RSA is pleased to announce the addition of new and updated content to RSA Live’s Content Library. This is a large update and our format has changed a bit, so please take a moment to review the various sections in this announcement to become familiar with the latest tools we are providing you to detect threats to your environment.
The categories of new and updated content are as follows:
Event Stream Analysis Rules
Report Engine Rules
Seeking Customer Developed Parsers, Rules and Reports
Security Analytics content will be evolving in 2014, both in functionality and presentation. We would like to work more closely with our customers in order to provide content that helps you find the threats that matter most to you. Your feedback, suggestions, and general questions are always appreciated.
1) Have you created a parser, rule, or report that would be helpful to the broader RSA User Community? If so, let us know about it! Reach out to us via email at:
3) The content team will also be heavily engaged with the EMC Community portal this year. Not only is the Community a great place for us to communicate directly with our customers, but it’s a wonderful resource for our customers to gain tips and tricks from our research engineers as well as gain early access to our various pieces of security research. Not a member? Sign up here:
- Our RSA Incident Response Team’s research dissecting Shell Crew and their malicious tactics, techniques, and procedures was recently released. As a supplement to this report we have released a digital appendix of content that can be used in Security Analytics as well as RSA ECAT to help identify instances of Shell Crew activity. RSA Security Analytics customers can subscribe to this content via RSA Live. The full report can be found here:
One final thought, if you haven’t already registered to RSA’s SecurCare Online support site, please do so. Being a member allows you to subscribe to notifications and announcements for the entire suite of RSA security products. From new release announcements to end of support notifications, SecurCare Online keeps you informed about what’s happening with your RSA product.
We look forward to forging a stronger relationship with you in 2014 as we evolve our content and improve your total content experience.
If you have suggestions about how you would like to see this type of messaging formatted in the future, let us know about it. Please keep in mind that this is an unusually large update and future notifications will be much smaller.
New Event Stream Analysis Rules for Correlation and Complex Event Processing
Title: Multiple login failures from same source for username that does not exist
Desc: Alert when log events contain multiple login failures from the same source in 180 seconds where the failure reason is that the username does not exist. This differs from the case of an existing username that fails to log on because of a bad password: here the user does not exist at all and is being tried repeatedly from the same machine. Both the time window and the number of failed logins are configurable.
Title: Multiple failed logins from a single user from multiple different sources to same destination in X seconds
Desc: Alert when log events contain multiple failed logins from a single user from multiple different sources to same destination in 3600 seconds. Both the time window and number of failed logins are configurable.
Title: Multiple successful logins from a single user from multiple different sources to the same destination
Desc: Alert when log events contain multiple successful logins from a single user from multiple different sources to same destination in 3600 seconds. Both the time window and number of success logins are configurable.
Title: User added to admin group then syslog is disabled
Desc: A user was added to one of the listed groups and the same user then stops the syslog/rsyslog service on a Linux machine. The rule relies on ec tags for group modification. A Linux machine does not generate an event for stopping the syslog service, but an event is generated for stopping kernel logging, and that event is used to fire the rule.
Title: Single source, Same IDS / IPS message type, different destination IP
Desc: Detects similar IDS/IPS events from same source and multiple destination ip. Count of unique destination and time are configurable.
Title: Privilege Escalation Detected for Unix devices
Desc: Detects two kinds of events: a user escalates privileges using su, or an administrator adds a user to a user-defined list of groups.
Title: SSH traffic detected from a single source to different destinations
Desc: Detects SSH traffic (service=22) from a single source to multiple destinations within a given time. The number of destinations, the service and the time window are configurable.
Title: Multiple failed logins from multiple different users from same source to same destination
Desc: Alert when log events contain multiple failed logins from multiple different users from same source to same destination in 180 seconds. Both the time window and number of failed logins are configurable.
Title: Multiple successful logins from a single user from multiple different sources to multiple destinations
Desc: Alert when log events contain multiple successful logins from a single user from multiple different sources to multiple different destinations in 180 seconds. Both the time window and number of success logins are configurable.
Title: DNS Lookups From the Same Host
Desc: Detects 50 DNS lookups in 60 seconds from the same IP source. Both the time window and number of lookups are configurable.
Title: File Transfer Using Non Standard Port
Desc: File transferred using non-standard TCP destination port. Both the list of file extensions and standard TCP ports are configurable. The statement detects if the TCP destination port does not equal those that are standard as configured.
Title: User added to admin group then ssh is enabled
Desc: A user was added to one of the configured groups and the same user then starts the syslog/rsyslog service on a Linux machine. The rule relies on Event Categorization Tags (ECT) for group modification. For this rule to work, infobloxnios should be disabled. The time window, service name and list of administrator groups are configurable. This rule uses the non-standard meta key client, so it must be made available to the Log Decoder and Concentrator by updating index-concentrator-custom.xml and/or table-map.xml.
Title: Non SMTP Traffic on TCP Port 25 Containing Executable
Desc: Monitors for non-SMTP traffic on TCP destination port 25 containing an executable. Both the list of executable file extensions and the TCP port for SMTP traffic are configurable. This rule assumes that the connection does not need to be successful at both the client and server, and that a single event matching the filter criteria should trigger the rule.
Title: HTTP Outbound Traffic to Multiple Destinations From Single Source
Desc: HTTP outbound traffic to 50 unique destination IPs from a single source IP within 60 seconds. Outbound traffic is defined as traffic whose destination is not a private reserved address. The source IP must be within the RFC 1918 specification. The time window, number of unique destination IPs and source IP whitelist are all configurable. All events are grouped by ip.src, and 50 must occur within 60 seconds.
Title: Multi-Service connection attempts_Pckt
Desc: Multiple connection failures detected from packet data, from the same source to multiple common service ports (destination ports, e.g. TCP 21, 22, 23, 25, 80, 8080, 443) of the same destination within a 5-minute period. The time window, the list of destination ports to be monitored and the number of connection attempts are configurable.
Title: Root fail ESX server (x3) + Root success to ESX server + VMClone
Desc: Alert if there are multiple (here assumed to be 3) root login failures to an ESX server, followed by a root login success to the ESX server, followed by a VMClone event within 5 minutes. The time window is configurable.
Title: Non HTTP Traffic on TCP Port 80 Containing Executable
Desc: Monitors for non-HTTP traffic on TCP destination port 80 containing an executable. Both the list of executable file extensions and the TCP port for HTTP traffic are configurable. This rule assumes that the connection does not need to be successful at both the client and server, and that a single event matching the filter criteria should trigger the rule.
Title: Account Created and Deleted within an hour.
Desc: Account Created and Deleted within an hour.
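As an added illustration (not RSA content and not ESA rule syntax), the sliding-window correlation that most of the rules above describe, in Python: events are grouped by a key, events older than a configurable window expire, and an alert fires at a configurable threshold of events or of distinct values. It is applied to two of the rules, the nonexistent-username failures and the HTTP fan-out; the sample events, the meta key names used, and the reading of "private reserved address" as RFC 1918 space are assumptions.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Assumption: "private reserved address" in the HTTP rule means RFC 1918 space.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip):
    return any(ip_address(ip) in net for net in RFC1918)

def windowed_alerts(events, group_by, window, threshold, distinct=None, match=None):
    """Correlate time-ordered (time, event) pairs: group by `group_by`, keep a
    sliding `window` in seconds, and alert when a group reaches `threshold`
    events (or `threshold` distinct values of the `distinct` key).
    `match` is an optional predicate that filters events before correlation."""
    state = defaultdict(deque)   # group key -> deque of (time, distinct value)
    alerts = []
    for t, ev in events:
        if match and not match(ev):
            continue
        q = state[ev[group_by]]
        # Without a `distinct` key every event counts once, so use a unique marker.
        q.append((t, ev[distinct] if distinct else object()))
        while t - q[0][0] > window:   # expire events older than the window
            q.popleft()
        if len({v for _, v in q}) >= threshold:
            alerts.append((ev[group_by], t))
            q.clear()                 # one alert per burst, not one per event
    return alerts

# Constructed sample events (not real Security Analytics output); times in seconds.
LOGIN_EVENTS = [(t, {"ip.src": "10.0.0.5", "ec.outcome": "Failure",
                     "result": "user does not exist"}) for t in (0, 30, 60, 90, 100)]
LOGIN_EVENTS += [(t, {"ip.src": "10.0.0.9", "ec.outcome": "Failure",
                      "result": "bad password"}) for t in (5, 35, 65, 95, 105)]
LOGIN_EVENTS.sort(key=lambda e: e[0])

def nonexistent_user_alerts(events=LOGIN_EVENTS):
    """Five login failures for a nonexistent username from one source within 180 s."""
    return windowed_alerts(events, "ip.src", window=180, threshold=5,
                           match=lambda e: e["ec.outcome"] == "Failure"
                           and e["result"] == "user does not exist")

HTTP_EVENTS = [(i, {"ip.src": "10.0.0.7", "ip.dst": f"203.0.113.{i + 1}", "service": 80})
               for i in range(50)]           # 50 distinct destinations in 49 s

def http_fanout_alerts(events=HTTP_EVENTS):
    """HTTP from an RFC 1918 source to 50 unique non-private destinations in 60 s."""
    return windowed_alerts(events, "ip.src", window=60, threshold=50, distinct="ip.dst",
                           match=lambda e: e["service"] == 80
                           and is_rfc1918(e["ip.src"]) and not is_rfc1918(e["ip.dst"]))
```

Shrinking the window or raising the threshold makes the same burst fall below the alert condition, which is the tuning the rule descriptions refer to as "configurable".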
Log Collector Content
Title: ActivIdentity AAA Server Log Collector Configuration
Desc: Log Collector configuration content for event source ActivIdentity AAA Server