware Changes on Wireless Devices | Compliance Rule- Firmware Changes on Wireless Devices | log | assurance, compliance, audit |
G Suite Activity by IP Address | G Suite Activity by IP Address | The report rule fetches the activities by IP Address together with the admin email of the user who performed the activity. VERSIONS SUPPORTED: 11.2.1 and higher. CONFIGURATION: Configure the G Suite plugin with valid credentials as per the plugin configuration document; use the latest table-map.xml. Meta required: stransaddr. Index the stransaddr meta key in the Concentrator and set it to None in table-map.xml. DEPENDENCIES: CEF log parser. | log | event analysis, log analysis, operations |
G Suite Admin Activity | G Suite Admin Activity | The report rule fetches the G Suite admin activities. VERSIONS SUPPORTED: 11.2.1 and higher. CONFIGURATION: Configure the G Suite plugin with valid credentials as per the plugin configuration document; use the latest table-map.xml. DEPENDENCIES: CEF log parser. | log | event analysis, log analysis, operations |
G Suite App Token Actions | G Suite App Token Actions | The report rule fetches the details of G Suite app token actions. VERSIONS SUPPORTED: 11.2.1 and higher. CONFIGURATION: Configure the G Suite plugin with valid credentials as per the plugin configuration document; use the latest table-map.xml. DEPENDENCIES: CEF log parser. | log | event analysis, log analysis, operations |
G Suite Count by Login State | G Suite Count by Login State | The report rule fetches the G Suite login state statistics. VERSIONS SUPPORTED: 11.2.1 and higher. CONFIGURATION: Configure the G Suite plugin with valid credentials as per the plugin configuration document; use the latest table-map.xml. DEPENDENCIES: CEF log parser. | log | event analysis, log analysis, operations |
G Suite Group Members - Added or Removed | G Suite Group Members - Added or Removed | The report rule fetches information on Groups with users added or removed. VERSIONS SUPPORTED: 11.2.1 and higher. CONFIGURATION: Configure the G Suite plugin with valid credentials as per the plugin configuration document; use the latest table-map.xml. DEPENDENCIES: CEF log parser. | log | event analysis, log analysis, operations |
G Suite Logins with Multiple IPs | G Suite Logins with Multiple IPs | The report rule fetches logins by a single user from multiple IP addresses. VERSIONS SUPPORTED: 11.2.1 and higher. CONFIGURATION: Configure the G Suite plugin with valid credentials as per the plugin configuration document; use the latest table-map.xml. Meta required: stransaddr. Index the stransaddr meta key in the Concentrator and set it to None in table-map.xml. DEPENDENCIES: CEF log parser. | log | event analysis, log analysis, operations |
G Suite Most Active IPs | G Suite Most Active IPs | The report rule fetches the most active IP addresses based on the number of events performed from each IP address. VERSIONS SUPPORTED: 11.2.1 and higher. CONFIGURATION: Configure the G Suite plugin with valid credentials as per the plugin configuration document; use the latest table-map.xml. Meta required: stransaddr. Index the stransaddr meta key in the Concentrator and set it to None in table-map.xml. DEPENDENCIES: CEF log parser. | log | event analysis, log analysis, operations |
G Suite Top Five Admin Actions | G Suite Top Five Admin Actions | The report rule provides information on the top G Suite admin actions. VERSIONS SUPPORTED: 11.2.1 and higher. CONFIGURATION: Configure the G Suite plugin with valid credentials as per the plugin configuration document; use the latest table-map.xml. DEPENDENCIES: CEF log parser. | log | event analysis, log analysis, operations |
G Suite Top Ten Apps by Count | G Suite Top Ten Apps by Count | The report rule provides information on the top G Suite Apps. VERSIONS SUPPORTED: 11.2.1 and higher. CONFIGURATION: Configure the G Suite plugin with valid credentials as per the plugin configuration document; use the latest table-map.xml. DEPENDENCIES: CEF log parser. | log | event analysis, log analysis, operations |
G Suite User Login Failures | G Suite User Login Failures | The report rule provides information on login failures by G Suite user. VERSIONS SUPPORTED: 11.2.1 and higher. CONFIGURATION: Configure the G Suite plugin with valid credentials as per the plugin configuration document; use the latest table-map.xml. Meta required: stransaddr. Index the stransaddr meta key in the Concentrator and set it to None in table-map.xml. DEPENDENCIES: CEF log parser. | log | event analysis, log analysis, operations |
G Suite Users-Created or Deleted | G Suite Users-Created or Deleted | The report rule provides information on users created and deleted. VERSIONS SUPPORTED: 11.2.1 and higher. CONFIGURATION: Configure the G Suite plugin with valid credentials as per the plugin configuration document; use the latest table-map.xml. DEPENDENCIES: CEF log parser. | log | event analysis, log analysis, operations |
Group Management | Group Management | Compliance Rule- Group Management | log | assurance, compliance, audit, identity, authorization |
IDS Signatures | IDS Signatures | Displays the possible intrusions through the meta key 'policy.name' as populated by event class of IDS, IPS or Intrusion. | log | operations, situation awareness |
Inbound Network Traffic | Inbound Network Traffic | Compliance Rule- Inbound Network Traffic | log | operations, event analysis, protocol analysis, flow analysis |
Indicators of Compromise | Indicators of Compromise | Possible intrusions into the network or at the endpoint that can be identified through malware signatures or IPs and domains associated with command and control campaigns. This rule displays output when the meta key, Indicators of Compromise, is populated. The Hunting Pack is a required dependency. | log, packet, endpoint | attack phase, malware, threat |
Indicators of Compromise Detail | Indicators of Compromise Detail | Possible intrusions into the network or at the endpoint that can be identified through malware signatures or IPs and domains associated with command and control campaigns. This rule displays output when the meta key, Indicators of Compromise, is populated. Additional context is provided to an analyst by grouping with additional meta keys of Service Type and Device Type. The Hunting Pack is a required dependency. | log, packet, endpoint | attack phase, malware, threat |
Known Service detected over Non Standard Network Port | Known Service detected over Non Standard Network Port | Displays sessions whose service is detected on a non-standard network port. For example, DNS detected on port 555 when the default port is 53. | packet | operations, event analysis, protocol analysis |
Large Outbound Encrypted Sessions | Large Outbound Encrypted Sessions | Summarizes sessions containing encrypted traffic that have a session size of 5MB or greater, those being indicative of a large file transfer from an RFC 1918 to a non-RFC 1918 address. | packet | assurance, event analysis, flow analysis, operations, organizational hazard, risk |
Large Outbound Sessions | Large Outbound Sessions | Summarizes sessions that have a session size of 5MB or greater, those being indicative of a large file transfer from an RFC 1918 to a non-RFC 1918 address. | packet | assurance, risk, organizational hazard, operations, event analysis, flow analysis |
Log Destination Ports | Log Destination Ports | Displays the destination ports using the 'ip.dstport' meta as populated by log event traffic. | log | operations, situation awareness |
Log Event Categories | Log Event Categories | Displays the log event categories using the 'event.category' meta as populated by log event traffic. | log | operations, situation awareness |
Log Event Classes | Log Event Classes | Displays the log event classes using the 'device.class' meta as populated by log event source traffic. | log | operations, situation awareness |
Log Event Types | Log Event Types | Displays the log event types using the 'device.type' meta as populated by the log event traffic. | log | operations, situation awareness |
Log Event Users | Log Event Users | Displays the top 10 users as populated by log event traffic. | log | identity |
Login Failures By User Watchlist | Login Failures By User Watchlist | Detects login failures for users on a watchlist by user name. | log | assurance, compliance, audit, identity, authentication |
Login Success By User Watchlist | Login Success By User Watchlist | Detects login successes for users on a watchlist by user name. | log | assurance, compliance, audit, identity, authentication |
Logon Failures Details | Logon Failures Details | Compliance Rule- Logon Failures Details | log | assurance, compliance, audit, identity, authentication |
Logon Failures Summary | Logon Failures Summary | Displays the top logon failures as populated by log event traffic. | log | authentication, identity |
Logon Success Summary | Logon Success Summary | Displays the top logon success as populated by log event traffic. | log | authentication, identity |
Logouts By User Watchlist | Logouts By User Watchlist | Detects logouts for users on a watchlist by user name. | log | assurance, compliance, audit, identity, authentication |
Malware Activity DNS | Malware Activity DNS | Displays DNS packet traffic that is going to a known malicious IP address or references a hostname that is known to be malicious. This could indicate that an infected host on your network is making DNS queries. The native NETWORK packet parser must be enabled in order to identify the DNS service; this parser is enabled by default. You will also need at least one of the following feeds deployed: Investigation, RSA FirstWatch C2 Domains, RSA FirstWatch C2 IPs, RSA FirstWatch APT Domains, RSA FirstWatch APT IPs. If deploying the Investigation feed, you will need at least one of the related Lua parsers: DNS_verbose_lua, DynDNS. Note: For deployments prior to 10.6.2, you will also need to configure a set of new meta keys: inv.context and inv.category. See the product documentation of the Investigation Feed for more details: https://community.rsa.com/docs/DOC-62303. | packet | malware, threat |
Malware Activity Unidentified | Malware Activity Unidentified | Displays packet and log traffic other than DNS and Web that has been going to a known malicious IP address or references a hostname that is known to be malicious. This could indicate an infected host on your network. The native NETWORK packet parser must be enabled; this parser is enabled by default. You will also need at least one of the following feeds deployed: Investigation, RSA FirstWatch C2 Domains, RSA FirstWatch C2 IPs, RSA FirstWatch APT Domains, RSA FirstWatch APT IPs. If collecting logs, you need at least one of the following event source types: Firewall, IDS, IPS, Netflow (rsaflow). Note: For deployments prior to 10.6.2, you will also need to configure a set of new meta keys: inv.context and inv.category. See the product documentation of the Investigation Feed for more details: https://community.rsa.com/docs/DOC-62303. | log, packet | malware, threat |
Malware Activity Web | Malware Activity Web | Displays web-based packet traffic and web log traffic that has been going to a known malicious IP address or references a hostname that is known to be malicious. This could indicate that an infected host on your network is making web requests. The native NETWORK packet parser must be enabled in order to identify the web service; this parser is enabled by default. You will also need at least one of the following feeds deployed: Investigation, RSA FirstWatch C2 Domains, RSA FirstWatch C2 IPs, RSA FirstWatch APT Domains, RSA FirstWatch APT IPs. If deploying the Investigation feed, you will need at least one of the related Lua parsers: HTTP_lua, TLS_lua. If collecting logs, you will need at least one event source with a device class of web logs; this includes web proxy and security products such as Cisco WSA and SQUID. Note: For deployments prior to 10.6.2, you will also need to configure a set of new meta keys: inv.context and inv.category. See the product documentation of the Investigation Feed for more details: https://community.rsa.com/docs/DOC-62303. | log, packet | malware, threat |
Mismatched HREF Header | Mismatched HREF Header | Summarizes a list of hosts with mismatched HREFs | packet | operations, event analysis, protocol analysis |
Netflow - Excesssive DNS Responses by Client IP | Netflow - Excesssive DNS Responses by Client IP | 10.4 or higher Log Collector required for the Netflow collection protocol. Displays excessive DNS responses by Client IP. This could indicate someone collecting information for a possible attack. For this rule to fire, ensure that the device parser "RSAFlow" (10.3 Log Decoder) or "CEF" (10.4 Log Decoder) is enabled and that the meta keys "direction" and "Source Port (ip.srcport)" are indexed in table-map.xml and index-concentrator-custom.xml. | log | operations, event analysis, protocol analysis, flow analysis |
Netflow - Excesssive DNS Responses by Server IP | Netflow - Excesssive DNS Responses by Server IP | 10.4 or higher Log Collector required for the Netflow collection protocol. Displays excessive DNS responses by Server IP. This could indicate someone collecting information for a possible attack. For this rule to fire, ensure that the device parser "RSAFlow" (10.3 Log Decoder) or "CEF" (10.4 Log Decoder) is enabled and that the meta keys "direction" and "Source Port (ip.srcport)" are indexed in table-map.xml and index-concentrator-custom.xml. | log | operations, event analysis, protocol analysis, flow analysis |
Netflow - First Heard by Destination IP | Netflow - First Heard by Destination IP | 10.4 or higher Log Collector required for the Netflow collection protocol. Displays the Source IP address of any system not observed in previous flow data. It lists only the IP addresses new within the time range specified when the rule is run. For this rule to fire, ensure that the device parser "RSAFlow" (10.3 Log Decoder) or "CEF" (10.4 Log Decoder) is enabled and that the meta key "direction" is indexed in table-map.xml and index-concentrator-custom.xml. This rule is part of the report Netflow - Filtering Candidates. | log | operations, event analysis, protocol analysis, flow analysis |
Netflow - First Heard by Source IP | Netflow - First Heard by Source IP | 10.4 or higher Log Collector required for the Netflow collection protocol. Displays the Source IP address of any system not observed in previous flow data. It lists only the IP addresses new within the time range specified when the rule is run. For this rule to fire, ensure that the device parser "RSAFlow" (10.3 Log Decoder) or "CEF" (10.4 Log Decoder) is enabled and that the meta key "direction" is indexed in table-map.xml and index-concentrator-custom.xml. This rule is part of the report Netflow - Filtering Candidates. | log | operations, event analysis, protocol analysis, flow analysis |
Netflow - TCP Resets by Source IP | Netflow - TCP Resets by Source IP | 10.4 or higher Log Collector required for the Netflow collection protocol. Displays TCP Resets by Source IP. Useful in determining devices that are behaving abnormally. For this rule to fire, ensure that the device parser "RSAFlow" (10.3 Log Decoder) or "CEF" (10.4 Log Decoder) and the feed TCP Flags Seen are enabled, and that the meta key "direction" is indexed in table-map.xml and index-concentrator-custom.xml. Also ensure that the meta key "TCP Flags Seen (tcp.flags.seen)" is indexed in index-concentrator-custom.xml. | log | operations, event analysis, protocol analysis, flow analysis |
Netflow - Top Applications | Netflow - Top Applications | 10.4 or higher Log Collector required for the Netflow collection protocol. This rule displays the list of top applications in the network; it provides an overview of the network and helps to analyse the network traffic. For this rule to fire, ensure that the device parser "RSAFlow" (10.3 Log Decoder) or "CEF" (10.4 Log Decoder) is enabled and that the meta key "direction" is indexed in table-map.xml and index-concentrator-custom.xml. This rule is part of the report Netflow - Filtering Candidates. | log | operations, event analysis, application analysis, flow analysis, situation awareness |
Netflow - Top Protocols | Netflow - Top Protocols | 10.4 or higher Log Collector required for the Netflow collection protocol. This rule displays the list of top protocols in the network; it provides an overview of the network and helps to analyse the network traffic. For this rule to fire, ensure that the device parser "RSAFlow" (10.3 Log Decoder) or "CEF" (10.4 Log Decoder) is enabled and that the meta key "direction" is indexed in table-map.xml and index-concentrator-custom.xml. This rule is part of the report Netflow - Filtering Candidates. | log | operations, event analysis, protocol analysis, flow analysis, situation awareness |
Netflow - Top Talkers by Source IP | Netflow - Top Talkers by Source IP | 10.4 or higher Log Collector required for the Netflow collection protocol. Displays the top talking IP pairs via Netflow, summarized by the number of flows. This rule can be used to identify possible sources of DoS or disruption, and also to identify sources of data exfiltration. For this rule to fire, ensure that the device parser "RSAFlow" (10.3 Log Decoder) or "CEF" (10.4 Log Decoder) is enabled and that the meta key "direction" is indexed in table-map.xml and index-concentrator-custom.xml. This rule is part of the report Netflow - Top Communicants. | log | operations, event analysis, protocol analysis, flow analysis, situation awareness |
Netflow - Volume - Top Talkers by Destination Port | Netflow - Volume - Top Talkers by Destination Port | 10.4 or higher Log Collector required for the Netflow collection protocol. This rule displays the top talkers by Destination Port via Netflow, summarized by volume. This rule can be used to identify possible sources of DoS or disruption, and also to identify sources of data exfiltration. For this rule to fire, ensure that the device parser "RSAFlow" (10.3 Log Decoder) or "CEF" (10.4 Log Decoder) is enabled and that the meta key "direction" is indexed in table-map.xml and index-concentrator-custom.xml. This rule is part of the report Netflow - Top Communicants. | log | operations, event analysis, protocol analysis, flow analysis, situation awareness |
Netflow - Volume - Top Talkers by Source IP | Netflow - Volume - Top Talkers by Source IP | 10.4 or higher Log Collector required for Netflow collection protocol.This rule displays Top Talkers by Source IP summarized by volume via Netflow. This rule can be used for identifying possible sources of DoS or disruption. It can also be used to identify sources for Data Ex-filtration.For this rule to fire, ensure that device parser "RSAFlow" for 10.3 logdecoder or "CEF" for 10.4 logdecoder is enabledand meta-key "direction" is indexed in table-map.xml and index-concentrator-custom.xml.This Rule is a part of the Report: Netflow - Top Communicants. | log | operations, event analysis, protocol analysis, flow analysis, situation awareness |
NetWitness Administration - Events Classification Summary | NetWitness Administration - Events Classification Summary | This Rule gives a summary of event types and sub types with its count and the last time the event occurred. | log | threat, identity, assurance, operations, situation awareness |
NetWitness Administration - Hosts and Events Summary | NetWitness Administration - Hosts and Events Summary | This rule gives a summary of all the events that occurred under each host along with its count. | log | threat, identity, assurance, operations, situation awareness |
NetWitness Administration - User Activity by Source IP Summary | NetWitness Administration - User Activity by Source IP Summary | This rule gives a break-down of the user activity for each user along with its Source Address, Count and the last time the event occurred. | log | identity, operations, situation awareness |
NetWitness Administration - User Authentication Attempt Details | NetWitness Administration - User Authentication Attempt Details | This rule gives a detailed list of authentication attempts (successes and failures) with source IP address, hostname, time, etc. | log | authentication, identity, operations, situation awareness |
NetWitness Administration - User Authentication Failure Details | NetWitness Administration - User Authentication Failure Details | This rule gives a detailed list of authentication failures with hostname, source IP address, time, etc. | log | authentication, identity, operations, situation awareness |
NetWitness Administration - User Authentication Failure Reason Summary | NetWitness Administration - User Authentication Failure Reason Summary | This rule gives a break-down of the reasons for authentication failures for each user along with its occurrence count and last time the event occurred. | log | authentication, identity, operations, situation awareness |
NetWitness Respond - Alert Details | NetWitness Respond - Alert Details | The rule displays a detailed view of the alerts generated using NetWitness Respond. REFERENCES On RSA Link, see the NetWitness Respond Configuration and User Guides for details. VERSIONS SUPPORTED 10.6.2 and higher CONFIGURATION You must configure the Respond service and database, alert data sources and aggregation rules for this report to populate. DEPENDENCIES * Common Event Format Log Parser | log, packet | assurance, audit, compliance |
NetWitness Respond - Alert Summary | NetWitness Respond - Alert Summary | The rule displays a summary view of the alerts generated using NetWitness Respond. REFERENCES On RSA Link, see the NetWitness Respond Configuration and User Guides for details. VERSIONS SUPPORTED 10.6.2 and higher CONFIGURATION You must configure the Respond service and database, alert data sources and aggregation rules for this report to populate. DEPENDENCIES * Common Event Format Log Parser | log, packet | assurance, audit, compliance |
NetWitness Respond - Incident Summary | NetWitness Respond - Incident Summary | The rule displays a summary view of the incidents generated using NetWitness Respond. REFERENCES On RSA Link, see the NetWitness Respond Configuration and User Guides for details. VERSIONS SUPPORTED 10.6.2 and higher CONFIGURATION You must configure the Respond service and database, alert data sources and aggregation rules for this report to populate. DEPENDENCIES * Common Event Format Log Parser | log, packet | assurance, audit, compliance |
News Portals by Bandwidth | News Portals by Bandwidth | Aggregates sessions that contain news sites, which are listed in the News Portal List. If you are not worried about these sites, you should filter them from capture. | log, packet | operations, event analysis, application analysis, situation awareness |
OS By Profiled Source IP | OS by Profiled Source IP | Detects the meta key OS generated through a network parser, which match a list of configured source IPs. | log, packet | operations, event analysis, application analysis, situation awareness |
Outbound Network Traffic | Outbound Network Traffic | Compliance Rule- Outbound Network Traffic | log | operations, event analysis, protocol analysis, flow analysis |
Password Change on Privileged Account | Password Change on Privileged Account | Detects events that triggered an application rule for a password change, which match a list of configured administrative users. | log | assurance, compliance, audit, identity, authorization |
Password Changes | Password Changes | Compliance Rule- Password Changes | log | assurance, compliance, audit, identity, authorization |
Password Changes Summary | Password Changes Summary | Compliance Rule- Password Changes Summary | log | assurance, compliance, audit, identity, authorization |
Remote Control Client Site | Remote Control Client Site | Detects use of common remote client download sites. It uses a list of domains matched against the alias host meta key. Use of an HTTP network parser is required. | log, packet | assurance, compliance, corporate, operations, event analysis, protocol analysis |
Remote Control or Proxy Client Download | Remote Control or Proxy Client Download | Detects proxy and remote client file downloads by looking for the file name and extension within the filename meta key. Use of an HTTP network parser is required. | log, packet | assurance, compliance, corporate, operations, event analysis, protocol analysis, file analysis |
Risk Info By Profiled Source IP | Risk Info by Profiled Source IP | Detects all risks registered by the meta key risk.info through the Alert IDs Information feed, which match a list of configured source IPs. | log, packet | threat, identity, assurance, operations, situation awareness |
Risk Suspicious By Profiled Source IP | Risk Suspicious by Profiled Source IP | Detects all risks registered by the meta key risk.suspicious through the Alert IDs Suspicious feed, which match a list of configured source IPs. | log, packet | threat, identity, assurance, operations, situation awareness |
Risk Suspicious By User Watchlist | Risk Suspicious by User Watchlist | Detects all risks registered by the meta key risk.suspicious through the Alert IDs Suspicious feed on a watchlist by user name. | log, packet | threat, identity, assurance, operations, situation awareness |
Risk Warning By Profiled Source IP | Risk Warning by Profiled Source IP | Detects all risks registered by the meta key risk.warning through the Alert IDs Warning feed, which match a list of configured source IPs. | log, packet | threat, identity, assurance, operations, situation awareness |
Risk Warning By User Watchlist | Risk Warning by User Watchlist | Detects all risks registered by the meta key risk.warning through the Alert IDs Warning feed on a watchlist by user name. | log, packet | threat, identity, assurance, operations, situation awareness |
Router Configuration Changes | Router Configuration Changes | Compliance Rule- Router Configuration Changes | log | assurance, compliance, audit |
RSA SecurID Cloud Latest Failed User Authentications | RSA SecurID Cloud Latest Failed User Authentications | The report rule fetches the top 10 latest failed user authentication details. VERSIONS SUPPORTED 10.6.5.x and higher This is supported only for the SecurID Cloud platform CONFIGURATION Configure the RSA SecurID Access plugin with valid credentials as per the plugin configuration document Use the latest table-map.xml | log | authentication, identity |
RSA SecurID Cloud Super Admin Logon Summary | RSA SecurID Cloud Super Admin Logon Summary | The report rule fetches the logon summary of Super Admins based on the occurrences. VERSIONS SUPPORTED 10.6.5.x and higher This is supported only for the SecurID Cloud platform CONFIGURATION Configure the RSA SecurID Access plugin with valid credentials as per the plugin configuration document Use the latest table-map.xml Metas required: user.role. Please index user.role in the Concentrator and make it None in the table-map.xml | log | authentication, identity |
RSA SecurID Cloud Top Failed User Event IP Addresses | RSA SecurID Cloud Top Failed User Event IP Addresses | The report rule fetches the top 10 IP addresses of failed user events. VERSIONS SUPPORTED 10.6.5.x and higher This is supported only for the SecurID Cloud platform CONFIGURATION Configure the RSA SecurID Access plugin with valid credentials as per the plugin configuration document Use the latest table-map.xml Metas required: severity. Please index the severity meta in the Concentrator and make it None in the table-map.xml | log | authentication, identity |
RSA SecurID Cloud Top Failed User Event Reasons | RSA SecurID Cloud Top Failed User Event Reasons | The report rule fetches the top 10 failed user event reasons. VERSIONS SUPPORTED 10.6.5.x and higher This is supported only for the SecurID Cloud platform CONFIGURATION Configure the RSA SecurID Access plugin with valid credentials as per the plugin configuration document Use the latest table-map.xml Metas required: severity. Please index the severity meta in the Concentrator and make it None in the table-map.xml | log | authentication, identity |
RSA SecurID Cloud Top Failed User Events | RSA SecurID Cloud Top Failed User Events | The report rule fetches the top 10 failed user events. VERSIONS SUPPORTED 10.6.5.x and higher This is supported only for the SecurID Cloud platform CONFIGURATION Configure the RSA SecurID Access plugin with valid credentials as per the plugin configuration document Use the latest table-map.xml Metas required: severity. Please index the severity meta in the Concentrator and make it None in the table-map.xml | log | authentication, identity |
RSA SecurID Cloud Top Successful User Authentications | RSA SecurID Cloud Top Successful User Authentications | The report rule fetches the top 10 successful user authentications. VERSIONS SUPPORTED 10.6.5.x and higher This is supported only for the SecurID Cloud platform CONFIGURATION Configure the RSA SecurID Access plugin with valid credentials as per the plugin configuration document Use the latest table-map.xml | log | authentication, identity |
RSA SecurID-Account Lockouts | RSA SecurID-Account Lockouts | Returns usernames that have failed to authenticate as declared by RSA SecurID. This rule populates users who attempt to log in too many times without successfully logging in, and have locked their SecurID account. It has a limit of returning 5,000 users. DEPENDENCIES: RSA Authentication Manager and User Credential Manager event source (log parser rsaacesrv) | log | authentication, identity |
RSA SecurID-Bad PIN Good Token Code | RSA SecurID-Bad PIN Good Token Code | Returns usernames that have failed to authenticate as declared by RSA SecurID. This rule populates users who have entered an incorrect PIN but are using a valid SecurID token code (hard or soft). It has a limit of returning 5,000 users. DEPENDENCIES: RSA Authentication Manager and User Credential Manager event source (log parser rsaacesrv) | log | authentication, identity |
RSA SecurID-Bad PIN Previous Token Code | RSA SecurID-Bad PIN Previous Token Code | Returns usernames that have failed to authenticate as declared by RSA SecurID. This rule populates users who have entered a previous token code. The token code reached the end of its validity period (usually 60 seconds) and rolled out of the system before authentication completed. It has a limit of returning 5,000 users. DEPENDENCIES: RSA Authentication Manager and User Credential Manager event source (log parser rsaacesrv) | log | authentication, identity |
RSA SecurID-Bad Token Code Bad PIN | RSA SecurID-Bad Token Code Bad PIN | Returns usernames that have failed to authenticate as declared by RSA SecurID. This rule populates users who have attempted to log in with a valid username but have entered the SecurID token code and PIN incorrectly. It has a limit of returning 5,000 users. Note: You will need to index the non-standard meta key 'result' on the Log Decoder and Concentrator in order to fully populate this report. See the report documentation for more details at https://community.rsa.com/docs/DOC-43406. DEPENDENCIES: RSA Authentication Manager and User Credential Manager event source (log parser rsaacesrv) | log | authentication, identity |
RSA SecurID-Bad Token Code Good PIN | RSA SecurID-Bad Token Code Good PIN | Returns usernames that have failed to authenticate as declared by RSA SecurID. This rule populates users who have entered a valid PIN for a given username, but the SecurID token code was typed incorrectly. It has a limit of returning 5,000 users. DEPENDENCIES: RSA Authentication Manager and User Credential Manager event source (log parser rsaacesrv) | log | authentication, identity |
RSA SecurID-Static Passcode Authentication | RSA SecurID-Static Passcode Authentication | Returns users that have successfully authenticated using a static passcode and not with an RSA SecurID token. It has a limit of returning 5,000 users. Note: You will need to index the non-standard meta key 'result' on the Log Decoder and Concentrator in order to fully populate this report. See the report documentation for more details at https://community.rsa.com/docs/DOC-43406. DEPENDENCIES: RSA Authentication Manager and User Credential Manager event source (log parser rsaacesrv) | log | authentication, identity |
RSA SecurID-Token Code Reuse | RSA SecurID-Token Code Reuse | Returns usernames that have failed to authenticate as declared by RSA SecurID. This rule populates users who have entered a valid PIN for a given username, but the SecurID token code was used previously. The user did not allow the token code to change prior to attempting a new logon. It has a limit of returning 5,000 users. DEPENDENCIES: RSA Authentication Manager and User Credential Manager event source (log parser rsaacesrv) | log | authentication, identity |
RSA SecurID-Unknown User Failed Login | RSA SecurID-Unknown User Failed Login | Returns all usernames that have performed failed authentications as declared by RSA SecurID. This rule populates users who have entered a username that is not registered in the SecurID server database (invalid username). It has a limit of returning 5,000 users. Note: You will need to index the non-standard meta key 'result' on the Log Decoder and Concentrator in order to fully populate this report. See the report documentation for more details at https://community.rsa.com/docs/DOC-43406. DEPENDENCIES: RSA Authentication Manager and User Credential Manager event source (log parser rsaacesrv) | log | authentication, identity |
Service Analysis | Service Analysis | Core application protocols identification and inspection. This rule displays output when the meta key, Service Analysis, is populated. The Hunting Pack is a required dependency. | packet | event analysis, operations |
Service Analysis Detail | Service Analysis Detail | Core application protocols identification and inspection. This rule displays output when the meta key, Service Analysis, is populated. Additional context is provided to an analyst by grouping with additional meta keys of Service Type and Alias Host. The Hunting Pack is a required dependency. | packet | event analysis, operations |
Services By Profiled Source IP | Services by Profiled Source IP | Detects the meta key service generated through a network parser, which match a list of configured source IPs. | packet | operations, event analysis, protocol analysis, situation awareness |
Session Analysis | Session Analysis | Client-server communication deviations. This rule displays output when the meta key, Session Analysis, is populated. The Hunting Pack is a required dependency. | packet | event analysis, operations |
Session Analysis Detail | Session Analysis Detail | Client-server communication deviations. This rule displays output when the meta key, Session Analysis, is populated. Additional context is provided to an analyst by grouping with additional meta keys of Service Type and Alias Host. The Hunting Pack is a required dependency. | packet | event analysis, operations |
Shadow IT Use by BYOD | Shadow IT Use by BYOD | Shadow IT by Bring Your Own Device (BYOD) is detected through the application rule, nw110125, for byod mobile web agent. | log, packet | assurance, risk, organizational hazard |
Shadow IT Use by Category - Event Count | Shadow IT Use by Category - Event Count | Shadow IT use is detected through a set of application rules. The application rules have been divided by category: stealth email use (nw110105), voice chat apps (nw30050) and file sharing apps (nw110150). This rule summarizes the results in descending order by event count. | log, packet | assurance, risk, organizational hazard |
Shadow IT Use by Category - Session Size | Shadow IT Use by Category - Session Size | Shadow IT use is detected through a set of application rules. The application rules have been divided by category: stealth email use (nw110105), voice chat apps (nw30050) and file sharing apps (nw110150). This rule summarizes the results in descending order by session size. | log, packet | assurance, risk, organizational hazard |
Shadow IT Use by IP Source | Shadow IT Use by IP Source | Shadow IT use is detected through a set of application rules. The application rules have been divided by category: stealth email use (nw110105), voice chat apps (nw30050) and file sharing apps (nw110150). This rule aggregates the results by source IP. | log, packet | assurance, risk, organizational hazard |
Shadow IT Use High Risk | Shadow IT Use High Risk | Displays high risk events based on detection of shadow IT. High risk events are defined as either a large outbound session size as detected with application rule, nw110060, or a match to a user-defined watchlist of source IPs. | log, packet | assurance, risk, organizational hazard |
SSH Over Non Standard Port | SSH over Non Standard Port | Fires when ssh traffic is detected over a port that is not typically used for ssh. | packet | operations, event analysis, protocol analysis |
SSH to External Address | SSH to External Address | Detects when an internal IP address initiates an SSH connection to an external IP address. An SSH connection is identified by service=22. An internal IP address is one in the private address space defined by RFC 1918; any IP address not in that private space is considered external. | packet | operations, event analysis, protocol analysis, flow analysis |
Streaming Media by Bandwidth | Streaming Media by Bandwidth | Aggregates sessions that contain streaming media sites, which are listed in the Streaming Media List. Capturing streaming media is a huge problem for disk retention. These are good filtering candidates. | log, packet | assurance, compliance, corporate, operations, event analysis, application analysis |
Successful Escalation of Privileges Details | Successful Escalation of Privileges Details | Compliance Rule- Successful Escalation of Privileges Details | log | assurance, compliance, audit, identity, authorization |
Successful Escalation of Privileges Summary | Successful Escalation of Privileges Summary | Compliance Rule- Successful Escalation of Privileges Summary | log | assurance, compliance, audit, identity, authorization |
Successful Remote Access Details | Successful Remote Access Details | Compliance Rule- Successful Remote Access Details | log | assurance, compliance, audit, identity, authentication |
Successful Remote Access Summary | Successful Remote Access Summary | Compliance Rule- Successful Remote Access Summary | log | assurance, compliance, audit, identity, authentication |
Successful Use of Encryption | Successful Use of Encryption | Compliance Rule- Successful Use of Encryption | log | assurance, compliance, audit, operations, event analysis, protocol analysis |
System Clock Synchronization | System Clock Synchronization | Compliance Rule- System Clock Synchronization | log | assurance, compliance, audit |
Threat Categories | Threat Categories | Displays threat categories based on network traffic. The threat.category meta key is populated by feeds and LUA parsers. | log, packet | threat |
Threat Categories By Profiled Source IP | Threat Categories by Profiled Source IP | Detects events through the meta key threat.category, which match a list of configured source IPs. The meta key is generated through alert and threat feeds. | log, packet | threat, identity, assurance, operations, situation awareness |
Threat Sources | Threat Sources | Displays threat sources based on network traffic. The threat.source meta key is populated by feeds and LUA parsers. | log, packet | threat |
Threat Sources By Profiled Source IP | Threat Sources by Profiled Source IP | Detects events through the meta key threat.source, which match a list of configured source IPs. The meta key is generated through alert and threat feeds. | log, packet | threat, identity, assurance, operations, situation awareness |
Top 10 Categorized Sites | Top 10 Categorized Sites | Summarizes a list of categorized sites | packet | assurance, compliance, operations, situation awareness |
Top 10 Destination Countries | Top 10 Destination Countries | Summarizes a list of destination countries | log, packet | operations, event analysis, situation awareness |
Top 10 Destination Countries by Service Type | Top 10 Destination Countries by Service Type | Summarizes a list of destination countries based on services | log, packet | operations, event analysis, protocol analysis, situation awareness |
Top 10 Destination Countries with Warning and Suspicious Level Alerts | Top 10 Destination Countries with Warning and Suspicious Level Alerts | Summarizes a list of countries with warning and suspicious alerts | log, packet | threat, identity, assurance, operations, event analysis, protocol analysis, situation awareness |
Top 10 Destination IP Addresses | Top 10 Destination IP Addresses | Summarizes a list of destination IP addresses | log, packet | operations, event analysis, situation awareness |
Top 10 Search Engine Queries | Top 10 Search Engine Queries | Summarizes a list of search engine queries | packet | operations, event analysis, application analysis, situation awareness |
Top 10 Services | Top 10 Services | Summarizes a list of services | packet | operations, event analysis, protocol analysis, situation awareness |
Top 10 Uncategorized Sites | Top 10 Uncategorized Sites | Summarizes a list of uncategorized sites | packet | operations, event analysis, application analysis, situation awareness |
Top 10 Websites | Top 10 Websites | Summarizes a list of most commonly accessed websites | packet | operations, event analysis, application analysis, situation awareness |
Top Alias Host Destination by Session Count | Top Alias Host Destination by Session Count | Aggregates sessions by alias.host and displays the top five results by session count in descending order. | log, packet | operations, event analysis, protocol analysis, situation awareness |
Top Alias Host Destination by Source IP | Top Alias Host Destination by Source IP | Aggregates sessions by alias.host and displays the top five results grouped by ip.src and summarized by session count in descending order. | log, packet | operations, event analysis, protocol analysis, situation awareness |
Top Destination Country by Session Count | Top Destination Country by Session Count | Aggregates sessions by country.dst and displays the top five results by session count in descending order. | log, packet | operations, event analysis, protocol analysis, situation awareness |
Top Destination Country by Session Size | Top Destination Country by Session Size | Aggregates sessions by country.dst and displays the top five results by session size in descending order. | log, packet | operations, event analysis, protocol analysis, situation awareness |
Top Destination Country by Source IP | Top Destination Country by Source IP | Aggregates sessions by country.dst and displays the top five results grouped by ip.src and summarized by session count in descending order. | log, packet | operations, event analysis, protocol analysis, situation awareness |
Top Destinations By Profiled Source IP - Bandwidth | Top Destinations by Profiled Source IP - Bandwidth | Displays events with the meta key ip.dst aggregated by session size, which match a list of configured source IPs. | log, packet | operations, event analysis, protocol analysis, situation awareness |
Top Destinations By Profiled Source IP - Sessions | Top Destinations by Profiled Source IP - Sessions | Displays events with the meta key ip.dst aggregated by number of sessions, which match a list of configured source IPs. | log, packet | operations, event analysis, protocol analysis, situation awareness |
Top Email Addresses by Frequency | Top Email Addresses by Frequency | Summarizes a list of email addresses based on frequency of occurrence | packet | operations, event analysis, protocol analysis, situation awareness |
Top Email Destinations by Frequency | Top Email Destinations by Frequency | Summarizes a list of email destination countries | packet | operations, event analysis, protocol analysis, situation awareness |
Top Email Subjects | Top Email Subjects | Summarizes a list of email subjects | packet | operations, event analysis, protocol analysis, situation awareness |
Top File Extensions by Frequency | Top File Extensions by Frequency | Summarizes a list of file extensions based on frequency of occurrence. | log, packet | operations, event analysis, protocol analysis, file analysis, situation awareness |
Top Foreign Countries | Top Foreign Countries | Summarizes a list of foreign countries from where network traffic is very high other than the local country. | log, packet | operations, event analysis, protocol analysis, situation awareness |
Top Foreign Domains | Top Foreign Domains | Summarizes a list of foreign domains from where network traffic is very high other than the local domains. | log, packet | operations, event analysis, protocol analysis, situation awareness |
Top HTTPS Destination IP by Session Size | Top HTTPS Destination IP by Session Size | Aggregates sessions by ip.dst and displays the top five results where the tcp.dstport equals 443 or the client equals HTTPS. The results are summarized by session count in descending order. | log, packet | operations, event analysis, protocol analysis, situation awareness |
Top Network Service by Session Count | Top Network Service by Session Count | Aggregates sessions by service and displays the top five results by session count in descending order. | packet | operations, event analysis, protocol analysis, situation awareness |
Top Outbound Protocols | Top Outbound Protocols | Summarizes a list of outbound protocols in a network. | packet | operations, event analysis, protocol analysis, flow analysis, situation awareness |
Top Outbound Source IP | Top Outbound Source IP | Summarizes a list of outbound source IPs in a network. | log, packet | operations, event analysis, protocol analysis, flow analysis, situation awareness |
Top Protocols | Top Protocols | Summarizes a list of top protocols in a network. | packet | operations, event analysis, protocol analysis, situation awareness |
Top Social Sites by Bandwidth | Top Social Sites by Bandwidth | Aggregates sessions that contain social sites, which are listed in the Social Sites List. If social media is not blocked or considered a risk, filter traffic to reduce amount of data captured. | log, packet | operations, event analysis, protocol analysis, application analysis, situation awareness |
Top Source Countries | Top Source Countries | Displays the top source countries as populated by the country.src meta key. To populate this key, the GeoIP parser must be enabled on the network decoder and log decoder. | log, packet | operations, situation awareness |
Top Source IP Addresses | Top Source IP Addresses | Displays the top source IP addresses as populated by the ip.src meta key. | log, packet | operations, situation awareness |
Top TCP Destination Ports | Top TCP Destination Ports | Displays the top TCP destination ports as populated by the tcp.dstport meta key. | packet | operations, situation awareness |
Tox P2P Activity | Tox P2P Activity | The Tox protocol is used for P2P instant messaging and video calling. An actor may use it as an encrypted communication channel for malicious purposes. This rule displays all IP sources that have been identified as communicating with a Tox supernode, so an analyst may conduct further investigation. The feed, Tox Supernode, is a required dependency. | log, packet | operations, situation awareness |
Traffic Flow Direction | Traffic Flow Direction | Displays traffic flow as populated with the Traffic Flow LUA parser or as parsed from a log event source. | log, packet | flow analysis, operations |
Traffic Flow in Azure NSG and Amazon VPC | Traffic Flow in Azure NSG and Amazon VPC | The report rule fetches details of the traffic flow from Azure NSG and/or Amazon VPC. VERSIONS SUPPORTED 10.6.5.x and higher CONFIGURATION Configure the Amazon VPC and Microsoft Azure NSG plugin with valid credentials as per the plugin configuration documents Use the latest table-map.xml DEPENDENCIES CEF log parser | log | event analysis, flow analysis, operations |
Tunneling Protocols Outbound | Tunneling Protocols Outbound | Displays internal users communicating over tunneling protocols that may indicate inappropriate or anonymous access. This rule includes SSH and Tor tunneling protocols. | log, packet | operations, event analysis, protocol analysis, flow analysis, situation awareness |
Unknown Service detected over Standard Network Port | Unknown Service detected over Standard Network Port | Displays sessions where an unknown service is detected on a standard network port, for example an unknown service detected on port 53, which is the standard DNS port. | packet | operations, event analysis, protocol analysis |
User Access Revoked | User Access Revoked | Compliance Rule- User Access Revoked | log | assurance, compliance, audit, identity, authorization |
User Access to Compliance Systems Details | User Access to Compliance Systems Details | Compliance Rule- User Access to Compliance Systems Details | log | assurance, compliance, audit, identity, authorization |
User Access to Compliance Systems Summary | User Access to Compliance Systems Summary | Compliance Rule- User Access to Compliance Systems Summary | log | assurance, compliance, audit, identity, authorization |
User Session Terminated Summary | User Session Terminated Summary | Compliance Rule- User Session Terminated Summary | log | identity, authentication |
Vendor Update Sites by Bandwidth | Vendor Update Sites by Bandwidth | Rule aggregates sessions that contain vendor update sites defined in the Vendor Update Sites List. Traffic from most vendor sites is considered normal and hence these are good filtering candidates. | log, packet | operations, event analysis, protocol analysis, application analysis, situation awareness |
Virus Detection | Virus Detection | Displays possible virus infections by name using the 'virusname' meta key as populated by event class of Anti Virus. | log | operations, situation awareness |
Windows Credential Harvesting Services | Windows Credential Harvesting Services | This rule monitors the installation of Windows services known to be used for pass the hash and brute force attacks. These may include psexec, wce, pwdump, cachedump, gsecdump. | log | action on objectives, application analysis, attack phase, event analysis, lateral movement, operations, threat |
Windows Logon to High Value Assets | Windows Logon to High Value Assets | Rule looks for logon types of 3, 8 or 10 to high value assets. It is required to set-up a High Value Assets custom feed. The feed should populate custom meta keys of High Value Asset Group, fd.hv.group, and Escalation Contact, fd.escalate. The feed may populate these keys based on a callback to the event computer or device IP. | log | assurance, audit, authentication, compliance, identity, lateral movement |
Windows NTLM Network Logon Successful | Windows NTLM Network Logon Successful | Indicates a possible pass-the-hash attack on Windows systems configured to use the NTLM authentication protocol. This rule does not apply to systems which use the Kerberos authentication protocol. This rule reduces false positives for anonymous logons and eliminates all DC or machine logons by removing any usernames that end in a $. | log | action on objectives, attack phase, authentication, identity, lateral movement, threat |
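The match conditions that three of the rules above spell out ("SSH to External Address", "Windows Logon to High Value Assets" and "Windows NTLM Network Logon Successful") re-expressed as Python predicates and run over constructed NetWitness-style meta records. This is an added illustration, not RSA's rule syntax or the content of the delivered rules: the meta keys quoted in the table (service, ip.src, ip.dst, logon.type, fd.hv.group, fd.escalate) are taken from it, while event.computer, user.dst, auth.method and ec.outcome, the feed contents and the sample records are assumptions.

```python
"""Added example: three NetWitness rule conditions from the table, as Python.

Meta keys service, ip.src, ip.dst, logon.type, fd.hv.group and fd.escalate are
named in the table; event.computer, user.dst, auth.method and ec.outcome are
assumed names, and all sample data below is constructed.
"""
import ipaddress

# "SSH to External Address" defines internal as exactly the RFC 1918 space.
RFC1918 = tuple(ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def ssh_to_external(meta: dict) -> bool:
    """service=22 from an RFC 1918 source to a destination outside RFC 1918."""
    if meta.get("service") != 22 or "ip.src" not in meta or "ip.dst" not in meta:
        return False
    return is_internal(meta["ip.src"]) and not is_internal(meta["ip.dst"])


# Constructed stand-in for the "High Value Assets" custom feed the table
# describes: keyed on the event computer, it supplies fd.hv.group and fd.escalate.
HIGH_VALUE_ASSETS = {
    "DC01": {"fd.hv.group": "domain-controllers", "fd.escalate": "soc-tier2@example.test"},
    "PAYROLL-DB": {"fd.hv.group": "finance", "fd.escalate": "finance-sec@example.test"},
}


def apply_hv_feed(meta: dict) -> dict:
    """Feed callback on the event computer: copy the feed columns onto a hit."""
    hit = HIGH_VALUE_ASSETS.get(meta.get("event.computer"))
    return {**meta, **hit} if hit else meta


def logon_to_high_value_asset(meta: dict) -> bool:
    """Logon type 3 (network), 8 (network cleartext) or 10 (remote interactive)
    to a host the feed tagged with fd.hv.group."""
    return meta.get("logon.type") in (3, 8, 10) and "fd.hv.group" in meta


def ntlm_network_logon_successful(meta: dict) -> bool:
    """Successful NTLM network logon by a non-machine account.

    Usernames ending in '$' (computer and DC accounts) and ANONYMOUS LOGON are
    dropped, as the rule description states. Kerberos logons never match.
    """
    user = meta.get("user.dst", "")
    return (meta.get("auth.method") == "NTLM"      # assumed key for 'Authentication Package'
            and meta.get("logon.type") == 3
            and meta.get("ec.outcome") == "Success"
            and not user.endswith("$")
            and user.upper() != "ANONYMOUS LOGON")


RULES = {
    "SSH to External Address": ssh_to_external,
    "Windows Logon to High Value Assets": logon_to_high_value_asset,
    "Windows NTLM Network Logon Successful": ntlm_network_logon_successful,
}


def evaluate(meta: dict) -> list:
    """Enrich one record with the feed, then return the names of rules that fire."""
    meta = apply_hv_feed(meta)
    return [name for name, pred in RULES.items() if pred(meta)]


# Constructed sample records (not real capture or log data).
SAMPLES = [
    {"id": "pkt-1", "service": 22, "ip.src": "10.20.30.40", "ip.dst": "203.0.113.7"},
    {"id": "pkt-2", "service": 22, "ip.src": "10.20.30.40", "ip.dst": "192.168.5.5"},
    {"id": "log-1", "event.computer": "DC01", "logon.type": 3, "user.dst": "jsmith",
     "auth.method": "NTLM", "ec.outcome": "Success"},
    {"id": "log-2", "event.computer": "DC01", "logon.type": 3, "user.dst": "WS07$",
     "auth.method": "NTLM", "ec.outcome": "Success"},
    {"id": "log-3", "event.computer": "FILESRV", "logon.type": 10, "user.dst": "admin",
     "auth.method": "Kerberos", "ec.outcome": "Success"},
]


def run(samples=SAMPLES) -> dict:
    """Map each sample record id to the list of rule names that fired for it."""
    return {s["id"]: evaluate(s) for s in samples}


if __name__ == "__main__":
    for rec_id, fired in run().items():
        print(rec_id, fired or "-")
```

The machine-account filter is deliberately the last condition: a DC's own NTLM network logons (WS07$ above) still count as a logon to a high-value asset, but are excluded from the pass-the-hash rule exactly as the table says, so the two rules fire independently on the same record.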