Threat Detection Content Update - October 2018

RajasSave (Respected Contributor)
2018-10-08 05:03 PM

Summary:

Several changes have been made to the Threat Detection Content in Live. To get the added detection, deploy or download the content and subscribe to it via Live; retired content must be removed manually.

Additions:

fingerprint_windows_registry Lua Parser – A new parser is released to detect Windows Registry hive files on the wire. A registry hive is a logical group of keys, subkeys, and values in the registry that has a set of supporting files containing backups of its data. These hive files contain registry information specific to the user's application settings, desktop, environment, network connections, and printers. Adversaries can use this information to their advantage and craft attacks tailored to a specific system according to its registry state. With the fingerprint_windows_registry parser, analysts can now detect Windows Registry hive files on the network, which helps in the investigation of Windows-based incidents.

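As an added illustration of what fingerprinting a hive file on the wire involves (this is example code, not the Live parser, whose source is not on this page), the Python below checks the fixed 512-byte base block of a Windows registry hive: the "regf" signature, the version and format fields, and the XOR checksum over the first 508 bytes, then scans a reassembled byte stream for such blocks. The sample hive header and all function names are constructed for this example.

```python
import struct

def regf_checksum(block):
    """XOR of the first 508 bytes as 127 little-endian DWORDs (offset 508 holds the stored value)."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", block[:508]):
        csum ^= dword
    if csum == 0:
        return 1            # the on-disk format stores 0 as 1
    if csum == 0xFFFFFFFF:
        return 0xFFFFFFFE   # and 0xFFFFFFFF as 0xFFFFFFFE
    return csum

def fingerprint_regf(payload):
    """Describe a hive base block at the start of payload, or return None."""
    if len(payload) < 512 or payload[:4] != b"regf":
        return None
    seq1, seq2 = struct.unpack_from("<II", payload, 4)          # primary/secondary sequence numbers
    major, minor, ftype, fmt = struct.unpack_from("<IIII", payload, 20)
    if major != 1 or fmt != 1:                                   # only the known on-disk layout
        return None
    stored = struct.unpack_from("<I", payload, 508)[0]
    name = payload[48:112].decode("utf-16-le", "ignore").rstrip("\x00")
    return {"version": "%d.%d" % (major, minor), "file_type": ftype, "name": name,
            "dirty": seq1 != seq2, "checksum_ok": stored == regf_checksum(payload)}

def scan_stream(data):
    """Find hive base blocks anywhere in a reassembled byte stream (e.g. an HTTP or SMB payload)."""
    hits, pos = [], data.find(b"regf")
    while pos != -1:
        fp = fingerprint_regf(data[pos:])
        if fp:
            hits.append((pos, fp))
        pos = data.find(b"regf", pos + 1)
    return hits

def build_sample_hive_header(name="SAMPLE\\system", minor=5):
    """Constructed 512-byte base block for testing (not captured from a real host)."""
    hdr = bytearray(512)
    hdr[0:4] = b"regf"
    struct.pack_into("<IIQ", hdr, 4, 7, 7, 0)           # sequence numbers, last-written FILETIME
    struct.pack_into("<IIII", hdr, 20, 1, minor, 0, 1)  # major, minor, type (0 = primary), format
    struct.pack_into("<III", hdr, 36, 0x20, 0x1000, 1)  # root cell offset, hbin data size, clustering
    hdr[48:112] = name.encode("utf-16-le").ljust(64, b"\x00")
    struct.pack_into("<I", hdr, 508, regf_checksum(bytes(hdr)))
    return bytes(hdr)

if __name__ == "__main__":
    sample = b"GET /backup HTTP/1.1\r\n\r\n" + build_sample_hive_header()
    for offset, fp in scan_stream(sample):
        print(offset, fp)
```

A mismatched checksum or differing sequence numbers does not rule a hit out; it simply marks the hive as possibly truncated or copied while dirty, which is itself useful investigation context.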

Amazon VPC Traffic Flow Report – A new report is released to provide insight into Amazon VPC traffic flow.

A detailed configuration guide can be found here: https://community.rsa.com/docs/DOC-97137

The following NetWitness rules, which the Amazon VPC Traffic Flow Report requires, are also released:

  • Amazon VPC Top Accepted Destination IP - The report rule fetches the top 10 accepted Destination IP addresses based on the total bytes transferred.
  • Amazon VPC Top Accepted Destination Ports - The report rule fetches the details of top accepted Destination Ports with their occurrences.
  • Amazon VPC Top Accepted Source IP - The report rule fetches the top 10 accepted Source IP addresses based on total bytes transferred.
  • Amazon VPC Top Rejected Destination IP - The report rule fetches the top 10 rejected Destination IP addresses based on total bytes transferred.
  • Amazon VPC Top Rejected Destination Ports - The report rule fetches the details of top rejected Destination Ports with their occurrences.
  • Amazon VPC Top Rejected Source IP - The report rule fetches the top 10 rejected Source IP addresses based on total bytes transferred.
  • Amazon VPC Top Source and Destination IP Pair - The report rule fetches the top 10 accepted Source IP and Destination IP address pairs based on total bytes transferred.

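To make the seven report rules above concrete, here is an added Python example (not the NetWitness rule definitions themselves) that computes the same rankings over constructed VPC flow log records in the default version 2 field order; the records, the field names and the function names are assumptions for this example.

```python
from collections import Counter, defaultdict

# Constructed VPC flow log records (default version 2 format), not real traffic:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.10 203.0.113.5 49152 443 6 20 15000 1538990000 1538990060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.11 203.0.113.5 49153 443 6 10 8000 1538990000 1538990060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 198.51.100.7 49154 80 6 5 2000 1538990000 1538990060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 192.0.2.9 10.0.1.10 40000 22 6 3 300 1538990000 1538990060 REJECT OK
2 123456789012 eni-0a1b2c3d 192.0.2.9 10.0.1.11 40001 3389 6 2 200 1538990000 1538990060 REJECT OK
2 123456789012 eni-0a1b2c3d 192.0.2.10 10.0.1.10 40002 22 6 4 400 1538990000 1538990060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1538990000 1538990060 - NODATA
"""

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

def parse_flow_log(text):
    """Yield one dict per usable record; NODATA/SKIPDATA rows carry no addresses and are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        rec["bytes"] = int(rec["bytes"])
        yield rec

def top_by_bytes(records, action, key, n=10):
    """Top-n values of `key` (e.g. 'dstaddr') among flows with `action`, ranked by total bytes."""
    totals = defaultdict(int)
    for r in records:
        if r["action"] == action:
            totals[r[key]] += r["bytes"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

def top_ports_by_count(records, action, n=10):
    """Destination ports among flows with `action`, ranked by number of occurrences."""
    c = Counter(r["dstport"] for r in records if r["action"] == action)
    return c.most_common(n)

def top_pairs_by_bytes(records, n=10):
    """Accepted (srcaddr, dstaddr) pairs ranked by total bytes, as in the pair rule."""
    totals = defaultdict(int)
    for r in records:
        if r["action"] == "ACCEPT":
            totals[(r["srcaddr"], r["dstaddr"])] += r["bytes"]
    return sorted(totals.items(), key=lambda kv: -kv[1])[:n]
```

Running `top_by_bytes(list(parse_flow_log(SAMPLE_FLOW_LOG)), "REJECT", "dstaddr")` reproduces the "Top Rejected Destination IP" rule on the sample; the other rules map to the remaining calls with the matching action and field.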

Traffic Flow in Azure NSG and Amazon VPC – A new report is released to provide insight into Azure NSG and Amazon VPC traffic flow.

Detailed information about the Azure NSG traffic flow integration can be found here: https://community.rsa.com/community/products/netwitness/blog/2018/02/28/microsoft-azure-nsg-netwitness-integration

A detailed configuration guide can be found here: https://community.rsa.com/docs/DOC-86361


Changes:

RDP_lua parser – Functionality has been added to extract the screen resolution and username from RDP sessions, to better identify attacks such as those against ICS. The username is now extracted to the key 'username' and the screen resolution to the key 'analysis.service'.

phishing_lua parser – This parser is updated for efficiency improvements and can now also parse URLs that don't begin with http(s)://.

traffic_flow Lua parser – Functionality has been added to provide directionality information to other parsers without using meta-callbacks, for better efficiency.


EOPS Policy:

RSA has a defined End of Primary Support policy associated with all major versions. Please refer to https://community.rsa.com/docs/DOC-40387 for additional details.
